cbcvebase.
CVE-2011-2462
published 2011-12-07

Priority: P1 · 92 · critical · 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 86.24% (99.7th percentile)
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.

Affected

3 ranges (Vendor / Product / Version range; the "Fixed in" column is not populated in this record)
  • adobe / acrobat: <= 10.1.1
  • adobe / acrobat_reader: <= 10.1.1
  • adobe / acrobat_reader: 9.0 – 9.4.6

Detection & IOCs (extracted from sources)

hash: e3878d541d17b156b7ca447eeb49d96a
hash: 1eda7e556181e46ba6e36f1a6bfe18ff5566f9d5e51c53b41d08f9459342e26c
mutex: @_ZXSHELL_@
registry: HKLM\SYSTEM\CurrentControlSet\Control\zxplug
filename: msf.pdf
  • Detect ZxShell RAT dropper delivered via CVE-2011-2462 exploit by hunting for the mutex @_ZXSHELL_@ in running processes.
  • Monitor for creation of the ZxShell plugin registry key HKLM\SYSTEM\CurrentControlSet\Control\zxplug, which is used to load ZxShell plugins via LoadLibrary.
  • Monitor for svchost service installation using a randomly generated name from the netsvc group, or a fallback name formatted as netsvc_xxxxxxxx (8-digit random hex), as used by ZxShell for persistence.
  • The exploit embeds specially crafted U3D data into a PDF document and uses a heap spray via JavaScript; detect malicious PDFs containing U3D streams combined with JavaScript heap spray patterns targeting address 0x0c0c0c0c.
  • ZxShell DLL unlinks itself from the host process module list after loading; memory forensics or EDR tools should scan for unsigned executable memory regions in svchost.exe not backed by a mapped module.
  • The Metasploit exploit module targets specific Adobe Reader versions (9.4.0, 9.4.5, 9.4.6 on Windows XP SP3) with a hardcoded ROP gadget address from icucnv36; the ROP chain and heap spray address (0x0c0c0c0c) are version/platform specific and will not work reliably against other targets.
  • The CVE affects Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX; the Metasploit module only implements a Windows target.
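A defender-side triage heuristic for the U3D plus JavaScript heap-spray combination described in the detection notes above, added here as an example (it is not code from this record or from any tool it references). The byte patterns it looks for and the minimal PDF-like sample buffers are assumptions/constructed; it inflates FlateDecode streams so markers hidden in compressed objects are not missed.

```python
import re
import zlib

# Heuristic byte patterns; these are assumptions about how such PDFs typically
# look, not signatures taken from the record above.
PATTERNS = {
    "u3d_stream": re.compile(rb"/Subtype\s*/U3D", re.I),        # 3D stream dictionary
    "javascript": re.compile(rb"/(JavaScript|JS)\b"),            # JS action / script ref
    "spray_0c0c0c0c": re.compile(rb"0c0c0c0c|%u0c0c", re.I),     # the spray address
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def inflate_streams(pdf: bytes) -> bytes:
    """Append the inflated body of every FlateDecode stream to the raw bytes,
    so markers hidden inside compressed objects are visible to the scan.
    Other filters are not handled and stay opaque."""
    decoded = []
    for m in STREAM_RE.finditer(pdf):
        try:
            decoded.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not Flate-compressed (or corrupt): scan the raw bytes only
    return pdf + b"\n" + b"\n".join(decoded)


def triage_pdf(pdf: bytes) -> dict:
    """Return which markers were seen; 'suspicious' needs all three together."""
    data = inflate_streams(pdf)
    hits = {name: bool(p.search(data)) for name, p in PATTERNS.items()}
    hits["suspicious"] = all(hits.values())
    return hits


def build_sample(js: bytes = b"") -> bytes:
    """Constructed, minimal PDF-like buffer for testing (not a renderable PDF):
    one U3D object, plus an optional Flate-compressed JavaScript stream."""
    buf = (b"%PDF-1.7\n1 0 obj << /Type /3D /Subtype /U3D /Length 4 >>\n"
           b"stream\nU3D!\nendstream\nendobj\n")
    if js:
        comp = zlib.compress(js)
        buf += b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
        buf += (b"3 0 obj << /Filter /FlateDecode /Length %d >>\nstream\n" % len(comp)
                + comp + b"\nendstream\nendobj\n")
    return buf + b"%%EOF\n"


if __name__ == "__main__":
    print(triage_pdf(build_sample()))                                      # U3D only
    print(triage_pdf(build_sample(b"var p = unescape('%u0c0c%u0c0c');")))  # all three
```

A real scanner would also handle other stream filters and object streams; this one only shows the combination check the notes describe.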

CVSS provenance

  • nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • nvd (v2.0): 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
  • vulncheck: 9.8 CRITICAL
  • cisa: 9.8 CRITICAL
  • vendor_redhat: 9.8 CRITICAL