CVE-2013-3664

Trimble SketchUp < 2013 (13.0.3689) - Remote Code Execution via MAC Pict Texture Color Palette Table

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 2 public exploits for CVE-2013-3664. PoCs published by defrancescojp.

AI-analyzed exploit summary This PoC exploits a stack-based buffer overflow in Trimble SketchUp (CVE-2013-3664) by crafting a malicious MAC Pict file with an oversized color palette, leading to arbitrary code execution. The exploit leverages a boundary error in the palette parsing logic to corrupt stack memory.

Description

Trimble SketchUp (formerly Google SketchUp) before 2013 (13.0.3689) allows remote attackers to execute arbitrary code via a crafted color palette table in a MAC Pict texture, which triggers an out-of-bounds stack write. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-3662. NOTE: this issue was SPLIT due to different affected products and codebases (ADT1); CVE-2013-7388 has been assigned to the paintlib issue.

Exploits (2)

nomisec WORKING POC
by defrancescojp · poc
https://github.com/defrancescojp/CVE-2013-3664_MAC

This PoC exploits a stack-based buffer overflow in Trimble SketchUp (CVE-2013-3664) by crafting a malicious MAC Pict file with an oversized color palette, leading to arbitrary code execution. The exploit leverages a boundary error in the palette parsing logic to corrupt stack memory.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Trimble SketchUp (versions prior to the 2013-05-21 patch)
No auth needed
Prerequisites: Victim must open a malicious .skp file containing the crafted MAC Pict payload
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by defrancescojp · poc
https://github.com/defrancescojp/CVE-2013-3664_BMP

This is a working proof-of-concept exploit for CVE-2013-3664, targeting a heap overflow vulnerability in Trimble SketchUp's BMP RLE4 image parsing. The exploit constructs a malicious BMP file to trigger the overflow and includes a return address for potential code execution.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Trimble SketchUp (versions prior to the 2013-05-21 patch)
No auth needed
Prerequisites: Victim must open the malicious BMP file in a vulnerable version of SketchUp
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (6)

Core 6
Core References
Exploit mailing-list x_refsource_bugtraq
http://archives.neohapsis.com/archives/bugtraq/2013-06/0008.html
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/84723
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/60248
Third Party Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/53635

Scores

EPSS 0.2978
EPSS Percentile 98.0%

Details

CWE
CWE-119
Status published
Products (5)
google/sketchup 6.0 maintenance_6
google/sketchup 7.0 maintenance_1
google/sketchup 7.1 (3 CPE variants)
google/sketchup 8.0 (5 CPE variants)
trimble/sketchup < 8.0
Published Jul 01, 2014
Tracked Since Feb 18, 2026