CVE-2009-2990
published 2009-10-19


Priority: P2 · 75 · critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 68.45% (99.2nd percentile)
Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.

Affected

50 ranges · showing 25 (version data survived extraction for only two of the listed rows)

Vendor | Product | Version range | Fixed in
adobe | acrobat | <= 9.1.3 | (not listed)
adobe | acrobat_reader | <= 9.1.3 | (not listed)

Detection & IOCs (extracted from sources)

command: app.platform == "WIN" heap spray with pointers 0x0f0f0f0f / 0x16161616 / 0x1c1c1c1c; Linux heap spray with 0x75797959 / 0xa2a2a2a2 / 0x9c9c9c9c
snort:
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/<<[^>]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_15, cve CVE_2009_2990, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
bytes:
\x55\x33\x44\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00 (U3D file header block, type 0x00443355 little-endian, at the start of the U3D stream embedded in the malicious PDF)
  • Detect malicious PDF files containing a U3D stream whose /U3D/Length value lies in 17200–17599 (the payload size range the Snort pcre matches). Note that the rule's literal content match requires /U3D/Length with no whitespace between the two keys.
  • The exploit embeds the U3D stream through a PDF annotation of /Subtype /3D whose /3DD key references the stream. Inspect PDF files for /Subtype /3D annotations referencing embedded U3D streams as an indicator of exploit delivery.
  • The JavaScript heap spray in the exploit uses specific pointer values: Windows targets use 0x0f0f0f0f, 0x16161616, 0x1c1c1c1c; Linux targets use 0x75797959, 0xa2a2a2a2, 0x9c9c9c9c. Presence of these values in PDF-embedded JavaScript is a strong indicator.
  • The exploit uses a CLODProgressiveMeshContinuation block with a crafted Split Position Index. Look for U3D block type 0x3135ff31 (CLODProgressiveMeshContinuation) with an out-of-bounds index value in the U3D stream.
  • The exploit sets the PDF /OpenAction so that the embedded JavaScript runs as soon as the document opens. Detect PDFs whose /OpenAction points to a JavaScript action containing heap spray patterns (%u0f0f, %u1616, %u1c1c, %u5979, %ua2a2, %u9c9c).
  • The exploit targets Adobe Reader/Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x up to and including 7.1.4. Presence of these versions in the environment combined with PDF/U3D file access should trigger investigation.
  • The Linux exploit's page index varies by kernel version (0xb0000 for 2.6.24, 0xbd0000 for 2.6.27, 0xfffffe3c as default), so the Linux heap spray target address is not universal.
  • The PoC code explicitly treats the MAC platform as not exploitable, so detections for this CVE derived from the PoC may yield false negatives on macOS.

CVSS provenance

nvd: CVSS v2.0 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
vulncheck: 9.3 CRITICAL
vendor_redhat: 9.3 CRITICAL