Security researchers have discovered an arbitrary code injection vulnerability in the adobe systems main lead database management system.
According to Benjamin Kunz Mejri, working at the Vulnerability Laboratory at Evolution Security in Germany, the flaw allows remote attackers to inject own malicious script codes and system specific codes with persistent attack vector to the application-side of
the vulnerable modules context or affected internal services.
The arbitrary code injection vulnerability is located in the external services associated with the content of adobe systems subdomain services.
"Attackers are able to attack the adobe system's lead database by inserting arbitrary code over other database layers. This issue allows an attacker to perform the injection using an external service form," Kunz Mejri said in a security disclosure.
After the content has been delivered, the data is stored in the sub-service database management system.
"Over time, the database contents of the sub services are backed up and synchronised with the main database of the adobe systems. In the case of our research, we identified several external services to attack the sub-services of the adobe system and finally deliver the faulty content within the main lead database," he added.
According to a follow-up blog post, the researcher not only bypassed several layers of security, he as well demonstrated that the contents inside the adobe system database are transmitted without any protection mechanisms. The URLs and the content were delivered by email and executed from the main adobe email postbox the content.
"The content attack is not restricted to the delivery of for example emails, the attack could be used in a larger range. Attacker could start client-side email phishing attempts, inject persistent phishing pages, arbitrary executions in the lead DBMS or subsystems, redirect to malware or scam," said the company in a statement.
According to the firm, the vulnerability was reported in November 2017, with further communications between the security company and Adobe in February to April this year. The final cause of the zero-day vulnerability was identified in May.
Researchers at Vulnerability Laboratory said that Adobe’s CERT team prevented the attack vector temporarily by modification of a specific configuration for the malformed arbitrary requests.
Elliott Thompson, senior cyber-security consultant at SureCloud, told SC Media UK that there appears to be disagreement about the exact nature of the vulnerability.
"If Adobe is correct, the vulnerability could be used to potentially access browser session information of a limited number of users visiting a specific page. However if the vulnerability reporter is correct, the flaw would be extremely critical and could be used to extract personal data from a range of connected internal databases at Adobe," he said.
Paul Edon, director at Tripwire, told SC Media UK that with an arbitrary code injection under the right circumstances this means there is no real limit to what the attacker can achieve.
"They can run anything from a simple "dir" or "ls" command which allows them to view and help navigate your file system, to commands that reconfigure your systems to allow unauthorised port access, or that load a remotely accessible backdoor," he said.
"Defence against this kind of attack requires basic security hygiene. For example, best practise for any code development will require security reviews at several stages before release. Next, ensure you are running the most up-to-date software version, including all patches and bug fixes. Finally, implement a robust System Change Management and Monitoring program to ensure unauthorised changes are identified and dealt with as quickly and effectively as possible."