PNG vulnerabilities detected in Photoshop and Paint Shop Pro [Update]
Images from external sources should not be loaded into image editing programs such as Photoshop or Paint Shop Pro without due caution. Having already discovered vulnerabilities in bitmap file processing, Marsupilami fan Marsu has now also found a stack-based buffer overflow that is triggered when PNG files are opened. In his demo, he uses a program that generates manipulated PNG files which, when opened, run the calculator calc.exe or bind a shell to port 4444. Evidently, the French hacker used shellcode from the Metasploit project, which means it would be quite easy to turn the demonstration into real malware. Houba!
According to comments, at least Photoshop CS2, CS3, Elements 5.0 and Corel Paint Shop Pro 11.20 are affected. Marsu has also found a similar vulnerability in the open-source graphics tool Gimp, which occurs when RAS files are handled; IrfanView is vulnerable when IFF files are processed. So far, the vendors have not published any comments or updates to fix these bugs. As a general rule, users are advised to be very careful with any unsolicited e-mail attachments, since similar vulnerabilities are found again and again. An introduction to the risks associated with e-mail can be found in the heise Security Emailcheck.
The developer of IrfanView has published version 4.01 of the plugins package to fix the IFF loading bug.
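The common thread in these bugs is a decoder that trusts a length field in the file. As an added example (not from the article and not Marsu's demo code), the following Python check walks the chunk structure of an untrusted PNG before it is handed to an image editor, and refuses files whose declared chunk lengths do not match the bytes present, whose CRCs do not verify, or whose header dimensions are out of range. The chunk-size and dimension limits are assumed policy values, not PNG specification constants.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK = 1 << 24  # assumed policy limit (16 MiB) on one chunk; not a spec value
MAX_DIM = 1 << 15    # assumed policy limit on width and height

def make_chunk(ctype: bytes, body: bytes) -> bytes:
    """Build a well-formed chunk: big-endian length, 4-byte type, body, CRC32 over type+body."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def check_png(data: bytes, max_chunk: int = MAX_CHUNK, max_dim: int = MAX_DIM) -> list[str]:
    """Return the structural problems found (empty list = clean); every length field is checked against the bytes actually present before it is used."""
    if not data.startswith(PNG_SIG):
        return ["bad PNG signature"]
    problems, pos, seen_ihdr, seen_iend = [], len(PNG_SIG), False, False
    while pos + 12 <= len(data) and not seen_iend:  # length + type + CRC need 12 bytes
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("ascii", "replace")
        if not ctype.isalpha():
            problems.append(f"offset {pos}: non-alphabetic chunk type {ctype!r}")
            break
        if length > max_chunk:
            problems.append(f"offset {pos}: {name} length {length} exceeds limit {max_chunk}")
            break
        end = pos + 12 + length
        if end > len(data):  # the declared length runs past the file: a lying length field
            problems.append(f"offset {pos}: {name} length {length} overruns end of file")
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[end - 4:end])
        if zlib.crc32(ctype + body) != crc:
            problems.append(f"offset {pos}: {name} CRC mismatch")
        if name == "IHDR":
            seen_ihdr = True
            if length != 13:
                problems.append(f"IHDR length {length}, expected 13")
            else:
                width, height = struct.unpack(">II", body[:8])
                if not (0 < width <= max_dim and 0 < height <= max_dim):
                    problems.append(f"IHDR dimensions {width}x{height} outside policy limits")
        elif not seen_ihdr:
            problems.append(f"offset {pos}: {name} appears before IHDR")
        seen_iend = name == "IEND"
        pos = end
    if not seen_iend:
        problems.append("missing or truncated IEND chunk")
    return problems

# Constructed 1x1 greyscale sample file (this check does not decompress IDAT contents).
SAMPLE_PNG = (PNG_SIG + make_chunk(b"IHDR", bytes([0, 0, 0, 1, 0, 0, 0, 1, 8, 0, 0, 0, 0]))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
```

A non-empty result is a reason to quarantine the file, not a proof of exploitation; a structurally valid PNG can still trigger a decoder bug, so this pre-check complements vendor patches rather than replacing them.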
- Photoshop CS2/CS3, Paint Shop Pro 11.20 .PNG File Buffer Overflow, demo exploit by Marsu
- Gimp v2.2.14 .RAS File SUNRAS Plugin Buffer Overflow, demo exploit by Marsu
- IrfanView <= 4.00 .IFF File Buffer Overflow, demo exploit by Marsu