Adobe InDesign Server SOAP interface RunScript command execution

2013-02-04T00:00:00
ID SAINT:C5ED068EC4945EAC4FCF39910F2361B4
Type saint
Reporter SAINT Corporation
Modified 2013-02-04T00:00:00

Description

Added: 02/04/2013
BID: 56574
OSVDB: 87548

Background

Adobe InDesign is a desktop publishing application. It includes a server interface that provides a SOAP-based API for software developers.

Problem

The SOAP interface in Adobe InDesign Server allows remote, unauthenticated attackers to run arbitrary commands contained in a RunScript SOAP message.

Resolution

No patches were available at the time of this writing. Disable the Adobe InDesign Server or block access to port 12345/TCP at the firewall.
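One way to confirm the mitigation took effect, shown as an added example that is not part of the SAINT advisory: a TCP connect check that separates hosts still accepting connections on the SOAP port from hosts where the service is off or the traffic is dropped. Port 12345/TCP comes from the advisory; the function names and the sample host are assumptions.

```python
import socket

SOAP_PORT = 12345  # TCP port named in the Resolution section


def soap_port_state(host, port=SOAP_PORT, timeout=3.0):
    """Classify one TCP connect attempt to the SOAP port.

    'open'       handshake completed, the listener is reachable from here
    'closed'     connection refused, nothing is listening (server disabled)
    'filtered'   no answer or unreachable, consistent with a firewall drop
    'unresolved' the host name could not be resolved
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        return "unresolved"
    except OSError:  # includes timeouts and "network unreachable"
        return "filtered"


def audit(hosts, port=SOAP_PORT, timeout=3.0):
    """Return {host: state} for every host in the inventory."""
    return {h: soap_port_state(h, port, timeout) for h in hosts}


def still_exposed(results):
    """Hosts whose SOAP port still accepts connections."""
    return sorted(h for h, state in results.items() if state == "open")


if __name__ == "__main__":
    # Constructed inventory for illustration; replace with your own
    # InDesign Server hosts (assumption: you are authorised to test them).
    inventory = ["127.0.0.1"]
    results = audit(inventory)
    for host, state in sorted(results.items()):
        print(f"{host}:{SOAP_PORT} {state}")
    exposed = still_exposed(results)
    print("still exposed:", ", ".join(exposed) if exposed else "none")
```

Run it from the network segment the firewall rule is meant to keep out, since the result only describes reachability from where the script runs. A "closed" result matches the first option in the resolution (server disabled) and "filtered" matches the second (port blocked at the firewall).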

References

<http://secunia.com/advisories/48572/>

Limitations

Exploit works on Adobe InDesign Server CS6 8.0.0.370 on Windows Server 2008 R2 SP1 (DEP OptOut).

Platforms

Windows