Adobe Photoshop CC / Bridge CC – ‘.png’ Parsing Memory Corruption (2)

• Exploit Database
• 16 阅读

• 作者： Francis Provencher
  日期： 2016-02-09
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39430/

• #####################################################################################
  
  Application: Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption
  
  Platforms: Windows
  
  Versions: Bridge CC 6.1.1 and earlier versions
  
  Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions
  
  CVE; 2016-0952
  
  Author: Francis Provencher of COSIG
  
  Twitter: @COSIG_
  
  #####################################################################################
  
  1) Introduction
  2) Report Timeline
  3) Technical details
  4) POC
  
  #####################################################################################
  
  ===============
  1) Introduction
  ===============
  
  Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.
  
  (https://en.wikipedia.org/wiki/Adobe_Photoshop)
  
  #####################################################################################
  
  ============================
  2) Report Timeline
  ============================
  
  2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE);
  
  2016-02-09: Adobe release a patch (APSB16-03);
  
  2016-02-09: COSIG release this advisory;
  
  #####################################################################################
  
  ============================
  3) Technical details
  ============================
  
  This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed PNG file with an invialid uint32 CRC checksum, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application.
  
  #####################################################################################
  
  ===========
  
  4) POC
  
  ===========
  
  (Theses files must be in the same folder for Bridge CC)
  
  http://protekresearchlab.com/exploits/COSIG-2016-09-1.png
  http://protekresearchlab.com/exploits/COSIG-2016-09-2.png
  
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39430.zip
  
  ###############################################################################