CVE-2007-5659
Published: 2008-02-12
CVSS 3.1: 7.8 (High), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability (remediation due 2022-06-22)
Exploited in the wild
EPSS: 94.22% (99.8th percentile)
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | < 8.1.2 | 8.1.2 |
| adobe | acrobat_reader | < 8.1.2 | 8.1.2 |
Detection & IOCs (extracted from sources)
- bytes: %u9090 (NOP sled via unescape heap spray)
- bytes: %u0909%u0909 repeated 4096 times in msg argument
- Detect PDF files containing a JavaScript call to Collab.collectEmailInfo() with an oversized 'msg' argument (e.g., 4096+ repeated units) as the exploit trigger for CVE-2007-5659.
- Look for heap spray patterns in PDF-embedded JavaScript using unescape('%u9090') NOP sleds combined with Collab.collectEmailInfo() calls.
- CVE-2007-5659 is exploited via the Collab.collectEmailInfo() JavaScript method in Adobe Reader/Acrobat 8.1.1 and earlier; the target platform is Windows. Detections should focus on PDF files embedding this JS method with long string arguments.
- CVE-2007-5659 is frequently combined with CVE-2008-2992 (Util.printf), CVE-2009-0927 (Collab.getIcon), and CVE-2009-4324 (this.media.newPlayer) in multi-exploit malicious PDF campaigns; detection of any one should prompt scanning for the others.
- Malicious PDFs exploiting CVE-2007-5659 may use heavily obfuscated JavaScript (XOR encoding, multi-layer eval, String.fromCharCode array substitution) to evade AV; low VirusTotal detection rates (~5%) are reported for such samples.
- The Metasploit module targets specifically Adobe Reader v8.1.1 on Windows XP SP0-SP3 English; the exploit may not work reliably against other service pack levels or non-English locales without retargeting the return address.
- The payload space is limited to 1024 bytes and null bytes (\x00) are bad characters; shellcode used in exploitation must be encoded to avoid null bytes.
- NVD notes this issue might be subsumed by CVE-2008-0655, meaning some vendor advisories and patches may track this vulnerability under the later CVE instead.
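A scanner for the trigger pattern described in these notes, added here as an example; it is not code from this page or from any of the vendors it cites. It assumes the cut-offs (4096 %uXXXX units or 8192 bytes in the msg literal) and builds its own minimal PDF samples inline, so it runs offline.

```python
import re
import zlib

# Trigger heuristics taken from the detection notes above. Thresholds are
# assumptions for this example, derived from the "4096 repeated units" IOC.
COLLAB_RE = re.compile(rb"Collab\s*\.\s*collectEmailInfo\s*\(", re.IGNORECASE)
MSG_ARG_RE = re.compile(rb"msg\s*:\s*([^,}]+)", re.IGNORECASE)   # msg: <literal>
UNIT_RE = re.compile(rb"%u[0-9a-fA-F]{4}")                        # one unescape unit
NOP_SLED_RE = re.compile(rb"unescape\s*\(\s*['\"](?:%u9090)+['\"]\s*\)", re.IGNORECASE)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
MSG_UNIT_THRESHOLD = 4096   # %uXXXX units in the msg literal
MSG_BYTE_THRESHOLD = 8192   # raw bytes of the msg literal (plain long strings)

def extract_streams(pdf: bytes) -> list:
    """Return every stream body, inflating FlateDecode streams where possible."""
    bodies = []
    for m in STREAM_RE.finditer(pdf):
        try:   # decompressobj ignores trailing bytes such as a stray '\r'
            bodies.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            bodies.append(m.group(1))   # not zlib-compressed: scan as-is
    return bodies

def scan_pdf(pdf: bytes) -> dict:
    """Report CVE-2007-5659 trigger indicators in a PDF's embedded JavaScript."""
    f = {"collab_call": False, "oversized_msg": False, "nop_sled": False}
    for body in [pdf] + extract_streams(pdf):        # raw file plus inflated streams
        for call in COLLAB_RE.finditer(body):
            f["collab_call"] = True
            arg = MSG_ARG_RE.search(body, call.end())  # first msg: after this call
            if arg and (len(UNIT_RE.findall(arg.group(1))) >= MSG_UNIT_THRESHOLD
                        or len(arg.group(1)) >= MSG_BYTE_THRESHOLD):
                f["oversized_msg"] = True
        if NOP_SLED_RE.search(body):
            f["nop_sled"] = True
    # A bare Collab.collectEmailInfo() call is legitimate; flag only with an oversized argument or a sled.
    f["suspicious"] = f["collab_call"] and (f["oversized_msg"] or f["nop_sled"])
    return f

def build_sample_pdf(js: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF that runs `js` from an OpenAction (test input only)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    return (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << " + filt + b"/Length " + str(len(body)).encode() + b" >>\n"
            b"stream\n" + body + b"\nendstream\nendobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

# Constructed samples: the repeated-%u0909 msg argument and %u9090 sled from the
# IOC notes (no shellcode, nothing executable), and a benign alert() script.
SPRAY_JS = (b'var sled = unescape("%u9090%u9090");\n'
            b'Collab.collectEmailInfo({subj: "", msg: unescape("'
            + b"%u0909%u0909" * 4096 + b'")});')
BENIGN_JS = b'app.alert("Thank you for reading this document.");'
```

Obfuscated samples (eval chains, String.fromCharCode arrays) need the script deobfuscated first; this scanner only sees literals that survive stream inflation.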
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
GHSA
GHSA-xjr9-phw2-2wjx: Multiple buffer overflows in Adobe Reader and Acrobat 8
ghsa_unreviewed · 2022-05-01 · CVSS 9.8 [CRITICAL] · CWE-119
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
VulnCheck
Adobe Acrobat and Reader Buffer Overflow Vulnerability
vulncheck · 2007 · CVSS 7.8 [HIGH] · CWE-119
Adobe Acrobat and Reader contain a buffer overflow vulnerability that allows remote attackers to execute code via a PDF file with long arguments to unspecified JavaScript methods.
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://web.archive.org/web/20090323012515/http://securitylabs.websense.com/content/Alerts/3326.aspx
- https://blog.talosintelligence.com/acrobat-javascript-blacklist-framework/
- https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wham-bam-the-cutwailblackhole-combo/
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vu
CISA
Adobe Acrobat and Reader Buffer Overflow Vulnerability
cisa · 2022-06-08 · CVSS 7.8 [HIGH] · CWE-119
Adobe Acrobat and Reader contain a buffer overflow vulnerability that allows remote attackers to execute code via a PDF file with long arguments to unspecified JavaScript methods.
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2007-5659
Remediation Due Date: 2022-06-22
Red Hat
acroread Multiple buffer overflows
vendor_redhat · 2008-02-08 · CVSS 7.8 [HIGH]
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
No detection rules found.
Exploit-DB
Adobe - 'Collab.collectEmailInfo()' Local Buffer Overflow (Metasploit)
exploitdb · 2010-09-25
---
```ruby
##
# $Id: adobe_collectemailinfo.rb 10477 2010-09-25 11:59:02Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'zlib'

# Class header and initialize() opener restored; extraction had stripped
# everything between '<' and '>'. The listing is truncated below in the source.
class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Adobe Collab.collectEmailInfo() Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.
				By creating a specially crafted pdf that contains a malformed Collab.collectEmailInfo() call,
				an attacker may be able to execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'A
```
Exploit-DB
Adobe Acrobat and Reader 8.1.1 - Multiple Arbitrary Code Execution / Security Vulnerabilities
exploitdb · 2008-02-06
---
source: https://www.securityfocus.com/bid/27641/info
Adobe Acrobat and Reader are prone to multiple arbitrary remote code-execution and security vulnerabilities.
Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Other attacks are also possible.
Versions prior to Adobe Acrobat and Adobe Reader 8.1.2 are vulnerable to these issues.
```javascript
// Returns `what` concatenated `count` times.
function repeat(count, what) {
  var v = "";
  while (--count >= 0) v += what;
  return v;
}

// Heap spray: fills memory with blocks of %u9090 NOP sleds (the pattern
// listed under Detection & IOCs). The listing is truncated in the source.
function heapspray(shellcode) {
  block = '';
  fillblock = unescape("%u9090");
  while (block.length + 20 + shellcode.length < 0x40000)
    block = block + block + fillblock;
  arr = new Array();
  for (i = 0; i < 200; i++) arr[i] = block +
```
Metasploit
Adobe Collab.collectEmailInfo() Buffer Overflow
metasploit
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1. By creating a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call, an attacker may be able to execute arbitrary code.
arXiv
Machine Learning With Feature Selection Using Principal Component Analysis for Malware Detection: A Case Study
arxiv_fulltext · 2019-02-10
Jason Zhang, Ph.D., Senior Threat Researcher, Sophos, Abingdon OX14 3YP, U.K.
## Abstract
Cyber security threats have been growing significantly in both volume and sophistication over the past decade. This poses great challenges to malware detection without considerable automation. In this paper, we have proposed a novel approach by extending our recently suggested artificial neural network (ANN) based model with feature selection using the principal component analysis (PCA) technique for malware detection. The effectiveness of the approach has been successfully demonstrated with the application in PDF malware detection. A varying number of principal components is examined in the comparative study. Our evaluation shows that the model with PCA can signif
arXiv
MLPdf: An Effective Machine Learning Based Approach for PDF Malware Detection
arxiv_fulltext · 2018-08-21
Jason Zhang, Ph.D., Senior Threat Researcher, Sophos, Abingdon OX14 3YP, U.K.
## Abstract
Due to the popularity of portable document format (PDF) and increasing number of vulnerabilities in major PDF viewer applications, malware writers continue to use it to deliver malware via web downloads, email attachments and other methods in both targeted and non-targeted attacks. The topic on how to effectively block malicious PDF documents has received huge research interests in both cyber security industry and academia with no sign of slowing down. In this paper, we propose a novel approach based on a multilayer perceptron (MLP) neural network model, termed MLP_df, for the detection of PDF based malware. More specifically, the MLP_df model uses a backpropagatio
Zscaler
PDF Exploit: Number Of Pages Is The Key | Zscaler
blogs_zscaler · 2010-08-04
Zscaler
ATECH-SAGADE Badness - Malicious .IN Campaign | Zscaler Blog
blogs_zscaler · 2010-07-15
Zscaler
More And More Obfuscation Being Used In The Malicious Script
blogs_zscaler · 2010-05-07
Zscaler
Malicious JavaScript targets 3 Old Vulnerabilities | Zscaler
blogs_zscaler · 2010-03-08 · CVSS 7.8 [HIGH]
Talos
The Acrobat JavaScript Blocklist Framework
blogs_talos · 2010-01-20
Adobe recently announced and released the Adobe Reader and Acrobat JavaScript Blocklist Framework. I've had a little bit of time to play with it and would just like to share my thoughts. First of all, I am very pleased with this new blocklisting feature. Until now, when we knew about a 0-day being actively exploited in the wild using JavaScript in some manner, we would just turn off JavaScript in Adobe products (Reader, Acrobat, etc...) altogether. Personally, I could live without having JavaScript in my documents, but that's a totally different discussion. I understand why some people might want that feature for their PDF documents and why for them at least, turning JavaScript completely off would not be an option. So let's say, for example, that you are running Adobe Reader 9.2.0 which i
Bugzilla
CVE-2007-5659 acroread Multiple buffer overflows
bugzilla · 2008-02-13 · CVSS 7.8 [HIGH]
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5659 to the following vulnerability:
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
References:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657
http://www.adobe.com/support/security/advisories/apsa08-01.html
Discussion:
This issue was addressed in:
Red Hat Enterprise Linux Extras:
http://rhn.redhat.com/errata/RHSA-2008-0144.html
---
Reporter changed to [email protected] by request of Jay Turner.
References
- http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657
- http://secunia.com/advisories/29065
- http://secunia.com/advisories/29205
- http://secunia.com/advisories/30840
- http://security.gentoo.org/glsa/glsa-200803-01.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-239286-1
- http://www.adobe.com/support/security/advisories/apsa08-01.html
- http://www.adobe.com/support/security/bulletins/apsb08-13.html
- http://www.kb.cert.org/vuls/id/666281
- http://www.redhat.com/support/errata/RHSA-2008-0144.html
- http://www.us-cert.gov/cas/techalerts/TA08-043A.html
- http://www.vupen.com/english/advisories/2008/1966/references
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9813
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2007-5659

Timeline
- 2008-02-12: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild