CVE-2009-0658
published 2009-02-20

Priority: P1 · 80 · high
CVSS 3.1: 7.8 high (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Flags: in the wild (ITW) · public exploit · VulnCheck KEV
Exploited in the wild
EPSS: 87.72% (99.7th percentile)
Buffer overflow in Adobe Reader 9.0 and earlier, and Acrobat 9.0 and earlier, allows remote attackers to execute arbitrary code via a crafted PDF document, related to a non-JavaScript function call and possibly an embedded JBIG2 image stream, as exploited in the wild in February 2009 by Trojan.Pidief.E.

Affected (9 ranges; 7 listed)

Vendor   Product          Version range      Fixed in
adobe    acrobat          7.0 – 7.1.1
adobe    acrobat          8.0 – 8.1.4
adobe    acrobat_reader   >= 7.0 < 7.1.1     7.1.1
adobe    acrobat_reader   7.0 – 7.1.1
adobe    acrobat_reader   >= 8.0 < 8.1.3     8.1.3
adobe    acrobat_reader   8.0 – 8.1.4
adobe    acrobat_reader   >= 9.0 < 9.1       9.1

Two range notations are mixed here: the half-open ">= x < y" rows carry the fix version, while the inclusive "x – y" rows from another source include the patched release in the range. When matching installed versions, prefer the half-open rows.

Detection & IOCs (extracted from sources)

Type    Value
url     /wrl/first.pdf
ip      10.4.4.10
port    4444
other   Ret = 0x0166B550 (BIB.dll, Adobe Reader v9.0.0, Windows XP SP3 English); Ret*5 = 0x07018A90
other   Ret = 0x9B004870 (BIB.dll, Adobe Reader v8.1.2, Windows XP SP2 English); Ret*5 = 0x07017A30
bytes   \x00\x00\x00\x01 + $size (\x40\x00) + $factor (ABCD) + \x13 + 'A' x 8314

Caveat: the url, ip and port entries are test-harness values from the public exploit tooling, not attacker infrastructure. 10.4.4.10 is an RFC 1918 private address and 4444 is Metasploit's default LPORT, so neither is worth a block rule. The return addresses and the JBIG2 byte layout are the reusable artifacts.
  • Detect PDF files containing a JBIG2Decode filter stream with FlateDecode and ASCIIHexDecode encoding layers; this is the specific filter chain used in CVE-2009-0658 exploitation.
  • Detect PDF files with embedded JavaScript objects whose concatenated variable names exhibit high entropy; this is a heap-spray obfuscation indicator for this exploit.
  • Detect reverse TCP connect-back shellcode embedded inside unescape() calls within compressed JavaScript objects in PDF files.
  • The exploit PDF uses a crafted JBIG2 stream starting with bytes \x00\x00\x00\x01 followed by a 2-byte size field and a 4-byte factor field; look for this byte pattern inside JBIG2Decode stream objects.
  • The Metasploit module targets return addresses in BIB.dll (a single return into the module, not a ROP chain); monitor for PDF-triggered code execution that pivots through BIB.dll at the documented addresses.
  • The exploit was delivered in the wild by Trojan.Pidief.E; AV detections for this family name indicate the exploit PDF reached the host, so treat them as evidence of attempted exploitation of CVE-2009-0658.
  • The Metasploit module's heap spray uses randomized JavaScript variable names to evade static string matching; signature-based detection on variable names alone will miss obfuscated variants.
  • The exploit PDF uses multiple stacked encoding layers (FlateDecode + ASCIIHexDecode + JBIG2Decode); detection engines must inflate and decode all layers before inspecting the JBIG2 stream content.
  • The Metasploit JBIG2 module contained a bug that was discovered and fixed during research; older Metasploit-generated samples may differ from current exploit structure.
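The filter-chain, byte-pattern and unescape() checks in the bullets above, as an added example (this is not code from the CVE record, from Metasploit, or from Adobe): a small Python scanner that finds PDF stream objects, peels the ASCIIHexDecode and FlateDecode layers in the order the /Filter array gives them, stops at /JBIG2Decode and inspects the raw segment bytes, and separately flags decompressed streams that hand a long %u-escaped blob to unescape(). It builds a constructed sample PDF in memory so it runs offline; the stream contents are synthetic, not a real exploit. The 256-byte minimum run of 'A' and the 16-word minimum for unescape() are assumed thresholds.

```python
import binascii
import re
import zlib

# Byte layout the record attributes to the exploit's JBIG2 stream: segment
# number 1, a 2-byte size, a 4-byte "factor", 0x13, then a long run of 'A'.
# The 256-byte minimum run is an assumption to keep ordinary segments quiet.
JBIG2_PATTERN = re.compile(rb"\x00\x00\x00\x01.{2}.{4}\x13A{256,}", re.DOTALL)

# %u-escaped blobs passed to unescape(): the heap-spray / shellcode idiom the
# record describes. 16 words is an assumed minimum.
UNESCAPE_RE = re.compile(rb"unescape\(\s*[\"'](?:%u[0-9a-fA-F]{4}){16,}")

# A PDF stream object: its dictionary, then the raw bytes between the
# 'stream' and 'endstream' keywords.
STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\nendstream", re.DOTALL)


def filter_chain(dictionary):
    """Return the /Filter names in decode order, e.g.
    [b'/ASCIIHexDecode', b'/FlateDecode', b'/JBIG2Decode']."""
    m = re.search(rb"/Filter\s*(\[[^\]]*\]|/\w+)", dictionary)
    return re.findall(rb"/\w+", m.group(1)) if m else []


def peel(data, filters):
    """Undo the byte-level filters in order. Stops at the first filter it
    cannot undo (/JBIG2Decode is an image codec, so that is where the raw
    segment data gets inspected) and returns (remaining_filters, data)."""
    for i, f in enumerate(filters):
        if f == b"/ASCIIHexDecode":
            hexdata = re.sub(rb"\s+", b"", data.split(b">", 1)[0])
            if len(hexdata) % 2:  # PDF pads a trailing odd digit with 0
                hexdata += b"0"
            data = binascii.unhexlify(hexdata)
        elif f == b"/FlateDecode":
            # decompressobj tolerates trailing EOL bytes after the zlib stream
            data = zlib.decompressobj().decompress(data)
        else:
            return filters[i:], data
    return [], data


def scan_pdf(pdf):
    """Inspect every stream object; return one finding dict per hit."""
    findings = []
    for n, m in enumerate(STREAM_RE.finditer(pdf)):
        dictionary, raw = m.group(1), m.group(2)
        filters = filter_chain(dictionary)
        try:
            remaining, data = peel(raw, filters)
        except (zlib.error, binascii.Error):
            findings.append({"stream": n, "kind": "undecodable", "filters": filters})
            continue
        if remaining[:1] == [b"/JBIG2Decode"]:
            findings.append({
                "stream": n, "kind": "jbig2", "filters": filters,
                "stacked": len(filters) > 1,  # Flate/Hex layers over JBIG2
                "pattern_hit": JBIG2_PATTERN.search(data) is not None,
            })
        elif remaining:  # e.g. LZW, RunLength: inspection is incomplete
            findings.append({"stream": n, "kind": "unhandled_filter", "filters": filters})
        elif UNESCAPE_RE.search(data):
            findings.append({"stream": n, "kind": "js_unescape", "filters": filters})
    return findings


def build_sample_pdf():
    """Constructed sample, not a real exploit: a JBIG2 image stream with the
    documented byte layout wrapped in Flate then ASCIIHex, plus a
    Flate-compressed JavaScript stream whose unescape() payload is filler."""
    jbig2 = b"\x00\x00\x00\x01" + b"\x40\x00" + b"ABCD" + b"\x13" + b"A" * 8314
    img = binascii.hexlify(zlib.compress(jbig2)) + b">"
    js = zlib.compress(b'var s = unescape("' + b"%u9090" * 32 + b'"); // filler\n')
    objs = [
        b"<< /Type /XObject /Subtype /Image /Width 32 /Height 32 "
        b"/BitsPerComponent 1 /ColorSpace /DeviceGray "
        b"/Filter [ /ASCIIHexDecode /FlateDecode /JBIG2Decode ] "
        b"/Length %d >>\nstream\n%s\nendstream" % (len(img), img),
        b"<< /S /JavaScript /Filter /FlateDecode /Length %d >>\nstream\n%s\nendstream"
        % (len(js), js),
    ]
    body = b"".join(b"%d 0 obj\n%s\nendobj\n" % (i + 1, o) for i, o in enumerate(objs))
    return b"%PDF-1.4\n" + body + b"%%EOF\n"


if __name__ == "__main__":
    for finding in scan_pdf(build_sample_pdf()):
        print(finding)
```

This is a triage aid, not a parser: it reads streams with a regex, so it will not see objects packed inside /ObjStm object streams or encrypted documents, and any stream it cannot fully decode is reported as undecodable or unhandled_filter rather than silently passed, which is the point of the "decode every layer before inspecting" bullet.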

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd             v2.0      9.3     CRITICAL   AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck                 7.8     HIGH
vendor_redhat             7.8     HIGH