CVE-2010-3654
published 2010-10-29


Severity: critical, CVSS 2.0 base score 9.3 (priority P276)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 69.68% (99.3rd percentile)
Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris and 10.1.95.1 on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.

Affected

90 ranges (25 shown in the extracted table)

Vendor   Product          Version range                                   Fixed in
adobe    acrobat          (12 rows; version ranges missing from the extracted table)
adobe    acrobat_reader   (12 rows; version ranges missing from the extracted table)
adobe    flash_player     <= 10.1.85.3

Detection & IOCs (extracted from sources)

path: data/exploits/CVE-2010-3654.swf
filename: CVE-2010-3654_Win7.zip
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17187.zip

Suricata/Snort rule (Emerging Threats SID 2013282):
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, cve CVE_2010_3654, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)

Byte pattern: |07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|
  • Detection: the ET rule matches an HTTP response (flow to_client) only when the ET.flash.pdf flowbit has already been set on the flow, meaning a PDF carrying Flash content was seen earlier, and the decoded response body (file.data) contains the byte sequence |07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|. Because of the flowbit precondition the SID is scoped to the PDF-delivered vector; a standalone SWF on a flow without that flowbit will not match it.
  • The exploit embeds a crafted SWF movie (CVE-2010-3654.swf) inside a PDF document and uses an AcroJS heap spray to lay out memory for the invalid pointer dereference.
  • The Metasploit module bypasses DEP with a ROP chain built from hardcoded gadget addresses in BIB.dll, reads the KiFastSystemCall stub pointer from 0x7ffe0300 (the SharedUserData page) and uses a hardcoded syscall number. It was tested only against Adobe Reader 9.4.0 (Flash 10.1.85.3) on Windows XP SP3; the hardcoded addresses and syscall number make it unreliable on other Windows versions or Reader builds.
  • The Windows 7 variant (exploit-db 17187) uses ActionScript type confusion three times: to leak the image base, to leak the shellcode address, and, after building the ROP payload as a string, to read that string's address by confusing the return value with a uint. This yields an ASLR and DEP bypass without depending on a non-ASLR third-party module.
  • The payload must be alphanumeric: the ROP/shellcode string passes through ActionScript's toString, which stores the characters as Unicode, so non-alphanumeric shellcode bytes do not survive the conversion.
  • In-the-wild exploitation was confirmed only against Adobe Reader and Acrobat 9.x at the time of disclosure; attacks against standalone Adobe Flash Player were not confirmed at that time.
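The rule logic above (Flash content inside a PDF, then the 16-byte content match) can be exercised offline against files rather than traffic. The scanner below is an added example, not code from this page, Emerging Threats, Metasploit or Adobe; the sample PDF and SWF blobs it builds are constructed test data, not the real exploit files, and the RichMedia dictionary in the sample is only there to make the PDF wrapper look plausible. Beyond the wire rule it also inflates zlib-compressed (CWS) SWF bodies, which a content match on raw bytes cannot see through.

```python
"""Offline check for the ET SID 2013282 byte signature (CVE-2010-3654).

Added example; not code from the page, Emerging Threats, Metasploit or Adobe.
It reproduces the rule's two conditions on a file instead of an HTTP stream:
Flash content carried inside a PDF (the ET.flash.pdf flowbit) and the 16-byte
content match. It additionally inflates zlib-compressed (CWS) SWF bodies.
"""
import re
import zlib

# Hex content string from the ET rule, as bytes.
ET_2013282_PATTERN = bytes.fromhex("07070217" "07061A07" "1B1B0702" "1C07071E")

# SWF signatures: FWS = uncompressed, CWS = zlib, ZWS = LZMA.
SWF_MAGIC = re.compile(rb"[FCZ]WS")


def swf_bodies(data):
    """Yield (offset, magic, body) for each SWF-looking blob in data.

    SWF header = 3-byte signature, 1-byte version, UI32 LE uncompressed length.
    FWS bodies are used as stored; CWS bodies are inflated (everything after
    byte 8 is one zlib stream); ZWS (LZMA) bodies are yielded raw.
    """
    for m in SWF_MAGIC.finditer(data):
        off, magic = m.start(), m.group()
        payload = data[off + 8:]
        if magic == b"CWS":
            try:
                # decompressobj ignores bytes after the zlib stream (e.g. the
                # PDF 'endstream' keyword); zlib.decompress() would reject them.
                payload = zlib.decompressobj().decompress(payload)
            except zlib.error:
                continue  # 'CWS' occurring by chance, not a SWF header
        if not payload:
            continue
        yield off, magic.decode(), payload


def scan(data):
    """Apply the rule logic to a byte string and report what it would see."""
    pat = re.escape(ET_2013282_PATTERN)
    is_pdf = data.startswith(b"%PDF")
    swfs = list(swf_bodies(data))
    raw_hits = [m.start() for m in re.finditer(pat, data)]
    inflated_hits = [(off, magic, m.start())
                     for off, magic, body in swfs
                     for m in re.finditer(pat, body)]
    return {
        "is_pdf": is_pdf,
        "swf_in_pdf": is_pdf and bool(swfs),     # ET.flash.pdf precondition
        "raw_hits": raw_hits,                     # what a raw content match sees
        "inflated_hits": inflated_hits,           # (swf offset, magic, offset in body)
        "rule_2013282_fires": is_pdf and bool(swfs) and bool(raw_hits),
        "alert": bool(raw_hits or inflated_hits),
    }


def make_swf(magic, body, version=10):
    """Wrap body in a minimal SWF container (constructed test data, not a real
    movie). FileLength is the uncompressed size including the 8-byte header."""
    header = magic + bytes([version]) + (8 + len(body)).to_bytes(4, "little")
    return header + (zlib.compress(body) if magic == b"CWS" else body)


# Constructed samples: an ascending printable filler around the signature, so
# the plaintext body cannot contain the pattern or a SWF magic by accident.
FILLER = bytes(range(0x20, 0x60)) * 4                    # 256 bytes
SIGNED_BODY = FILLER + ET_2013282_PATTERN + FILLER
SAMPLES = {
    "fws": make_swf(b"FWS", SIGNED_BODY),
    "cws": make_swf(b"CWS", SIGNED_BODY),
    "pdf_with_cws": (b"%PDF-1.6\n1 0 obj\n<< /Subtype /RichMedia >>\nstream\n"
                     + make_swf(b"CWS", SIGNED_BODY)
                     + b"\nendstream\nendobj\n%%EOF\n"),
    "clean_pdf": b"%PDF-1.6\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        r = scan(blob)
        print(f"{name:13s} alert={r['alert']!s:5s} "
              f"wire_rule={r['rule_2013282_fires']!s:5s} "
              f"raw={r['raw_hits']} inflated={r['inflated_hits']}")
```

The pdf_with_cws sample is the instructive case: the signature is present, but only after inflating the CWS stream, so a plain content match on the wire reports nothing unless the sensor decompresses SWF bodies itself (Suricata has an option for that). The fws sample shows the opposite: uncompressed content matches directly, but without the PDF wrapper the flowbit precondition is never met and SID 2013282 stays silent.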

CVSS provenance

Source         Version  Score  Severity  Vector
nvd            2.0      9.3    CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck               9.3    CRITICAL
vendor_redhat           9.3    CRITICAL