CVE-2010-2201
Published: 2010-06-30
Priority: P2 (60) · Severity: critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Tags: EXPLOIT
EPSS: 14.27% (percentile 96.1)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content involving the (1) pushstring (0x2C) operator, (2) debugfile (0xF1) operator, and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2168.
Affected
40 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | — | — |
| adobe | acrobat_reader | — | — |
Detection & IOCs (extracted from sources)

Byte pattern (pushstring opcode sequence in the crafted SWF):

```text
|2C E8 88 F0 FF 33|
```

Snort rule sid:2011500 (payload signature; requires the ET.flash.pdf flowbit):

```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|2C E8 88 F0 FF 33|"; reference:url,www.exploit-db.com/moaub12-adobe-acrobat-and-reader-pushstring-memory-corruption/; reference:bugtraq,41237; reference:cve,2010-2201; classtype:attempted-user; sid:2011500; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, cve CVE_2010_2201, deployment Perimeter, confidence Low, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09;)
```

Snort rule sid:2011499 (precursor; sets the ET.flash.pdf flowbit without alerting):

```snort
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt"; flow:established,to_client; flowbits:set,ET.flash.pdf; flowbits:noalert; file.data; content:"PDF-"; depth:300; content:".swf"; fast_pattern; nocase; distance:0; reference:url,feliam.wordpress.com/2010/02/11/flash-on-a-pdf-with-minipdf-py/; reference:cve,2010-1297; reference:cve,2010-2201; classtype:bad-unknown; sid:2011499; rev:7; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2010_09_27, cve CVE_2010_1297, deployment Perimeter, performance_impact Significant, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```

- The exploit embeds a malicious SWF file inside a PDF using the /RichMedia annotation subtype with /Subtype /Flash. Detect PDFs containing both the 'PDF-' header and an embedded '.swf' reference as a precursor flowbit (ET.flash.pdf) before checking for the pushstring payload.
- The specific malicious pushstring opcode sequence in the crafted SWF is the 6-byte pattern 2C E8 88 F0 FF 33. Match it within HTTP responses to clients where the ET.flash.pdf flowbit is already set.
- The vulnerability is triggered by the SWF pushstring (0x2C) and debugfile (0xF1) operators in crafted Flash content embedded in a PDF. Inspect SWF bytecode within PDF streams for these opcodes in unexpected contexts.
- The exploit activates the embedded Flash on page open (/Condition /PO). PDF analysis tools should flag /RichMediaActivation objects with /Condition /PO as suspicious when combined with embedded SWF content.
- The Snort rule sid:2011500 requires the flowbit ET.flash.pdf to be set by the companion rule sid:2011499 first. Both rules must be enabled together for the pushstring byte-signature detection to fire; sid:2011500 on its own will never alert.
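A small model of the two-rule flowbit dependency described above, added here as an example and not taken from the tracker page or the ET ruleset. The precursor check mirrors sid:2011499 ('PDF-' within the first 300 bytes, then '.swf' case-insensitively after it) and sets ET.flash.pdf; the payload check mirrors sid:2011500 and fires only when that bit is already set. It evaluates the server-to-client bodies of one flow in order, which is a simplification of Snort's packet-level matching, and the sample bodies are constructed rather than real files.

```python
import re

# Byte signature from sid:2011500 (the page's 6-byte pushstring pattern).
PUSHSTRING_SIG = bytes.fromhex("2CE888F0FF33")
SWF_REF = re.compile(rb"\.swf", re.IGNORECASE)  # content:".swf"; nocase
FLOWBIT = "ET.flash.pdf"


def sets_flash_pdf_flowbit(body: bytes) -> bool:
    """Precursor (sid:2011499): 'PDF-' must lie within the first 300 bytes
    (depth:300) and '.swf' must appear somewhere after it (distance:0)."""
    pos = body.find(b"PDF-", 0, 300)
    if pos == -1:
        return False
    return SWF_REF.search(body, pos + len(b"PDF-")) is not None


def has_pushstring_sig(body: bytes) -> bool:
    """Payload check (sid:2011500): raw 6-byte pattern anywhere in the body."""
    return PUSHSTRING_SIG in body


def inspect_flow(responses):
    """Evaluate both rules over the server->client bodies of one flow, in order.
    Returns the list of sids that would alert (sid:2011499 is noalert)."""
    flowbits = set()
    alerts = []
    for body in responses:
        if sets_flash_pdf_flowbit(body):
            flowbits.add(FLOWBIT)          # flowbits:set + flowbits:noalert
        if FLOWBIT in flowbits and has_pushstring_sig(body):
            alerts.append(2011500)         # flowbits:isset + content match
    return alerts


# Constructed samples (not real files): a PDF referencing an embedded SWF, a
# SWF-like blob carrying the signature bytes, and a PDF with no Flash at all.
PDF_WITH_SWF = b"%PDF-1.6\n1 0 obj\n<< /Type /RichMedia /F (payload.SWF) >>\nendobj\n"
SWF_WITH_SIG = b"FWS" + bytes(8) + PUSHSTRING_SIG + bytes(4)
PLAIN_PDF = b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    print(inspect_flow([PDF_WITH_SWF, SWF_WITH_SIG]))  # [2011500]
    print(inspect_flow([SWF_WITH_SIG]))                # [] : no precursor, never alerts
    print(inspect_flow([PLAIN_PDF, SWF_WITH_SIG]))     # [] : PDF has no .swf reference
```

The second call shows the caveat from the last bullet: the signature bytes alone, without the precursor having set the flowbit earlier in the flow, produce no alert.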
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vendor_redhat | — | 9.3 | CRITICAL | — |
Advisories

Red Hat · vendor_redhat · 2010-06-29 · CVSS 9.3
CVE-2010-2201 [CRITICAL] acroread: multiple code execution flaws (APSB10-15)

Red Hat · vendor_redhat · 2010-06-29 · CVSS 9.3
CVE-2010-1285 [CRITICAL] acroread: multiple code execution flaws (APSB10-15)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via unspecified manipulations involving the newclass (0x58) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-2168 and CVE-2010-2201.

Red Hat · vendor_redhat · 2010-06-29 · CVSS 9.3
CVE-2010-2168 [CRITICAL] acroread: multiple code execution flaws (APSB10-15)
Adobe Reader and Acrobat 9.x before 9.3.3, and 8.x before 8.2.3 on Windows and Mac OS X, allow attackers to execute arbitrary code via a PDF file with crafted Flash content, involving the newfunction (0x44) operator and an "invalid pointer vulnerability" that triggers memory corruption, a different vulnerability than CVE-2010-1285 and CVE-2010-2201.

GHSA · ghsa_unreviewed · 2022-05-14 · CVSS 9.3
CVE-2010-2201 [CRITICAL] GHSA-qm3q-8q36-x3vh: Adobe Reader and Acrobat 9

GHSA · ghsa_unreviewed · 2022-05-14 · CVSS 9.3
CVE-2010-2168 [CRITICAL] GHSA-2qrp-v3mf-g36h: Adobe Reader and Acrobat 9

GHSA · ghsa_unreviewed · 2022-05-02 · CVSS 9.3
CVE-2010-1285 [CRITICAL] CWE-20 GHSA-96r2-72m9-m58r: Adobe Reader and Acrobat 9

Suricata · 2010-09-27
CVE-2010-2201 ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt (sid:2011500; rule given under Detection & IOCs above)

Suricata · 2010-09-27
CVE-2010-1297 ET WEB_CLIENT PDF With Embedded Adobe Shockwave Flash Possibly Related to Remote Code Execution Attempt (sid:2011499; rule given under Detection & IOCs above)
References
- http://www.adobe.com/support/security/bulletins/apsb10-15.html
- http://www.securityfocus.com/archive/1/512098
- http://www.securityfocus.com/bid/41237
- http://www.securitytracker.com/id?1024159
- http://www.vupen.com/english/advisories/2010/1636
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6854