Dear SketchUp team,
I want to report that slapi.dll is subject to a security vulnerability, use-after-free remote code execution.
The primary vulnerability is due to a lack of sanitization of the 3D model file as input. By loading the corrupted file, the attacker can get the application to access memory that has been previously freed. The use of previously freed memory can have any number of adverse consequences, ranging from the corruption of valid data to the execution of arbitrary code.
Sample POC is attached. poc.skp (653.6 KB)
Any software that leverages your SDK will be subject to the same security vulnerability.
File version: 14.0.4900.0
flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 2.0 Dll
File date: 00000000.00000000
CompanyName: Trimble Navigation
FileDescription: SketchUp SDK DLL
LegalCopyright: © 2014 Trimble
Please kindly get in touch with me in case you need further information.