Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

High
Advisory ID
ZSL-2010-4941
Release Date
04 June 2010
Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
CS3 10.0
Tested On
Microsoft Windows XP Professional SP3 (English)
Summary

Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.

Description

When an .indd file is parsed by the application, it crashes instantly, overwriting CPU registers. Depending on the offset, EBP, EDI, EDX and ESI get overwritten. Potential impact is arbitrary code execution and denial of service.

Proof of Concept
Disclosure Timeline
16.09.2009 - Vulnerability discovered.
09.03.2010 - Vulnerability reported to vendor, with PoC files sent.
21.03.2010 - Asked the vendor for confirmation.
21.03.2010 - Vendor asked for PoC files due to communication errors.
22.03.2010 - Re-sent PoC files to vendor.
04.04.2010 - Vendor confirms vulnerability.
03.06.2010 - Vendor informs that they discontinued support for CS3 since CS5 is out.
04.06.2010 - Public advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
High five to Wendy and David
References
Changelog
04.06.2010 - Initial release
05.06.2010 - Added reference [3], [4], [5], [6] and [7]
06.06.2010 - Added reference [8], [9] and [10]
07.06.2010 - Added reference [11]
11.06.2010 - Added reference [12]
14.06.2010 - Added reference [13]
25.10.2021 - Added reference [14] and [15]