Adobe Premiere Clip 1.1.1 Filter Bypass
Posted on 19 November 2015
Document Title: =============== Adobe Premiere Clip v1.1.1 iOS - (cid:x) Filter Bypass & Persistent Software Vulnerability References (Source): ==================== http://www.vulnerability-lab.com/get_content.php?id=1478 PSIRT ID: 3721 Video: http://www.vulnerability-lab.com/get_content.php?id=1479 Bulletin: https://helpx.adobe.com/security/products/premiereclip/apsb15-31.html Acknowledgements: https://helpx.adobe.com/security/acknowledgements.html?t1 CVE-2015-8051 Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/11/18/adobe-premiere-clip-v111-ios-filter-bypass-persistent-software-vulnerability Release Date: ============= 2015-11-18 Vulnerability Laboratory ID (VL-ID): ==================================== 1478 Common Vulnerability Scoring System: ==================================== 5.2 Product & Service Introduction: =============================== Adobe Premiere Clip is a free app that makes it fast and easy to create amazing videos. Capture the moment by shooting video on the go, and then use Premiere Clip to bring clips together and add the finishing touches that make a video look and sound great. Projects sync across your devices, so you can start on your iPhone and pick up where you left off on your iPad—and of course, you can share from anywhere. Connected by the Adobe Creative Cloud, Premiere Clip makes video editing and sharing simple. (Copy of the Vendor Homepage: https://itunes.apple.com/us/app/adobe-premiere-clip/id919399401 ) Abstract Advisory Information: ============================== The Vulnerability Laboratory Research Team discovered an application-side software validation vulnerability and a filter bypass issue in the official Adobe Premiere Clip v1.1.1 iOS mobile web-application. Vulnerability Disclosure Timeline: ================================== 2015-04-29: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH) 2015-04-30: Vendor Notification (Adobe PSIRT Security Team) 2015-05-04: Vendor Response/Feedback (Adobe PSIRT Security Team) 2015-10-16: Vendor Fix/Patch #1 (Adobe Developer Team) 2015-10-22: Security Acknowledgements (Adobe PSIRT Security Team) 2015-11-12: Vendor Fix/Patch #2 (Adobe Developer Team) 2015-11-17: Security Bulletin (Adobe PSIRT Security Team) [Acknowledgements] 2015-11-18: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Affected Product(s): ==================== Adobe Systems Product: Premiere Clip - iOS Mobile Web Application (API) 1.1.1 Exploitation Technique: ======================= Remote Severity Level: =============== Medium Technical Details & Description: ================================ An application-side input validation web vulnerability has been discovered in the official Adobe Premiere Clip v1.1.1 iOS mobile web-application. The issue affects the validation procedure of the adobe-creative cloud service that is in scope of the program after using the sync function. The vulnerability allows an attacker to bypass the app filter and service validation to execute own malicious codes in a adobe creative cloud module. The vulnerability is located in the project name value of the Adobe Premiere Clips iOS mobile web-application. Attackers are able to inject via POST (remote) or Sync (local) own malicious file names. By usage of the share function in connection with a sync the service generates a link to stream the context inside of the mail. The mail is wrong encoded and the cid:x value executes the malicious context. The adobe creative cloud service requests via the assets.adobe.com all synced file context. Remote attackers can for example include a malicious project by manipulation of the project name. Thus allows remote attackers to inject a malicious project of the connected cloud apps service to the assets library. After the sync via implement the creative cloud allows to share the context by the application itself or via the mobile app. By opening the exchange method to share, the context executes in the mail body next to the adobe ``cid:x``> value. Next to that a link is generated to adobe and can be prepared a second time the same way. The encoding of the share function is broken in case of a sync implementation through another device. The names needs to be encoded and the context that is getting dumped into the mail body needs to be parsed in a secure direction. The requests runs through the adobe clips, mobile api and adobe assets service in the creative cloud app. The bug is located in the input validation of the adobe premier clips app but after the sync the broken context is streamed to the creative cloud service were you have also the ability to share the malicious context again by mail. The main problem is that the data is not getting encoded on sync via cloud. That results in a bypass of