SAP 3D Visual Enterprise Viewer rh.x3d RH File 0x000A Chunk Type Handling Array Indexing Error Arbitrary Code Execution
Vendor / Product information
“Product visualization is an integral component in modern business software solutions. SAP 3D Visual Enterprise Viewer provides visualization as a permanently available and fully-integrated solution component. The viewing functionality is always available to enable the visualization of parts and assemblies when working on tasks within a business process.”
Source: https://help.sap.com/doc/saphelp_ve-viewer80/8.0/en-US/be/df68d83eae430f892ed29522bf6744/content.htm
Vulnerable program details
Details for tested products and versions:
Vendor: SAP
Product: 3D Visual Enterprise Viewer (CA-VE-VEV)
Version: 9.9.2
NOTE: Other versions than the one listed above are likely affected.
Credits
Carsten Eiram, Risk Based Security
Twitter: @RiskBased
Vulnerability details
SAP 3D Visual Enterprise Viewer contains an array indexing error in rh.x3d that is triggered when handling 0x000A chunk types in Right Hemisphere (RH) format files. The problem occurs as a size value is taken from a 0x000D chunk type and used to index into an array of objects while handling the 0x000A chunk type. As no size check is performed to ensure that the array is large enough, the code may end up dereferencing memory contents outside of the array bounds as if they were a legitimate object virtual table.
With a specially crafted RH file, a context-dependent attacker can dereference invalid memory as a virtual function pointer and potentially execute arbitrary code.
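The following is an added example in C (not code from SAP or from the advisory author) showing the kind of bounds check whose absence is described above: an index read from one chunk is validated against the object table's size before it is used to make a virtual call while processing another chunk. The chunk layout ([u16 type][u32 length][payload], little-endian), the object table and the function names are all constructed for illustration and are not the real rh.x3d format.

```c
/* Hardened object-table lookup for a chunked model file.
 * Added example: chunk layout, object table and names are constructed
 * for illustration and are NOT the real rh.x3d / RH format. */
#include <stddef.h>
#include <stdint.h>

typedef struct { int (*describe)(void); } Object;   /* one "virtual" method */

static int desc_cube(void)   { return 1; }
static int desc_sphere(void) { return 2; }

/* Constructed object table: only two valid entries exist. */
static const Object g_objects[] = { { desc_cube }, { desc_sphere } };
#define OBJECT_COUNT (sizeof g_objects / sizeof g_objects[0])

#define CHUNK_SIZE_REF   0x000D   /* carries the value later used as an index */
#define CHUNK_USE_OBJECT 0x000A   /* uses that value to call into the table */

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the chunk stream. Returns the describe() result of the referenced
 * object, or -1 for a truncated chunk, a missing reference, or an index
 * outside the table. The range check against OBJECT_COUNT is the check
 * the vulnerable code lacked: without it, g_objects[ref] would read past
 * the array and call through whatever bytes happen to be there. */
int process_chunks(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    uint32_t ref = 0;
    int have_ref = 0, result = -1;

    while (len - pos >= 6) {                       /* room for a chunk header */
        uint16_t type = rd16le(buf + pos);
        uint32_t clen = rd32le(buf + pos + 2);
        pos += 6;
        if (clen > len - pos) return -1;           /* chunk overruns the buffer */
        if (type == CHUNK_SIZE_REF && clen == 4) {
            ref = rd32le(buf + pos);
            have_ref = 1;
        } else if (type == CHUNK_USE_OBJECT) {
            if (!have_ref || ref >= OBJECT_COUNT) return -1;  /* the fix */
            result = g_objects[ref].describe();    /* safe: ref is in range */
        }
        pos += clen;
    }
    return result;
}
```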
Please note that SAP downplays this issue in their security advisory and describes an application crash as the only impact.
Solution
The vendor has addressed the vulnerability in version 9.9.3.
References
- VulnDB: 239638
- SAP Advisory: https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=558632196
- SAP Notes: https://launchpad.support.sap.com/#/notes/2949173, https://launchpad.support.sap.com/#/notes/2973497
- SAP Vulnerability Report Submission ID: SR-20-00321
- CVE: CVE-2020-6376
Timeline
- 2020-09-16: Vulnerability discovered.
- 2020-09-24: Vendor contacted.
- 2020-09-25: Vendor response.
- 2020-09-30: Vendor states that vulnerability has already been addressed in the upcoming 9.9.3 release.
- 2020-10-01: Alert sent to RBS VulnDB clients.
- 2020-10-13: SAP publishes updated version and their advisory (no credit to RBS and impact downplayed).
- 2021-01-09: Publication of this research report.