[Security] SketchUp SDK DLL (slapi.dll) leads to Use-After-Free Remote Code Execution Vulnerability

Dear SketchUp team,

I want to report that slapi.dll is subject to a security vulnerability, use-after-free remote code execution.

Primary vulnerability is due to lack of sanitization of 3D model file as input. By loading the corrputed file the attacker can get the application to access memory that has been previously freed. The use of previously-freed memory can have any number of
adverse consequences ranging from the corruption of valid data to the execution of arbitrary code.

Sample POC is attached. poc.skp (653.6 KB)

Any software leverages your SDK will be subject to the same security vulnerability.


File version: 14.0.4900.0

Product

version: 14.0.4900.0

File

flags: 0 (Mask 3F)

File OS:          40004 NT Win32

File type:        2.0 Dll

File date:        00000000.00000000

Translations: 0409.04b0

CompanyName: Trimble Navigation
Limited

ProductName: SketchUp

InternalName: slapi.dll

OriginalFilename: slapi.dll

ProductVersion: 14.0.4900.0

FileVersion: 14.0.4900.0

FileDescription: SketchUp SDK DLL
(32-bit)

LegalCopyright: (c) 2014 Trimble
Navigation Limited

0:005>


Please kindly get in touch with me in case you need further information.

Best regards,
Vic

That is definitely not the latest SDK version !

Go here: http://www.sketchup.com/intl/en/developer/sdk_start.html
and download the latest version (which is 15.3.330.0 as of this posting.)

Please advise if the vulnerability exists in the current release version.

Hi Dan,

Thanks for your advise…unfortunately, the problem persists with the latest version of SDK.

Please see attached screen-shot showing upgrade has been done.

Best regards,
Vic

Dear SketchUp Team,

Is there any update to this report? Is there any feedback?

Best regards,
Vic

Heya Vic,

I’ll follow up with you via the Forum’s messaging system. Hang on for more info…