Wednesday, June 6, 2012

Adobe Illustrator Tx operator Remote Buffer Overflow - CVE-2012-0780

Product: Adobe Illustrator CS5 Version: 15.0.2
Binary affected: Illustrator.exe [98bce5a36f3d6a0b34507d5d9921b257]
CVSS v2 Base Score:10.0 (HIGH)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVE: 2012-0780
BID:  53422


A stack based overflow on the graphic operator 'Tx'.
Adobe Illustrator is a vector graphics editor developed and marketed by Adobe Systems. The issue explained here affects Illustrator CS5 15.0.2 (CS5.5/CS5/CS4) for both Mac and Windows; other versions may also be affected. This corresponds to CVE-2012-0780,  BID-53422 and to apsb12-10

Wednesday, May 9, 2012

Heap spraying Adobe Illustrator

Due to the recent patched vulnerabilities in Adobe Illustrator (CVE-2012-2023, CVE-2012-2024, CVE-2012-2025, and CVE-2012-2026) it becomes interesting to analyze the exploitability facts of the .ai file format. Early versions of the AI file format are true EPS files with a restricted, compact syntax, with additional semantics represented by Illustrator-specific DSC comments that conform to DSC's Open Structuring Convention. Originally, the AI file format was an augmented subset of postscript/eps and until version 7 its internals are described here. This EPS based file format can still be opened with modern Adobe software but nowadays it is embedded into a PDF shell file. As Postscript is itself a programming language with conditionals, loops and everything else, it may be interesting to research what can be done with it in the different programs that accept this format. For ps detail see thisthis or this.