Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer Overflow Vulnerability
Download URL of a test version:
http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop
Note:
Found three weeks before the CS6 release.
I could not reproduce against CS6 and cannot say whether there is
a CVE for this; I think it is also possible they patched silently.
Description:
DynPG is used to upload and manage dynamic web content similar to other content management systems.
DynPG however differs from other CMS, because it is embedded directly into websites.
The software was originally developed to realize designs that are created with Adobe Photoshop, Adobe Fireworks, Adobe Illustrator or any other graphics software.
The layout is created with an editor like Adobe Dreamweaver or Adobe GoLive or even as simple code.
After that, code snippets are placed at those points where dynamically generated content (like articles, galleries, blogs or other dynamic content) shall be generated.
It provides a convenient way to extend existing websites with dynamic content. DynPG provides a template engine, but also supports existing CSS layouts.
########################################################
The client provides graphical and command line tools for a large
number of operating systems. Also available is a suite of plugins
that integrate with various programming IDEs and third party
applications, such as XCode, Autodesk 3D Studio Max, Alias Maya,
Adobe Photoshop, Microsoft Office, Eclipse and Emacs.
Other features of the system include support for reporting
(i.e. notifying users when a file has changed), branching and
merging, and defect tracking."
Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/
Tested on Microsoft Windows XP SP3
The "Adobe Active File Monitor V8" service is installed with an improper security descriptor.
A malicious user of the Users group (which on XP means a "limited account") can stop the service,
then invoke the "sc config" command to replace the binary path with a value of choice, then restart
the service to run the command with SYSTEM privileges, e.g., run these commands as a limited user:
test@ubuntu:~$ cat > clam.c
const char crashstr[] = "\xff\xd8" // jpg marker
"\xff\xed" // exif data
"\x00\x02" // length
"Photoshop 3.0\x00"
"8BIM"
"\x04\x0c" // thumbnail id
"\x00"
"\x01"
"\x01\x01\x01\x01"