CVE-2011-0611
published 2011-04-13

Priority: P1 (89), high
CVSS 3.1: 8.8 (AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
CISA Known Exploited Vulnerability (remediation due 2022-03-24); exploited in the wild
EPSS: 99.41% (99.9th percentile)
Adobe Flash Player before 10.2.154.27 on Windows, Mac OS X, Linux, and Solaris and 10.2.156.12 and earlier on Android; Adobe AIR before 2.6.19140; and Authplay.dll (aka AuthPlayLib.bundle) in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allow remote attackers to execute arbitrary code or cause a denial of service (application crash) via crafted Flash content; as demonstrated by a Microsoft Office document with an embedded .swf file that has a size inconsistency in a "group of included constants," object type confusion, ActionScript that adds custom functions to prototypes, and Date objects; and as exploited in the wild in April 2011.

Affected (14 ranges)

Vendor    | Product                  | Version range      | Fixed in
adobe     | acrobat                  | >= 10.0 < 10.0.3   | 10.0.3
adobe     | acrobat                  | >= 9.0 < 9.4       | 9.4
adobe     | acrobat_reader           | >= 10.0 < 10.0.3   | 10.0.3
adobe     | acrobat_reader           | 10.0 – 10.0.1      | (not listed)
adobe     | acrobat_reader           | >= 9.0 < 9.4.4     | 9.4.4
adobe     | adobe_air                | < 2.6.19140        | 2.6.19140
adobe     | flash_player             | < 10.2.154.27      | 10.2.154.27
adobe     | flash_player             | <= 10.2.156.12     | (not listed)
google    | chrome                   | < 10.0.648.205     | 10.0.648.205
opensuse  | opensuse                 | (not listed)       | (not listed)
opensuse  | opensuse                 | (not listed)       | (not listed)
opensuse  | opensuse                 | (not listed)       | (not listed)
suse      | linux_enterprise_desktop | (not listed)       | (not listed)
suse      | linux_enterprise_desktop | (not listed)       | (not listed)

Detection & IOCs (extracted from sources)

URL: hxxp://flightpub.net/l/content/ap1.php?f=97d19::182b5
URL: hxxp://flightpub.net/l/content/ap2.php?f=97d19::182b5
Path: data/exploits/CVE-2011-0611.swf
Snort rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 3"; flow:established,to_server; content:"/fdp1.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014052; rev:2;)

Snort rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2;)
  • The exploit is delivered via a crafted .swf embedded in a PDF or Office document; the Flash crash is triggered by an invalid object type use at Flash10o+0xd01f6 (call dword ptr [eax+8] where eax=11111110), indicating heap spray with 0x0c0c0c0c nop sled pattern.
  • CVE-2011-0611 was exploited via both .swf standalone and PDF-embedded vectors; hosts running both Adobe Flash Player and Adobe Reader may be vulnerable through separate update channels, so both products must be checked for patching.
  • The Metasploit module targets IE 6/7 on Windows XP SP3 and Windows Vista; User-Agent filtering in the exploit checks for 'MSIE \d\.\d' — defenders can correlate IDS alerts with these UA strings in proxy/web logs.
  • The Metasploit module's exploit SWF is loaded from a static file path on disk (data/exploits/CVE-2011-0611.swf); the HTML and JS variable names are randomized per request, limiting static string-based detection of the JS wrapper.
  • The Elirks backdoor retrieves its C2 address dynamically from attacker-controlled microblog/SNS accounts rather than hardcoded IPs, making static C2 IOCs short-lived.

CVSS provenance

Source         | Version | Score | Severity | Vector
NVD            | 3.1     | 8.8   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD            | 2.0     | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
VulnCheck      | 3.x     | 8.8   | HIGH     |
CISA           | 3.x     | 8.8   | HIGH     |
Vendor (Red Hat) | 3.x   | 8.8   | HIGH     |