Photoshop CC2014 / Bridge CC 2014 - '.png' Parsing Memory Corruption

#####################################################################################

Application:   Adobe Photoshop CC 2014 & Bridge CC 2014

Platforms:   Windows

Versions:   The vulnerability is confirmed in version Photoshop CC 2014 and Bridge CC 2014.

Secunia:

{PRL}:   2015-08

Author:   Francis Provencher (Protek Research Lab’s)

Website:   http://www.protekresearchlab.com/

Twitter:   @ProtekResearch

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.

Photoshop was created in 1988 by Thomas and John Knoll. Since then, it has become the de facto industry standard in raster graphics editing, such that the word “photoshop” has become a verb as in “to photoshop an image,” “photoshopping,” and “photoshop contest,” etc. It can edit and compose raster images in multiple layers and supports masks, alpha compositing and several colour models including RGB,CMYK, Lab colour space (with capital L), spot colour and duotone. Photoshop has vast support for graphic file formats but also uses its own PSD and PSB file formats which support all the aforementioned features. In addition to raster graphics, it has limited abilities to edit or render text, vector graphics (especially through clipping path), 3D graphics and video. Photoshop’s featureset can be expanded by Photoshop plug-ins, programs developed and distributed independently of Photoshop that can run inside it and offer new or enhanced features.

(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================

2015-03-15: Francis Provencher from Protek Research Lab’s found the issue;
2015-03-19: Francis Provencher From Protek Research Lab’s report vulnerability to PSIRT;
2015-05-16: Adobe release a patch (APSB15-12)

#####################################################################################

============================
3) Technical details
============================

An error in the the PNG parser, could lead to a memory corruption when processing a crafted PNG image with an oversize value in the “Length” into the “CHUNK” Structure.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code, but requires

tricking a user into opening or previewing a malicious file.

#####################################################################################

===========

4) POC

===========

http://protekresearchlab.com/exploits/PRL-2015-08.png
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/37348.png

###############################################################################