CVE-2009-2994
published 2009-10-19


Priority P357 · critical · 9.3 · CVSS 2.0
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 18.45% (96.9th percentile)
Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors.

Affected

57 ranges · showing 25
Vendor | Product | Version range | Fixed in
adobe | acrobat | <= 9.1.3 |
adobe | acrobat | >= 7.0 < 7.1.4 | 7.1.4

Detection & IOCs (extracted from sources)

hash: 3c9b7a410047cbf5edcd229b0f0f62a5
path: */cygdrive/c/Program Files/Adobe/Reader 9.0/Reader/plug_ins3d/3difr.x3d
path: /opt/Adobe/Reader8/Reader/intellinux/plug_ins3d/3difr.x3d
  • The vulnerability is triggered via a malformed U3D CLODMeshDeclaration block (blocktype 0xFFFFFF31) embedded in a PDF, where the positionCount field defines array length and minimalResolution exceeds positionCount, causing an out-of-bounds array access.
  • Detect PDF files containing a 3D annotation stream with Subtype /U3D (PDF dictionary keys Type=/3D, Subtype=/U3D) as a potential delivery vehicle for this exploit.
  • The vulnerable component is the 3difr.x3d plugin shipped with Adobe Reader/Acrobat. Presence of this plugin in plug_ins3d directories on unpatched versions (Reader 7.x < 7.1.4, 8.x < 8.1.7, 9.x < 9.2) indicates exposure.
  • Workaround/detection opportunity: deletion or absence of the 3difr.x3d plugin prevents exploitation. Monitor for its presence in plug_ins3d directories on vulnerable Reader versions.
  • Exploit uses heap spray with 6500x20-byte chunks to reliably position controlled data adjacent to the overrun array; large allocations of ~130,000 bytes (6500*20) in the Adobe Reader process heap may indicate exploitation attempts.
  • The vulnerability only affects Adobe Reader/Acrobat installations that include the default 3D plugin (3difr.x3d). Installations where this plugin has been removed are not vulnerable.
  • The exploit was tested specifically against standalone and ActiveX Reader on Windows XP SP3; behavior on other platforms or configurations may differ.
  • The same underlying bug was confirmed in Right Hemisphere Deep Exploration 5.5 (CAD Edition) and potentially other RH products using the same U3D parsing library, not just Adobe Reader/Acrobat.

CVSS provenance

nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat | 9.3 | CRITICAL