CVE-2008-2992
published 2008-11-04

Priority: high (CVSS 3.1 base score 7.8)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability (remediation due 2022-03-24)
Exploited in the wild
EPSS: 98.46% (99.9th percentile)
Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file that calls the util.printf JavaScript function with a crafted format string argument, a related issue to CVE-2008-1104.
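One way to triage PDFs for the pattern described above, as an added example that is not code from this page or from Adobe: the script inflates FlateDecode streams, pulls the format-string argument out of every util.printf call it can see, and flags any conversion whose field width or precision is implausibly large. The width threshold, the minimal PDF builder and the two JavaScript samples are constructed for this example; the suspect sample carries only an oversized width and no payload.

```python
import re
import zlib

# Heuristic threshold, chosen for this example: util.printf in legitimate PDF
# forms formats short on-screen strings and never needs field widths near this.
WIDTH_THRESHOLD = 1000

# util.printf("<format>", ...) with either quote style. The optional backslash
# before "(" tolerates the escaped parentheses used inside PDF literal strings.
UTIL_PRINTF_RE = re.compile(rb'util\s*\.\s*printf\s*\\?\(\s*(["\'])(.*?)\1', re.S)
# printf-style conversion: %[flags][width][.precision]<conversion letter>
FMT_SPEC_RE = re.compile(rb'%[-+ 0#]*(\d*)(?:\.(\d+))?[a-zA-Z]')
# stream ... endstream bodies (a trailing \r from \r\n line ends is tolerated by zlib)
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\nendstream', re.S)


def inflated_streams(pdf: bytes):
    """Yield the payload of every stream that inflates as zlib (FlateDecode)."""
    for m in STREAM_RE.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded; raw bytes are covered by scanning the file itself


def scan_blob(blob: bytes):
    """Return util.printf calls whose format string has an oversized width/precision."""
    findings = []
    for call in UTIL_PRINTF_RE.finditer(blob):
        fmt = call.group(2)
        for spec in FMT_SPEC_RE.finditer(fmt):
            width = int(spec.group(1) or 0)
            precision = int(spec.group(2) or 0)
            if max(width, precision) >= WIDTH_THRESHOLD:
                findings.append({"format": fmt.decode("latin-1"),
                                 "width": width, "precision": precision})
    return findings


def scan_pdf(pdf: bytes):
    """Scan the raw file (plain-text JavaScript) plus every inflated stream."""
    findings = scan_blob(pdf)
    for blob in inflated_streams(pdf):
        findings.extend(scan_blob(blob))
    return findings


def build_pdf(js: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF whose OpenAction runs `js` (test input, not a real sample)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 4 0 R /OpenAction 2 0 R >> endobj\n",
        b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n",
        b"3 0 obj << /Length " + str(len(body)).encode() + b" " + filt + b">>\nstream\n"
        + body + b"\nendstream\nendobj\n",
        b"4 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
    ]
    return b"%PDF-1.4\n" + b"".join(objs) + b"trailer << /Root 1 0 R >>\n%%EOF\n"


# Constructed samples. The benign one formats a total the way a form script would;
# the suspect one carries only an absurd field width and no payload of any kind.
BENIGN_JS = b'var s = util.printf("%d items, total %5.2f", n, total); app.alert(s);'
SUSPECT_JS = b'var num = 1.2; util.printf("%45000f", num);'

BENIGN_PDF = build_pdf(BENIGN_JS, compress=False)
SUSPECT_PDF_PLAIN = build_pdf(SUSPECT_JS, compress=False)
SUSPECT_PDF_FLATE = build_pdf(SUSPECT_JS, compress=True)

if __name__ == "__main__":
    for name, pdf in [("benign", BENIGN_PDF), ("suspect/plain", SUSPECT_PDF_PLAIN),
                      ("suspect/flate", SUSPECT_PDF_FLATE)]:
        print(name, scan_pdf(pdf))
```

This is a first-pass triage check, not a verdict: it only sees format strings that appear literally in the JavaScript, so a sample that assembles the string at run time or hides the script in hex-encoded /JS strings, object streams or other filters needs a proper PDF JavaScript extractor and emulation before the same width test can be applied.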

Affected (3 ranges)

Vendor   Product          Version range   Fixed in
adobe    acrobat          <= 8.1.2        -
adobe    acrobat_reader   <= 8.1.2        -
oracle   solaris          -               -

Detection & IOCs (extracted from sources)

url       hxxp://westcountry.ru:8080/google.com/deviantart.com/google.gr.php
url       furryentry.ru:8080/index.php?pid=1&home=1
url       furryentry.ru:8080/jquery.jxx?ver=2.1.5
url       furryentry.ru:8080/Notes1.pdf
url       hxxp://waxytooth.ru:8080/welcome.php?id=6&pid=1&hello=503
domain    westcountry.ru
domain    furryentry.ru
domain    waxytooth.ru
ip        213.186.47.177
ip        88.198.49.197
ip        94.23.220.163
ip        174.137.179.244
ip        188.72.212.104
ip        67.23.25.78
ip        67.223.233.101
ip        93.103.5.146
ip        86.49.83.234
port      8080
filename  Notes1.pdf
command   util.printf
  • CVE-2008-2992 is exploited via a crafted PDF that invokes the util.printf() JavaScript function with a malicious format string argument, triggering a stack-based buffer overflow in Adobe Acrobat/Reader 8.1.2 and earlier.
  • CVE-2008-2992 was bundled in the iPack crimeware exploit kit alongside other PDF exploits (CVE-2009-0927, CVE-2008-0655, CVE-2009-4324); detections should consider co-occurrence of these CVEs in the same malicious PDF.
  • Gumblar-related exploit PDFs used fast-flux DNS infrastructure with short TTLs across multiple providers; correlate DNS TTL anomalies with .ru domains that resolve to many IPs.
  • Sourcefire VRT (now Cisco Talos) released detection rules for CVE-2008-2992 on 2008-11-11; see vrt-rules-2008-11-11.html for Snort rule coverage.
  • Shellcode dropped by the CVE-2008-2992 exploit PDF beacons to a C2 URL with the query parameters id, pid and hello; monitor for outbound HTTP GET requests matching this pattern that originate from PDF reader processes.
  • Injected obfuscated JavaScript was found appended after the closing HTML tag on compromised pages; inspect page source beyond </html> for obfuscated JS as an indicator of Gumblar-style injection.
  • The compromised page (fdotfirstcoastouterbeltway.com/index.asp) serving the Gumblar exploit chain had been cleaned at the time of reporting; IOCs from that specific URL may no longer be active.
  • VirusTotal detection for the CVE-2008-2992 exploit PDF (Notes1.pdf) was very low at the time of analysis (1 of 41 vendors); AV-based detection alone is insufficient for this threat.
  • CVE-2008-2992 affects Adobe Acrobat and Reader 8.1.2 and earlier only; detections targeting newer versions are not applicable.
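The beacon, infrastructure and injected-script notes above turned into a runnable hunt, as an added example that is not part of this page or its sources: it walks constructed endpoint web telemetry, matches the id/pid/hello parameter set and the listed .ru hosts and port, and only lets the generic parameter set alert when the requesting process is a PDF reader; a second function checks a page body for script or obfuscation markers after its last closing </html>. The log schema, the process-name list and every sample line are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Infrastructure taken from the IOC list on this page.
IOC_DOMAINS = {"westcountry.ru", "furryentry.ru", "waxytooth.ru"}
IOC_PORT = 8080
# Query parameters the notes attribute to the shellcode's C2 beacon.
BEACON_PARAMS = {"id", "pid", "hello"}
# Process names treated as PDF readers (assumed list for this example).
PDF_READERS = {"acrord32.exe", "acrobat.exe"}

# Constructed endpoint web telemetry, not real data. Assumed schema:
# timestamp,host,process,method,url
SAMPLE_LOG = """\
2009-05-20T10:01:02Z,ws17,chrome.exe,GET,http://example.com/index.html
2009-05-20T10:01:09Z,ws17,acrord32.exe,GET,hxxp://waxytooth.ru:8080/welcome.php?id=6&pid=1&hello=503
2009-05-20T10:02:11Z,ws22,iexplore.exe,GET,http://furryentry.ru:8080/index.php?pid=1&home=1
2009-05-20T10:03:44Z,ws31,acrord32.exe,GET,http://updates.example.org/reader/version.txt
2009-05-20T10:04:00Z,ws31,firefox.exe,GET,http://shop.example.net/cart?id=4&pid=2&hello=world
"""


def refang(url: str) -> str:
    """Turn a defanged hxxp:// URL back into http:// so it parses."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def url_reasons(url: str):
    """Indicator matches for one URL, in a fixed order."""
    u = urlsplit(refang(url))
    host = (u.hostname or "").lower()
    port = u.port or (443 if u.scheme == "https" else 80)
    params = set(parse_qs(u.query, keep_blank_values=True))
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("ioc-domain")
    if port == IOC_PORT:
        reasons.append("port-8080")
    if BEACON_PARAMS <= params:
        reasons.append("beacon-params")
    return reasons


def hunt(log_text: str):
    """A line is a hit on a known domain, or on the beacon parameter set when the
    request comes from a PDF reader; the parameter set alone is too generic to alert on."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, process, method, url = line.split(",", 4)
        reasons = url_reasons(url)
        pdf_origin = process.lower() in PDF_READERS
        if "ioc-domain" in reasons or ("beacon-params" in reasons and pdf_origin):
            if pdf_origin:
                reasons.append("pdf-reader-origin")
            hits.append({"ts": ts, "host": host, "process": process,
                         "url": url, "reasons": reasons})
    return hits


def script_after_html_close(page: str) -> bool:
    """Gumblar-style injection check: script or obfuscation markers after the last </html>."""
    idx = page.lower().rfind("</html>")
    if idx < 0:
        return False
    tail = page[idx + len("</html>"):]
    return re.search(r"<script\b|eval\s*\(|unescape\s*\(|fromCharCode", tail, re.I) is not None


# Constructed page bodies for the injection check (the unescape payload spells "document").
CLEAN_PAGE = "<html><body><p>Welcome</p></body></html>\n"
INJECTED_PAGE = CLEAN_PAGE + "<script>eval(unescape('%64%6f%63%75%6d%65%6e%74'));</script>"

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit["host"], hit["process"], hit["url"], hit["reasons"])
    print("injected:", script_after_html_close(INJECTED_PAGE),
          "clean:", script_after_html_close(CLEAN_PAGE))
```

The process check is what keeps the parameter-set rule usable: id, pid and hello are ordinary query names, so the last sample line (a browser hitting a shop) is deliberately not a hit, while the same parameters from acrord32.exe are. Domain and IP indicators from 2009 infrastructure should be treated as historical and retired once they no longer resolve.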

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck       -         7.8     HIGH       -
cisa            -         7.8     HIGH       -
vendor_redhat   -         9.3     CRITICAL   -