← Advisories

Adobe Photoshop CS4 Extended 11.0 ABR File Handling Remote Buffer Overflow PoC

High
Advisory ID
ZSL-2010-4940
Release Date
26 May 2010
Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
CS4 Extended 11.0.0.0
CVE
CVE-2010-1296
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.

Description

Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when dealing with .ABR (brushes) format file. The application failz to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code or denial of service.

(990.bc0): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=41414141 ebx=0012da50 ecx=00000065 edx=0000001c esi=0000001c edi=41414141 eip=0102af70 esp=0012d544 ebp=05640f74 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206 *** Defaulted to export symbols for C:\Program Files\Adobe\Adobe Photoshop CS4\Photoshop.exe - Photoshop!AIF::float4::size+0x16b480: 0102af70 3930 cmp dword ptr [eax],esi ds:0023:41414141=????????
Proof of Concept
psbrush_bof.plTXT
Disclosure Timeline
08.08.2009Vendor notified.
10.08.2009Vendor replied.
14.08.2009Asked vendor for confirmation.
14.08.2009Vendor confirms vulnerability.
18.05.2010Vendor reveals patch release date.
26.05.2010Coordinated public disclosure.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Wendy and David
References
[1]http://www.adobe.com/support/security/bulletins/apsb10-13.html
[2]http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1296
[3]http://www.exploit-db.com/exploits/12751
[4]http://www.packetstormsecurity.org/filedesc/psbrush-overflow.txt.html
[5]http://securityreason.com/exploitalert/8291
[6]http://www.securityfocus.com/bid/40389
[7]http://secunia.com/advisories/39934
[8]http://www.vupen.com/english/advisories/2010/1252
[9]http://www.securelist.com/en/advisories/39934
[10]http://securitytracker.com/alerts/2010/May/1024042.html
[11]http://www.infosecurity-us.com/view/9762/adobe-update-addresses-photoshop-bugs/
[12]http://www.securitylab.ru/vulnerability/394298.php
[13]http://www.itpro.co.uk/623791/adobe-patches-critical-photoshop-cs4-vulnerability
[14]http://www.nsfocus.net/vulndb/15112
[15]http://www.hackbase.com/tech/2010-05-28/60402.html
[16]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1296
[17]http://www.security-database.com/detail.php?alert=CVE-2010-1296
[18]http://xforce.iss.net/xforce/xfdb/58888
[19]http://www.juniper.net/security/auto/vulnerabilities/vuln40389.html
[20]https://mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=237
[21]https://www.cert.be/pro/advisory/adobe-photoshop-cs4-multiple-vulnerabilities
[22]http://www.net-security.org/secworld.php?id=9350
[23]http://www.sophos.com/blogs/gc/g/2010/06/01/users-urged-update-photoshop-cs4-vulnerabilities
[24]http://osvdb.org/show/osvdb/65082
Changelog
26.05.2010Initial release
27.05.2010Added reference [4], [5], [6], [7], [8] and [9]
28.05.2010Added reference [10], [11] and [12]
29.05.2010Added reference [13], [14], [15], [16], [17] and [18]
30.05.2010Added reference [19]
31.05.2010Added reference [20]
04.06.2010Added reference [21], [22], [23] and [24]