Adobe Premiere Clip v1.1.1 iOS - (cid:x) Filter Bypass & Persistent Software Vulnerability

[Vulnerability Lab <research () vulnerability-lab com>]

Document Title:
===============
Adobe Premiere Clip v1.1.1 iOS - (cid:x) Filter Bypass & Persistent Software Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1478

PSIRT ID: 3721

Video: http://www.vulnerability-lab.com/get_content.php?id=1479

Bulletin: https://helpx.adobe.com/security/products/premiereclip/apsb15-31.html

Acknowledgements: https://helpx.adobe.com/security/acknowledgements.html?t1

CVE-2015-8051

Vulnerability Magazine: 
http://magazine.vulnerability-db.com/?q=articles/2015/11/18/adobe-premiere-clip-v111-ios-filter-bypass-persistent-software-vulnerability


Release Date:
=============
2015-11-18


Vulnerability Laboratory ID (VL-ID):
====================================
1478


Common Vulnerability Scoring System:
====================================
5.2


Product & Service Introduction:
===============================
Adobe Premiere Clip is a free app that makes it fast and easy to create amazing videos. Capture the moment by shooting 
video on 
the go, and then use Premiere Clip to bring clips together and add the finishing touches that make a video look and 
sound great. 
Projects sync across your devices, so you can start on your iPhone and pick up where you left off on your iPad—and of 
course, 
you can share from anywhere. Connected by the Adobe Creative Cloud, Premiere Clip makes video editing and sharing 
simple. 

(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/adobe-premiere-clip/id919399401 )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered an application-side software validation vulnerability and a 
filter bypass issue in the official Adobe Premiere Clip v1.1.1 iOS mobile web-application.


Vulnerability Disclosure Timeline:
==================================
2015-04-29: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-04-30: Vendor Notification (Adobe PSIRT Security Team)
2015-05-04: Vendor Response/Feedback (Adobe PSIRT Security Team)
2015-10-16: Vendor Fix/Patch #1 (Adobe Developer Team)
2015-10-22: Security Acknowledgements (Adobe PSIRT Security Team)
2015-11-12: Vendor Fix/Patch #2 (Adobe Developer Team)
2015-11-17: Security Bulletin (Adobe PSIRT Security Team) [Acknowledgements]
2015-11-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Adobe Systems
Product: Premiere Clip - iOS Mobile Web Application (API) 1.1.1


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
An application-side input validation web vulnerability has been discovered in the official Adobe Premiere Clip v1.1.1 
iOS mobile web-application.
The issue affects the validation procedure of the adobe-creative cloud service that is in scope of the program after 
using the sync function.
The vulnerability allows an attacker to bypass the app filter and service validation to execute own malicious codes in 
a adobe creative cloud module.

The vulnerability is located in the project name value of the Adobe Premiere Clips iOS mobile web-application. 
Attackers are able 
to inject via POST (remote) or Sync (local) own malicious file names. By usage of the share function in connection with 
a sync the 
service generates a link to stream the context inside of the mail. The mail is wrong encoded and the cid:x value 
executes the 
malicious context. 

The adobe creative cloud service requests via the assets.adobe.com all synced file context. Remote attackers can for 
example include 
a malicious project by manipulation of the project name. Thus allows remote attackers to inject a malicious project of 
the connected 
cloud apps service to the assets library. After the sync via implement the creative cloud allows to share the context 
by the application 
itself or via the mobile app. By opening the exchange method to share, the context executes in the mail body next to 
the adobe ``cid:x``> 
value. Next to that a link is generated to adobe and can be prepared a second time the same way. The encoding of the 
share function 
is broken in case of a sync implementation through another device. The names needs to be encoded and the context that 
is getting dumped 
into the mail body needs to be parsed in a secure direction. The requests runs through the adobe clips, mobile api and 
adobe assets 
service in the creative cloud app.

The bug is located in the input validation of the adobe premier clips app but after the sync the broken context is 
streamed to the creative 
cloud service were you have also the ability to share the malicious context again by mail. The main problem is that the 
data is not getting 
encoded on sync via cloud. That results in a bypass of the basic filter validation in the app and also the main 
online-service of adobe.

Reference(s):
http://www.adobe.com/products/postscript/pdfs/cid.pdf
http://www.adobe.com/content/dam/Adobe/en/devnet/font/pdfs/5014.CIDFont_Spec.pdf

The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss 
(common vulnerability scoring 
system) count of 5.2. Exploitation of the persistent input validation web vulnerability requires a low privileged adobe 
user account with 
restricted access and low user interaction. Successful exploitation of the vulnerability results in session hijacking, 
persistent phishing, 
persistent external redirects to malicious source and persistent manipulation of affected or connected application 
modules (api).