the basic filter validation in the app and also the main online-service of adobe. Reference(s): http://www.adobe.com/products/postscript/pdfs/cid.pdf http://www.adobe.com/content/dam/Adobe/en/devnet/font/pdfs/5014.CIDFont_Spec.pdf The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 5.2. Exploitation of the persistent input validation web vulnerability requires a low privileged adobe user account with restricted access and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing, persistent external redirects to malicious source and persistent manipulation of affected or connected application modules (api). Proof of Concept (PoC): ======================= The vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction. For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Install a creative adobe account and use a test browser with the proxy credentials 2. Start to login and choose one of the apps to sync you payload 3. Open the adobe premiere clip app 4. Inject as project a script code payload like bkm%20"><img src="cid:x">%20>%20<iframe src=http://www.evolution-sec.com> and save the project 5. Now open the adobe creative cloud with the assets service and sync all projects with the files Note: Use the share function to dump the service data in the mail body context through the stage assets by mobile api 6. Successful reproduce of the security vulnerability! PoC: <html> <head> <title>Benjamin Kunz Mejri has shared an Adobe Premiere Clip video with you!</title> <link rel="important stylesheet" href="chrome://messagebody/skin/messageBody.css"> </head> <body> <table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part1"><tr><td><b>Betreff: </b>Benjamin Kunz Mejri has shared an Adobe Premiere Clip video with you!</td></tr><tr><td><b>Von: </b>VLab <vulnerabilitylab@icloud.com></td></tr><tr><td><b>Datum: </b>28.04.2015 21:59</td></tr></table><table border=0 cellspacing=0 cellpadding=0 width="100%" class="header-part2"><tr><td><b>An: </b>bkm@evolution-sec.com</td></tr></table><br> <html><head><meta http-equiv="content-type" content="text/html; "></head><body dir="auto"><div><p>Benjamin Kunz Mejri has shared the video ""><img src="cid:x">"><iframe src="a">%20"><img src="x">" with you! Click the following link to watch this video now: <a href="<a href="http://premiereclip.adobe.com/videos/ESSguR3c8RY">http://premiereclip.adobe.com/videos/ESSguR3c8RY</a>"><a href="http://premiereclip.adobe.com/videos/ESSguR3c8RY</a></p><p>Do">http://premiereclip.adobe.com/videos/ESSguR3c8RY</a></p><p>Do</a> you have an iPad or iPhone? Create your own Adobe Premiere Clip video by getting the free app here: <a href="<a href="http://www.adobe.com/go/premiereclip">http://www.adobe.com/go/premiereclip</a>"><a href="http://www.adobe.com/go/premiereclip">http://www.adobe.com/go/premiereclip</a></a> Share on social: #MadeWithClip</p></body></iframe></p></div><div><br><br>Von meinem iPhone gesendet</div></body></html> </body> </html> Reference(s): https://assets.adobe.com/files?filter=all http://premiereclip.adobe.com/videos/ESSguR3c8RY PoC Video: In the poc video we demonstrate how to exploit the issue by usage of a ipad that is connected to the creative cloud service. The test account admin@vulnerability-lab.com and bkm@evolution-sec.com was used to test the adobe service with the announced proxy settings. The data is at the end executable in the mail body that comes through a validation lack of the software. The bug is present in several apps that allow us to sync the function in connection with the creative cloud share function. Due to the testings we saw that the service has captured the valid urls by filtering. Solution - Fix & Patch: ======================= The vulnerability can be patched by a secure restriction of the name input in the adobe premiere clip mobile api. Encode and parse the name cid:x input to prevent a persistent script code execution when processing to share the app sync context. Note: The vulnerability in connection with the adobe creative cloud has already been prevented. No interaction is required to the update procedure of the connected cloud systems. Security Risk: ============== The security risk of the filter bypass and persistent mobile web vulnerability in the adobe api is estimated as medium. (CVSS 5.2) Credits & Authors: ================== Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com) [www.vulnerability-lab.com] Disclaimer & Information: ========================= The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com Section: magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/ Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission. Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com CONTACT: research@vulnerability-lab.com PGP KEY: http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt