cvebase
CVE-2010-0188
published 2010-02-22

Priority: P1 (84) · Severity: high · CVSS 3.1 base score: 7.8
CVSS 3.1 vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerabilities: listed, remediation due 2022-03-24
Exploited in the wild: yes
EPSS: 88.25% (99.7th percentile)
Unspecified vulnerability in Adobe Reader and Acrobat 8.x before 8.2.1 and 9.x before 9.3.1 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via unknown vectors.

The vector the NVD text leaves unspecified is a malformed TIFF image carried inside a PDF: Adobe Reader hands it to its bundled LibTIFF, and an integer overflow in that parser yields code execution as soon as the PDF is opened (see the detection notes below).

Affected (4 ranges)

Vendor   Product          Version range       Fixed in
adobe    acrobat          >= 8.0, < 8.2.1     8.2.1
adobe    acrobat          >= 9.0, < 9.3.1     9.3.1
adobe    acrobat_reader   >= 8.0, < 8.2.1     8.2.1
adobe    acrobat_reader   >= 9.0, < 9.3.1     9.3.1

Detection & IOCs (extracted from sources)

filename: msf.pdf
other: Content-Type: image/tiff
bytes: the first 80 bytes of the embedded TIFF. They decode as a little-endian "II*\0" header whose first IFD sits at offset 0x1e and declares 8 entries; the four entries shown are ImageWidth (0x0100) = 8, ImageLength (0x0101) = 8, Compression (0x0103) = 0xaa and PhotometricInterpretation (0x0106) = 0xbb, the last two being values no legitimate TIFF writer emits.
49 49 2a 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 00 01 03 00 01 00 00 00 08 00 00 00 01 01 03 00 01 00 00 00 08 00 00 00 03 01 03 00 01 00 00 00 aa 00 00 00 06 01 03 00 01 00 00 00 bb 00 00 00
  • The exploit delivers a malicious TIFF embedded inside a PDF file. Detection should look for PDF files carrying embedded TIFF image data (especially with LibTIFF integer-overflow trigger patterns) delivered as mail attachments or by drive-by download.
  • The Metasploit module sets 'migrate -f' as its InitialAutoRunScript, so the payload migrates to another process immediately after the shellcode runs. Monitor for Adobe Reader/Acrobat spawning unexpected child processes or injecting into other processes.
  • The exploit payload is embedded in a zlib-deflated XML stream within the PDF, so a signature on the raw file bytes will miss it. Detection should inflate /FlateDecode streams and flag any whose content contains a TIFF structure.
  • RedKit EK used CVE-2010-0188 as one of its initial two exploits. Successful exploitation dropped bot software and the ZeroAccess trojan. Investigate for ZeroAccess indicators on hosts where Adobe Reader crashes or behaves anomalously.
  • The exploit hijacks indirect control-flow transfers in Adobe Acrobat Reader. Dynamic analysis using Intel PT or similar CFI monitoring can detect the anomalous indirect calls characteristic of this exploit family (the Pdfka malware family).
  • The default output filename of the Metasploit exploit module is 'msf.pdf'. Presence of this filename in email attachments or web downloads is a strong indicator of exploit delivery, though attackers rename it trivially, so treat its absence as no signal.
  • The Metasploit module hardcodes the offsets for its DEP bypass against Adobe Reader 9.3.0 on Windows XP SP3 English only; it may not work reliably against other versions or OS configurations without modification.
  • The exploit sets EXITFUNC to 'process', so the exploited Adobe Reader process terminates after the payload runs. The resulting application crash is visible to the user and to crash telemetry; because the module migrates first, the attacker's session survives it.
  • Payload space is limited to 1024 bytes, null bytes are bad characters, and NOPs are disabled, which constrains the choice of shellcode.
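As an added example (my own code, not from the page's sources and not the Metasploit module), the following Python scanner applies the stream-level indicators above to a PDF: it inflates /FlateDecode streams, extracts TIFFs that appear raw or base64-encoded (the form an XFA image field carries), parses the TIFF header and first IFD, and flags an exact match on the listed header bytes as well as the two impossible tag values in it (Compression 0xaa, PhotometricInterpretation 0xbb). The PDF and the XFA-shaped XML it builds for itself are constructed test input, and the sets of known Compression/Photometric values are my own; the process-migration indicators are left to endpoint telemetry.

```python
import base64
import re
import struct
import zlib

# First 80 bytes of the Metasploit-generated TIFF listed in the IOC section:
# "II*\0" little-endian magic, first IFD at offset 0x1e, entry count 8, and
# the first four entries. Assembled field by field so the structure is visible.
IOC_TIFF_PREFIX = (
    bytes.fromhex("49 49 2a 00")                              # "II*\0" little-endian TIFF
    + bytes.fromhex("1e 00 00 00")                            # first IFD at offset 30
    + b"\x00" * 22                                            # padding up to offset 30
    + bytes.fromhex("08 00")                                  # IFD entry count: 8
    + bytes.fromhex("00 01 03 00 01 00 00 00 08 00 00 00")    # 0x0100 ImageWidth  (SHORT) = 8
    + bytes.fromhex("01 01 03 00 01 00 00 00 08 00 00 00")    # 0x0101 ImageLength (SHORT) = 8
    + bytes.fromhex("03 01 03 00 01 00 00 00 aa 00 00 00")    # 0x0103 Compression (SHORT) = 0xaa
    + bytes.fromhex("06 01 03 00 01 00 00 00 bb 00 00 00")    # 0x0106 Photometric (SHORT) = 0xbb
)

# Registered TIFF Compression / PhotometricInterpretation values (baseline plus common
# extensions); these sets are my own, and 0xaa / 0xbb are in neither.
KNOWN_COMPRESSION = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 32773, 32946, 34712, 34892}
KNOWN_PHOTOMETRIC = {0, 1, 2, 3, 4, 5, 6, 8, 9, 10, 32803, 32844, 32845, 34892}

STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")


def parse_tiff_ifd0(data):
    """Parse the TIFF header and IFD0; return {tag: (type, count, value)} or None.
    A truncated IFD (as in the 80-byte IOC) yields the entries that are present."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return None
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(endian + "HI", data[2:8])
    if magic != 42 or ifd_off + 2 > len(data):
        return None
    (count,) = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])
    tags, pos = {}, ifd_off + 2
    for _ in range(count):
        if pos + 12 > len(data):
            break
        tag, typ, n, value = struct.unpack(endian + "HHII", data[pos:pos + 12])
        if typ == 3 and n == 1:          # a single SHORT sits in the first two value bytes
            value = value & 0xFFFF if endian == "<" else value >> 16
        tags[tag] = (typ, n, value)
        pos += 12
    return tags


def assess_tiff(tiff):
    """Return the reasons a TIFF looks like the CVE-2010-0188 trigger (empty if none)."""
    reasons = []
    if tiff.startswith(IOC_TIFF_PREFIX):
        reasons.append("exact match on the Metasploit TIFF header prefix")
    tags = parse_tiff_ifd0(tiff) or {}
    comp = tags.get(0x0103)
    if comp and comp[2] not in KNOWN_COMPRESSION:
        reasons.append("Compression=0x%x is not a registered scheme" % comp[2])
    photo = tags.get(0x0106)
    if photo and photo[2] not in KNOWN_PHOTOMETRIC:
        reasons.append("PhotometricInterpretation=0x%x is invalid" % photo[2])
    return reasons


def extract_tiffs(blob):
    """TIFF candidates in one stream payload: raw bytes, or base64 text as XFA image fields carry them."""
    found = [blob[blob.find(m):] for m in TIFF_MAGICS if m in blob]
    for m in BASE64_RE.finditer(blob):
        try:
            dec = base64.b64decode(m.group(0), validate=True)
        except ValueError:               # binascii.Error is a ValueError: not base64, skip
            continue
        if dec[:4] in TIFF_MAGICS:
            found.append(dec)
    return found


def iter_stream_payloads(pdf):
    """Yield (payload, was_deflated) per PDF stream, inflating /FlateDecode streams."""
    for m in STREAM_RE.finditer(pdf):
        raw = m.group(1)
        dict_before = pdf[max(0, m.start() - 256):m.start()]   # the stream dictionary
        if b"/FlateDecode" in dict_before:
            try:
                yield zlib.decompress(raw), True
                continue
            except zlib.error:
                pass                     # corrupt zlib: fall back to scanning the raw bytes
        yield raw, False


def scan_pdf(pdf):
    """Return one finding string per suspicious TIFF found in the PDF's streams."""
    findings = []
    for payload, deflated in iter_stream_payloads(pdf):
        for tiff in extract_tiffs(payload):
            reasons = assess_tiff(tiff)
            if reasons:
                where = "deflated stream" if deflated else "raw stream"
                findings.append("TIFF in %s: %s" % (where, "; ".join(reasons)))
    return findings


def build_sample_pdf(tiff):
    """Constructed test document (not Metasploit output): the TIFF base64-encoded in an
    XFA-shaped XML packet, deflated into a /FlateDecode stream, as the IOC notes describe."""
    xml = (b'<?xml version="1.0" encoding="UTF-8"?>'
           b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/"><template><field name="img1">'
           b'<ui><imageEdit/></ui><value><image contentType="image/tiff">'
           + base64.b64encode(tiff) +
           b'</image></value></field></template></xdp:xdp>')
    body = zlib.compress(xml)
    stream_obj = (b"3 0 obj\n<< /Length " + str(len(body)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream\nendobj\n")
    return (b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog /AcroForm 2 0 R >>\nendobj\n"
            b"2 0 obj\n<< /XFA 3 0 R >>\nendobj\n" + stream_obj
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


# Constructed benign control: one uncompressed content stream, no images.
BENIGN_PDF = (b"%PDF-1.4\n4 0 obj\n<< /Length 43 >>\nstream\n"
              b"BT /F1 12 Tf 72 720 Td (Hello, world) Tj ET\nendstream\nendobj\n%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("sample.pdf", build_sample_pdf(IOC_TIFF_PREFIX)), ("benign.pdf", BENIGN_PDF)):
        print(name, scan_pdf(doc) or "clean")
```

scan_pdf returns findings rather than printing them so it drops into a mail-gateway or sandbox pipeline. The exact-prefix rule is high confidence for stock module output; the tag-value heuristic also catches regenerated samples where the shellcode or offsets changed but the TIFF skeleton did not. It does not decode /Filter arrays, /ObjStm object streams or encrypted documents, all of which a production scanner must handle before the TIFF checks are reachable.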

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      7.8     HIGH       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      9.3     HIGH       AV:N/AC:M/Au:N/C:C/I:C/A:C (CVSS v2 has no Critical band; 9.3 is its top rating, HIGH)
vulncheck       -         7.8     HIGH
cisa            -         7.8     HIGH
vendor_redhat   -         7.8     HIGH

The two NVD vectors disagree on how the bug is reached: v2 rates it network-reachable (AV:N), while v3.1 rates it local (AV:L) and requiring low privileges (PR:L), which is why the v3.1 base score is a 7.8 for a vulnerability that exploit kits and mailed PDFs abused at scale. For prioritization, the KEV listing and the 88% EPSS above are a better signal than the base score.