Vulnerabilities > CVE-2016-1034 - Arbitrary File Read and Write vulnerability in Adobe Creative Cloud

047910
CVSS 9.4 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
NONE
network
low complexity
adobe
critical
nessus

Summary

The Sync Process in the JavaScript API for Creative Cloud Libraries in Adobe Creative Cloud Desktop Application before 3.6.0.244 allows remote attackers to read or write to arbitrary files via unspecified vectors.

Nessus

  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_ADOBE_CREATIVE_CLOUD_3_6_0_244.NASL
    descriptionThe version of Adobe Creative Cloud installed on the remote Mac OS X host is prior or equal to 3.5.1.209. It is, therefore, affected by a flaw in the JavaScript API for Creative Cloud Libraries due to an exposed service. An unauthenticated, remote attacker can exploit this to read or write arbitrary files on the host file system.
    last seen2020-06-01
    modified2020-06-02
    plugin id91387
    published2016-05-31
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91387
    titleAdobe Creative Cloud <= 3.5.1.209 Arbitrary File Read/Write Vulnerability (Mac OS X)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(91387);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/19");
    
      script_cve_id("CVE-2016-1034");
      script_bugtraq_id(86001);
      script_xref(name:"ZDI", value:"ZDI-16-235");
    
      script_name(english:"Adobe Creative Cloud <= 3.5.1.209 Arbitrary File Read/Write Vulnerability (Mac OS X)");
      script_summary(english:"Checks the version of Creative Cloud.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote host is affected by an
    arbitrary file read/write vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Adobe Creative Cloud installed on the remote Mac OS X
    host is prior or equal to 3.5.1.209. It is, therefore, affected by a
    flaw in the JavaScript API for Creative Cloud Libraries due to an
    exposed service. An unauthenticated, remote attacker can exploit this
    to read or write arbitrary files on the host file system.");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/creative-cloud/apsb16-11.html");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-16-235/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Adobe Creative Cloud version 3.6.0.244 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1034");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:creative_cloud");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("macosx_adobe_creative_cloud_installed.nbin");
      script_require_keys("Host/local_checks_enabled", "Host/MacOSX/Version", "installed_sw/Creative Cloud");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("audit.inc");
    include("install_func.inc");
    
    if (!get_kb_item("Host/local_checks_enabled"))
      audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    os = get_kb_item('Host/MacOSX/Version');
    if (!os)
      audit(AUDIT_OS_NOT, 'Mac OS X');
    
    app = 'Creative Cloud';
    
    install=get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
    
    product = install['name'];
    path    = install['path'];
    version = install['version'];
    
    ## For Adobe products, we compare the highest affected product, rather
    # than the "fixed" version, as there is an ambiguous gap between what
    # is considered affected and the fix.
    highest_affected = "3.5.1.209";
    fix = '3.6.0.244';
    
    if (ver_compare(ver:version, fix:highest_affected, strict:FALSE) <= 0)
    {
       items = make_array("Installed version", version,
                         "Fixed version", fix,
                         "Path", path
                        );
    
      order = make_list("Path", "Installed version", "Fixed version");
      report = report_items_str(report_items:items, ordered_fields:order);
    
      security_report_v4(port:0, extra:report, severity:SECURITY_HOLE);
      exit(0);
    }
    else
      audit(AUDIT_INST_VER_NOT_VULN, "Adobe " + app, version, path);
    
  • NASL familyWindows
    NASL idADOBE_CREATIVE_CLOUD_3_6_0_244.NASL
    descriptionThe version of Adobe Creative Cloud installed on the remote Windows host is prior or equal to 3.5.1.209. It is, therefore, affected by a flaw in the JavaScript API for Creative Cloud Libraries due to an exposed service. An unauthenticated, remote attacker can exploit this to read or write arbitrary files on the host file system.
    last seen2020-06-01
    modified2020-06-02
    plugin id91386
    published2016-05-31
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91386
    titleAdobe Creative Cloud <= 3.5.1.209 Arbitrary File Read/Write Vulnerability
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(91386);
      script_version("1.7");
      script_cvs_date("Date: 2019/11/19");
    
      script_cve_id("CVE-2016-1034");
      script_bugtraq_id(86001);
      script_xref(name:"ZDI", value:"ZDI-16-235");
    
      script_name(english:"Adobe Creative Cloud <= 3.5.1.209 Arbitrary File Read/Write Vulnerability");
      script_summary(english:"Checks the version of Creative Cloud.");
    
      script_set_attribute(attribute:"synopsis", value:
    "An application installed on the remote host is affected by an
    arbitrary file read/write vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The version of Adobe Creative Cloud installed on the remote Windows
    host is prior or equal to 3.5.1.209. It is, therefore, affected by a
    flaw in the JavaScript API for Creative Cloud Libraries due to an
    exposed service. An unauthenticated, remote attacker can exploit this
    to read or write arbitrary files on the host file system.");
      script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/creative-cloud/apsb16-11.html");
      script_set_attribute(attribute:"see_also", value:"http://www.zerodayinitiative.com/advisories/ZDI-16-235/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Adobe Creative Cloud version 3.6.0.244 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-1034");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/04/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/31");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:creative_cloud");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("adobe_creative_cloud_installed.nbin");
      script_require_keys("installed_sw/Adobe Creative Cloud");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("install_func.inc");
    
    app = 'Adobe Creative Cloud';
    
    # Pull the installation information from the KB.
    install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);
    
    path = install['path'];
    version = install['version'];
    
    # For Adobe products, we compare the highest affected product, rather
    # than the "fixed" version, as there is an ambiguous gap between what
    # is considered affected and the fix.
    highest_affected = "3.5.1.209";
    fix = "3.6.0.244";
    
    if (ver_compare(ver:version, fix:highest_affected, strict:FALSE) <= 0)
    {
      port = get_kb_item("SMB/transport");
      if (isnull(port))
        port = 445;
    
      items = make_array("Installed version", version,
                         "Fixed version", fix,
                         "Path", path
                        );
    
      order = make_list("Path", "Installed version", "Fixed version");
      report = report_items_str(report_items:items, ordered_fields:order);
    
      security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);
      exit(0);
    
    }
    else
      audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);