Wednesday, May 9, 2012

Heap spraying Adobe Illustrator

Due to the recent patched vulnerabilities in Adobe Illustrator (CVE-2012-2023, CVE-2012-2024, CVE-2012-2025, and CVE-2012-2026) it becomes interesting to analyze the exploitability facts of the .ai file format. Early versions of the AI file format are true EPS files with a restricted, compact syntax, with additional semantics represented by Illustrator-specific DSC comments that conform to DSC's Open Structuring Convention. Originally, the AI file format was an augmented subset of postscript/eps and until version 7 its internals are described here. This EPS based file format can still be opened with modern Adobe software but nowadays it is embedded into a PDF shell file. As Postscript is itself a programming language with conditionals, loops and everything else, it may be interesting to research what can be done with it in the different programs that accept this format. For ps detail see thisthis or this.