CVE-2010-2201
published 2010-06-30


Priority: P260 · critical · CVSS 2.0 base score 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploit: public exploit referenced
EPSS: 14.27% (96.1st percentile)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content involving the (1) pushstring (0x2C) operator, (2) debugfile (0xF1) operator, and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2168.

Affected

40 affected ranges (25 shown on the page). Vendor / product columns as captured:
adobe / acrobat (21 ranges listed)
adobe / acrobat_reader (4 ranges listed)
The version range and fixed-in columns were not captured; the description above gives the fixed versions (9.3.3 for 9.x, 8.2.3 for 8.x).

Detection & IOCs (extracted from sources)

command: pushstring (0x2C) operator
command: debugfile (0xF1) operator
bytes: |2C E8 88 F0 FF 33|
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, cve CVE_2010_2201, deployment Perimeter, confidence Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
snort: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; flowbits:set,ET.flash.pdf; flowbits:noalert; file.data; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, cve CVE_2010_1297, deployment Perimeter, performance_impact Significant, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • The exploit embeds a malicious SWF file inside a PDF using the /RichMedia annotation subtype with /Subtype /Flash. Detect PDFs containing both 'PDF-' header and embedded '.swf' references as a precursor flowbit (ET.flash.pdf) before checking for the pushstring payload.
  • The specific malicious pushstring opcode sequence in the crafted SWF is the 6-byte pattern 2C E8 88 F0 FF 33. Match this within HTTP responses to clients where the ET.flash.pdf flowbit is already set.
  • The vulnerability is triggered by the SWF pushstring (0x2C) and debugfile (0xF1) operators in crafted Flash content embedded in a PDF. Inspect SWF bytecode within PDF streams for these opcodes in unexpected contexts.
  • The exploit activates the embedded Flash on page open (/Condition /PO). PDF analysis tools should flag /RichMediaActivation objects with /Condition /PO as suspicious when combined with embedded SWF content.
  • The Snort rule sid:2011500 requires the flowbit ET.flash.pdf to be set by the companion rule sid:2011499 first. Both rules must be enabled together for the pushstring byte-signature detection to fire; enabling only sid:2011500 alone will never alert.
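The two-rule flowbit chain and the static /RichMedia check from the notes above, replayed in Python as an added example (not code from the page or from the ET ruleset) over constructed sample PDF bodies; the rule logic is approximated from the content/depth/distance/nocase options quoted in sid:2011499 and sid:2011500, and the sample objects are made up for the demonstration.

```python
import re

# Byte pattern quoted in ET sid:2011500 (the crafted pushstring sequence).
PUSHSTRING_SIG = bytes.fromhex("2CE888F0FF33")

def precursor_pdf_with_swf(body: bytes) -> bool:
    """Approximation of sid:2011499: 'PDF-' within the first 300 bytes (depth:300),
    then '.swf' case-insensitively after that match (distance:0; nocase).
    A hit is what sets the ET.flash.pdf flowbit; the rule itself is noalert."""
    idx = body.find(b"PDF-", 0, 300)
    return idx >= 0 and body.lower().find(b".swf", idx + 4) >= 0

def richmedia_opens_on_page_open(body: bytes) -> bool:
    """Static check from the notes: a /RichMedia annotation with a /Subtype /Flash
    instance and a /Condition /PO activation (Flash starts when the page opens)."""
    return (b"/RichMedia" in body
            and re.search(rb"/Subtype\s*/Flash\b", body) is not None
            and re.search(rb"/Condition\s*/PO\b", body) is not None)

def evaluate_flow(responses):
    """Replay the rule chain over the server->client responses of one flow.
    'signature_without_flowbit' records the case the last note describes:
    the bytes are present but sid:2011499 never set the flowbit, so no alert."""
    state = {"flowbit_set": False, "sid_2011500": False,
             "richmedia_po": False, "signature_without_flowbit": False}
    for body in responses:
        if precursor_pdf_with_swf(body):
            state["flowbit_set"] = True
        if richmedia_opens_on_page_open(body):
            state["richmedia_po"] = True
        if PUSHSTRING_SIG in body:
            if state["flowbit_set"]:
                state["sid_2011500"] = True
            else:
                state["signature_without_flowbit"] = True
    return state

# Constructed sample bodies (not real files): a plain PDF, a PDF that embeds a
# Flash asset with page-open activation, and the same PDF carrying the signature.
BENIGN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
FLASH_PDF = (b"%PDF-1.6\n5 0 obj << /Type /Annot /Subtype /RichMedia"
             b" /RichMediaContent << /Assets << /Names [ (movie.SWF) 6 0 R ] >>"
             b" /Configurations [ << /Instances [ << /Subtype /Flash /Asset 6 0 R >> ] >> ] >>"
             b" /RichMediaSettings << /Activation << /Condition /PO >> >> >> endobj\n")
FLASH_PDF_WITH_SIG = (FLASH_PDF + b"6 0 obj << /Type /EmbeddedFile >> stream\n"
                      + PUSHSTRING_SIG + b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    for name, flow in [("benign", [BENIGN_PDF]), ("flash_only", [FLASH_PDF]),
                       ("flash_with_sig", [FLASH_PDF_WITH_SIG]),
                       ("sig_no_precursor", [PUSHSTRING_SIG + b"junk"])]:
        print(name, evaluate_flow(flow))
```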

CVSS provenance

nvd · CVSS v2.0 · 9.3 CRITICAL · AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat · 9.3 CRITICAL