An attacker can exploit this issue by enticing an unsuspecting victim to open a specially crafted '.blend' file. The following proof of concept demonstrates this issue:

. Open the "Text Editor" Panel.
. Right click on the canvas and select "New".
. Write your python code there. For instance:

/-----
import os
os.system("calc.exe")
-----/

. In the text name field (TX:Text.001) input a name for your script, e.g.: TX:myscript.
. Open the "Buttons Window" panel.
. From the "panel" dropdown choose "Script".
. Check that "enable script links" is active.
. Click on "new".
. Select the script you created (e.g. myscript).
. Choose "OnLoad" from the event dropdown list.
. In the "User Preferences" panel, select File->Save, and save your project.

NOTE: Core Security Technologies has developed a working commercial exploit for its CORE IMPACT product. This exploit is not otherwise publicly available or known to be circulating in the wild.
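For triage before opening an untrusted '.blend' file, the following added example (not part of the original advisory or of Core's exploit) walks the file's block stream and reports embedded Text ('TX') datablocks, the kind of datablock the steps above create. It assumes the classic .blend layout (12-byte header, then blocks of code, size, old address, SDNA index, count); `find_text_blocks` and `build_sample` are names made up here, and the sample bytes are constructed.

```python
import gzip
import struct

def find_text_blocks(data):
    """Return (version, [(offset, size), ...]) for each Text ('TX') datablock."""
    if data[:2] == b"\x1f\x8b":            # Blender can save gzip-compressed files
        data = gzip.decompress(data)
    if len(data) < 12 or data[:7] != b"BLENDER":
        raise ValueError("not a .blend file")
    ptr_size = {b"_": 4, b"-": 8}.get(data[7:8])     # pointer width of the writer
    endian = {b"v": "<", b"V": ">"}.get(data[8:9])   # byte order of the writer
    if ptr_size is None or endian is None:
        raise ValueError("unrecognised .blend header")
    version = data[9:12].decode("ascii", "replace")  # e.g. "249"
    head_len = 4 + 4 + ptr_size + 4 + 4    # code, size, old address, SDNA index, count
    hits, pos = [], 12
    while pos + head_len <= len(data):
        code = data[pos:pos + 4]
        if code == b"ENDB":                # end-of-file marker block
            break
        (size,) = struct.unpack_from(endian + "i", data, pos + 4)
        if size < 0 or pos + head_len + size > len(data):
            raise ValueError("truncated or malformed block at offset %d" % pos)
        if code == b"TX\0\0":              # a Text datablock is stored in the file
            hits.append((pos, size))
        pos += head_len + size
    return version, hits

def build_sample(with_script):
    """Constructed, minimal block stream for the demo; not a loadable scene."""
    def block(code, payload):
        return (code + struct.pack("<i", len(payload)) + b"\0" * 4
                + struct.pack("<ii", 0, 1) + payload)
    body = block(b"SC\0\0", b"\0" * 16)
    if with_script:
        body += block(b"TX\0\0", b"\0" * 32)
    return b"BLENDER_v249" + body + block(b"ENDB", b"")

if __name__ == "__main__":
    for label, blob in (("clean", build_sample(False)), ("scripted", build_sample(True))):
        print(label, find_text_blocks(blob))
```

A hit only means the file carries embedded text; whether a script link runs it on load still has to be checked in Blender with script links disabled.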
Related Exploits

Other Possible E-DB Search Terms: Blender 2.49b, Blender

|2009-11-05|Blender 2.34 / 2.35a / 2.4 / 2.49b - '.blend' Command Injection|Core Security|
|2006-04-24|Blender 2.36 - '.BVF' File Import Python Code Execution|Joxean Koret|
|2005-12-20|Blender BlenLoader 2.x - File Processing Integer Overflow|Damian Put|