Adobe Photoshop CC / Bridge CC - '.png' Parsing Memory Corruption (2)

EDB-ID:

39430




Platform:

Windows

Date:

2016-02-09


#####################################################################################

Application: Adobe Photoshop CC & Bridge CC PNG file parsing memory corruption

Platforms: Windows

Versions: Bridge CC 6.1.1 and earlier versions

Version: Photoshop CC 16.1.1 (2015.1.1) and earlier versions

CVE; 2016-0952

Author: Francis Provencher of COSIG

Twitter: @COSIG_

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.

(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-11: Francis Provencher from COSIG report the issue to PSIRT (ADOBE);

2016-02-09: Adobe release a patch (APSB16-03);

2016-02-09: COSIG release this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC. User interaction is required to exploit this vulnerability in that the target must open a malicious file. By providing a malformed PNG file with an invialid uint32 CRC checksum, an attacker can cause an heap memory corruption. An attacker could leverage this to execute arbitrary code under the context of the application.

#####################################################################################

===========

4) POC

===========

(Theses files must be in the same folder for Bridge CC)

http://protekresearchlab.com/exploits/COSIG-2016-09-1.png
http://protekresearchlab.com/exploits/COSIG-2016-09-2.png

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39430.zip

###############################################################################