CVE-2012-2052
Published 2014-06-19
Priority P2 65 · critical · CVSS 2.0: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 23.32% (97.5th percentile)
Stack-based buffer overflow in the U3D.8BI library plugin in Adobe Photoshop CS5 12.x before 12.0.5 and CS5.1 12.1.x before 12.1.1 allows remote attackers to execute arbitrary code via a long Collada asset element in a DAE file, as demonstrated by the cameraYFov value in the contributor comments element.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | photoshop_cs5 | — | — |
| adobe | photoshop_cs5 | — | — |
| adobe | photoshop_cs5 | — | — |
| adobe | photoshop_cs5 | — | — |
| adobe | photoshop_cs5 | — | — |
| adobe | photoshop_cs5.1 | — | — |
Detection & IOCs
bytes
aaaabbbA<EIP>ccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrrrssssttttuuuuvvvvwwwwxxxxyyyy
- Detect DAE (Collada) files with abnormally long contributor comment strings, specifically oversized cameraYFov values, as these trigger the stack overflow in U3D.8BI when opened in Adobe Photoshop CS5/CS5.1.
- Flag DAE files where the contributor comments element contains a string of 170+ repeated characters immediately preceding 'cameraYFov=1;', followed by ~1400 bytes of padding, a pattern consistent with stack-smashing exploit construction.
- Monitor the Photoshop process for stack-based EIP overwrite patterns; the exploit overwrites the return address (EIP) after a fixed 170-byte prefix followed by 'cameraYFov=1;' and ~1400 bytes of controlled data.
- Inspect DAE files for the Collada Maya export options header string as a delivery vehicle; malicious files mimic legitimate Maya/ColladaMaya exports to appear benign.
- Vulnerable versions are strictly Adobe Photoshop CS5 12.x before 12.0.5 and CS5.1 12.1.x before 12.1.1; patched versions are not affected.
- The overflow is triggered specifically through the U3D.8BI plugin; disabling or removing this plugin on unpatched systems reduces attack surface.
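The file-level checks listed above can be turned into a small scanner. The following is an added example, not a rule from this page's sources: the 170-character run length comes from the list above, while the 1024-byte length cut-off, the function names and both sample inputs are assumptions constructed for illustration.

```python
import re

RUN_LEN = 170           # from the page: "170+ repeated characters"
MAX_COMMENT_LEN = 1024  # assumed cut-off; tune against your own legitimate exports

# Tolerate a missing closing tag (truncated or deliberately malformed file).
COMMENTS_RE = re.compile(rb"<comments\b[^>]*>(.*?)(?:</comments\s*>|\Z)", re.I | re.S)
RUN_RE = re.compile(rb"(\S)\1{%d,}" % (RUN_LEN - 1))
KEY_RE = re.compile(rb"cameraYFov\s*=", re.I)


def scan_dae(data: bytes) -> list[str]:
    """Return the reasons a DAE byte string looks suspicious (empty list: nothing found)."""
    reasons = []
    for elem in COMMENTS_RE.finditer(data):
        body = elem.group(1)
        if len(body) > MAX_COMMENT_LEN:
            reasons.append(f"comments element is {len(body)} bytes long")
        for run in RUN_RE.finditer(body):
            reasons.append(f"run of {len(run.group(0))} x {run.group(1)!r}")
            if KEY_RE.match(body, run.end()):
                reasons.append("repeated run sits directly before cameraYFov=")
    return reasons


def scan_file(path: str) -> list[str]:
    """Scan a file on disk; raw bytes are used so malformed XML cannot break parsing."""
    with open(path, "rb") as fh:
        return scan_dae(fh.read())


# Constructed samples (not taken from a real file): only the comments fragment.
BENIGN = (b"<asset><contributor><comments>ColladaMaya export options: "
          b"bakeTransforms=0;cameraYFov=0;</comments></contributor></asset>")
SUSPICIOUS = (b"<asset><contributor><comments>" + b"A" * 170 + b"cameraYFov=1;"
              + b"B" * 1400 + b"</comments></contributor></asset>")

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, scan_dae(sample) or "clean")
```

Run it over inbound .dae attachments or shared asset folders with scan_file; a non-empty result is a reason to quarantine the file for review, not proof of an exploit.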
No detection rules found.
No writeups or analysis indexed.
- http://osvdb.org/show/osvdb/81832
- http://retrogod.altervista.org/9sg_photoshock_adv.htm
- http://retrogod.altervista.org/9sg_photoshock_u3d.htm
- http://seclists.org/bugtraq/2012/May/58
- http://secunia.com/advisories/49160
- http://www.adobe.com/support/security/bulletins/apsb12-11.html
- http://www.securityfocus.com/bid/53464