Adobe Photoshop CS4 Extended 11.0 ASL File Handling Remote Buffer Overflow PoC

Title: Adobe Photoshop CS4 Extended 11.0 ASL File Handling Remote Buffer Overflow PoC
Advisory ID: ZSL-2010-4938
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 26.05.2010
Summary
The Adobe® Photoshop® family of products is the ultimate playground for bringing out the best in your digital images, transforming them into anything you can imagine and showcasing them in extraordinary ways.
Description
Adobe Photoshop CS4 Extended suffers from a buffer overflow vulnerability when dealing with .ASL (styles) format file. The application failz to sanitize the user input resulting in a memory corruption, overwriting several memory registers which can aid the atacker to gain the power of executing arbitrary code or denial of service.

--------------------------------------------------------------------------------

(a34.688): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=00004141 ecx=0000015d edx=41414141 esi=107edea0 edi=107f2000
eip=781807f5 esp=0012dd60 ebp=05620e10 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSVCR80!strncpy+0xa5:
781807f5 8917 mov dword ptr [edi],edx ds:0023:107f2000=????????

--------------------------------------------------------------------------------

Vendor
Adobe Systems Incorporated - http://www.adobe.com
Affected Version
CS4 Extended 11.0.0.0
Tested On
Microsoft Windows XP Professional SP3 (English)
Vendor Status
[08.08.2009] Vendor notified.
[10.08.2009] Vendor replied.
[14.08.2009] Asked vendor for confirmation.
[14.08.2009] Vendor confirms vulnerability.
[18.05.2010] Vendor reveals patch release date.
[26.05.2010] Coordinated public disclosure.
PoC
psstyle_bof.c
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
High five to Wendy and David
References
[1] http://www.adobe.com/support/security/bulletins/apsb10-13.html
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1296
[3] http://www.exploit-db.com/exploits/12753
[4] http://www.packetstormsecurity.org/filedesc/psstyle-overflow.txt.html
[5] http://securityreason.com/exploitalert/8293
[6] http://www.securityfocus.com/bid/40389
[7] http://secunia.com/advisories/39934
[8] http://www.vupen.com/english/advisories/2010/1252
[9] http://www.securelist.com/en/advisories/39934
[10] http://securitytracker.com/alerts/2010/May/1024042.html
[11] http://www.infosecurity-us.com/view/9762/adobe-update-addresses-photoshop-bugs/
[12] http://www.securitylab.ru/vulnerability/394298.php
[13] http://www.itpro.co.uk/623791/adobe-patches-critical-photoshop-cs4-vulnerability
[14] http://www.nsfocus.net/vulndb/15112
[15] http://www.hackbase.com/tech/2010-05-28/60402.html
[16] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1296
[17] http://www.security-database.com/detail.php?alert=CVE-2010-1296
[18] http://xforce.iss.net/xforce/xfdb/58888
[19] http://www.juniper.net/security/auto/vulnerabilities/vuln40389.html
[20] https://www.cert.be/pro/advisory/adobe-photoshop-cs4-multiple-vulnerabilities
[21] http://www.net-security.org/secworld.php?id=9350
[22] http://www.sophos.com/blogs/gc/g/2010/06/01/users-urged-update-photoshop-cs4-vulnerabilities
[23] http://osvdb.org/show/osvdb/65082
Changelog
[26.05.2010] - Initial release
[27.05.2010] - Added reference [4], [5], [6], [7], [8] and [9]
[28.05.2010] - Added reference [10], [11] and [12]
[29.05.2010] - Added reference [13], [14], [15], [16], [17] and [18]
[30.05.2010] - Added reference [19]
[04.06.2010] - Added reference [20], [21], [22] and [23]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk