Bug: Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities ( Ascii Version )

Search:
WLB2

Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities

Published
Credit
Risk
2011.10.02
Gjoko 'LiquidWorm' Krstic
High
CWE
CVE
Local
Remote
CWE-119
CVE-2011-2443
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
9.3/10
10/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Complete
Complete
Complete



Title:

------

Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities






Vendor:

-------

Adobe Systems Inc. (http://www.adobe.com)





Product web page:

-----------------

http://www.adobe.com/products/photoshop-elements.html





Affected version:

-----------------

8.0 and 7.0 (20080916r.508356)





Summary:

--------

Adobe Photoshop Elements - the No.1 consumer photo editing software that

helps you turn everyday memories into sensational photos you'll cherish

forever. Easily edit photos and make photo creations using automated

options, share photos with your social network, and view photos virtually

anywhere you are.





Description:

------------

Photoshop Elements 8 suffers from a buffer overflow vulnerability when

dealing with .ABR (brushes) and .GRD (gradients) format files. The

application fails to sanitize the user input resulting in a memory

corruption, overwriting several memory registers which can aid the

atacker to gain the power of executing arbitrary code on the affected

system or denial of service scenario.





WinDBG output:

--------------------------------------------------------------------

.abr:

-----

(cd8.d98): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=0de318d0 ebx=41414141 ecx=06260000 edx=00004141 esi=0de318c8 edi=41414141

eip=7c919064 esp=0012d784 ebp=0012d9a0 iopl=0 nv up ei ng nz na pe cy

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210287

ntdll!RtlDosSearchPath_Ustr+0x473:

7c919064 8b0b mov ecx,dword ptr [ebx] ds:0023:41414141=????????



.grd:

-----

(d1c.404): Access violation - code c0000005 (first chance)

First chance exceptions are reported before any exception handling.

This exception may be expected and handled.

eax=7efefefe ebx=00414141 ecx=00104d35 edx=41414141 esi=0f0e0c90 edi=0de5d000

eip=781807f5 esp=0012d9e8 ebp=033052a0 iopl=0 nv up ei pl zr na pe nc

cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246



--------------------------------------------------------------------





Tested on:

----------

Microsoft Windows XP Professional Service Pack 3 (English)





Vulnerability discovered by:

----------------------------

Gjoko 'LiquidWorm' Krstic

Zero Science Lab (http://www.zeroscience.mk)

liquidworm gmail com





Vendor status:

--------------

[22.09.2009] Vulnerabilities discovered.

[09.03.2010] Sent detailed info to the vendor with PoC files.

[09.03.2010] Vendor responds with assigned tracking numbers of the issues.

[21.03.2010] Asked vendor for confirmation.

[21.03.2010] Vendor replies confirming the vulnerabilities.

[03.06.2011] Asked vendor for scheduled patch release date.

[05.06.2011] Vendor replies with a scheduled timeframe.

[02.09.2011] Asked vendor for an exact patch release date.

[03.09.2011] Vendor replies.

[09.09.2011] Asked vendor for assigned advisory ID.

[10.09.2011] Vendor tags their Adobe Advisory ID: APSA11-03.

[01.10.2011] Coordinated public security advisory released.





Advisory details:

-----------------

Advisory ID: ZSL-2011-5049

Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5049.php



Adobe Advisory ID: APSA11-03

Adobe Advisory URL: http://www.adobe.com/support/security/advisories/apsa11-03.html

Adobe PSIRT ID: 447,448



CVE ID: CVE-2011-2443

CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2443



CWE ID: CWE-120

CWE URL: http://cwe.mitre.org/data/definitions/120.html



REF #1: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php

REF #2: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php





Proof Of Concept:

-----------------

http://www.zeroscience.mk/codes/brush_gradiently.rar (11071 bytes)



References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5049.php
http://www.exploit-db.com/exploits/17918/
http://www.adobe.com/support/security/advisories/apsa11-03.html

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version