CVE-2013-0640
published 2013-02-14


Priority: P1 (87), high
CVSS 3.1: 7.8 (AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H)
Tags: KEV, ITW, EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 86.98% (99.7th percentile)
Adobe Reader and Acrobat 9.x before 9.5.4, 10.x before 10.1.6, and 11.x before 11.0.02 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted PDF document, as exploited in the wild in February 2013.

Affected

17 ranges
Vendor     Product                          Version range        Fixed in
adobe      acrobat                          >= 10.0 < 10.1.6     10.1.6
adobe      acrobat                          >= 11.0 < 11.0.02    11.0.02
adobe      acrobat                          >= 9.0 < 9.5.4       9.5.4
adobe      acrobat_reader                   >= 10.0 < 10.1.6     10.1.6
adobe      acrobat_reader                   >= 11.0 < 11.0.02    11.0.02
adobe      acrobat_reader                   >= 9.0 < 9.5.4       9.5.4
opensuse   opensuse                         -                    -
opensuse   opensuse                         -                    -
redhat     enterprise_linux_desktop         -                    -
redhat     enterprise_linux_eus             -                    -
redhat     enterprise_linux_eus             -                    -
redhat     enterprise_linux_server          -                    -
redhat     enterprise_linux_server_aus      -                    -
redhat     enterprise_linux_server_aus      -                    -
redhat     enterprise_linux_workstation     -                    -
suse       linux_enterprise_desktop         -                    -
suse       linux_enterprise_desktop         -                    -

Detection & IOCs (extracted from sources)

filename: xfa_MAGIC.rb
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/29881.tar.gz
path: acroform.dll
  • Monitor for outbound connections to Russian IP addresses on nonstandard ports immediately after a PDF is opened; this is indicative of the Zbot dropper's beaconing activity.
  • Detect use of bcdedit by non-administrative or unexpected processes, which may indicate the Zbot rootkit modifying Windows boot settings for persistence.
  • Alert on creation of new system drivers in the Windows directory spawned by dropped PDF exploit payloads, as the malware drops drivers that execute during the boot sequence.
  • Monitor for kernel callback registration (kernel notifiers) from newly dropped drivers, indicative of the rootkit injecting malicious processes into the kernel.
  • Detect C2 beaconing on a ~10-minute interval to external IPs, characteristic of this Zbot variant receiving commands/tasks.
  • Flag PDF attachments that drop and execute PE executables, particularly targeting Adobe Reader versions 9.x through 11.0.1 on Windows XP/7.
  • Detect manipulation of Windows Mail files by dropped malware, which is used to propagate spear-phishing to the victim's contact list.
  • The exploit was tested only on 32-bit and 64-bit Windows 7 and Windows XP; behavior on other platforms is unconfirmed.
  • The exploit script is described as a rip of the original and noted to work only most of the time, indicating reliability may vary.
  • At time of research, only 18 of 51 AV vendors detected the malicious PDF, indicating low initial AV detection coverage.

CVSS provenance

nvd (v3.1):     7.8 HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd (v2.0):     9.3 CRITICAL  AV:N/AC:M/Au:N/C:C/I:C/A:C
vulncheck:      7.8 HIGH
cisa:           7.8 HIGH
vendor_redhat:  7.8 HIGH