Adobe Illustrator EPS/DSC Comment BO (Dec 04, 2009)

Adobe Illustrator is a comprehensive vector graphics environment. It supports numerous vector file formats such as CDR, PDF, and PS/EPS, among others. PostScript (PS) is a programming language that is mostly used as a page description language in electronic and desktop publishing. Document Structuring Conventions (DSC) is a set of standards for PS that specifies how to structure a PostScript file. A DSC-conforming PostScript document is called an Encapsulated PostScript (EPS) file, which is also used as a graphics file format. An EPS file can contain any combination of text, graphics, and images.

In EPS files, there are two required DSC comments, some conditionally required comments, and several programming guidelines. Each DSC comment in an EPS file starts with a ‘%’ character and ends with the newline characters ‘\r\n’. A snippet of an EPS file follows:

    %!PS-Adobe-3.1 EPSF-3.0
    %%Title: test.eps
    [...truncated...]
    0 0 mo
    0 140 li
    140 140 li
    140 0 li

A buffer overflow vulnerability exists in Adobe Illustrator when parsing EPS files. The vulnerability is due to a boundary error while processing DSC comments in an EPS file. The vulnerable code fails to verify the length of the comment string while it is being copied into a fixed-size buffer. As a result of this flaw, if a comment string is longer than a certain length, the copy operation can result in a function pointer being overwritten. A carefully constructed exploit can divert the process flow of the vulnerable application.
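The missing length check described above can be approximated on the defensive side by scanning EPS files for over-long comment lines before they reach a user. The following is an added example, not SonicWALL's signature logic or code from the original advisory; it assumes the 255-byte line limit from the DSC specification as the threshold (the advisory does not state the overflow length), and the function name and sample files are constructed for illustration.

```python
import re

# Assumption: 255 bytes is the DSC specification's maximum line length
# (excluding the terminator); the advisory does not give the overflow size.
DSC_MAX_LINE = 255

# EPS files in the wild use \r\n, \r or \n; match \r\n first so it counts once.
_EOL = re.compile(rb"\r\n|\r|\n")


def find_long_dsc_comments(data: bytes, limit: int = DSC_MAX_LINE):
    """Return (line_number, keyword, length) for every '%' comment line
    whose length, excluding the line terminator, exceeds `limit`."""
    findings = []
    for number, line in enumerate(_EOL.split(data), start=1):
        if not line.startswith(b"%") or len(line) <= limit:
            continue
        # Keyword = text before the first colon or whitespace (e.g. %%Title),
        # capped at 32 bytes so the report itself stays short.
        keyword = re.split(rb"[:\s]", line, maxsplit=1)[0][:32]
        findings.append((number, keyword.decode("latin-1"), len(line)))
    return findings


# Constructed sample inputs. The advisory does not say which DSC comment is
# affected; %%Title is used here only as a stand-in for "a long comment".
BENIGN_EPS = (
    b"%!PS-Adobe-3.1 EPSF-3.0\r\n"
    b"%%Title: test.eps\r\n"
    b"%%BoundingBox: 0 0 140 140\r\n"
    b"0 0 mo\r\n0 140 li\r\n140 140 li\r\n140 0 li\r\n"
)
OVERLONG_EPS = (
    b"%!PS-Adobe-3.1 EPSF-3.0\r\n"
    b"%%Title: " + b"A" * 4096 + b"\r\n"
    b"%%BoundingBox: 0 0 140 140\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_EPS), ("overlong", OVERLONG_EPS)):
        print(name, find_long_dsc_comments(sample))
```

EPS files that embed binary image data can contain long byte runs that happen to begin with ‘%’, so findings from a check like this are a triage signal rather than a verdict.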

Remote attackers can exploit this vulnerability by enticing target users to open a malicious EPS file with a vulnerable version of the affected product. Successful exploitation may allow execution of arbitrary code on the target host with the privileges of the logged in user.

SonicWALL has released two IPS signatures that detect and block known exploits that are targeting this vulnerability. The following signatures have been released:

  • 4152 – Adobe Illustrator EPS File DSC Comment BO Exploit
  • 4153 – Adobe Illustrator EPS File DSC Comment BO Exploit 2

The vulnerability has been assigned CVE-2009-4195 by Mitre.
