Adobe Premiere Clip v1.1.1 iOS - (cid:x) Filter Bypass & Persistent Software Vulnerability
PSIRT ID: 3721
Vulnerability Magazine: http://magazine.vulnerability-db.com/?q=articles/2015/11/18/adobe-premiere-clip-v111-ios-filter-bypass-persistent-software-vulnerability
Vulnerability Laboratory ID (VL-ID):
Common Vulnerability Scoring System:
Product & Service Introduction:
Adobe Premiere Clip is a free app that makes it fast and easy to create amazing videos. Capture the moment by shooting video on
the go, and then use Premiere Clip to bring clips together and add the finishing touches that make a video look and sound great.
Projects sync across your devices, so you can start on your iPhone and pick up where you left off on your iPad—and of course,
you can share from anywhere. Connected by the Adobe Creative Cloud, Premiere Clip makes video editing and sharing simple.
(Copy of the Vendor Homepage: https://itunes.apple.com/us/app/adobe-premiere-clip/id919399401 )
Abstract Advisory Information:
The Vulnerability Laboratory Research Team discovered an application-side software validation vulnerability and a filter bypass issue in the official Adobe Premiere Clip v1.1.1 iOS mobile web-application.
Vulnerability Disclosure Timeline:
2015-04-29: Researcher Notification & Coordination (Benjamin Kunz Mejri - Evolution Security GmbH)
2015-04-30: Vendor Notification (Adobe PSIRT Security Team)
2015-05-04: Vendor Response/Feedback (Adobe PSIRT Security Team)
2015-10-16: Vendor Fix/Patch #1 (Adobe Developer Team)
2015-10-22: Security Acknowledgements (Adobe PSIRT Security Team)
2015-11-12: Vendor Fix/Patch #2 (Adobe Developer Team)
2015-11-17: Security Bulletin (Adobe PSIRT Security Team) [Acknowledgements]
2015-11-18: Public Disclosure (Vulnerability Laboratory)
Product: Premiere Clip - iOS Mobile Web Application (API) 1.1.1
Technical Details & Description:
An application-side input validation web vulnerability has been discovered in the official Adobe Premiere Clip v1.1.1 iOS mobile web-application.
The issue affects the validation procedure of the adobe-creative cloud service that is in scope of the program after using the sync function.
The vulnerability allows an attacker to bypass the app filter and service validation to execute own malicious codes in a adobe creative cloud module.
The vulnerability is located in the project name value of the Adobe Premiere Clips iOS mobile web-application. Attackers are able
to inject via POST (remote) or Sync (local) own malicious file names. By usage of the share function in connection with a sync the
service generates a link to stream the context inside of the mail. The mail is wrong encoded and the cid:x value executes the
The adobe creative cloud service requests via the assets.adobe.com all synced file context. Remote attackers can for example include
a malicious project by manipulation of the project name. Thus allows remote attackers to inject a malicious project of the connected
cloud apps service to the assets library. After the sync via implement the creative cloud allows to share the context by the application
itself or via the mobile app. By opening the exchange method to share, the context executes in the mail body next to the adobe ``cid:x``>
value. Next to that a link is generated to adobe and can be prepared a second time the same way. The encoding of the share function
is broken in case of a sync implementation through another device. The names needs to be encoded and the context that is getting dumped
into the mail body needs to be parsed in a secure direction. The requests runs through the adobe clips, mobile api and adobe assets
service in the creative cloud app.
The bug is located in the input validation of the adobe premier clips app but after the sync the broken context is streamed to the creative
cloud service were you have also the ability to share the malicious context again by mail. The main problem is that the data is not getting
encoded on sync via cloud. That results in a bypass of the basic filter validation in the app and also the main online-service of adobe.
The security risk of the filter bypass and persistent validation vulnerability is estimated as medium with a cvss (common vulnerability scoring
system) count of 5.2. Exploitation of the persistent input validation web vulnerability requires a low privileged adobe user account with
restricted access and low user interaction. Successful exploitation of the vulnerability results in session hijacking, persistent phishing,
persistent external redirects to malicious source and persistent manipulation of affected or connected application modules (api).
Proof of Concept (PoC):
The vulnerability can be exploited by remote attackers with low privileged application user account and low or medium user interaction.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Install a creative adobe account and use a test browser with the proxy credentials
2. Start to login and choose one of the apps to sync you payload
3. Open the adobe premiere clip app
4. Inject as project a script code payload like bkm%20">%20>%20