# CVE-2009-2990
Published 2009-10-19

CVE-2009-2990: Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code…

Priority: P2 · 75 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 68.45% (99.2th percentile)
Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.
## Affected
50 ranges · showing 25 (the remaining rows carry no version or fix data)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | <= 9.1.3 | — |
| adobe | acrobat_reader | <= 9.1.3 | — |
## Detection & IOCs
Extracted from sources.

Command: `app.platform == "WIN"` heap spray with pointers 0x0f0f0f0f / 0x16161616 / 0x1c1c1c1c; Linux heap spray with 0x75797959 / 0xa2a2a2a2 / 0x9c9c9c9c

Snort rule:

```
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_15, cve CVE_2009_2990, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2019_07_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

Bytes: `\x55\x33\x44\x00\x18\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00` (U3D stream magic header within malicious PDF)

- Detect malicious PDF files containing a U3D stream with a /U3D/Length value in the range 17200–17599 (matching the Snort pcre pattern for the exploit payload size).
- The exploit embeds a U3D stream inside a PDF annotation of type 3D (key '3DD'). Inspect PDF files for /Subtype /3D annotations referencing embedded U3D streams as an indicator of exploit delivery.
- JavaScript heap spray in the exploit uses specific pointer values: Windows targets use 0x0f0f0f0f, 0x16161616, 0x1c1c1c1c; Linux targets use 0x75797959, 0xa2a2a2a2, 0x9c9c9c9c. Presence of these values in PDF-embedded JavaScript is a strong indicator.
- The exploit uses a CLODProgressiveMeshContinuation block with a crafted Split Position Index. Look for U3D block type 0x3135ff31 (CLODProgressiveMeshContinuation) with an out-of-bounds index value in the U3D stream.
- The exploit sets the PDF OpenAction to execute embedded JavaScript immediately on document open. Detect PDFs with /OpenAction pointing to a JavaScript action containing heap spray patterns (%u0f0f, %u1616, %u1c1c, %u5979, %ua2a2, %u9c9c).
- The exploit targets Adobe Reader/Acrobat versions < 9.2, < 8.1.7, and possibly < 7.1.4. Presence of these versions in the environment combined with PDF/U3D file access should trigger investigation.
- Caveat: the Linux exploit page index varies by kernel version (0xb0000 for 2.6.24, 0xbd0000 for 2.6.27, 0xfffffe3c as default), so the Linux heap spray target address is not universal.
- Caveat: the MAC platform is explicitly not exploitable per the PoC code, so detections targeting this CVE on macOS may yield false negatives.
## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
## Red Hat
acroread: Multiple arbitrary code execution fixes in 8.1.7 (APSB09-15)
vendor_redhat · 2009-10-13 · CVSS 9.3 · CVE-2009-2990 [CRITICAL]
Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.
## GHSA
GHSA-rqh9-p568-89pc: Array index error in Adobe Reader and Acrobat 9
ghsa_unreviewed · 2022-05-02 · CVE-2009-2990 [HIGH]
Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.
## VulnCheck
Adobe Reader and Acrobat Arbitrary Code Execution
vulncheck · 2009 · CVSS 9.3 · CVE-2009-2990 [CRITICAL]
Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors.
Affected: Adobe Acrobat and Reader
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://blog.talosintelligence.com/acrobat-javascript-blacklist-framework/
- https://citizenlab.ca/wp-content/uploads/2017/05/shadows-in-the-cloud.pdf
- https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
## Suricata
ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt
suricata · 2011-01-15 · CVE-2009-2990
Rule (as shown in the source, cut off after `confidence M`):

```
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Reader and Acrobat U3D File Invalid Array Index Remote Code Execution Attempt"; flow:established,to_client; content:"/U3D/Length 172"; pcre:"/]*\x2FU3D\x2FLength\x20172[0-5][0-9]{2}/sm"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=827; reference:url,www.adobe.com/support/security/bulletins/apsb09-15.html; reference:bid,36638; reference:cve,2009-2990; classtype:attempted-user; sid:2012179; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_01_15, cve CVE_2009_2990, deployment Perimeter, confidence M
```
## Exploit-DB
Adobe - U3D CLODProgressiveMeshDeclaration Array Overrun (Metasploit) (1)
exploitdb · 2010-09-20 · CVE-2009-2990
---
```ruby
##
# $Id: adobe_u3d_meshcont.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe U3D CLODProgressiveMeshDeclaration Array Overrun',
'Description' => %q{
This module exploits an array overflow in Adobe Reader and Adobe Acrobat.
Affected versions include MSF_LICENSE,
'Author' =>
[
'Felipe Andres Manzano ',
'jduck'
],
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2009-2990' ],
[ 'OSVDB', '58920'
```
## Exploit-DB
Adobe Reader / Acrobat - '.U3D' File Invalid Array Index Overflow
exploitdb · 2009-11-09 · CVE-2009-2990
---
```python
#########################################################################
#### Felipe Andres Manzano * [email protected] ####
#### http://twitter/feliam ####
#########################################################################
__doc__='''
Title: U3D CLODProgressiveMeshContinuation Split Position Index arbitrary dereference.
Product: Adobe Acrobat Reader
Version: >"
return s
class PDFName(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s=s
def __str__(self):
return "/%s"%self.s
class PDFString(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self.s=s
def __str__(self):
return "(%s)"%self.s
class PDFHexString(PDFObject):
def __init__(self,s):
PDFObject.__init__(self)
self
```
## Metasploit
Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
metasploit
This module exploits an array overflow in Adobe Reader and Adobe Acrobat. Affected versions include < 7.1.4, < 8.1.7, and < 9.2. By creating a specially crafted PDF that contains malformed U3D data, an attacker may be able to execute arbitrary code.
## Talos
The Acrobat JavaScript Blocklist Framework
blogs_talos · 2010-01-20
Adobe recently announced and released the Adobe Reader and Acrobat JavaScript Blocklist Framework. I've had a little bit of time to play with it and would just like to share my thoughts. First of all, I am very pleased with this new blocklisting feature. Until now, when we knew about 0-day being actively exploited in the wild using JavaScript in some manner, we would just turn off JavaScript in Adobe products (Reader, Acrobat, etc...) all together. Personally, I could live without having JavaScript in my documents, but that's a totally different discussion. I understand why some people might want that feature for their PDF documents and why for them at least, turning JavaScript completely off would not be an option. So let's say, for example, that you are running Adobe Reader 9.2.0 which i
## Bugzilla
acroread: Multiple arbitrary code execution fixes in 8.1.7 (APSB09-15)
bugzilla · 2009-10-13 · CVSS 7.2 · CVE-2009-2564 [HIGH]
Adobe has published a security bulletin APSB09-15 for security issues,
leading to arbitrary code execution, addressed in Adobe Reader and Acrobat products:
http://www.adobe.com/support/security/bulletins/apsb09-15.html
Quoting Adobe bulletin APSB09-15 for issues descriptions:
This update resolves a third party web download product that Adobe Reader
uses that could potentially lead to code execution (CVE-2009-2564).
This update resolves an integer overflow that leads to a Denial of Service
(DoS); arbitrary code execution has not been demonstrated, but may be
possible (CVE-2009-2980).
This update resolves a memory corruption issue that leads to a Denial of
Service (DoS); arbitrary code execution has not been demonst
References:
- http://securitytracker.com/id?1023007
- http://www.adobe.com/support/security/bulletins/apsb09-15.html
- http://www.securityfocus.com/bid/36638
- http://www.us-cert.gov/cas/techalerts/TA09-286B.html
- http://www.vupen.com/english/advisories/2009/2898
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6371