An exploitable heap overflow vulnerability exists in the DXF-parsing functionality of AutoDesk AutoCAD 2019 P.46.0.0. A specially crafted DXF file with too many cell margins populating an AcCellMargin object can cause a heap overflow, resulting in code execution. An attacker can provide a victim with a specially crafted DXF file to exploit the vulnerability.
AutoDesk AutoCAD 2019 P.46.0.0
8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE-122: Heap-based Buffer Overflow
AutoDesk AutoCAD is a design and drafting application. AutoCAD helps civil engineers draft practically any civil engineering structure with ease, speed and accuracy. This application also helps engineers solve design issues earlier in the design process.
One of the file formats AutoCAD supports is DXF (Drawing Exchange Format). DXF was developed by AutoDesk to help pass data between the variety of AutoDesk applications. The format is a tagged data format where each element is prepended with a number that represents a group code signifying how the data is interpreted.
The module used for analysis is shown below.
0:000> lm vm acdb23 start end module name 00007ffd`bc550000 00007ffd`bda40000 acdb23 (export symbols) C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll Loaded symbol image file: C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll Image path: C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll Image name: acdb23.dll Timestamp: Mon Jan 29 20:32:20 2018 (5A6FF554) CheckSum: 014D5C2F ImageSize: 014F0000 File version: 18.104.22.168 Product version: 22.214.171.124
One element type handled by the DXF parser is the AcCellMargin. The creation of an AcCellMargin begins with a malloc of
0x38 bytes. This memory region is then passed to the following function for initialization.
acdb23.dll+d7998 .text:00000000010D7998 init_AcCellMargin proc near ; CODE XREF: sub_10D66B8+32↑p .text:00000000010D7998 ; sub_1A6ED0C+2C0↓p ... .text:00000000010D7998 000 lea rax, const AcCellMargin::`vftable' ;  .text:00000000010D799F 000 xor edx, edx .text:00000000010D79A1 000 mov [rcx], rax .text:00000000010D79A4 000 lea r8, [rcx+8] .text:00000000010D79A8 .text:00000000010D79A8 000 lea rax, [rdx-4] .text:00000000010D79AC 000 cmp rax, 1 .text:00000000010D79B0 000 mov rax, 3FAEB851EB851EB8h .text:00000000010D79BA 000 jbe short loc_10D79D0 .text:00000000010D79BC .text:00000000010D79BC 000 mov [r8], rax ;  .text:00000000010D79BF 000 inc rdx .text:00000000010D79C2 000 add r8, 8 .text:00000000010D79C6 000 cmp rdx, 6 .text:00000000010D79CA 000 jl short loc_10D79A8 .text:00000000010D79CC 000 mov rax, rcx .text:00000000010D79CF 000 retn
This element is initialized with the AcCellMargin vtable , as well as initialized with six values for the six different margins available . When parsing a group code of value
301, this AcCellMargin can be set using values from the DXF file. The code id of
40 is used to mark values to be written to the AcCellMargin.
acdb23.dll+a7002f top_loop: .text:0000000001A7002F 058 mov rax, [rbx] .text:0000000001A70032 058 lea rdx, [rsp+58h+data_read_from_file] .text:0000000001A70037 058 mov rcx, rbx .text:0000000001A7003A 058 add rdi, 8 ;  .text:0000000001A7003E 058 call qword ptr [rax+98h] ;  .text:0000000001A70044 058 test eax, eax .text:0000000001A70046 058 jnz short break_loop .text:0000000001A7004D 058 cmp eax, 40 .text:0000000001A70050 058 jnz short break_loop ;  .text:0000000001A70052 058 movsd xmm0, [rsp+58h+new_margin_value] .text:0000000001A70058 058 movsd qword ptr [rdi], xmm0 ;  .text:0000000001A7005C 058 jmp short top_loop
The code above a data block from the file  and checks if the ID of the data read is
40. If it is
40 , then the value of the data block is written to the AcCellMargin object  and the reference in the AcCellMargin is incremented . This process continues until a non-
40 data block is read. If more than six values are read and written, the original AcCellMargin memory region is overflown causing a heap buffer overflow, resulting in code execution with a carefully crafted file.
(1934.be4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Autodesk\AutoCAD 2019\acdb23.dll - acdb23!zapset+0x4118: 00007ffd`44a10058 f20f1107 movsd mmword ptr [rdi],xmm0 ds:000001e1`43985000=????????????????
2018-10-01 - Vendor Disclosure
2019-02-14 - Public Release
Discovered by Cory Duplantis of Cisco Talos.