CVE-2009-1492
published 2009-04-30


Priority: P270
Severity: critical, 9.3 (CVSS 2.0)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 25.52% (97.7th percentile)

The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.

Affected

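6 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| adobe | acrobat | 7.0 – 7.1.1 | |
| adobe | acrobat | 8.0 – 8.1.4 | |
| adobe | acrobat | 9.0 – 9.1 | |
| adobe | acrobat_reader | 7.0 – 7.1.1 | |
| adobe | acrobat_reader | 8.0 – 8.1.4 | |
| adobe | acrobat_reader | 9.0 – 9.1 | |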

Detection & IOCs (extracted from sources)

command: this.getAnnots(-134217728,-134217728,-134217728,-134217728)
snort: GID 1, SID 15493
  • Exploit is delivered via a PDF file containing an annotation (e.g., a note) with an OpenAction entry that executes JavaScript calling getAnnots() with crafted integer arguments (e.g., -134217728).
  • Exploit JavaScript uses heap spray: a NOP sled is grown to 0x100000/2 bytes and combined with shellcode, then allocated 0x6ff times in an Array to force execution at address 0x90909090.
  • The exploit requires app.alert() to be called first (e.g., app.alert('Hi')) as a prerequisite step before triggering getAnnots() — this call may appear in PDF JavaScript streams targeting Adobe Reader 9.
  • NOP sled uses the Unicode escape sequence %u9090%u9090 repeated to fill heap memory; presence of this pattern in PDF JavaScript streams is a strong indicator of exploitation.
  • Adobe recommends disabling JavaScript in Adobe Reader as a mitigation until a patch is applied, since the vulnerability is only exploitable when JavaScript is enabled.
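
The indicators listed above can be checked statically before a PDF reaches a reader. The following triage scanner is an added example, not code from this page or its sources; the function names, finding labels and sample documents are constructed for illustration, and it assumes streams are either uncompressed or Flate-compressed (other filters and encrypted files are not handled).

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
GETANNOTS_RE = re.compile(rb"getAnnots\s*\(([^)]*)\)")
SLED_RE = re.compile(rb"(?:%u9090){2,}", re.IGNORECASE)   # repeated %u9090 filler
INT_RE = re.compile(rb"-?\d+")

def candidates(pdf: bytes):
    """Yield the raw file, then every stream body that inflates as zlib data."""
    yield pdf
    for m in STREAM_RE.finditer(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes left before 'endstream'
            data = zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate data; the raw bytes were already scanned
        yield data

def scan_pdf(pdf: bytes) -> set:
    """Return the set of CVE-2009-1492 indicators found in a PDF byte string."""
    findings = set()
    if b"/OpenAction" in pdf:
        findings.add("open_action")
    for blob in candidates(pdf):
        if SLED_RE.search(blob):
            findings.add("nop_sled_pattern")
        for call in GETANNOTS_RE.finditer(blob):
            args = [a.strip() for a in call.group(1).split(b",")]
            if all(INT_RE.fullmatch(a) for a in args):
                findings.add("getannots_int_args")
                if any(int(a) < 0 for a in args):
                    findings.add("getannots_negative_int_args")
    return findings

def build_sample(js: bytes) -> bytes:
    """Constructed, minimal PDF-like wrapper with one Flate-compressed JS stream."""
    body = zlib.compress(js)
    return (b"%PDF-1.4\n1 0 obj\n<< /OpenAction 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /Filter /FlateDecode /Length " + str(len(body)).encode()
            + b" >>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")

# Constructed sample scripts: only the indicator strings named above, no payload.
BENIGN_JS = b"var notes = this.getAnnots({nPage: 0});"
SUSPICIOUS_JS = (b"app.alert('Hi'); var sled = unescape(\"%u9090%u9090\");"
                 b" this.getAnnots(-134217728,-134217728,-134217728,-134217728);")

if __name__ == "__main__":
    print(sorted(scan_pdf(build_sample(SUSPICIOUS_JS))))
```

An `open_action` finding alone is common in legitimate documents; it is the combination with negative integer arguments to getAnnots or the %u9090 filler that warrants quarantine and closer analysis.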

CVSS provenance

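| Source | CVSS version | Score | Severity | Vector |
|--------|--------------|-------|----------|--------|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.3 | CRITICAL | |
| vendor_redhat | | 9.3 | CRITICAL | |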