Untrusted sources can deliver these malicious files in various ways, for example by sending them via email, posting them on social media, or dropping them onto a system through the web browser.
In the case of SolidWorks, when an untrusted source delivers a .sldprt file that the victim has previously opened, and SolidWorks retains a history of that file, it is possible that opening the same .sldprt part again will trigger Remote Code Execution.

Another way to deliver a malicious .sldprt file may be to locate one in a user's library and deliver it through a drive-by download.
At the time of the analysis, the majority of SolidWorks users were found to have the file open on their systems, leaving it exposed to exploitation.

Because of the way SolidWorks manages memory, a victim may receive a malicious .sldprt file that is then held in the system's memory.
When that malicious .sldprt file is later opened, it may trigger Remote Code Execution.

SolidWorks Software update trip-wire vulnerability

A trip-wire vulnerability was found in SolidWorks software. An attacker could exploit it to gain remote code execution on a user's system. The issue affects all versions of SolidWorks software from 2007 onward.

A misconfiguration in SolidWorks software can lead to Remote Code Execution: when an .sldprt file containing malicious code is opened, it can trigger the attack.
In this case, "a victim may receive a malicious .sldprt file, which will be stored in the system’s memory."

How to detect a SolidWorks file carrying Remote Code Execution?

To detect a SolidWorks file carrying Remote Code Execution, you must first identify the .sldprt file. Use a hex editor or another tool that reads binary files to confirm what the file is, then compute its hash and compare it against the hashes of known malicious .sldprt files. Here are a few of the .sldprt files that have been found in various places online, listed by hash (only the first value is a complete 32-character MD5 digest; the other three are printed with 31 characters and will not match a full digest until a complete value is obtained):

- 4bf725e68c1efa0d9a811b531939f4d4
- e13bb8c6db457799080e2f3d7af9c60
- dc7da921207c46664386a1cbbe3e42b
- cbcddedffde38d8dfac57b0e72bd718
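The identify-then-hash check described above, as an added example that is not part of the original advisory. It copies the four hash values exactly as printed on this page, flags the ones that are too short to be a full MD5 digest, identifies candidate files by content rather than by extension (this example assumes SolidWorks part files begin with the OLE2 compound-document header D0 CF 11 E0 A1 B1 1A E1; the page itself does not state the file layout), and runs against two constructed sample files written into a temporary directory, so it works offline and touches no real part files.

```python
"""Added example (not the advisory's own code): identify .sldprt candidates by
content and compare their MD5 digest against the hash list printed on the page."""
import hashlib
import os
import tempfile

# The four values exactly as printed on this page. Only the first is a full
# 32-character MD5 digest; the other three are 31 characters long and can
# therefore never equal a real digest. They are kept verbatim, not "repaired".
KNOWN_BAD_MD5 = {
    "4bf725e68c1efa0d9a811b531939f4d4",
    "e13bb8c6db457799080e2f3d7af9c60",
    "dc7da921207c46664386a1cbbe3e42b",
    "cbcddedffde38d8dfac57b0e72bd718",
}

# OLE2 / Compound File Binary header. Assumption of this example: SolidWorks
# part files start with it, so it serves as the "identify the .sldprt" step.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def incomplete_hashes(known_bad=KNOWN_BAD_MD5):
    """Return the listed values that are not 32 hex characters (sorted)."""
    return sorted(h for h in known_bad if len(h) != 32)


def md5_of_file(path, chunk_size=1 << 16):
    """Stream the file through MD5 so large part files do not load into RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def looks_like_sldprt(path):
    """Content check: read the first 8 bytes and compare with the OLE2 header."""
    with open(path, "rb") as fh:
        return fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC


def classify(path, known_bad=KNOWN_BAD_MD5):
    """Verdict for one file: 'not-sldprt', 'known-bad' or 'unknown'."""
    if not looks_like_sldprt(path):
        return "not-sldprt"
    return "known-bad" if md5_of_file(path) in known_bad else "unknown"


def scan_directory(root, known_bad=KNOWN_BAD_MD5):
    """Walk a tree and classify every regular file; returns {path: verdict}."""
    verdicts = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                verdicts[path] = classify(path, known_bad)
    return verdicts


def write_constructed_samples(directory):
    """Write two constructed files (not real SolidWorks parts) and return paths:
    one that carries the OLE2 header, one that is plain text despite its name."""
    ole_path = os.path.join(directory, "bracket.sldprt")
    txt_path = os.path.join(directory, "notes.sldprt")
    with open(ole_path, "wb") as fh:
        fh.write(OLE2_MAGIC + b"\x00" * 504)  # header plus zero padding only
    with open(txt_path, "wb") as fh:
        fh.write(b"this is not a compound document\n")
    return ole_path, txt_path


def demo():
    """Scan the constructed samples; returns {label: verdict} for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        ole_path, _txt_path = write_constructed_samples(tmp)
        verdicts = {os.path.basename(p): v for p, v in scan_directory(tmp).items()}
        # Simulate a hit: list the constructed file's own digest as known-bad.
        verdicts["bracket.sldprt (own digest listed)"] = classify(
            ole_path, {md5_of_file(ole_path)}
        )
        return verdicts


if __name__ == "__main__":
    print("short hash values that can never match:", incomplete_hashes())
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

The extension is deliberately ignored when deciding whether a file is a candidate: a renamed text file is reported as not-sldprt, and a file with the compound-document header is hashed whatever its name. Replace the constructed samples with a real directory of part files by calling scan_directory on it.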

SolidWorks Remote Code Execution Vulnerability

According to the security firm InGuardians, a vulnerability was found in SolidWorks that allows untrusted sources to deliver malicious files in various ways, for example by sending them via email, posting them on social media, or dropping them onto a system through the web browser, as described above.

SolidWorks Analysis

SolidWorks analyzed the vulnerability and has released a security update for it.
At the time of writing, there are no known exploits in the wild for this vulnerability.

How to prevent SolidWorks files from becoming Remote Code Execution vectors?

First, always close the part file when you are finished with it.
Second, to prevent a malicious .sldprt file from being opened, SolidWorks users should disable the Open and Save dialog box.
Third, it is not recommended to save your work on the same computer on which you are working on a .docx or .pdf file; instead, open a different document from the one you just edited and save it to a new location.

Timeline

Published on: 10/11/2022 21:15:00 UTC
Last modified on: 10/12/2022 20:01:00 UTC

References