COSIG-2016-09

COSIG-2016-09

#####################################################################################

# Application: Adobe Photoshop CC & Bridge CC
# Platforms: Windows
# Versions: Bridge CC 6.1.1 and earlier versions, Photoshop CC 16.1.1 (2015.1.1) and earlier versions
# Author: Francis Provencher of COSIG
# Website: https://cosig.gouv.qc.ca/en/advisory/
# Twitter: @COSIG_
# Date: February 09, 2016
# CVE: CVE-2016-0952
# COSIG-2016-09

#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Adobe Photoshop is a raster graphics editor developed and published by Adobe Systems for Windows and OS X.

(https://en.wikipedia.org/wiki/Adobe_Photoshop)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-11: Francis Provencher of COSIG report the issue to Adobe PSIRT;
2016-02-09: Adobe release a patch (APSB16-03);
2016-02-09: COSIG release this advisory;

#####################################################################################

============================
3) Technical details
============================

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Photoshop CC & Bridge CC.
User interaction is required to exploit this vulnerability in that the target must open a malicious file.
By providing a malformed PNG file with an invalid uint32 Length, an attacker can cause an heap memory corruption.
An attacker could leverage this to execute arbitrary code under the context of the application.

#####################################################################################

===========
4) POC
===========

COSIG-2016-09

######################################################################################