Vulnerabilities > CVE-2016-6935 - Unquoted Search Path or Element vulnerability in Adobe Creative Cloud

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

adobe

CWE-428

nessus

NVD

Published: 2016-10-13

Updated: 2016-11-28

Summary

Unquoted Windows search path vulnerability in Adobe Creative Cloud Desktop Application before 3.8.0.310 on Windows allows local users to gain privileges via a Trojan horse executable file in the %SYSTEMDRIVE% directory.

Vulnerable Configurations

Part	Description	Count
Application	Adobe Adobe Creative Cloud - Adobe Creative Cloud 1.0.0.183 Adobe Creative Cloud 1.0.2.189 Adobe Creative Cloud 1.1.0.213 Adobe Creative Cloud 1.1.1.220 Adobe Creative Cloud 1.1.2.232 Adobe Creative Cloud 1.2.0.248 Adobe Creative Cloud 1.2.1.260 Adobe Creative Cloud 1.3.0.322 Adobe Creative Cloud 1.4.0.348 Adobe Creative Cloud 1.4.1.351 Adobe Creative Cloud 1.5.0.367 Adobe Creative Cloud 1.5.1.369 Adobe Creative Cloud 1.6.0.393 Adobe Creative Cloud 1.7.0.413 Adobe Creative Cloud 1.7.1.418 Adobe Creative Cloud 1.8.0.447 Adobe Creative Cloud 1.9.0.465 Adobe Creative Cloud 1.9.1.474 Adobe Creative Cloud 2.0.0.74 Adobe Creative Cloud 2.0.1.88 Adobe Creative Cloud 2.1 Adobe Creative Cloud 2.1.1.110 Adobe Creative Cloud 2.1.3.121 Adobe Creative Cloud 2.2.0.129 Adobe Creative Cloud 2.3.0.151 Adobe Creative Cloud 3.4.1.181 Adobe Creative Cloud 3.4.2.187 Adobe Creative Cloud 3.4.3.189 Adobe Creative Cloud 3.5.0.206 Adobe Creative Cloud 3.5.1.209 Adobe Creative Cloud 3.6.0.244 Adobe Creative Cloud 3.6.0.248 Adobe Creative Cloud 3.7.0.272	34

Common Weakness Enumeration (CWE)

CWE-428 - Unquoted Search Path or Element

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

NASL family	Windows
NASL id	ADOBE_CREATIVE_CLOUD_3_8_0_310.NASL
description	The version of Adobe Creative Cloud Desktop installed on the remote Windows host is prior to 3.8.0.310. It is, therefore, affected by a privilege escalation vulnerability due to an unquoted search path. A local attacker can exploit this, via a malicious executable in the root path, to elevate privileges. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-06-01
modified	2020-06-02
plugin id	94055
published	2016-10-13
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/94055
title	Adobe Creative Cloud Desktop < 3.8.0.310 Unquoted Search Path Local Privilege Escalation (APSB16-34)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(94055); script_version("1.8"); script_cvs_date("Date: 2019/11/14"); script_cve_id("CVE-2016-6935"); script_bugtraq_id(93489); script_name(english:"Adobe Creative Cloud Desktop < 3.8.0.310 Unquoted Search Path Local Privilege Escalation (APSB16-34)"); script_summary(english:"Checks the version of Creative Cloud."); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote host is affected by privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The version of Adobe Creative Cloud Desktop installed on the remote Windows host is prior to 3.8.0.310. It is, therefore, affected by a privilege escalation vulnerability due to an unquoted search path. A local attacker can exploit this, via a malicious executable in the root path, to elevate privileges. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://helpx.adobe.com/security/products/creative-cloud/apsb16-34.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7c9d5190"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Creative Cloud Desktop version 3.8.0.310 or later."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6935"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/11"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:creative_cloud"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("adobe_creative_cloud_installed.nbin"); script_require_keys("installed_sw/Adobe Creative Cloud"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); app = 'Adobe Creative Cloud'; # Pull the installation information from the KB. install = get_single_install(app_name:app, exit_if_unknown_ver:TRUE); path = install['path']; version = install['version']; # For Adobe products, we compare the highest affected product, rather # than the "fixed" version, as there is an ambiguous gap between what # is considered affected and the fix. highest_affected = "3.7.0.272"; fix = "3.8.0.310"; if (ver_compare(ver:version, fix:highest_affected, strict:FALSE) <= 0) { port = get_kb_item("SMB/transport"); if (isnull(port)) port = 445; items = make_array("Installed version", version, "Fixed version", fix, "Path", path ); order = make_list("Path", "Installed version", "Fixed version"); report = report_items_str(report_items:items, ordered_fields:order); security_report_v4(port:port, extra:report, severity:SECURITY_HOLE); exit(0); } else audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

References