
Title:
------
Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities

Vendor:
-------
Adobe Systems Inc. (http://www.adobe.com)

Product web page:
-----------------
http://www.adobe.com/products/photoshop-elements.html

Affected version:
-----------------
8.0 and 7.0 (20080916r.508356)

Summary:
--------
Adobe Photoshop Elements - the No.1 consumer photo editing software that
helps you turn everyday memories into sensational photos you'll cherish
forever. Easily edit photos and make photo creations using automated
options, share photos with your social network, and view photos virtually
anywhere you are.

Description:
------------
Photoshop Elements 8 suffers from a buffer overflow vulnerability when
handling .ABR (brushes) and .GRD (gradients) format files. The
application fails to validate the contents of these files, resulting in
memory corruption that overwrites several CPU registers, which can allow
an attacker to execute arbitrary code on the affected system or to cause
a denial of service.

WinDBG output:
--------------------------------------------------------------------
.abr:
-----
(cd8.d98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0de318d0 ebx=41414141 ecx=06260000 edx=00004141 esi=0de318c8 edi=41414141
eip=7c919064 esp=0012d784 ebp=0012d9a0 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210287
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b mov ecx,dword ptr [ebx] ds:0023:41414141=????????

.grd:
-----
(d1c.404): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7efefefe ebx=00414141 ecx=00104d35 edx=41414141 esi=0f0e0c90 edi=0de5d000
eip=781807f5 esp=0012d9e8 ebp=033052a0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246

--------------------------------------------------------------------
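Reading register dumps like the two above is the first step of crash triage: which registers hold bytes copied straight from the input file, and does the faulting instruction dereference one of them? The script below is an added example and not part of the advisory or of Zero Science Lab's PoC. It embeds the two WinDBG dumps quoted above as constructed sample input and flags registers made up of the 0x41 ('A') bytes visible in them; the 0x41 marker value and the two-byte threshold for a "partial" overwrite are assumptions made for this example, and a real triage run would substitute whatever filler its own test file uses.

```python
import re

# Constructed sample input: the .abr and .grd register dumps quoted in the
# advisory above, embedded so the script runs offline.
ABR_DUMP = """\
(cd8.d98): Access violation - code c0000005 (first chance)
eax=0de318d0 ebx=41414141 ecx=06260000 edx=00004141 esi=0de318c8 edi=41414141
eip=7c919064 esp=0012d784 ebp=0012d9a0 iopl=0 nv up ei ng nz na pe cy
ntdll!RtlDosSearchPath_Ustr+0x473:
7c919064 8b0b mov ecx,dword ptr [ebx] ds:0023:41414141=????????
"""

GRD_DUMP = """\
(d1c.404): Access violation - code c0000005 (first chance)
eax=7efefefe ebx=00414141 ecx=00104d35 edx=41414141 esi=0f0e0c90 edi=0de5d000
eip=781807f5 esp=0012d9e8 ebp=033052a0 iopl=0 nv up ei pl zr na pe nc
"""

# General-purpose 32-bit registers as WinDBG prints them ("name=8 hex digits").
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bsi]p)=([0-9a-f]{8})\b")

# The faulting-instruction line: address, opcode bytes, mnemonic, operands,
# then the effective address WinDBG tried to read and its contents.
FAULT_RE = re.compile(
    r"^([0-9a-f]{8})\s+([0-9a-f]+)\s+(\w+)\s+(.*?)\s+ds:([0-9a-f]{4}):([0-9a-f]{8})=(\S+)$",
    re.M,
)


def marker_bytes(value: int, marker: int = 0x41) -> int:
    """Count how many of the four bytes of a 32-bit value equal the marker byte."""
    return sum(1 for shift in (0, 8, 16, 24) if (value >> shift) & 0xFF == marker)


def classify(value: int, marker: int = 0x41):
    """'full' if every byte is the marker, 'partial' if at least two are (assumed
    threshold), None otherwise."""
    n = marker_bytes(value, marker)
    if n == 4:
        return "full"
    if n >= 2:
        return "partial"
    return None


def parse_registers(dump: str) -> dict:
    """Return {register_name: int_value} for every register line in the dump."""
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(dump)}


def parse_fault(dump: str):
    """Return details of the faulting instruction line, or None if absent."""
    m = FAULT_RE.search(dump)
    if not m:
        return None
    addr, opcode, mnemonic, operands, seg, target, contents = m.groups()
    return {
        "address": int(addr, 16),
        "mnemonic": mnemonic,
        "operands": operands,
        "target": int(target, 16),
        "contents": contents,  # "????????" means the read itself failed
    }


def triage(dump: str, marker: int = 0x41) -> dict:
    """Summarise which registers carry input-derived bytes and what faulted."""
    regs = parse_registers(dump)
    controlled = {n: classify(v, marker) for n, v in regs.items() if classify(v, marker)}
    fault = parse_fault(dump)
    deref = None
    if fault:
        m = re.search(r"\[(e\w\w)\]", fault["operands"])
        deref = m.group(1) if m else None
    return {
        "registers": regs,
        "controlled": controlled,
        "eip_controlled": "eip" in controlled,
        "fault": fault,
        "deref_register": deref,
        "read_failed": bool(fault and fault["contents"].startswith("?")),
    }


def summarize(label: str, result: dict) -> str:
    """Render one triage result as a short human-readable report."""
    lines = [f"{label}: controlled registers -> {result['controlled'] or 'none'}"]
    if result["fault"]:
        f = result["fault"]
        lines.append(
            f"  fault: {f['mnemonic']} {f['operands']} reading {f['target']:#010x}"
            f" via {result['deref_register']} (read failed: {result['read_failed']})"
        )
    lines.append(f"  eip controlled: {result['eip_controlled']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, dump in (("abr", ABR_DUMP), ("grd", GRD_DUMP)):
        print(summarize(label, triage(dump)))
```

For the .abr dump the script reports ebx and edi fully overwritten and edx partially, with the fault being a read through ebx at 0x41414141; eip itself is not overwritten in either dump, which is consistent with the advisory's wording that the corruption overwrites registers the faulting code then dereferences, rather than directly controlling the instruction pointer.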

Tested on:
----------
Microsoft Windows XP Professional Service Pack 3 (English)

Vulnerability discovered by:
----------------------------
Gjoko 'LiquidWorm' Krstic
Zero Science Lab (http://www.zeroscience.mk)
liquidworm gmail com

Vendor status:
--------------
[22.09.2009] Vulnerabilities discovered.
[09.03.2010] Sent detailed info to the vendor with PoC files.
[09.03.2010] Vendor responds with assigned tracking numbers of the issues.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor replies confirming the vulnerabilities.
[03.06.2011] Asked vendor for scheduled patch release date.
[05.06.2011] Vendor replies with a scheduled timeframe.
[02.09.2011] Asked vendor for an exact patch release date.
[03.09.2011] Vendor replies.
[09.09.2011] Asked vendor for assigned advisory ID.
[10.09.2011] Vendor tags their Adobe Advisory ID: APSA11-03.
[01.10.2011] Coordinated public security advisory released.

Advisory details:
-----------------
Advisory ID: ZSL-2011-5049
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5049.php

Adobe Advisory ID: APSA11-03
Adobe Advisory URL: http://www.adobe.com/support/security/advisories/apsa11-03.html
Adobe PSIRT ID: 447,448

CVE ID: CVE-2011-2443
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2443

CWE ID: CWE-120
CWE URL: http://cwe.mitre.org/data/definitions/120.html

REF #1: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php
REF #2: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php

Proof Of Concept:
-----------------
http://www.zeroscience.mk/codes/brush_gradiently.rar (11071 bytes)
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17918.rar (brush_gradiently.rar)