CVE-2010-3654
Published: 2010-10-29
Priority P276 · Severity: critical · CVSS 2.0 base score: 9.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploited in the wild (ITW exploit; listed in VulnCheck KEV)
EPSS: 69.68% (99.3th percentile)
Adobe Flash Player before 9.0.289.0 and 10.x before 10.1.102.64 on Windows, Mac OS X, Linux, and Solaris and 10.1.95.1 on Android, and authplay.dll (aka AuthPlayLib.bundle or libauthplay.so.0.0.0) in Adobe Reader and Acrobat 9.x through 9.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via crafted SWF content, as exploited in the wild in October 2010.
Affected
90 ranges, showing 25 (the acrobat and acrobat_reader rows carry no version bounds and are collapsed to one row each)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | — | — |
| adobe | acrobat_reader | — | — |
| adobe | flash_player | <= 10.1.85.3 | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET sid 2013282, rev 5):
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt"; flow:established,to_client; flowbits:isset,ET.flash.pdf; file.data; content:"|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"; reference:bid,44504; reference:cve,2010-3654; classtype:attempted-user; sid:2013282; rev:5; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2011_07_15, cve CVE_2010_3654, deployment Perimeter, confidence High, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_04_09, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
```
Matched bytes: |07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|
- Detect exploit delivery via a crafted SWF embedded in a PDF: the rule requires the ET.flash.pdf flowbit to already be set on the flow (an earlier rule has flagged a PDF carrying Flash content), then looks for the byte sequence |07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E| in the HTTP response body (file.data).
- The exploit embeds a specially crafted SWF movie (CVE-2010-3654.swf) inside a PDF document and uses an AcroJS heap spray to control the memory referenced by the invalid pointer.
- The Metasploit module uses a ROP chain with hardcoded gadget addresses from BIB.dll and reads KiFastSystemCall from address 0x7ffe0300 to bypass DEP; this technique is specific to Windows XP SP3 with Adobe Reader 9.4.0 (Flash 10.1.85.3).
- The Windows 7 exploit variant (Exploit-DB 17187) triggers the ActionScript type confusion three times to leak the imageBase and shellcode addresses, then builds a ROP payload string and confuses its return value with a uint to read the ROP payload address, which allows an ASLR+DEP bypass without any third-party modules.
- The exploit payload must use only alphanumeric characters because the ActionScript toString method converts ASCII to Unicode, which renders non-alphanumeric shellcode unusable.
- Because the Metasploit ROP chain relies on hardcoded gadget addresses from BIB.dll and a hardcoded syscall number, it is unreliable across Windows versions; it was tested only against Adobe Reader 9.4.0 on Windows XP SP3 (Flash 10.1.85.3).
- At the time of disclosure, active in-the-wild exploitation was confirmed only against Adobe Reader and Acrobat 9.x; attacks against the standalone Adobe Flash Player were not confirmed.
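To make the two conditions of the rule above concrete, here is an added Python example (not code from this page or from the Emerging Threats ruleset): it parses the Snort `content:` string (pipe-delimited hex mixed with literal text, the general form of which the rule shows one instance) and applies the flowbit precondition plus the byte match to constructed response bodies. The `Flow` class and the sample bodies are assumptions made for the example.

```python
"""Offline emulation of ET sid 2013282 (CVE-2010-3654) detection logic.

Two conditions must both hold, exactly as in the rule: the ET.flash.pdf
flowbit was already set on the flow by an earlier rule, and the content
byte sequence occurs in the HTTP response body (file.data).
"""
from dataclasses import dataclass, field

# Content pattern copied verbatim from the rule on this page.
RULE_CONTENT = "|07 07 02 17 07 06 1A 07 1B 1B 07 02 1C 07 07 1E|"
REQUIRED_FLOWBIT = "ET.flash.pdf"


def parse_snort_content(pattern: str) -> bytes:
    """Convert a Snort/Suricata content string into raw bytes.

    Text outside pipes is literal; text inside |...| is whitespace-separated
    hex; a backslash escapes the following character (e.g. a literal pipe).
    """
    out = bytearray()
    i, n = 0, len(pattern)
    while i < n:
        ch = pattern[i]
        if ch == "|":
            end = pattern.index("|", i + 1)  # ValueError on unbalanced pipes
            out.extend(bytes.fromhex(pattern[i + 1:end].replace(" ", "")))
            i = end + 1
        elif ch == "\\":
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


@dataclass
class Flow:
    """Hypothetical stand-in for per-flow state: flowbits set by other rules."""
    flowbits: set = field(default_factory=set)


def matches_rule(flow: Flow, response_body: bytes) -> bool:
    """True only when the flowbit precondition and the byte match both hold."""
    if REQUIRED_FLOWBIT not in flow.flowbits:
        return False  # no PDF-with-Flash seen on this flow: rule never fires
    return parse_snort_content(RULE_CONTENT) in response_body


# Constructed sample data (not real captures).
PDF_FLOW = Flow({"ET.flash.pdf"})
SUSPICIOUS_BODY = (b"%PDF-1.4 ... stream "
                   b"\x07\x07\x02\x17\x07\x06\x1a\x07\x1b\x1b\x07\x02\x1c\x07\x07\x1e"
                   b" endstream")
BENIGN_BODY = b"<html><body>hello</body></html>"
```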
CVSS provenance
- nvd: CVSS v2.0 9.3 CRITICAL, vector AV:N/AC:M/Au:N/C:C/I:C/A:C
- vulncheck: 9.3 CRITICAL
- vendor_redhat: 9.3 CRITICAL
GHSA
GHSA-c6x8-9r8h-9jrr: Adobe Flash Player before 9
ghsa (unreviewed) · 2022-05-17 · severity HIGH · CWE-119
Description: identical to the CVE description above.
VulnCheck
Adobe Flash Player Improper Restriction of Operations within the Bounds of a Memory Buffer
vulncheck · 2010 · CVSS 9.3 · CRITICAL
Description: identical to the CVE description above.
Affected: Adobe Flash Player
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2010-3654; https://documents
Red Hat
acroread/flash-plugin: critical vulnerability (APSA10-05, APSB10-26)
vendor_redhat · 2010-10-28 · CVSS 9.3 · CRITICAL
Description: identical to the CVE description above.
Suricata
ET WEB_CLIENT Adobe Flash Player Button Remote Code Execution Attempt
suricata · 2011-07-15 · sid 2013282
Rule: identical to the Snort/Suricata rule quoted under Detection & IOCs above.
Exploit-DB
Adobe Flash Player < 10.1.53.64 - Action Script Type Confusion (ASLR + DEP Bypass)
exploitdb · 2011-04-19 · CVSS 9.3 · CRITICAL
---
Source: http://www.abysssec.com/blog/2011/04/exploiting-adobe-flash-player-on-windows-7/
Adobe Flash Player ActionScript type confusion exploit (DEP+ASLR bypass)
Advisory text:
Here is another reliable Windows 7 exploit. The main method used for exploitation is based on Haifei Li's presentation at CanSecWest.
But as the exploit code was not released and a lot of people like to see exploit code, here is our code.
Exploitation detail:
For exploitation purposes on recent protections on Windows 7 without any 3rd party (well, Flash is not 3rd party these days), it is possible to use the same bug many times to leak the imageBase address and payload address. In our exploit we used three confusions to read String Obje
Exploit-DB
Adobe Flash Player - 'Button' Arbitrary Code Execution (Metasploit)
exploitdb · 2010-11-01
---
```ruby
##
# $Id: adobe_flashplayer_button.rb 10857 2010-11-01 22:34:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'zlib'

# The class header, mixin includes and the start of initialize were eaten
# by HTML extraction (everything between "<" and the first ">" was dropped);
# the standard Metasploit 3 module skeleton is restored here, mixin includes
# omitted. The excerpt on the page ends mid-description.
class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'        => 'Adobe Flash Player "Button" Remote Code Execution',
			'Description' => %q{
					This module exploits a vulnerability in the handling of certain SWF movies
				within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat
				are also vulnerable, as are any other applications that may embed Flash player.
				Arbitrary code execution is achi
```
Metasploit
Adobe Flash Player "Button" Remote Code Execution
metasploit
This module exploits a vulnerability in the handling of certain SWF movies within versions 9.x and 10.0 of Adobe Flash Player. Adobe Reader and Acrobat are also vulnerable, as are any other applications that may embed Flash player. Arbitrary code execution is achieved by embedding a specially crafted Flash movie into a PDF document. An AcroJS heap spray is used in order to ensure that the memory used by the invalid pointer issue is controlled. NOTE: This module uses a similar DEP bypass method to that used within the adobe_libtiff module. This method is unlikely to work across various Windows versions due to a hardcoded syscall number.
Bugzilla
flash-plugin: security bulletin APSB10-26
bugzilla · 2010-11-04 · CVSS 9.3 · CRITICAL
On 2011-11-04 Adobe plans to release an update for Adobe Flash Player, providing 10.1.102.64 and 9.0.289.0 to address multiple security issues allowing code execution. The flaws are described in the Adobe Security Bulletin APSB10-26:
http://www.adobe.com/support/security/bulletins/apsb10-26.html
* This update resolves a memory corruption vulnerability that could lead to code execution (CVE-2010-3654).
* This update resolves an input validation issue vulnerability that could lead to a bypass of cross-domain policy file restrictions with certain server encodings (CVE-2010-3636).
* This update resolves a memory corruption vulnerability that could lead to code execution (ActiveX only) (CVE-2010-3637).
* This update resolves an information disclosu
Bugzilla
CVE-2010-3654 acroread/flash-plugin: critical vulnerability (APSA10-05, APSB10-26)
bugzilla · 2010-10-28 · CVSS 9.3 · CRITICAL
From the Adobe security bulletin APSA10-05:
A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.
This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Rea
Securelist
Investigation Report for the September 2014 Equation malware detection incident in the US
blogs_securelist · 2017-11-16
Authors: Kaspersky
## Background
In early October, a story was published by the Wall Street Journal alleging Kaspersky Lab software was used to siphon classified data from an NSA employee’s home computer system. Given that Kaspersky Lab has been at the forefront of fighting cyberespionage and cybercriminal activities on the Internet for over 20 years now, these allegations were treated very seriously. To assist any independent investigators and all the people who have been asking us questions whether those allegations were true, we decided to conduct an internal investigation to attempt to answer a few questions we had related to the article and some others that followed it:
1. Was our software used outside of its intended functionality to pull classified information from a person’s c
References
- http://blogs.sun.com/security/entry/multiple_vulnerabilities_in_adobe_flash1
- http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00000.html
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00001.html
- http://secunia.com/advisories/41917
- http://secunia.com/advisories/42030
- http://secunia.com/advisories/42183
- http://secunia.com/advisories/42401
- http://secunia.com/advisories/42926
- http://secunia.com/advisories/43025
- http://secunia.com/advisories/43026
- http://security.gentoo.org/glsa/glsa-201101-08.xml
- http://security.gentoo.org/glsa/glsa-201101-09.xml
- http://securityreason.com/securityalert/8210
- http://support.apple.com/kb/HT4435
- http://www.adobe.com/support/security/advisories/apsa10-05.html
- http://www.adobe.com/support/security/bulletins/apsb10-26.html
- http://www.adobe.com/support/security/bulletins/apsb10-28.html
- http://www.kb.cert.org/vuls/id/298081
- http://www.redhat.com/support/errata/RHSA-2010-0829.html
- http://www.redhat.com/support/errata/RHSA-2010-0834.html
- http://www.redhat.com/support/errata/RHSA-2010-0867.html
- http://www.redhat.com/support/errata/RHSA-2010-0934.html
- http://www.securityfocus.com/bid/44504
- http://www.securitytracker.com/id?1024659
- http://www.securitytracker.com/id?1024660
- http://www.turbolinux.co.jp/security/2011/TLSA-2011-2j.txt
- http://www.vupen.com/english/advisories/2010/2903
- http://www.vupen.com/english/advisories/2010/2906
- http://www.vupen.com/english/advisories/2010/2918
- http://www.vupen.com/english/advisories/2010/3111
- http://www.vupen.com/english/advisories/2011/0173
- http://www.vupen.com/english/advisories/2011/0191
- http://www.vupen.com/english/advisories/2011/0192
- http://www.vupen.com/english/advisories/2011/0344
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13294