Adobe Photoshop CS4 Extended 11.0 GRD File Handling Remote Buffer Overflow PoC

Title: Adobe Photoshop CS4 Extended 11.0 GRD File Handling Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4939
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2010
Summary
The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.
Description
Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when dealing with .GRD (gradients) format file. The application failz to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code or denial of service.

--------------------------------------------------------------------------------

(718.cd4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=00414141 ecx=000dbb7f edx=41414141 esi=12fb5368 edi=0b050000
eip=781807f5 esp=0012de64 ebp=05620e10 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSVCR80!strncpy+0xa5:
781807f5 8917 mov dword ptr [edi],edx ds:0023:0b050000=????????
0:000> g
(718.af8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffffff ebx=00252178 ecx=41414141 edx=781c3bf8 esi=0afd2420 edi=7c80980a
eip=7c809813 esp=12b8fe04 ebp=12b8fe4c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
kernel32!InterlockedDecrement+0x9:
7c809813 f00fc101 lock xadd dword ptr [ecx],eax ds:0023:41414141=????????

--------------------------------------------------------------------------------

Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
CS4 Extended 11.0.0.0
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[08.08.2009] Vendor notified.
[10.08.2009] Vendor replied.
[14.08.2009] Asked vendor for confirmation.
[14.08.2009] Vendor confirms vulnerability.
[18.05.2010] Vendor reveals patch release date.
[26.05.2010] Coordinated public disclosure.
PoC
psgradient_bof.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Wendy and David
References
[1] http://www.adobe.com/support/security/bulletins/apsb10-13.html
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1296
[3] http://www.exploit-db.com/exploits/12752
[4] http://www.packetstormsecurity.org/filedesc/psgradient-overflow.txt.html
[5] http://securityreason.com/exploitalert/8292
[6] http://www.securityfocus.com/bid/40389
[7] http://secunia.com/advisories/39934
[8] http://www.vupen.com/english/advisories/2010/1252
[9] http://www.securelist.com/en/advisories/39934
[10] http://securitytracker.com/alerts/2010/May/1024042.html
[11] http://www.infosecurity-us.com/view/9762/adobe-update-addresses-photoshop-bugs/
[12] http://www.securitylab.ru/vulnerability/394298.php
[13] http://www.itpro.co.uk/623791/adobe-patches-critical-photoshop-cs4-vulnerability
[14] http://www.nsfocus.net/vulndb/15112
[15] http://www.hackbase.com/tech/2010-05-28/60402.html
[16] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1296
[17] http://www.security-database.com/detail.php?alert=CVE-2010-1296
[18] http://xforce.iss.net/xforce/xfdb/58888
[19] http://www.juniper.net/security/auto/vulnerabilities/vuln40389.html
[20] https://www.cert.be/pro/advisory/adobe-photoshop-cs4-multiple-vulnerabilities
[21] http://www.net-security.org/secworld.php?id=9350
[22] http://www.sophos.com/blogs/gc/g/2010/06/01/users-urged-update-photoshop-cs4-vulnerabilities
[23] http://osvdb.org/show/osvdb/65082
Changelog
[26.05.2010] - Initial release
[27.05.2010] - Added reference [4], [5], [6], [7], [8] and [9]
[28.05.2010] - Added reference [10], [11] and [12]
[29.05.2010] - Added reference [13], [14], [15], [16], [17] and [18]
[30.05.2010] - Added reference [19]
[04.06.2010] - Added reference [20], [21], [22] and [23]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk