cbcvebase.
CVE-2013-2729
published 2013-05-16

Priority: P1 91 · critical · 9.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: KEV · ITW · EXPLOIT · Ransomware
CISA Known Exploited Vulnerability, due 2022-04-18
Exploited in the wild
EPSS: 66.55% (99.2th percentile)
Integer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2727.

Affected

91 ranges · showing 25
Vendor | Product | Version range | Fixed in
adobe | acrobat | (not captured in this extract) | (not captured in this extract)
(All 25 rows shown list vendor "adobe" and product "acrobat"; the version range and fix columns were not captured in this extract.)

Detection & IOCs (extracted from sources)

hash: 2562f92cc72a0217ab58f402d529098246a57267940dc53783ae9a71c8717425
hash: 8e0fc0c6f206b84e265cc3076c4b9841
other: Sig ID 35811 - Adobe Reader Embedded BMP Parsing Integer Overflow Vulnerability
path: AcroForm.api
  • CVE-2013-2729 is exploited via a malicious embedded BMP/RLE image inside a PDF. The vulnerable binary is AcroForm.api in Adobe Reader 10.x (confirmed version 10.1.4.38). Deleting AcroForm.api is a documented workaround.
  • Exploit delivery observed via spear-phishing emails with PDF attachments. Subject lines follow the pattern 'inovice <random_number>.pdf' (note deliberate misspelling of 'invoice'). From headers contain unusual strings such as 'EOF', 'endobj', and 'endstream'.
  • Post-exploitation: dropped files immediately beacon to a Russian IP and download additional malicious PE files. C2 communications use nonstandard ports. Monitor for outbound connections on nonstandard ports following PDF opens.
  • Post-exploitation persistence: malware uses bcdedit to modify Windows boot settings, drops a system driver that executes at boot, spawns drivers in the Windows directory, creates a randomly-named autostart registry key, and injects into the kernel. Monitor for bcdedit execution and new driver creation in the Windows directory.
  • CryptoWall 2.0 delivered via this CVE communicates exclusively over Tor. Blocking the Tor application at the network perimeter will disrupt C2 for this payload.
  • Malware manipulates Windows Mail files to use the victim as a node in further spear-phishing campaigns against the victim's contact list. Monitor for unexpected modification of Windows Mail data files.
  • The exploit affects Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03. The exploit-db PoC was written against version 10.1.4.38 specifically. Default configuration is sufficient for exploitation; no special settings are required.
  • The workaround of deleting AcroForm.api will break AcroForm functionality but prevents exploitation of this vulnerability.
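One way to turn the mail-delivery indicators above into a triage check, as an added example that is not part of this record or its sources. The lure pattern ("inovice <number>.pdf") and the From-header tokens (EOF, endobj, endstream) come from the bullets above; the message headers it scans are constructed here, not real captures.

```python
import re
from email import message_from_string

# Constructed sample messages (not real captures). The first mimics the
# lure described for this campaign: a misspelled "inovice <number>.pdf"
# subject and PDF syntax leaking into the From header.
SAMPLE_MESSAGES = [
    "From: billing <endobj@example.test>\nSubject: inovice 48213.pdf\n\nsee attached\n",
    "From: Alice <alice@example.test>\nSubject: invoice 48213.pdf\n\nsee attached\n",
    "From: EOF endstream <x@example.test>\nSubject: Meeting notes\n\nagenda\n",
]

# Subject lure: the literal misspelling "inovice", a number, and a .pdf suffix.
SUBJECT_LURE = re.compile(r"^\s*inovice\s+\d+\.pdf\s*$", re.IGNORECASE)
# PDF structure keywords that have no business in a From header.
PDF_TOKENS = ("EOF", "endobj", "endstream")


def triage_message(raw: str) -> list[str]:
    """Return the reasons a message matches the delivery indicators (empty if none)."""
    msg = message_from_string(raw)
    reasons = []
    if SUBJECT_LURE.match(msg.get("Subject", "")):
        reasons.append("subject matches 'inovice <number>.pdf' lure")
    hits = [t for t in PDF_TOKENS if t in msg.get("From", "")]
    if hits:
        reasons.append("From header contains PDF syntax tokens: " + ", ".join(hits))
    return reasons


def flagged_messages(raw_messages):
    """Index and reasons for every message that trips at least one indicator."""
    return [(i, r) for i, m in enumerate(raw_messages) if (r := triage_message(m))]


if __name__ == "__main__":
    for idx, why in flagged_messages(SAMPLE_MESSAGES):
        print(f"message {idx}: " + "; ".join(why))
```

A subject hit alone is a weak signal (the misspelling could be legitimate); the From-header tokens are the stronger indicator, so route messages with both reasons for attachment analysis first.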

CVSS provenance

nvd v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
nvd v2.0: 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
vulncheck: 9.8 CRITICAL
cisa: 9.8 CRITICAL
vendor_redhat: 10.0 CRITICAL