exploit-db-mirror/exploits/windows/dos/17918.txt

Title:
------
Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities




Vendor:
-------
Adobe Systems Inc. (http://www.adobe.com)


Product web page:
-----------------
http://www.adobe.com/products/photoshop-elements.html


Affected version:
-----------------
8.0 and 7.0 (20080916r.508356)


Summary:
--------
Adobe Photoshop Elements - the No.1 consumer photo editing software that
helps you turn everyday memories into sensational photos you'll cherish
forever. Easily edit photos and make photo creations using automated
options, share photos with your social network, and view photos virtually
anywhere you are.


Description:
------------
Photoshop Elements 8 suffers from a buffer overflow vulnerability when
dealing with .ABR (brushes) and .GRD (gradients) format files. The
application fails to sanitize the user input resulting in a memory
corruption, overwriting several memory registers which can aid the
atacker to gain the power of executing arbitrary code on the affected
system or denial of service scenario.


WinDBG output:
--------------------------------------------------------------------
.abr:
-----
(cd8.d98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0de318d0 ebx=41414141 ecx=06260000 edx=00004141 esi=0de318c8 edi=41414141
eip=7c919064 esp=0012d784 ebp=0012d9a0 iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210287
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b            mov     ecx,dword ptr [ebx]  ds:0023:41414141=????????

.grd:
-----
(d1c.404): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=00414141 ecx=00104d35 edx=41414141 esi=0f0e0c90 edi=0de5d000
eip=781807f5 esp=0012d9e8 ebp=033052a0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246

--------------------------------------------------------------------


Tested on:
----------
Microsoft Windows XP Professional Service Pack 3 (English)


Vulnerability discovered by:
----------------------------
Gjoko 'LiquidWorm' Krstic
Zero Science Lab (http://www.zeroscience.mk)
liquidworm gmail com


Vendor status:
--------------
[22.09.2009] Vulnerabilities discovered.
[09.03.2010] Sent detailed info to the vendor with PoC files.
[09.03.2010] Vendor responds with assigned tracking numbers of the issues.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor replies confirming the vulnerabilities.
[03.06.2011] Asked vendor for scheduled patch release date.
[05.06.2011] Vendor replies with a scheduled timeframe.
[02.09.2011] Asked vendor for an exact patch release date.
[03.09.2011] Vendor replies.
[09.09.2011] Asked vendor for assigned advisory ID.
[10.09.2011] Vendor tags their Adobe Advisory ID: APSA11-03.
[01.10.2011] Coordinated public security advisory released.


Advisory details:
-----------------
Advisory ID: ZSL-2011-5049
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5049.php

Adobe Advisory ID: APSA11-03
Adobe Advisory URL: http://www.adobe.com/support/security/advisories/apsa11-03.html
Adobe PSIRT ID: 447,448

CVE ID: CVE-2011-2443
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2443

CWE ID: CWE-120
CWE URL: http://cwe.mitre.org/data/definitions/120.html

REF #1: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php
REF #2: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php


Proof Of Concept:
-----------------
http://www.zeroscience.mk/codes/brush_gradiently.rar (11071 bytes)
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17918.rar (brush_gradiently.rar)