CVE-2011-2462
Published 2011-12-07
Priority P1 · 92 · critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-22
Exploited in the wild
EPSS: 86.24% (99.7th percentile)
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | <= 10.1.1 | — |
| adobe | acrobat_reader | <= 10.1.1 | — |
| adobe | acrobat_reader | 9.0 – 9.4.6 | — |
Detection & IOCs (extracted from sources)
- Detect the ZxShell RAT dropper delivered via the CVE-2011-2462 exploit by hunting for the mutex @_ZXSHELL_@ in running processes.
- Monitor for creation of the ZxShell plugin registry key HKLM\SYSTEM\CurrentControlSet\Control\zxplug, which is used to load ZxShell plugins via LoadLibrary.
- Monitor for svchost service installation using a randomly generated name from the netsvc group, or a fallback name formatted as netsvc_xxxxxxxx (8-digit random hex), as used by ZxShell for persistence.
- The exploit embeds specially crafted U3D data into a PDF document and uses a heap spray via JavaScript; detect malicious PDFs containing U3D streams combined with JavaScript heap spray patterns targeting address 0x0c0c0c0c.
- The ZxShell DLL unlinks itself from the host process module list after loading; memory forensics or EDR tools should scan for unsigned executable memory regions in svchost.exe not backed by a mapped module.
- Caveat: the Metasploit exploit module targets specific Adobe Reader versions (9.4.0, 9.4.5, 9.4.6 on Windows XP SP3) with a hardcoded ROP gadget address from icucnv36; the ROP chain and heap spray address (0x0c0c0c0c) are version/platform specific and will not work reliably against other targets.
- Caveat: the CVE affects Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX; the Metasploit module only implements a Windows target.
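A static triage check for the PDF pattern described in the bullets above (a U3D stream together with JavaScript that sprays the heap toward 0x0c0c0c0c), added here as an example and not taken from any of the page's sources; the markers it searches for, the FlateDecode handling and the constructed sample PDF are assumptions.

```python
import re
import zlib

# Markers are assumptions drawn from the description above, not from any source's rule set.
U3D_MARKER = re.compile(rb"/Subtype\s*/U3D|/U3D\b")
JS_MARKER = re.compile(rb"/(?:JS|JavaScript)\b")
SPRAY_MARKER = re.compile(rb"%u0c0c|0c0c0c0c", re.IGNORECASE)
# Stream objects: dictionary, then "stream ... endstream" (nested dictionaries are not handled).
STREAM = re.compile(rb"<<([^>]*)>>\s*stream\r?\n(.*?)\nendstream", re.DOTALL)


def _inflate_streams(pdf: bytes) -> bytes:
    """Return the raw PDF plus the decoded body of every FlateDecode stream,
    so markers hidden inside compressed objects are visible to the scan."""
    decoded = [pdf]
    for m in STREAM.finditer(pdf):
        if b"/FlateDecode" in m.group(1):
            try:
                decoded.append(zlib.decompress(m.group(2)))
            except zlib.error:
                continue  # truncated or deliberately malformed stream: skip it
    return b"\n".join(decoded)


def triage_pdf(pdf: bytes) -> dict:
    """Report each indicator separately and flag the file only when all
    three co-occur: a U3D object, JavaScript, and a 0x0c0c0c0c spray pattern."""
    blob = _inflate_streams(pdf)
    findings = {
        "u3d": bool(U3D_MARKER.search(blob)),
        "javascript": bool(JS_MARKER.search(blob)),
        "spray_0c0c0c0c": bool(SPRAY_MARKER.search(blob)),
    }
    findings["suspicious"] = all(findings.values())
    return findings


def sample_pdf() -> bytes:
    """Constructed minimal PDF (not a real sample): a compressed JavaScript
    action carrying only the spray marker, plus a U3D stream declaration."""
    js = zlib.compress(b"var s = unescape('%u0c0c%u0c0c'); // constructed marker")
    return (b"%PDF-1.7\n"
            b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length " + str(len(js)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + js + b"\nendstream endobj\n"
            b"4 0 obj << /Type /3D /Subtype /U3D /Length 4 >>\nstream\nU3D\x00\nendstream endobj\n"
            b"%%EOF\n")
```

The three indicators are reported individually because U3D content or JavaScript alone is common in legitimate documents; only their combination with the spray pattern is worth an alert.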
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
CISA
Adobe Reader and Acrobat Universal 3D Memory Corruption Vulnerability
cisa · 2022-06-08 · CVSS 9.8 · CRITICAL · CWE-787
Affected: Adobe Reader and Acrobat
The Universal 3D (U3D) component in Adobe Reader and Acrobat contains a memory corruption vulnerability which could allow remote attackers to execute code or cause denial-of-service (DoS).
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2011-2462
Remediation Due Date: 2022-06-22
Red Hat
acroread: U3D memory corruption vulnerability (APSB11-30)
vendor_redhat · 2011-12-06 · CVSS 9.8 · CRITICAL
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
GHSA
GHSA-g2wp-w28c-8vg2: Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10
ghsa_unreviewed · 2022-05-17 · HIGH · CWE-787
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
VulnCheck
Adobe Reader and Acrobat Universal 3D Memory Corruption Vulnerability
vulncheck · 2011 · CVSS 9.8 · CRITICAL · CWE-787
The Universal 3D (U3D) component in Adobe Reader and Acrobat contains a memory corruption vulnerability which could allow remote attackers to execute code or cause denial-of-service (DoS).
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2011-2462; https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=748f518d-25e3-456c-a623-595f9b5214ef&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments; https://documents.trendmicro.com/assets/wp/wp_luckycat_redux.pdf; https://cybersecurity.att.com/blogs/labs-research/new-sykipot-developments; htt
Suricata
ET MALWARE Backdoor.Win32.Sykipot Put
suricata · 2011-12-09
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Put"; flow:established,to_server; http.uri; content:"/kys_allow_put.asp?type="; content:"&hostname="; reference:cve,2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:trojan-activity; sid:2014007; rev:4; metadata:created_at 2011_12_09, cve CVE_2011_2462, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_03_06;)
Suricata
ET MALWARE Backdoor.Win32.Sykipot Get Config Request
suricata · 2011-12-09
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Get Config Request"; flow:established,to_server; http.method; content:"GET"; nocase; http.uri; content:"/kys_allow_get.asp?"; content:"name=getkys.kys"; reference:cve,2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; classtype:trojan-activity; sid:2014008; rev:6; metadata:created_at 2011_12_09, cve CVE_2011_2462, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2020_04_21;)
Suricata
ET MALWARE Backdoor.Win32.Sykipot Checkin
suricata · 2011-12-09
Rule: alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Backdoor.Win32.Sykipot Checkin"; flow:established,to_server; http.uri; content:"allow_get.asp?name="; fast_pattern; content:"&hostname="; distance:0; http.header_names; to_lowercase; content:!"|0d 0a|referer|0d 0a|"; reference:cve,2011-2462; reference:url,blog.9bplus.com/analyzing-cve-2011-2462; reference:url,contagiodump.blogspot.com/2011/12/adobe-zero-day-cve-2011-2462.html; classtype:command-and-control; sid:2014006; rev:6; metadata:created_at 2011_12_09, cve CVE_2011_2462, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_04_27;)
Exploit-DB
Adobe Reader - U3D Memory Corruption (Metasploit)
exploitdb · 2012-01-14
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'zlib'
class Metasploit3 'Adobe Reader U3D Memory Corruption Vulnerability',
'Description' => %q{
This module exploits a vulnerability in the U3D handling within
versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader.
The vulnerability is due to the use of uninitialized memory.
Arbitrary code execution is achieved by embedding specially crafted U3D
data into a PDF document. A heap spray via JavaScript is used in order to
ensure that the memo
Metasploit
Adobe Reader U3D Memory Corruption Vulnerability
metasploit
This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer issue is controlled.
Qualys
US-CERT: Top 30 Vulnerabilities | Qualys
blogs_qualys · 2015-05-01 · CVSS 2.6 · LOW
On April 29, 2015 US-CERT published TA15-119A which describes the Top 30 vulnerabilities that critical infrastructure organizations should focus on because they are under attack all the time. The list contains Windows, Internet Explorer, Adobe Software from Reader, Flash to Cold Fusion, Java from Oracle and others and is quite similar to the more generic set of software packages published by the German BSI last December.
Here is a list of the vulnerabilities in the advisory. I have reordered and optimized where possible for efficient scanning with Qualys, for example listing the most recent patch first to take advantage of superseding patches:
- Windows: MS14-060 for CVE-2014-4114, Qualys ID: 90979
- Internet Explorer: MS14-021 for CVE-2014-1776, Qualys ID: 100191
- MS14-012 for CVE-201
Talos
Threat Spotlight: Group 72, Opening the ZxShell
blogs_talos · 2014-10-28
This post was authored by Andrea Allievi, Douglas Goddard, Shaun Hurley, and Alain Zidouemba.
Recently, there was a blog post on the takedown of a botnet used by the threat actor group known as Group 72 and their involvement in Operation SMN. This group is sophisticated, well funded, and exclusively targets high profile organizations with high value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors. The primary attack vectors are watering-hole, spear phishing, and other web-based attacks.
Frequently, a remote administration tool (RAT) is used to maintain persistence within a victim’s organization. These tools are used to further compromise the organization by attacking other hosts inside the ta
Bugzilla
CVE-2011-2462 acroread: U3D memory corruption vulnerability (APSB11-30)
bugzilla · 2011-12-07 · CVSS 9.8 · CRITICAL
Adobe has published an advisory, describing the presence of a critical vulnerability:
This U3D memory corruption vulnerability (CVE-2011-2462) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that the vulnerability is being actively exploited in the wild in limited, targeted attacks against Adobe Reader 9.x on Windows. Adobe Reader X Protected Mode and Acrobat X Protected View mitigations would prevent an exploit of this kind from executing.
in versions of Adobe Reader v9.4.6 and earlier for the UNIX operating system.
According to the advisory [1], the Adobe Reader 9.x update for the UNIX operating system is planned for January 10, 2012.
References:
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00020.html
- http://www.adobe.com/support/security/advisories/apsa11-04.html
- http://www.adobe.com/support/security/bulletins/apsb11-30.html
- http://www.adobe.com/support/security/bulletins/apsb12-01.html
- http://www.redhat.com/support/errata/RHSA-2012-0011.html
- http://www.us-cert.gov/cas/techalerts/TA11-350A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14562
- https://github.com/cisagov/vulnrichment/issues/199
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2011-2462
Timeline:
- 2011-12-07: Published
- 2022-06-08: Added to CISA KEV
- Exploited in the wild