CVE-2009-2994
published 2009-10-19CVE-2009-2994: Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via…
PriorityP357critical9.3CVSS 2.0
AVNACMAuNCCICAC
EXPLOIT
EPSS
18.45%
96.9th percentile
Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.
Affected
57 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | <= 9.1.3 | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | >= 7.0 < 7.1.4 | 7.1.4 |
Detection & IOCsextracted from sources · hover to see the quote
bytes↗
536f727279206d616e2c206a757374206b696c6c696e6720736f6d6520736b696469657300 55334400180000000000000000010000000000002400000064010000000000006a00000014 ffffffe40000000000000007005468654d65736801000000000000005050500100000031ff ffff710000004b00000007005468654d657368000000000000000001000000595858580400 0000000000000000000000000000010000000000000000000000000000005b5858585c5858 582c0100002c0100002c010000000000000000000000000000000000000000000000000000 000000000000000000000000505050010000000600617574686f7201000000370000004665 6c69706520416e64726573204d616e7a616e6f203c66656c6970652e616e647265732e6d61 6e7a616e6f40676d61696c2e636f6d3e503cffffff410000000000000007005468654d6573 68000000000000000000000000000000000100000001000000010000000100000001000000 0100000001000000010000000100000001000000505050
- →The vulnerability is triggered via a malformed U3D CLODMeshDeclaration block (blocktype 0xFFFFFF31) embedded in a PDF, where the positionCount field defines array length and minimalResolution exceeds positionCount, causing an out-of-bounds array access. ↗
- →Detect PDF files containing a 3D annotation stream with Subtype /U3D (PDF dictionary keys Type=/3D, Subtype=/U3D) as a potential delivery vehicle for this exploit. ↗
- →The vulnerable component is the 3difr.x3d plugin shipped with Adobe Reader/Acrobat. Presence of this plugin in plug_ins3d directories on unpatched versions (Reader 7.x < 7.1.4, 8.x < 8.1.7, 9.x < 9.2) indicates exposure. ↗
- →Workaround/detection opportunity: deletion or absence of the 3difr.x3d plugin prevents exploitation. Monitor for its presence in plug_ins3d directories on vulnerable Reader versions. ↗
- →Exploit uses heap spray with 6500x20-byte chunks to reliably position controlled data adjacent to the overrun array; large allocations of ~130,000 bytes (6500*20) in the Adobe Reader process heap may indicate exploitation attempts. ↗
- ·The vulnerability only affects Adobe Reader/Acrobat installations that include the default 3D plugin (3difr.x3d). Installations where this plugin has been removed are not vulnerable. ↗
- ·The exploit was tested specifically against standalone and ActiveX Reader on Windows XP SP3; behavior on other platforms or configurations may differ. ↗
- ·The same underlying bug was confirmed in Right Hemisphere Deep Exploration 5.5 (CAD Edition) and potentially other RH products using the same U3D parsing library, not just Adobe Reader/Acrobat. ↗
CVSS provenance
nvdv2.09.3CRITICALAV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-q4f6-24ph-r6rm: The U3D implementation in Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-02·CVSS 9.3
CVE-2009-3953 [CRITICAL] CWE-119 GHSA-q4f6-24ph-r6rm: The U3D implementation in Adobe Reader and Acrobat 9
The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994.
GHSA
GHSA-2gq8-v73v-2x6j: Buffer overflow in Adobe Reader and Acrobat 7
ghsa_unreviewed·2022-05-02
CVE-2009-2994 [HIGH] CWE-119 GHSA-2gq8-v73v-2x6j: Buffer overflow in Adobe Reader and Acrobat 7
Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.
Red Hat
acroread: multiple code execution flaws (APSB10-02)
vendor_redhat·2010-01-12·CVSS 9.3
CVE-2009-3953 [CRITICAL] acroread: multiple code execution flaws (APSB10-02)
acroread: multiple code execution flaws (APSB10-02)
The U3D implementation in Adobe Reader and Acrobat 9.x before 9.3, 8.x before 8.2 on Windows and Mac OS X, and 7.x before 7.1.4 allows remote attackers to execute arbitrary code via malformed U3D data in a PDF document, related to a CLODProgressiveMeshDeclaration "array boundary issue," a different vulnerability than CVE-2009-2994.
Red Hat
acroread: Multiple arbitrary code execution fixes in 8.1.7 (APSB09-15)
vendor_redhat·2009-10-13·CVSS 9.3
CVE-2009-2994 [CRITICAL] acroread: Multiple arbitrary code execution fixes in 8.1.7 (APSB09-15)
acroread: Multiple arbitrary code execution fixes in 8.1.7 (APSB09-15)
Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.
No detection rules found.
http://securitytracker.com/id?1023007http://www.adobe.com/support/security/bulletins/apsb09-15.htmlhttp://www.securityfocus.com/bid/36638http://www.us-cert.gov/cas/techalerts/TA09-286B.htmlhttp://www.vupen.com/english/advisories/2009/2898https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6156http://securitytracker.com/id?1023007http://www.adobe.com/support/security/bulletins/apsb09-15.htmlhttp://www.securityfocus.com/bid/36638http://www.us-cert.gov/cas/techalerts/TA09-286B.htmlhttp://www.vupen.com/english/advisories/2009/2898https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6156
2009-10-19
Published