Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability

Title: Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4941
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2010
Summary
Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.
Description
When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Potential vulnerability use is arbitrary code execution and denial of service.

Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
CS3 10.0
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[16.09.2009] Vulnerability discovered.
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.
PoC
indesign_bof.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Wendy and David
References
[1] http://www.packetstormsecurity.org/filedesc/indesign-overflow.txt.html
[2] http://www.securityfocus.com/bid/40565
[3] http://securityreason.com/exploitalert/8325
[4] http://secunia.com/advisories/40050/
[5] http://www.juniper.net/security/auto/vulnerabilities/vuln40565.html
[6] http://xforce.iss.net/xforce/xfdb/59132
[7] http://www.securelist.com/ru/advisories/40050
[8] http://www.securitylab.ru/poc/394521.php
[9] http://www.vupen.com/english/advisories/2010/1347
[10] http://osvdb.org/show/osvdb/65140
[11] http://www.vfocus.net/art/20100604/7226.html
[12] http://www.exploit-db.com/exploits/13817/
[13] http://net-security.org/vuln.php?id=12889
Changelog
[04.06.2010] - Initial release
[05.06.2010] - Added reference [3], [4], [5], [6] and [7]
[06.06.2010] - Added reference [8], [9] and [10]
[07.06.2010] - Added reference [11]
[11.06.2010] - Added reference [12]
[14.06.2010] - Added reference [13]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk