CVE-2010-2168
Published 2010-06-30
Priority: P260 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 14.27% (96.1th percentile)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content, involving the newfunction (0x44) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2201.
Affected
40 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat | — | — |
| adobe | acrobat_reader | — | — |
| adobe | acrobat_reader | — | — |
| adobe | acrobat_reader | — | — |
| adobe | acrobat_reader | — | — |
Detection & IOCs
bytes
|40 E8 D4 F1 FF 33|
snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, cve CVE_2010_2168, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- The exploit triggers via the newfunction (0x44) SWF operator embedded in a PDF. Detect the 6-byte sequence 40 E8 D4 F1 FF 33 inside Flash content delivered within a PDF (flowbit ET.flash.pdf must be set).
- The exploit embeds a crafted SWF (poc.swf) as a RichMedia annotation inside a PDF, activated on page-open (/Condition /PO). Inspect PDF RichMedia annotations containing embedded SWF files for the malicious newfunction opcode.
- CVE-2010-2168 specifically involves the newfunction (0x44) Flash operator causing an invalid pointer / memory corruption. Differentiate from CVE-2010-1285 (newclass 0x58) and CVE-2010-2201 (pushstring 0x2C / debugfile 0xF1).
- The Snort/ET rule requires the flowbit ET.flash.pdf to be set (i.e., a prior rule must have identified Flash content inside a PDF). Ensure the prerequisite flowbit-setting rule is active, otherwise this rule will not fire.
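The flowbit dependency in the last note can be checked mechanically before a ruleset is deployed. The following is an added example, not code from this page or from Emerging Threats: it reports every enabled rule that tests a flowbit no enabled rule sets. The `SETTER` rule is a hypothetical stand-in for the real prerequisite rule (its msg, content and sid are placeholders), and the page's rule is trimmed to the relevant options.

```python
import re

# Constructed sample rules. NEWFUNCTION is the page's rule trimmed to the options
# that matter here. SETTER is a hypothetical stand-in for the real prerequisite
# rule: its msg, content and sid are placeholders, not Emerging Threats values.
SETTER = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL placeholder '
          'Flash in PDF"; flow:established,to_client; file.data; content:"%PDF-"; '
          'flowbits:set,ET.flash.pdf; flowbits:noalert; sid:1000001; rev:1;)')
NEWFUNCTION = ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT '
               'Adobe Acrobat newfunction Remote Code Execution Attempt"; '
               'flow:established,to_client; flowbits:isset,ET.flash.pdf; '
               'file.data; content:"|40 E8 D4 F1 FF 33|"; sid:2011575; rev:6;)')

FLOWBITS = re.compile(r'flowbits\s*:\s*(\w+)\s*(?:,\s*([^;]+?))?\s*;')
SID = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
ACTIONS = ('alert', 'drop', 'pass', 'reject')

def parse_rules(text):
    """Return [(sid, enabled, [(action, name), ...])], one entry per rule line."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        enabled = not stripped.startswith('#')   # commented-out rule = disabled
        body = stripped.lstrip('# ')
        sid = SID.search(body)
        if not body.startswith(ACTIONS) or not sid:
            continue                             # blank line or plain comment
        # Keep only flowbits options that name a bit (skips e.g. noalert).
        bits = [(action, name.strip())
                for action, name in FLOWBITS.findall(body) if name]
        rules.append((int(sid.group(1)), enabled, bits))
    return rules

def unsatisfied_flowbits(text):
    """Map sid -> flowbits an enabled rule tests that no enabled rule sets."""
    rules = [r for r in parse_rules(text) if r[1]]
    settable = {name for _, _, bits in rules
                for action, name in bits if action in ('set', 'toggle')}
    missing = {}
    for sid, _, bits in rules:
        for action, name in bits:
            if action == 'isset' and name not in settable:
                missing.setdefault(sid, []).append(name)
    return missing

if __name__ == '__main__':
    print(unsatisfied_flowbits(SETTER + '\n' + NEWFUNCTION))         # setter enabled
    print(unsatisfied_flowbits('# ' + SETTER + '\n' + NEWFUNCTION))  # setter disabled
```

A non-empty result for sid 2011575 means the newfunction rule is loaded but can never fire.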
CVSS provenance
nvd · v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 9.3 CRITICAL
Red Hat
acroread: multiple code execution flaws (APSB10-15)
vendor_redhat·2010-06-29·CVSS 9.3
CVE-2010-2201 [CRITICAL] acroread: multiple code execution flaws (APSB10-15)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content involving the (1) pushstring (0x2C) operator, (2) debugfile (0xF1) operator, and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2168.
Red Hat
acroread: multiple code execution flaws (APSB10-15)
vendor_redhat·2010-06-29·CVSS 9.3
CVE-2010-1285 [CRITICAL] acroread: multiple code execution flaws (APSB10-15)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified manipulations involving the newclass (0x58) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-2168 and CVE-2010-2201.
Red Hat
acroread: multiple code execution flaws (APSB10-15)
vendor_redhat·2010-06-29·CVSS 9.3
CVE-2010-2168 [CRITICAL] acroread: multiple code execution flaws (APSB10-15)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content, involving the newfunction (0x44) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2201.
GHSA
GHSA-qm3q-8q36-x3vh: Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2010-2201 [CRITICAL] GHSA-qm3q-8q36-x3vh: Adobe Reader and Acrobat 9
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content involving the (1) pushstring (0x2C) operator, (2) debugfile (0xF1) operator, and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2168.
GHSA
GHSA-2qrp-v3mf-g36h: Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-14·CVSS 9.3
CVE-2010-2168 [CRITICAL] GHSA-2qrp-v3mf-g36h: Adobe Reader and Acrobat 9
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content, involving the newfunction (0x44) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2201.
GHSA
GHSA-96r2-72m9-m58r: Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-02·CVSS 9.3
CVE-2010-1285 [CRITICAL] CWE-20 GHSA-96r2-72m9-m58r: Adobe Reader and Acrobat 9
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified manipulations involving the newclass (0x58) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-2168 and CVE-2010-2201.
Suricata
ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt
suricata·2010-09-29
CVE-2010-2168 ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat newfunction Remote Code Execution Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|40 E8 D4 F1 FF 33|"; reference:url,www.adobe.com/support/security/bulletins/apsb10-15.html; reference:url,www.exploit-db.com/moaub-23-adobe-acrobat-and-reader-newfunction-remote-code-execution-vulnerability/; reference:bid,41236; reference:cve,2010-2168; classtype:attempted-user; sid:2011575; rev:6; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_29, cve CVE_2010_2168, deployment Perimeter, confidence Medium, signature_severity Major, ta
- http://www.adobe.com/support/security/bulletins/apsb10-15.html
- http://www.securityfocus.com/archive/1/512096
- http://www.securityfocus.com/bid/41236
- http://www.securitytracker.com/id?1024159
- http://www.vupen.com/english/advisories/2010/1636
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7167
Published: 2010-06-30