CVE-2010-0188
Published 2010-02-22
Priority P1 · 84 · high · CVSS 3.1 base score 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 88.25% (99.7th percentile)
Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | >= 8.0 < 8.2.1 | 8.2.1 |
| adobe | acrobat | >= 9.0 < 9.3.1 | 9.3.1 |
| adobe | acrobat_reader | >= 8.0 < 8.2.1 | 8.2.1 |
| adobe | acrobat_reader | >= 9.0 < 9.3.1 | 9.3.1 |
Detection & IOCs (extracted from sources)
Bytes (a little-endian TIFF header, `49 49 2a 00`, followed by the start of its first IFD):
49 49 2a 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 01 03 00 01 00 00 00 08 00 00 00 01 01 03 00 01 00 00 00 08 00 00 00 03 01 03 00 01 00 00 00 aa 00 00 00 06 01 03 00 01 00 00 00 bb 00 00 00
Detection notes:
- The exploit delivers a malicious TIFF embedded inside a PDF file. Detection should look for PDF files containing embedded TIFF image data (especially with LibTIFF integer overflow trigger patterns) delivered as file attachments or via drive-by download.
- The Metasploit module uses 'migrate -f' as InitialAutoRunScript, meaning post-exploitation process migration will occur immediately after shellcode execution. Monitor for Adobe Reader/Acrobat spawning unexpected child processes or injecting into other processes.
- The exploit payload is embedded in a Zlib-deflate compressed XML stream within the PDF. Detection should flag PDF files with deflate-compressed streams containing embedded TIFF structures.
- RedKit EK used CVE-2010-0188 as one of its initial two exploits. Successful exploitation dropped bot software and the ZeroAccess trojan. Investigate for ZeroAccess indicators on hosts where Adobe Reader crashes or behaves anomalously.
- The exploit targets indirect control-flow transfers in Adobe Acrobat Reader. Dynamic analysis using Intel PT or similar CFI monitoring can detect anomalous indirect calls characteristic of this exploit family (pdfka malware family).
- The default output filename for the Metasploit exploit module is 'msf.pdf'. Presence of this filename in email attachments or web downloads is a strong indicator of exploit delivery.
Caveats:
- The Metasploit module hardcodes offsets for the DEP bypass targeting Adobe Reader 9.3.0 on Windows XP SP3 English only. The exploit may not work reliably against other versions or OS configurations without modification.
- The exploit sets EXITFUNC to 'process', meaning the exploited Adobe Reader process will terminate after payload execution. This may cause noticeable application crashes that could alert users.
- Payload space is limited to 1024 bytes with null bytes as bad characters and NOPs disabled, constraining the choice of shellcode for exploitation.
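A defender-side scanner for the pattern the notes above describe (a TIFF hidden, base64-encoded, in a deflate-compressed XML stream, with an IFD entry count that no file of that size could back), added here as an example that is not from this page or any of the listed sources. The sample PDF it builds is a constructed fixture carrying no payload, and the XML element names and the BitsPerSample tag used in the fixture are assumptions.

```python
import base64
import re
import struct
import zlib

TIFF_MAGIC = {b"II*\x00": "<", b"MM\x00*": ">"}  # "II*\0" is the IOC's 49 49 2a 00
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
STREAM_RE = re.compile(rb"obj(.*?)stream\r?\n(.*?)endstream", re.DOTALL)
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")


def parse_ifd(tiff):
    """Return (tag, type, count) per entry of the first IFD, or None if not a TIFF."""
    endian = TIFF_MAGIC.get(tiff[:4])
    if endian is None or len(tiff) < 8:
        return None
    (ifd_off,) = struct.unpack(endian + "I", tiff[4:8])
    if ifd_off + 2 > len(tiff):
        return []
    (n,) = struct.unpack(endian + "H", tiff[ifd_off:ifd_off + 2])
    entries = []
    for off in range(ifd_off + 2, ifd_off + 2 + 12 * n, 12):
        if off + 8 > len(tiff):
            break  # directory runs past the end of the blob; keep what was readable
        entries.append(struct.unpack(endian + "HHI", tiff[off:off + 8]))
    return entries


def oversized_entries(entries, blob_len):
    """Entries whose declared count needs more bytes than the whole blob holds: the
    generic shape of a libtiff count-based integer overflow trigger, never a sane file."""
    return [(tag, count) for tag, typ, count in entries
            if TYPE_SIZES.get(typ, 0) and count * TYPE_SIZES[typ] > blob_len]


def tiff_candidates(inflated):
    """Yield TIFF blobs found raw or base64-encoded (XFA image fields carry them base64)."""
    for magic in TIFF_MAGIC:
        idx = inflated.find(magic)
        if idx != -1:
            yield inflated[idx:]
    for m in BASE64_RE.finditer(inflated):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # not a padded base64 run after all
            continue
        if blob[:4] in TIFF_MAGIC:
            yield blob


def scan_pdf(pdf_bytes):
    """One finding per FlateDecode stream hiding a TIFF with an impossible IFD count."""
    findings = []
    for m in STREAM_RE.finditer(pdf_bytes):
        if b"/FlateDecode" not in m.group(1):
            continue
        try:
            inflated = zlib.decompress(m.group(2))  # trailing newline before endstream is ignored
        except zlib.error:
            continue
        for tiff in tiff_candidates(inflated):
            bad = oversized_entries(parse_ifd(tiff) or [], len(tiff))
            if bad:
                findings.append({"tiff_len": len(tiff), "bad_tags": bad})
    return findings


def build_sample_pdf():
    """Constructed fixture, not the page's exploit: a 50-byte TIFF whose BitsPerSample
    entry (assumed tag for the fixture) claims 0x7FFFFFFF SHORTs, base64 in deflated XML."""
    ifd = struct.pack("<H", 3) + struct.pack("<HHII", 0x0100, 3, 1, 8) + struct.pack(
        "<HHII", 0x0101, 3, 1, 8) + struct.pack("<HHII", 0x0102, 3, 0x7FFFFFFF, 0)
    tiff = b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", 0)
    xml = b"<xdp><field><image>" + base64.b64encode(tiff) + b"</image></field></xdp>"
    body = zlib.compress(xml)
    return (b"%PDF-1.6\n1 0 obj\n<</Length " + str(len(body)).encode()
            + b" /Filter /FlateDecode>>\nstream\n" + body + b"\nendstream\nendobj\n%%EOF\n")
```

Run it over real attachments by reading each file's bytes into `scan_pdf`; a non-empty result is worth a closer look, while an empty one only says this particular shape was not found.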
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | | 7.8 | HIGH | |
| cisa | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
GHSA
GHSA-g5pc-j3x2-5p8p: Unspecified vulnerability in Adobe Reader and Acrobat 8
ghsa_unreviewed · 2022-05-02 · CVE-2010-0188 · HIGH · CWE-94
Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.
VulnCheck
Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
vulncheck · 2010 · CVSS 7.8 · HIGH · CWE-94
Unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code.
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Known Ransomware Campaign Use: Known
Exploitation References:
- https://www.virusbulletin.com/virusbulletin/2010/05/exploit-kit-explosion-part-two-vectors-attack/
- https://www.hkcert.org/blog/large-scale-injection-incidents-targeting-oscommerce-websites
- https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf
- https://1vx.ug/archive/Symantec/luckycat-hackers-12-en.pdf
- https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/wham-bam-the-cutwailblackhole
CISA
Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
cisa · 2022-03-03 · CVSS 7.8 · HIGH · CWE-94
Vulnerability: Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
Affected: Adobe Reader and Acrobat
Unspecified vulnerability in Adobe Reader and Acrobat allows attackers to cause a denial of service or possibly execute arbitrary code.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-0188
Remediation Due Date: 2022-03-24
Red Hat
acroread: unspecified code execution flaw
vendor_redhat · 2010-02-16 · CVSS 7.8 · HIGH
Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.
Suricata
ET EXPLOIT_KIT Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request
suricata · 2013-01-15 · CVE-2010-0188
Rule:
```
alert http1 $HOME_NET any -> $EXTERNAL_NET any (msg:"ET EXPLOIT_KIT Redkit Exploit Kit Three Numerical Character Naming Convention PDF Request"; flow:established,to_server; urilen:8; http.uri; pcre:"/\x2F[0-9]{3}\.pdf$/"; http.request_line; content:".pdf HTTP/1."; fast_pattern; reference:url,blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack; reference:cve,2010-0188; classtype:exploit-kit; sid:2016210; rev:4; metadata:created_at 2013_01_15, cve CVE_2010_0188, performance_impact Moderate, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_07;)
```
Exploit-DB
Apple iOS Mobile Safari - LibTIFF Buffer Overflow (Metasploit)
exploitdb · 2012-10-09 · CVE-2010-0188
```ruby
##
# $Id: safari_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Apple iOS MobileSafari LibTIFF Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'kf'],
'Version' => '$Revision: 1595
```
Exploit-DB
Apple iOS Mobile Mail - LibTIFF Buffer Overflow (Metasploit)
exploitdb · 2012-10-09 · CVE-2010-0188
```ruby
##
# $Id: mobilemail_libtiff.rb 15950 2012-10-09 18:31:08Z rapid7 $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 'Apple iOS MobileMail LibTIFF Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in the version of
libtiff shipped with firmware versions 1.00, 1.01, 1.02, and
1.1.1 of the Apple iPhone. iPhones which have not had the BSD
tools installed will need to use a special payload.
},
'License' => MSF_LICENSE,
'Author' => ['hdm', 'kf'],
'Version' => '$Revision: 1595
```
Exploit-DB
Adobe Acrobat - Bundled LibTIFF Integer Overflow (Metasploit)
exploitdb · 2010-09-25 · CVE-2010-0188
```ruby
##
# $Id: adobe_libtiff.rb 10477 2010-09-25 11:59:02Z mc $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe Acrobat Bundled LibTIFF Integer Overflow',
'Description' => %q{
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat
Professional versions 8.0 through 8.2 and 9.0 through 9.3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Microsoft', # reported to Adobe
'villy ', # public exploit
# Metasploit version by:
'jduck'
],
'
```
Exploit-DB
Adobe Reader PDF - LibTiff Integer Overflow Code Execution
exploitdb · 2010-03-17 · CVE-2010-0188
```python
__doc__='''
Title: Adobe PDF LibTiff Integer Overflow Code Execution.
Product: Adobe Acrobat Reader
Version:
1.65
1
1
*
pdf
'''+self.tiff64 +'''
'''
return xml
def gen_pdf(self):
xml = zlib.compress(self.gen_xml())
pdf='''%PDF-1.6
1 0 obj
>
stream
''' + xml+'''
endstream
endobj
2 0 obj
>
endobj
3 0 obj
>
endobj
4 0 obj
>/TP 1>>/P 5 0 R/FT /Btn/TU (ImageField1)/Ff 65536/Parent 3 0 R/F 4/DA (/CourierStd 10 Tf 0 g)/Subtype /Widget/Type /Annot/T (ImageField1[0])/Rect [107.385 705.147 188.385 709.087]>>
endobj
5 0 obj
>/Parent 6 0 R/Type /Page/PieceInfo null>>
endobj
6 0 obj
>
endobj
7 0 obj
>/Lang (en-us)/AcroForm 8 0 R/Type /Catalog>>
endobj
8 0 obj
>
endobj xref
trailer
>
startxref
14765
%%EOF'''
return pdf
if __na
```
Metasploit
Adobe Acrobat Bundled LibTIFF Integer Overflow
metasploit
This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3.
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist · 2017-11-16
Authors: Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys · 2015-05-01 · CVSS 2.6 · LOW
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-2014-0322
- MS13-038 for CVE-2013-1347
- MS13-008 for CVE-2012-4792
- MS10-01
Talos
Evolution of the Nuclear Exploit Kit
blogs_talos · 2014-10-09
## Evolution of the Nuclear Exploit Kit
This post is co-authored by Alex Chiu, Martin Lee, Emmanuel Tacheau, and Angel Villegas.
Exploit kits remain an efficient mechanism for cyber criminals to distribute malware. Such kits include exploits for multiple vulnerabilities within a single malicious webpage. Criminals can check operating systems, web browsers and browser plugins for anything that is not fully patched and launch an exploit specific to the out of date software. Using this technique criminals can maximise their chances of infecting visitors but reduce their exposure to only infect those who are vulnerable; presumably in order to remain inconspicuous.
We have previously written about the Rig, Angler and Styx exploit kits and how they are a serious threat if machines with vulnerable third-party software are left un
Recorded Future
Visualizing RedKit Exploits
blogs_recorded_future · CVSS 7.8 · HIGH
## Visualizing RedKit Exploits
The private but popular RedKit exploit kit appears to be experiencing a resurgence based on a report by Kahu Security. Initially spotted back in May 2012, the exploit kit drew attention after cybercriminals used it in drive-by-download attacks from NBC’s compromised website in January 2013 and spam campaigns immediately after the Boston Marathon bombings.
These attacks featured iframes on the compromised websites performing simultaneous actions when rendered in a victim’s web browser. The exploit kit competes against and leverages some of the same exploits as CritXPack, Gong Da, Nuclear Pack, Cool, and Blackhole 2.0. Monitoring developments and adoption of RedKit may be of particular interest given the recent arrest in Russia of Blackhole’s creator.
Cyb
Recorded Future
Tracking Moving Targets: Exploit Kits and CVEs
blogs_recorded_future
# Tracking Moving Targets: Exploit Kits and CVEs
One year ago a notorious programmer Paunch, who coded the Blackhole exploit kit, was arrested and charged for the distribution and sale of his wares. Blackhole was an epic Russian exploit kit, rented and used by thousands for their successful campaigns against a range of targets.
Since Paunch’s arrest, the exploit kit threat landscape has changed significantly as malicious actors have sought out new tool kits. Recorded Future undertook the task of analyzing over 600,000 unique web sources to identify the most prevalent exploit kits, what CVEs they commonly leverage, and what the most vulnerable products are.
To get started, let’s craft a simple query looking for mentions of any exploit kit over the last six months.
Bugzilla
CVE-2010-0188 acroread: unspecified code execution flaw
bugzilla · 2010-02-17 · CVSS 7.8 · HIGH
Adobe Reader 9.3.1 fixes a critical security issue:
http://www.adobe.com/support/security/bulletins/apsb10-07.html
In addition, a critical vulnerability (CVE-2010-0188) has been identified that could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Discussion:
This issue has been addressed in the following products:
- Extras for RHEL 4
- Extras for Red Hat Enterprise Linux 5
Via RHSA-2010:0114 https://rhn.redhat.com/errata/RHSA-2010-0114.html
arXiv
To believe or not to believe: Validating explanation fidelity for dynamic malware analysis
arxiv_fulltext · 2019-04-30
Authors: Li Chen (Intel Labs), Carter Yagemann (Georgia Institute of Technology), Evan Downing (Georgia Institute of Technology)
## Abstract
Converting malware into images followed by vision-based deep learning algorithms has shown superior threat detection efficacy compared with classical machine learning algorithms. When malware are visualized as images, visual-based interpretation schemes can also be applied to extract insights of why individual samples are classified as malicious. In this work, via two case studies of dynamic malware classification, we extend the local interpretable model-agnostic explanation algorithm to explain image-based dy
References
- http://lists.opensuse.org/opensuse-security-announce/2010-03/msg00004.html
- http://secunia.com/advisories/38639
- http://secunia.com/advisories/38915
- http://securitytracker.com/id?1023601
- http://www.adobe.com/support/security/bulletins/apsb10-07.html
- http://www.redhat.com/support/errata/RHSA-2010-0114.html
- http://www.securityfocus.com/bid/38195
- http://www.vupen.com/english/advisories/2010/0399
- https://exchange.xforce.ibmcloud.com/vulnerabilities/56297
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8697
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-0188
Timeline
- 2010-02-22: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild