Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
talosblog[email protected] (Warren Mercer)TALOSBLOG:8DA4B49CA7D267AD1451D69EB77163CC
HistoryFeb 23, 2018 - 7:22 a.m.

Vulnerability Spotlight: Adobe Acrobat Reader DC Document ID Remote Code Execution Vulnerability

2018-02-2307:22:00
[email protected] (Warren Mercer)
feedproxy.google.com
149

0.216 Low

EPSS

Percentile

96.0%

JSON

Discovered by Aleksandar Nikolic of Cisco Talos

Overview

Today, Talos is releasing details of a new vulnerability within Adobe Acrobat Reader DC. Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.

A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader DC 2018.009.20044. This stack overflow can lead to return address overwrite which can result in arbitrary code execution. In order to trigger this vulnerability, the victim would need to open the malicious file or access a malicious web page.

TALOS-2017-0505 - Adobe Acrobat Reader DC Document ID Remote Code Execution Vulnerability (CVE-2018-4901)

Adobe Acrobat Reader DC supports embedded Javascript scripts in the PDF to allow for interactive PDF forms. This give the potential attacker the ability to precisely control memory layout and poses additional attack surface.

When parsing a PDF file with overly large Document ID field specified in the trailer, it is parsed correctly initially, but when it’s referenced in JavaScript, a stack-based buffer overflow can occur when encoding the bytes to a hex string. Detailed vulnerability information can be found here.

Known vulnerable versions

Adobe Acrobat Reader DC 2018.009.20044

Coverage

The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 45102-3

Related

zdi 1
prion 1
checkpoint_advisories 1
threatpost 1
talos 1
cve 1
openvas 12
adobe 1
nessus 4
zdi
zdi
Adobe Acrobat Pro DC ImageConversion EMF Parsing Out-Of-Bounds Read Information Disclosure Vulnerability
2018-06-26 00:00:00
prion
prion
Buffer overflow
2018-02-27 05:29:00
checkpoint_advisories
checkpoint_advisories
Adobe Acrobat and Reader Out-of-bounds write (APSB18-02: CVE-2018-4901)
2018-02-13 00:00:00
threatpost
threatpost
Remote Code Execution Bug Patched in Adobe Acrobat Reader DC
2018-02-27 12:46:07
talos
talos
Adobe Acrobat Reader DC Document ID Remote Code Execution Vulnerability
2018-02-23 00:00:00
cve
cve
CVE-2018-4901
2018-02-27 05:29:00
openvas
openvas
Adobe Acrobat DC (Classic Track) Multiple Vulnerabilities (APSB18-02) - Windows
2018-02-15 00:00:00
Adobe Acrobat Reader DC (Classic Track) Multiple Vulnerabilities (APSB18-02) - Windows
2018-02-15 00:00:00
Adobe Acrobat 2017 Multiple Vulnerabilities (APSB18-02) - Mac OS X
2018-02-15 00:00:00
adobe
adobe
APSB18-02 Security Updates available for Adobe Acrobat and Reader
2018-02-08 00:00:00
nessus
nessus
Adobe Acrobat < 2015.006.30413 / 2017.011.30078 / 2018.011.20035 Multiple Vulnerabilities (APSB18-02)
2018-02-15 00:00:00
Adobe Reader <= 2015.006.30394 / 2017.011.30070 / 2018.009.20050 Multiple Vulnerabilities (APSB18-02)
2018-02-15 00:00:00
Adobe Reader < 2015.006.30416 / 2017.011.30078 / 2018.011.20035 Multiple Vulnerabilities (APSB18-02) (macOS)
2018-02-15 00:00:00

0.216 Low

EPSS

Percentile

96.0%

JSON
Related for TALOSBLOG:8DA4B49CA7D267AD1451D69EB77163CC
zdi1prion1checkpoint_advisories1threatpost1talos1cve1openvas12adobe1nessus4