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by remote attackers with low privileged application user account and low or medium 
user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below 
to continue.

Manual steps to reproduce the vulnerability ...
1. Install a creative adobe account and use a test browser with the proxy credentials
2. Start to login and choose one of the apps to sync you payload
3. Open the adobe premiere clip app 
4. Inject as project a script code payload like bkm%20"><img src="cid:x">%20>%20<iframe 
src=http://www.evolution-sec.com> and save the project
5. Now open the adobe creative cloud with the assets service and sync all projects with the files
Note: Use the share function to dump the service data in the mail body context through the stage assets by mobile api 
6. Successful reproduce of the security vulnerability!


PoC: 
<html>
<head>
<title>Benjamin Kunz Mejri has shared an Adobe Premiere Clip video with you!</title>
<link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css">
</head>
<body>
<table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>Benjamin Kunz 
Mejri has shared an Adobe Premiere Clip video with you!</td></tr><tr><td><b>Von: </b>VLab <vulnerabilitylab () icloud 
com></td></tr><tr><td><b>Datum: </b>28.04.2015 21:59</td></tr></table><table border=0 cellspacing=0 cellpadding=0 
width="100%" class="header-part2"><tr><td><b>An: </b>bkm () evolution-sec com</td></tr></table><br>
<html><head><meta http-equiv="content-type" content="text/html; "></head><body dir="auto"><div><p>Benjamin Kunz Mejri 
has shared the video ""><img src="cid:x">"><iframe src="a">%20"><img src="x">" with you!  Click the following link to 
watch this video now: <a href="<a 
href="http://premiereclip.adobe.com/videos/ESSguR3c8RY";>http://premiereclip.adobe.com/videos/ESSguR3c8RY</a>"><a 
href="http://premiereclip.adobe.com/videos/ESSguR3c8RY</a></p><p>Do">http://premiereclip.adobe.com/videos/ESSguR3c8RY</a></p><p>Do</a>
 you have an iPad or iPhone?  Create your own Adobe Premiere Clip video by getting the free app here: <a href="<a 
href="http://www.adobe.com/go/premiereclip";>http://www.adobe.com/go/premiereclip</a>"><a 
href="http://www.adobe.com/go/premiereclip";>http://www.adobe.com/go/premiereclip</a></a> Share on social: 
#MadeWithClip</p></body></iframe></p></div><div><br><br>Von meinem iPhone gesendet</div></body></html>
</body>
</html>


Reference(s):
https://assets.adobe.com/files?filter=all
http://premiereclip.adobe.com/videos/ESSguR3c8RY


PoC Video: In the poc video we demonstrate how to exploit the issue by usage of a ipad that is connected to the 
creative cloud service.
The test account admin () vulnerability-lab com and bkm () evolution-sec com was used to test the adobe service with 
the announced proxy settings.
The data is at the end executable in the mail body that comes through a validation lack of the software. The bug is 
present in several apps 
that allow us to sync the function in connection with the creative cloud share function. Due to the testings we saw 
that the service has 
captured the valid urls by filtering. 


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the name input in the adobe premiere clip mobile api.
Encode and parse the name cid:x input to prevent a persistent script code execution when processing to share the app 
sync context.

Note: The vulnerability in connection with the adobe creative cloud has already been prevented. No interaction is 
required to the update procedure of 
the connected cloud systems.




Security Risk:
==============
The security risk of the filter bypass and persistent mobile web vulnerability in the adobe api is estimated as medium. 
(CVSS 5.2)


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm () evolution-sec com) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all 
warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or 
its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special 
damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody 
to break any vendor licenses, 
policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com                                      - 
www.evolution-sec.com
Contact:    admin () vulnerability-lab com      - research () vulnerability-lab com                     - admin () 
evolution-sec com
Section:    magazine.vulnerability-db.com       - vulnerability-lab.com/contact.php                     - 
evolution-sec.com/contact
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab                         - 
youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php            - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - vulnerability-lab.com/list-of-bug-bounty-programs.php - 
vulnerability-lab.com/register/

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability 
Laboratory. Permission to 
electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website 
is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit 
our material contact 
(admin () vulnerability-lab com or research () vulnerability-lab com) to get a permission.

                                Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™



-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
CONTACT: research () vulnerability-lab com
PGP KEY: http://www.vulnerability-lab.com/keys/admin () vulnerability-lab com%280x198E9928%29.txt




_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/