Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption

2016.02.09
Credit: Francis Provencher
Risk: Medium
Local: Yes
Remote: No
CVE: CVE-2016-0951
CWE: N/A


CVSS Base Score: 10/10
Impact Subscore: 10/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

##################################################################################### Application: Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption Platforms: Windows Versions: Bridge CC 6.1.1 and earlier versions Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions CVE; 2016-0951 Author: Francis Provencher of COSIG Twitter: @COSIG_ ##################################################################################### 1) Introduction 2) Report Timeline 3) Technical details 4) POC ##################################################################################### =============== 1) Introduction =============== Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X. (https://en.wikipedia.org/wiki/Adobe_Photoshop) ##################################################################################### ============================ 2) Report Timeline ============================ 2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE); 2016-02-09: Adobe release a patch (APSB16-03); 2016-02-09: COSIG release this advisory; ##################################################################################### ============================ 3) Technical details ============================ This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed PNG file with an invalid uint32 Length, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application. ##################################################################################### =========== 4) POC =========== (Theses files must be in the same folder for Bridge CC) http://protekresearchlab.com/exploits/COSIG-2016-08-1.png http://protekresearchlab.com/exploits/COSIG-2016-08-2.png https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39429.zip ###############################################################################

References:

http://protekresearchlab.com/exploits/COSIG-2016-08-1.png
http://protekresearchlab.com/exploits/COSIG-2016-08-2.png


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top