Adobe Photoshop CS4 Extended 11.0 ABR File Handling Remote Buffer Overflow PoC

Title: Adobe Photoshop CS4 Extended 11.0 ABR File Handling Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4940
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2010
Summary
The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.
Description
Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when handling .ABR (brushes) format files. The application fails to sanitize the user input, resulting in memory corruption that overwrites several registers, which can help an attacker execute arbitrary code or cause a denial of service.

--------------------------------------------------------------------------------

(990.bc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=0012da50 ecx=00000065 edx=0000001c esi=0000001c edi=41414141
eip=0102af70 esp=0012d544 ebp=05640f74 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** Defaulted to export symbols for C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe -
Photoshop!AIF::float4::size+0x16b480:
0102af70 3930 cmp dword ptr [eax],esi ds:0023:41414141=????????

--------------------------------------------------------------------------------
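A triage helper for the crash output above, added here as an example and not part of the advisory or its PoC: it parses the register dump, flags registers holding a repeated filler byte, and checks whether the faulting instruction dereferences one of them. The function names and the "four identical printable bytes" heuristic are assumptions of this example.

```python
import re

# Excerpt of the debugger output shown in the advisory above.
CRASH_LOG = """\
(990.bc0): Access violation - code c0000005 (first chance)
eax=41414141 ebx=0012da50 ecx=00000065 edx=0000001c esi=0000001c edi=41414141
eip=0102af70 esp=0012d544 ebp=05640f74 iopl=0 nv up ei pl nz na pe nc
Photoshop!AIF::float4::size+0x16b480:
0102af70 3930 cmp dword ptr [eax],esi ds:0023:41414141=????????
"""

REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[sb]p|eip)=([0-9a-fA-F]{8})\b")
# Disassembly line: address, opcode bytes, then the instruction text.
FAULT_RE = re.compile(r"^[0-9a-fA-F]{8}\s+[0-9a-fA-F]+\s+(.*)$", re.M)


def parse_registers(log):
    """Return {register: value} from a 32-bit WinDbg register dump."""
    return {name: int(value, 16) for name, value in REG_RE.findall(log)}


def is_filler(value):
    """Heuristic (assumption): four identical printable bytes, e.g. 0x41414141."""
    raw = value.to_bytes(4, "big")
    return len(set(raw)) == 1 and 0x20 <= raw[0] <= 0x7E


def triage(log):
    """Classify a crash by where file-derived filler values ended up."""
    regs = parse_registers(log)
    tainted = sorted(r for r, v in regs.items() if is_filler(v))
    fault = FAULT_RE.search(log)
    instr = fault.group(1) if fault else ""
    # Registers used inside a memory operand, e.g. "[eax]" or "[ebx+ecx*4]".
    operands = re.findall(r"\[([^\]]+)\]", instr)
    deref = sorted({r for op in operands for r in re.findall(r"e[a-z]{2}", op)})
    tainted_deref = [r for r in deref if r in tainted]
    if "eip" in tainted:
        verdict = "instruction pointer holds input data"
    elif tainted_deref:
        verdict = "faulting instruction dereferences input data"
    elif tainted:
        verdict = "input data in registers, not used at fault site"
    else:
        verdict = "no filler pattern in registers"
    return {"tainted": tainted, "deref": tainted_deref, "verdict": verdict}


if __name__ == "__main__":
    print(triage(CRASH_LOG))
```

For the dump above this reports eax and edi as holding filler bytes and the faulting `cmp` as reading through eax, which matches the access violation at 41414141.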

Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
CS4 Extended 11.0.0.0
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[08.08.2009] Vendor notified.
[10.08.2009] Vendor replied.
[14.08.2009] Asked vendor for confirmation.
[14.08.2009] Vendor confirms vulnerability.
[18.05.2010] Vendor reveals patch release date.
[26.05.2010] Coordinated public disclosure.
PoC
psbrush_bof.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Wendy and David
References
[1] http://www.adobe.com/support/security/bulletins/apsb10-13.html
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1296
[3] http://www.exploit-db.com/exploits/12751
[4] http://www.packetstormsecurity.org/filedesc/psbrush-overflow.txt.html
[5] http://securityreason.com/exploitalert/8291
[6] http://www.securityfocus.com/bid/40389
[7] http://secunia.com/advisories/39934
[8] http://www.vupen.com/english/advisories/2010/1252
[9] http://www.securelist.com/en/advisories/39934
[10] http://securitytracker.com/alerts/2010/May/1024042.html
[11] http://www.infosecurity-us.com/view/9762/adobe-update-addresses-photoshop-bugs/
[12] http://www.securitylab.ru/vulnerability/394298.php
[13] http://www.itpro.co.uk/623791/adobe-patches-critical-photoshop-cs4-vulnerability
[14] http://www.nsfocus.net/vulndb/15112
[15] http://www.hackbase.com/tech/2010-05-28/60402.html
[16] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1296
[17] http://www.security-database.com/detail.php?alert=CVE-2010-1296
[18] http://xforce.iss.net/xforce/xfdb/58888
[19] http://www.juniper.net/security/auto/vulnerabilities/vuln40389.html
[20] https://mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=237
[21] https://www.cert.be/pro/advisory/adobe-photoshop-cs4-multiple-vulnerabilities
[22] http://www.net-security.org/secworld.php?id=9350
[23] http://www.sophos.com/blogs/gc/g/2010/06/01/users-urged-update-photoshop-cs4-vulnerabilities
[24] http://osvdb.org/show/osvdb/65082
Changelog
[26.05.2010] - Initial release
[27.05.2010] - Added reference [4], [5], [6], [7], [8] and [9]
[28.05.2010] - Added reference [10], [11] and [12]
[29.05.2010] - Added reference [13], [14], [15], [16], [17] and [18]
[30.05.2010] - Added reference [19]
[31.05.2010] - Added reference [20]
[04.06.2010] - Added reference [21], [22], [23] and [24]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk