Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
Title: Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
Advisory ID: ZSL-2010-4941
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2010
[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.
High five to Wendy and David
[2] http://www.securityfocus.com/bid/40565
[3] http://securityreason.com/exploitalert/8325
[4] http://secunia.com/advisories/40050/
[5] http://www.juniper.net/security/auto/vulnerabilities/vuln40565.html
[6] http://xforce.iss.net/xforce/xfdb/59132
[7] http://www.securelist.com/ru/advisories/40050
[8] http://www.securitylab.ru/poc/394521.php
[9] http://www.vupen.com/english/advisories/2010/1347
[10] http://osvdb.org/show/osvdb/65140
[11] http://www.vfocus.net/art/20100604/7226.html
[12] http://www.exploit-db.com/exploits/13817/
[13] http://net-security.org/vuln.php?id=12889
[14] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2321
[15] https://nvd.nist.gov/vuln/detail/CVE-2010-2321
[05.06.2010] - Added reference [3], [4], [5], [6] and [7]
[06.06.2010] - Added reference [8], [9] and [10]
[07.06.2010] - Added reference [11]
[11.06.2010] - Added reference [12]
[14.06.2010] - Added reference [13]
[25.10.2021] - Added reference [14] and [15]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2010-4941
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 04.06.2010
Summary
Adobe® InDesign® CS3 software provides precise control over typography and built-in creative tools for designing, preflighting, and publishing documents for print, online, or to mobile devices. Include interactivity, animation, video, and sound in page layouts to fully engage readers.Description
When parsing .indd files to the application, it crashes instantly overwriting memory registers. Depending on the offset, EBP, EDI, EDX and ESI gets overwritten. Potential vulnerability use is arbitrary code execution and denial of service.Vendor
Adobe Systems Incorporated - http://www.adobe.comAffected Version
CS3 10.0Tested On
Microsoft Windows XP Professional SP3 (English)Vendor Status
[16.09.2009] Vulnerability discovered.[09.03.2010] Vulnerability reported to vendor with sent PoC files.
[21.03.2010] Asked confirmation from the vendor.
[21.03.2010] Vendor asked for PoC files due to communication errors.
[22.03.2010] Re-sent PoC files to vendor.
[04.04.2010] Vendor confirms vulnerability.
[03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
[04.06.2010] Public advisory released.
PoC
indesign_bof.plCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>High five to Wendy and David
References
[1] http://www.packetstormsecurity.org/filedesc/indesign-overflow.txt.html[2] http://www.securityfocus.com/bid/40565
[3] http://securityreason.com/exploitalert/8325
[4] http://secunia.com/advisories/40050/
[5] http://www.juniper.net/security/auto/vulnerabilities/vuln40565.html
[6] http://xforce.iss.net/xforce/xfdb/59132
[7] http://www.securelist.com/ru/advisories/40050
[8] http://www.securitylab.ru/poc/394521.php
[9] http://www.vupen.com/english/advisories/2010/1347
[10] http://osvdb.org/show/osvdb/65140
[11] http://www.vfocus.net/art/20100604/7226.html
[12] http://www.exploit-db.com/exploits/13817/
[13] http://net-security.org/vuln.php?id=12889
[14] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2321
[15] https://nvd.nist.gov/vuln/detail/CVE-2010-2321
Changelog
[04.06.2010] - Initial release[05.06.2010] - Added reference [3], [4], [5], [6] and [7]
[06.06.2010] - Added reference [8], [9] and [10]
[07.06.2010] - Added reference [11]
[11.06.2010] - Added reference [12]
[14.06.2010] - Added reference [13]
[25.10.2021] - Added reference [14] and [15]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
