Adobe Illustrator EPS/DSC Comment BO

December 4, 2009

The Adobe Illustrator is a comprehensive vector graphics environment. It supports numerous vector file formats such as CDR, PDF, and PS/EPS, among others. PostScript (PS) is a programming language that is mostly utilized as a page description language in electronic and desktop publishing fields. Document Structuring Conventions (DSC) is a set of standards for PS that specifies a way to structure a PostScript file. A DSC conforming PostScript document is called an Encapsulated PostScript (EPS) file which is also used as a graphics file format. The EPS file can contain any combination of text, graphics, and images.

In EPS files, there are two required DSC comments, some conditionally required comments, and several programming guidelines. Each DSC comment in an EPS file starts with a '%' character and ends with the newline characters 'rn'. A snippet of an EPS file follows:

%!PS-Adobe-3.1 EPSF-3.0 %%Title: test.eps [...truncated...] 0 0 mo 0 140 li 140 140 li 140 0 li

A buffer overflow vulnerability exists in Adobe Illustrator when parsing EPS files. The vulnerability exists due to a boundary error while processing DSC comments in an EPS file. The vulnerable code fails to verify the length of the comment string while it's being copied into a static size buffer. As a result of this flaw, if a comment string is longer than a certain length, the copy operation can result in a function pointer being overwritten. A carefully constructed exploit can be made to divert the process flow of the vulnerable application.

Remote attackers can exploit this vulnerability by enticing target users to open a malicious EPS file with a vulnerable version of the affected product. Successful exploitation may allow execution of arbitrary code on the target host with the privileges of the logged in user.

SonicWALL has released two IPS signatures that detect and block known exploits that are targeting this vulnerability. The following signatures have been released:

  • 4152 - Adobe Illustrator EPS File DSC Comment BO Exploit
  • 4153 - Adobe Illustrator EPS File DSC Comment BO Exploit 2

The vulnerability has been assigned CVE-2009-4195 by Mitre.