CVE-2024-11577
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on Luxion KeyShot installations by tricking users into opening malicious SKP files. The flaw exists in SKP file parsing where improper data validation enables out-of-bounds writes. All users of affected KeyShot versions who open untrusted SKP files are at risk.
💻 Affected Systems
- Luxion KeyShot
📦 What is this software?
KeyShot by Luxion
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with attacker gaining full control of the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to installation of malware, data exfiltration, or persistence mechanisms on the compromised system.
If Mitigated
Limited impact with proper application sandboxing and user privilege restrictions, potentially resulting in application crash but no code execution.
🎯 Exploit Status
Exploitation requires user interaction (opening malicious file) but the vulnerability is well-documented and file format parsing bugs are commonly weaponized.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: KeyShot 2024.1 and later
Vendor Advisory: https://download.keyshot.com/cert/ksa-655925/ksa-655925.pdf
Restart Required: Yes
Instructions:
1. Download KeyShot 2024.1 or later from the official Luxion website
2. Run the installer and follow on-screen instructions
3. Restart the system after installation completes
🔧 Temporary Workarounds
Restrict SKP file handling
Configure the system to open SKP files with a different application or in a sandboxed environment
Windows (elevated Command Prompt): assoc .skp=txtfile
macOS: defaults write com.apple.LaunchServices LSHandlers -array-add '{LSHandlerContentTag=skp;LSHandlerContentTagClass=public.filename-extension;LSHandlerRoleAll=com.apple.TextEdit;}'
Application sandboxing
Run KeyShot in a restricted environment using application sandboxing tools
Windows: Use Windows Sandbox or third-party sandboxing software
macOS: Use built-in sandbox-exec or third-party solutions
🧯 If You Can't Patch
- Implement strict file handling policies to prevent opening untrusted SKP files
- Deploy endpoint protection with memory corruption exploit prevention capabilities
🔍 How to Verify
Check if Vulnerable:
Check KeyShot version in Help > About menu. Versions prior to 2024.1 are vulnerable.
Check Version:
Windows: "C:\Program Files\KeyShot\bin\keyshot.exe" --version (if available) or check Help > About in GUI
Verify Fix Applied:
Verify that the version shown in the Help > About menu is 2024.1 or later, and confirm that known test SKP files open without crashing.
📡 Detection & Monitoring
Log Indicators:
- Application crashes with memory access violation errors
- Unusual process creation from KeyShot executable
- Failed file parsing attempts in application logs
Network Indicators:
- Outbound connections from KeyShot process to unknown IPs
- DNS requests for suspicious domains following SKP file opening
SIEM Query:
Process Creation where (Image contains 'keyshot.exe' OR ParentImage contains 'keyshot.exe') AND CommandLine contains suspicious patterns
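An added example (not from Luxion or the original page) of the process-creation check above, in Python: it flags shells and script hosts spawned by keyshot.exe and raises the severity when that KeyShot process was started on an .skp file shortly before. The `ts`, `host` and PID fields, the child-image list and the 300-second window are assumptions, and the events are constructed.

```python
import json

# Assumption: programs a renderer has no reason to launch; tune per environment.
SUSPECT_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                    "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def load(text):
    """Parse one JSON process-creation event per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def triage(events, window=300):
    """Alert on suspect children of keyshot.exe; severity is 'high' when that
    KeyShot process was started on an .skp file at most `window` seconds earlier."""
    skp_opens = {}  # (host, pid) -> (ts, command line) of keyshot.exe started on an .skp
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if image == "keyshot.exe" and ".skp" in ev["CommandLine"].lower():
            skp_opens[(ev["host"], ev["ProcessId"])] = (ev["ts"], ev["CommandLine"])
        elif parent == "keyshot.exe" and image in SUSPECT_CHILDREN:
            opened = skp_opens.get((ev["host"], ev["ParentProcessId"]))
            recent = opened is not None and ev["ts"] - opened[0] <= window
            alerts.append({"host": ev["host"], "ts": ev["ts"], "child": image,
                           "severity": "high" if recent else "medium",
                           "skp_command": opened[1] if recent else None})
    return alerts

# Constructed sample events (not real telemetry). Image, ParentImage and CommandLine
# follow the query above; ts (seconds), host and the PID fields are assumed.
SAMPLE = r'''
{"ts": 100, "host": "ws1", "ProcessId": 4100, "ParentProcessId": 900, "Image": "C:\\Program Files\\KeyShot\\bin\\keyshot.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "keyshot.exe C:\\Users\\a\\Downloads\\model.skp"}
{"ts": 130, "host": "ws1", "ProcessId": 4188, "ParentProcessId": 4100, "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Program Files\\KeyShot\\bin\\keyshot.exe", "CommandLine": "cmd.exe /c whoami"}
{"ts": 150, "host": "ws1", "ProcessId": 4200, "ParentProcessId": 4100, "Image": "C:\\Program Files\\Example\\helper.exe", "ParentImage": "C:\\Program Files\\KeyShot\\bin\\keyshot.exe", "CommandLine": "helper.exe"}
{"ts": 200, "host": "ws2", "ProcessId": 5200, "ParentProcessId": 880, "Image": "C:\\Program Files\\KeyShot\\bin\\keyshot.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "keyshot.exe"}
{"ts": 260, "host": "ws2", "ProcessId": 5300, "ParentProcessId": 5200, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Program Files\\KeyShot\\bin\\keyshot.exe", "CommandLine": "powershell.exe -NoProfile"}
'''

if __name__ == "__main__":
    for alert in triage(load(SAMPLE)):
        print(alert)
```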