Aleksandar Nikolic of Cisco Talos discovered these vulnerabilities. Blog by Aleksandar Nikolic and Jon Munshaw.

Pixar OpenUSD contains multiple vulnerabilities that attackers could exploit to carry out a variety of malicious actions.

OpenUSD stands for “Open Universal Scene Descriptor.” Pixar uses this software for several types of animation tasks, including swapping arbitrary 3-D scenes that are composed of many different elements. Aimed at professional animation studios, the software is designed for scalability and speed as a pipeline connecting various aspects of the digital animation process. It is mostly expected to process trusted inputs in most use cases. This stands at odds with security considerations.

The USD file format itself is used as an interchange file format inside Apple’s ARKit (Augmented Reality), SceneKit (3-D scene composition) and ModelIO (3-D modeling and animation) frameworks. Apple’s decision to use USD as the basis of its augmented reality platform makes it a potentially interesting attack surface. With the expansion of AR applications on both macOS and iOS platforms, this becomes more important for researchers to look at.

By default, on macOS, both a thumbnail and a preview handler are registered for USD file formats through QuickLook. The default application to open USD files is the Preview application. On iOS, the AR application is the default handler. A USD file can be embedded in a web page or sent in a message and an AR application is opened when the file is clicked.

This software contains several different vulnerabilities, including some bugs that could corrupt memory in a way that an attacker could carry out additional malicious actions on the victim machine. In accordance with our coordinated disclosure policy, Cisco Talos worked with Pixar and Apple to ensure that these issues are resolved and that an update is available for affected customers.

Vulnerability details

Pixar OpenUSD binary file format compressed value reps code execution vulnerabilities (TALOS-2020-1101/CVE-2020-6155)

A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 while parsing compressed value rep arrays in binary USD files. A specially crafted malformed file can trigger a heap overflow, which can result in remote code execution. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

For more information on this vulnerability, read the complete advisory here.

Pixar OpenUSD binary file format token strings information leak vulnerability (TALOS-2020-1103/CVE-2020-13494)

A heap overflow vulnerability exists in the Pixar OpenUSD 20.05 parsing of compressed string tokens in binary USD files. A specially crafted malformed file can trigger a heap overflow which can result in out-of-bounds memory access which could lead to information disclosure. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

For more information on this vulnerability, read the complete advisory here.

Pixar OpenUSD binary file format offset seek information leak vulnerability (TALOS-2020-1104/CVE-2020-13495)

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles file offsets in binary USD files. A specially crafted malformed file can trigger an arbitrary out-of-bounds memory access that could lead to the disclosure of sensitive information. This vulnerability could be used to bypass mitigations and aid additional exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided file.

For more information on this vulnerability, read the complete advisory here.

Pixar OpenUSD binary file format index type values information leak vulnerability (TALOS-2020-1105/CVE-2020-13496 - CVE-2020-13498)

An exploitable vulnerability exists in the way Pixar OpenUSD 20.05 handles parses certain encoded types. A specially crafted malformed file can trigger an arbitrary out of bounds memory access which could lead to information disclosure. This vulnerability could be used to bypass mitigations and aid further exploitation. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

For more information on this vulnerability, read the complete advisory here.

Pixar OpenUSD binary file format decompressed path rebuilding memory corruption (TALOS-2020-1120/CVE-2020-13520)

An out of bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20.05 reconstructs paths from binary USD files. A specially crafted malformed file can trigger an out of bounds memory modification which can result in remote code execution. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

For more information on this vulnerability, read the complete advisory here.

Pixar OpenUSD binary file format specs memory corruption (TALOS-2020-1125/CVE-2020-13524)

An out of bounds memory corruption vulnerability exists in the way Pixar OpenUSD 20.05 reconstructs paths from binary USD files. A specially crafted malformed file can trigger an out of bounds memory modification which can result in remote code execution. To trigger this vulnerability, the victim needs to access an attacker-provided malformed file.

For more information on this vulnerability, read the complete advisory here.

Pixar OpenUSD SDF layer path remote code execution (TALOS-2020-1145/CVE-2020-13531)

A use-after-free vulnerability exists in a way Pixar OpenUSD 20.08 processes reference paths textual USD files. A specially crafted file can trigger the reuse of a freed memory which can result in further memory corruption and arbitrary code execution. To trigger this vulnerability, the victim needs to open an attacker-provided malformed file.

For more information on this vulnerability, read the complete advisory here.

Vulnerability deep dive

USD defines three distinct file types and extensions: “.usdz,” “.usda,” or “.usdc.” Some files can also have the shortened “.usd” extension. USDZ is an uncompressed ZIP archive that can contain USD models or other assets, such as textures:

The above “toy_biplane.usdz” sample file is shown to contain “toy_biplane.usdc,” as well as the accompanying textures in PNG file format.

Both USDA and USDC file formats serve the same purpose but are quite different. “A” in USDA stands for ASCII, as it is a textual representation of the USD model or scene, potentially human readable. USDC, on the other hand, is a binary representation optimized for efficient storage and loading. These two are completely interchangeable and can have a “.usd” extension, in which case, it’s up to the software to determine what file type the file is.

Since its inclusion on macOS and iOS, USD parsers are exposed to potentially untrusted inputs, which was our motivation to take a closer look at these file formats and look for potential vulnerabilities in corresponding software.

We started by analyzing the binary file format which, in short, represents a serialized version of models, scenes or assets otherwise contained in a USD file. At the top level, the file format is very simple. It consists of a header pointing to a table of contents which in turn points to six different sections: tokens, strings, fields, fieldsets, paths and specs. Each of these sections has its own encoding which can be as simple as an array of strings (in the case of tokes) or more complex fields that contain different types of encoded data. When opening a file, all of these are being parsed to reconstruct the model in memory. As can be seen from the vulnerabilities we disclosed, there’s little validation of the data.

As was noted previously, USDC and USDA files are interchangeable and can be converted into one another with no loss of information. There is even a utility in OpenUSD that does this (usdcat), as it is common to use binary file format for previews and text-based format for manual inspection or edits. The textual representation of USD assets is best described in the following example:

This example defines a model of a cube and uses some existing primitives. The textual representation looks like a programming language but is more akin to a markup language. It starts with a header that defines the file type and version (used to distinguish from binary file format) and then proceeds to set various properties whose meaning is defined in other schemas. Following that, we can see a definition of a “prim” or a primitive called “mesh” that in turn contains another, nested, the definition of type Scope, which finally contains a definition of a mesh representing a cube. The cube is then defined as a mesh of faces with a certain number of vertices and so on. This nested structure is typical for USD files. Saved as “cube.usd,” this model can be referenced or imported in other models or scenes or otherwise “composited.” There are a large number of concepts that are expressible in this language which make both its parser and renderer very complex. This makes it an interesting target for grammar-based fuzzing.

Complexities that exist in both these file formats, as well as their expressiveness, can lead to powerful exploitation primitives. The fact that different USD files can reference one another and be packaged into a single file by way of USDZ archive would prove very valuable when bypassing exploitation mitigations present on modern platforms.

Versions tested

Talos tested and confirmed that these vulnerabilities, except for TALOS-2020-1145, affect Pixar OpenUSD, version 20.05 and Apple macOS Catalina, version 10.15.3. TALOS-2020-1145 affects versions 20.08 and 10.15.6, respectively.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules: 54415, 54416, 54467 - 54472, 54488 - 54493, 54922, 54923