CVE-2009-1492
Published 2009-04-30
CVE-2009-1492: The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service…
Priority P270 · critical · 9.3 (CVSS 2.0)
CVSS vector: AV:N / AC:M / Au:N / C:C / I:C / A:C
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 25.52% (97.7th percentile)
The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | 7.0 – 7.1.1 | — |
| adobe | acrobat | 8.0 – 8.1.4 | — |
| adobe | acrobat | 9.0 – 9.1 | — |
| adobe | acrobat_reader | 7.0 – 7.1.1 | — |
| adobe | acrobat_reader | 8.0 – 8.1.4 | — |
| adobe | acrobat_reader | 9.0 – 9.1 | — |
Detection & IOCs (extracted from sources)
Snort rule: GID 1, SID 15493
- Exploit is delivered via a PDF file containing an annotation (e.g., a note) with an OpenAction entry that executes JavaScript calling getAnnots() with crafted integer arguments (e.g., -134217728).
- Exploit JavaScript uses heap spray: a NOP sled is grown to 0x100000/2 bytes and combined with shellcode, then allocated 0x6ff times in an Array to force execution at address 0x90909090.
- The exploit requires app.alert() to be called first (e.g., app.alert('Hi')) as a prerequisite step before triggering getAnnots(); this call may appear in PDF JavaScript streams targeting Adobe Reader 9.
- NOP sled uses the Unicode escape sequence %u9090%u9090 repeated to fill heap memory; presence of this pattern in PDF JavaScript streams is a strong indicator of exploitation.
- Adobe recommends disabling JavaScript in Adobe Reader as a mitigation until a patch is applied, since the vulnerability is only exploitable when JavaScript is enabled.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
Red Hat
acroread: multiple vulnerabilities in Adobe Reader 8.1.4
vendor_redhat · 2009-04-27 · CVSS 9.3 · CRITICAL
The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
GHSA
GHSA-mvqm-4f92-4qqc: The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9
ghsa_unreviewed · 2022-05-02 · HIGH
The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
VulnCheck
Adobe Reader and Acrobat getAnnots Doc Method Vulnerability
vulncheck · 2009 · CVSS 9.3 · CRITICAL
The getAnnots Doc method in the JavaScript API in Adobe Reader and Acrobat 9.1, 8.1.4, 7.1.1, and earlier allows remote attackers to cause a denial of service (memory corruption) or execute arbitrary code via a PDF file that contains an annotation, and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments.
Affected: Adobe Acrobat and Reader
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.talosintelligence.com/acrobat-javascript-blacklist-framework/; https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-
No detection rules found.
Talos
The Acrobat JavaScript Blocklist Framework
blogs_talos · 2010-01-20
## The Acrobat JavaScript Blocklist Framework
Adobe recently announced and released the Adobe Reader and Acrobat JavaScript Blocklist Framework. I've had a little bit of time to play with it and would just like to share my thoughts. First of all, I am very pleased with this new blocklisting feature. Until now, when we knew about 0-day being actively exploited in the wild using JavaScript in some manner, we would just turn off JavaScript in Adobe products (Reader, Acrobat, etc...) all together. Personally, I could live without having JavaScript in my documents, but that's a totally different discussion. I understand why some people might want that feature for their PDF documents and why for them at least, turning JavaScript completely off would not be an option. So let's say, for example, that you are running Adobe Reader 9.2.0 which i
Talos
Rule release for today - May 5th 2009
blogs_talos · 2009-05-05 · CVSS 9.3 · CRITICAL
## Rule release for today - May 5th 2009
Adobe Reader Code Execution (CVE-2009-1492): The JavaScript API in Adobe Reader may allow a remote attacker to execute code on an affected system. The problem occurs when specially crafted JavaScript uses the getAnnots method in a PDF document.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15493.
Adobe Reader Buffer Overflow (CVE-2009-1493): The JavaScript API in Adobe Reader may allow a remote attacker to execute code on an affected system. The problem occurs when specially crafted JavaScript uses the customDictionaryOpen method in a PDF document.
A rule to detect attacks targeting this vulnerability is included in this release and is identified with GID 1, SID 15492.
Additionally as a result of ongoing research, th
Bugzilla
CVE-2009-1492, CVE-2009-1493 acroread: multiple vulnerabilities in Adobe Reader 8.1.4
bugzilla · 2009-04-29 · CVSS 9.3 · CRITICAL
Two vulnerabilities have been reported in Adobe Acrobat Reader 8.1.4 and 9.1.0 that can allow for the execution of arbitrary code as the user running Reader if JavaScript is enabled.
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://www.securityfocus.com/bid/34736
The first is a flaw in the getAnnots() function. The second is a flaw in the customDictionaryOpen() function.
Adobe is recommending that users disable JavaScript until an update becomes available.
Discussion:
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1492 to
the following vulnerability:
Name: CVE-2009-1492
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1492
Assigned: 2009
References:
- http://blogs.adobe.com/psirt/2009/04/potential_adobe_reader_issue.html
- http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
- http://blogs.adobe.com/psirt/2009/05/adobe_reader_issue_update.html
- http://lists.opensuse.org/opensuse-security-announce/2009-05/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2009-06/msg00003.html
- http://osvdb.org/54130
- http://packetstorm.linuxsecurity.com/0904-exploits/getannots.txt
- http://secunia.com/advisories/34924
- http://secunia.com/advisories/35055
- http://secunia.com/advisories/35096
- http://secunia.com/advisories/35152
- http://secunia.com/advisories/35358
- http://secunia.com/advisories/35416
- http://secunia.com/advisories/35734
- http://security.gentoo.org/glsa/glsa-200907-06.xml
- http://sunsolve.sun.com/search/document.do?assetkey=1-66-259028-1
- http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=926953
- http://www.adobe.com/support/security/bulletins/apsb09-06.html
- http://www.kb.cert.org/vuls/id/970180
- http://www.redhat.com/support/errata/RHSA-2009-0478.html
- http://www.securityfocus.com/bid/34736
- http://www.securitytracker.com/id?1022139
- http://www.us-cert.gov/cas/techalerts/TA09-133B.html
- http://www.vupen.com/english/advisories/2009/1189
- http://www.vupen.com/english/advisories/2009/1317
- https://exchange.xforce.ibmcloud.com/vulnerabilities/50145
- https://www.exploit-db.com/exploits/8569