CVE-2010-3154

Vulnerability

Adobe Extension Manager CS5 version 5.0.298 suffers from an untrusted search path vulnerability [1]. When loading a .mxi or .mxp extension file, the application searches for and loads the dwmapi.dll library from the current working directory before the system directory. If an attacker can place a malicious dwmapi.dll in the same folder as a crafted extension file, the DLL will be loaded, leading to arbitrary code execution.

Exploitation

Exploitation requires the attacker to create a malicious dwmapi.dll (compiled as a DLL that executes arbitrary code) and a .mxi or .mxp file, then place both in the same directory [1]. The victim must open the extension file using Adobe Extension Manager CS5 from that directory. The vulnerability is local; however, it could be triggered remotely if the victim downloads an extension package containing the malicious DLL and opens it.

Impact

Successful exploitation allows the attacker to execute arbitrary code in the context of the user running Adobe Extension Manager CS5 [1]. This can lead to full compromise of the affected system, depending on user privileges.

Mitigation

As of the publication date (August 2010), no official patch from Adobe is mentioned in the available references [1]. Users should avoid opening extension files from untrusted sources and ensure that the dwmapi.dll loaded by the application is from a trusted system directory. Workarounds include placing extension files in a trusted location or using a tool like Microsoft's Application Compatibility Toolkit to fix the DLL load order.