← Advisories

Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities

High
Advisory ID
ZSL-2011-5049
Release Date
01 October 2011
Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
8.0 and 7.0 (20080916r.508356)
CVE
CVE-2011-2443
Tested On
Microsoft Windows XP Professional Service Pack 3 (English)
Summary

Adobe Photoshop Elements - the No.1 consumer photo editing software that helps you turn everyday memories into sensational photos you'll cherish forever. Easily edit photos and make photo creations using automated options, share photos with your social network, and view photos virtually anywhere you are.

Description

Photoshop Elements 8 suffers from a buffer overflow vulnerability when dealing with .ABR (brushes) and .GRD (gradients) format files. The application fails to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code on the affected system or denial of service scenario.

.abr: ----- (cd8.d98): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0de318d0 ebx=41414141 ecx=06260000 edx=00004141 esi=0de318c8 edi=41414141 eip=7c919064 esp=0012d784 ebp=0012d9a0 iopl=0 nv up ei ng nz na pe cy cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210287 ntdll!RtlDosSearchPath_Ustr+0x473: 7c919064 8b0b mov ecx,dword ptr [ebx] ds:0023:41414141=???????? .grd: ----- (d1c.404): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=7efefefe ebx=00414141 ecx=00104d35 edx=41414141 esi=0f0e0c90 edi=0de5d000 eip=781807f5 esp=0012d9e8 ebp=033052a0 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
Proof of Concept
pselements_bof.txtTXT
brush_gradiently.rarRAR
Disclosure Timeline
22.09.2009Vulnerabilities discovered.
09.03.2010Sent detailed info to the vendor with PoC files.
09.03.2010Vendor responds with assigned tracking numbers of the issues.
21.03.2010Asked vendor for confirmation.
21.03.2010Vendor replies confirming the vulnerabilities.
03.06.2011Asked vendor for scheduled patch release date.
05.06.2011Vendor replies with a scheduled timeframe.
02.09.2011Asked vendor for an exact patch release date.
03.09.2011Vendor replies.
09.09.2011Asked vendor for assigned advisory ID.
10.09.2011Vendor tags their Adobe Advisory ID: APSA11-03.
01.10.2011Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
[1]http://www.adobe.com/support/security/advisories/apsa11-03.html
[2]http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2443
[3]https://www.zeroscience.mk/#/advisories/ZSL-2010-4939
[4]https://www.zeroscience.mk/#/advisories/ZSL-2010-4940
[5]http://securityreason.com/wlb_show/WLB-2011100016
[6]http://www.exploit-db.com/exploits/17918/
[7]http://packetstormsecurity.org/files/105482
[8]http://www.securityfocus.com/bid/49905
[9]http://isc.sans.edu/diary.html?storyid=11707
[10]http://www.auscert.org.au/render.html?it=14912
[11]https://www.hkcert.org/my_url/en/alert/11100302
[12]http://secunia.com/advisories/46277
[13]http://securityreason.com/exploitalert/10896
[14]http://www.securelist.com/en/advisories/46277
[15]http://securitytracker.com/id/1026132
[16]http://www.net-security.org/secworld.php?id=11726
[17]http://www.h-online.com/security/news/item/Adobe-warns-of-critcial-vulnerabilities-in-Photoshop-Elements-1353677.html
[18]http://www.hispasec.com/unaaldia/4726
[19]http://noticias.seguridadpc.net/?p=5408
[20]http://www.csirtcv.gva.es/es/alertas/dos-vulnerabilidades-en-adobe-photoshop-elements.html
[21]http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2443
[22]http://osvdb.org/show/osvdb/76001
[23]http://osvdb.org/show/osvdb/76002
[24]http://securityreason.com/securityalert/8410
[25]https://www.cert.be/pro/node/9302
Changelog
01.10.2011Initial release
02.10.2011Added reference [5] and [6]
03.10.2011Added reference [7], [8], [9], [10], [11] and [12]
04.10.2011Added reference [13], [14], [15], [16], [17], [18], [19] and [20]
05.10.2011Added reference [21], [22] and [23]
08.10.2011Added reference [24] and [25]