Adobe Photoshop CS4 Extended 11.0 ASL File Handling Remote Buffer Overflow PoC

2010-05-26T00:00:00
ID ZSL-2010-4938
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-05-26T00:00:00

Description

Title: Adobe Photoshop CS4 Extended 11.0 ASL File Handling Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4938
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2010

Summary

The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.

Description

Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when handling .ASL (styles) format files. The application fails to sanitize the user input, resulting in memory corruption that overwrites several registers, which can aid an attacker in executing arbitrary code or causing a denial of service.

--------------------------------------------------------------------------------

(a34.688): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=00004141 ecx=0000015d edx=41414141 esi=107edea0 edi=107f2000
eip=781807f5 esp=0012dd60 ebp=05620e10 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSVCR80!strncpy+0xa5:
781807f5 8917            mov     dword ptr [edi],edx  ds:0023:107f2000=????????
--------------------------------------------------------------------------------
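As a crash-triage aid for defenders, and as an added example that is not part of the advisory or its psstyle_bof.c PoC: the helper below parses the WinDbg record above (embedded as a constructed sample) and reports the exception code, the faulting symbol, whether the faulting instruction writes memory to an unmapped page, and which registers hold repeated filler bytes, the sign that file contents reached them. The filler_width heuristic is an assumption of this example, not a WinDbg feature.

```python
import re

# Constructed sample: the WinDbg exception record quoted in the advisory,
# embedded inline so the triage helper runs offline.
CRASH_DUMP = """\
(a34.688): Access violation - code c0000005 (first chance)
eax=7efefefe ebx=00004141 ecx=0000015d edx=41414141 esi=107edea0 edi=107f2000
eip=781807f5 esp=0012dd60 ebp=05620e10 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
MSVCR80!strncpy+0xa5:
781807f5 8917            mov     dword ptr [edi],edx  ds:0023:107f2000=????????
"""

CODE_RE = re.compile(r"code ([0-9a-f]{8}) \((first|second) chance\)")
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})\b")
SYM_RE = re.compile(r"^(\w+!\w+)\+0x[0-9a-f]+:$", re.MULTILINE)
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.+?)\s+"
                     r"ds:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$", re.MULTILINE)


def filler_width(value):
    """Low bytes of a 32-bit value that repeat one non-zero byte with only
    zeros above: 0x41414141 -> 4, 0x00004141 -> 2, 0x7efefefe -> 0."""
    b = value.to_bytes(4, "big")
    n = 0
    while n < 4 and b[3] and b[3 - n] == b[3]:
        n += 1
    return n if all(x == 0 for x in b[:4 - n]) else 0


def triage(dump):
    """Summarise an access-violation record: exception code, faulting symbol,
    the faulting memory access, and registers whose contents look input-derived."""
    regs = {name: int(val, 16) for name, val in REG_RE.findall(dump)}
    code, sym, insn = CODE_RE.search(dump), SYM_RE.search(dump), INSN_RE.search(dump)
    report = {
        "exception_code": code.group(1) if code else None,
        "symbol": sym.group(1) if sym else None,
        "eip": regs.get("eip"),
        # registers holding at least two bytes of one repeated value
        "tainted": {r: filler_width(v) for r, v in regs.items()
                    if filler_width(v) >= 2},
    }
    if insn:
        mnemonic, operands, addr, mem = insn.groups()
        # for mov-family instructions a memory operand on the left is a write
        is_write = mnemonic.startswith("mov") and operands.split(",")[0].endswith("]")
        report["fault"] = {"kind": "write" if is_write else "read",
                           "address": int(addr, 16), "unmapped": mem == "????????"}
    return report
```

On the advisory's record this flags edx (four filler bytes) and ebx (two), a write through edi at the boundary of an unmapped page inside MSVCR80!strncpy, which is the classic shape of an unbounded copy of file data into a fixed buffer.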

Vendor

Adobe Systems Incorporated - <http://www.adobe.com>

Affected Version

CS4 Extended 11.0.0.0

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[08.08.2009] Vendor notified.
[10.08.2009] Vendor replied.
[14.08.2009] Asked vendor for confirmation.
[14.08.2009] Vendor confirms vulnerability.
[18.05.2010] Vendor reveals patch release date.
[26.05.2010] Coordinated public disclosure.

PoC

psstyle_bof.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Wendy and David

References

[1] <http://www.adobe.com/support/security/bulletins/apsb10-13.html>
[2] <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1296>
[3] <http://www.exploit-db.com/exploits/12753>
[4] <http://www.packetstormsecurity.org/filedesc/psstyle-overflow.txt.html>
[5] <http://securityreason.com/exploitalert/8293>
[6] <http://www.securityfocus.com/bid/40389>
[7] <http://secunia.com/advisories/39934>
[8] <http://www.vupen.com/english/advisories/2010/1252>
[9] <http://www.securelist.com/en/advisories/39934>
[10] <http://securitytracker.com/alerts/2010/May/1024042.html>
[11] <http://www.infosecurity-us.com/view/9762/adobe-update-addresses-photoshop-bugs/>
[12] <http://www.securitylab.ru/vulnerability/394298.php>
[13] <http://www.itpro.co.uk/623791/adobe-patches-critical-photoshop-cs4-vulnerability>
[14] <http://www.nsfocus.net/vulndb/15112>
[15] <http://www.hackbase.com/tech/2010-05-28/60402.html>
[16] <http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1296>
[17] <http://www.security-database.com/detail.php?alert=CVE-2010-1296>
[18] <http://xforce.iss.net/xforce/xfdb/58888>
[19] <http://www.juniper.net/security/auto/vulnerabilities/vuln40389.html>
[20] <https://www.cert.be/pro/advisory/adobe-photoshop-cs4-multiple-vulnerabilities>
[21] <http://www.net-security.org/secworld.php?id=9350>
[22] <http://www.sophos.com/blogs/gc/g/2010/06/01/users-urged-update-photoshop-cs4-vulnerabilities>
[23] <http://osvdb.org/show/osvdb/65082>

Changelog

[26.05.2010] - Initial release
[27.05.2010] - Added reference [4], [5], [6], [7], [8] and [9]
[28.05.2010] - Added reference [10], [11] and [12]
[29.05.2010] - Added reference [13], [14], [15], [16], [17] and [18]
[30.05.2010] - Added reference [19]
[04.06.2010] - Added reference [20], [21], [22] and [23]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
