CVE-2007-5659
published 2008-02-12


Priority: P182 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 94.22% (99.8th percentile)
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.

Affected

2 ranges
Vendor | Product        | Version range | Fixed in
adobe  | acrobat        | < 8.1.2       | 8.1.2
adobe  | acrobat_reader | < 8.1.2       | 8.1.2

Detection & IOCs (extracted from sources)

command: Collab.collectEmailInfo()
command: Collab.collectEmailInfo({msg:repeat(4096, unescape("%u0909%u0909"))})
bytes: %u9090 (NOP sled via unescape heap spray)
bytes: %u0909%u0909 repeated 4096 times in msg argument
  • Detect PDF files containing a JavaScript call to Collab.collectEmailInfo() with an oversized 'msg' argument (e.g., 4096+ repeated units) as the exploit trigger for CVE-2007-5659.
  • Look for heap spray patterns in PDF-embedded JavaScript using unescape('%u9090') NOP sleds combined with Collab.collectEmailInfo() calls.
  • CVE-2007-5659 is exploited via the Collab.collectEmailInfo() JavaScript method in Adobe Reader/Acrobat 8.1.1 and earlier; target platform is Windows. Detections should focus on PDF files embedding this JS method with long string arguments.
  • CVE-2007-5659 is frequently combined with CVE-2008-2992 (Util.printf), CVE-2009-0927 (Collab.getIcon), and CVE-2009-4324 (this.media.newPlayer) in multi-exploit malicious PDF campaigns; detection of any one should prompt scanning for the others.
  • Malicious PDFs exploiting CVE-2007-5659 may use heavily obfuscated JavaScript (XOR encoding, multi-layer eval, String.fromCharCode array substitution) to evade AV; low VirusTotal detection rates (~5%) are reported for such samples.
  • The Metasploit module specifically targets Adobe Reader v8.1.1 on Windows XP SP0-SP3 English; the exploit may not work reliably against other service pack levels or non-English locales without retargeting the return address.
  • The payload space is limited to 1024 bytes and null bytes (\x00) are bad characters; shellcode used in exploitation must be encoded to avoid null bytes.
  • NVD notes this issue might be subsumed by CVE-2008-0655, meaning some vendor advisories and patches may track this vulnerability under the later CVE instead.
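
The detection notes above, sketched as a triage check. This is an added example, not code from the sources this entry cites or from any vendor. It assumes the JavaScript has already been extracted from the PDF and its streams decompressed; the function names, the sample strings and the use of 4096 as a threshold are assumptions made for illustration.

```python
import re

# Acrobat JavaScript methods named on this page, keyed by the CVE each is tied to.
METHODS = {
    "CVE-2007-5659": r"Collab\s*\.\s*collectEmailInfo",
    "CVE-2008-2992": r"util\s*\.\s*printf",
    "CVE-2009-0927": r"Collab\s*\.\s*getIcon",
    "CVE-2009-4324": r"media\s*\.\s*newPlayer",
}
# unescape() fed the %u9090 / %u0909 filler units listed under "bytes" above.
FILLER = re.compile(r"unescape\s*\(\s*[\"'](?:%u(?:9090|0909))+", re.I)
MSG_UNITS = 4096  # assumed threshold, from the page's "4096+ repeated units"

def call_args(js, open_paren):
    """Text between the parenthesis at js[open_paren] and its match.
    Heuristic: parentheses inside string literals are not special-cased."""
    depth = 0
    for i in range(open_paren, len(js)):
        depth += {"(": 1, ")": -1}.get(js[i], 0)
        if depth == 0:
            return js[open_paren + 1:i]
    return js[open_paren + 1:]  # unterminated call: use the remainder

def oversized_msg(args):
    """True if a msg argument carries a long literal or a large repeat count."""
    if not re.search(r"\bmsg\b", args):
        return False
    literals = re.findall(r"([\"'])(.*?)\1", args, re.S)
    longest = max((len(s) for _, s in literals), default=0)
    counts = [int(n) for n in re.findall(r"\b\d+\b", args)]
    return longest >= MSG_UNITS or any(n >= MSG_UNITS for n in counts)

def scan(js):
    """Triage extracted PDF JavaScript; returns which indicators are present."""
    call = re.compile(METHODS["CVE-2007-5659"] + r"\s*\(", re.I)
    calls = [call_args(js, m.end() - 1) for m in call.finditer(js)]
    return {
        "methods": sorted(c for c, rx in METHODS.items() if re.search(rx, js, re.I)),
        "oversized_msg": any(oversized_msg(a) for a in calls),
        "filler": bool(FILLER.search(js)),
    }

# Constructed inputs: the first is the call quoted on this page, the others are benign.
TRIGGER = 'Collab.collectEmailInfo({msg:repeat(4096, unescape("%u0909%u0909"))})'
BENIGN = 'Collab.collectEmailInfo({subj: "Review", msg: "Please see attached."});'
OTHERS = 'util.printf("%d", 1); this.media.newPlayer(null);'

if __name__ == "__main__":
    for name, js in (("trigger", TRIGGER), ("benign", BENIGN), ("others", OTHERS)):
        print(name, scan(js))
```

A method name on its own is weak evidence, since these calls have legitimate uses; the oversized-argument and filler flags are what separate the quoted trigger from the benign call. Scripts obfuscated in the ways the notes list must be deobfuscated before a string-level check like this one sees anything.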

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 7.8   | HIGH     | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck     |         | 7.8   | HIGH     |
cisa          |         | 7.8   | HIGH     |
vendor_redhat |         | 7.8   | HIGH     |