cbcvebase.
CVE-2013-2730
published 2013-05-16

Priority: P2 69 · critical · CVSS 2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 78.76% (99.5th percentile)
Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2733.

Affected

76 ranges · showing 25
Vendor | Product | Version range | Fixed in
adobe | acrobat

Detection & IOCs (extracted from sources)

registry: HKCU\Software\Adobe\Adobe Synchronizer\10.0\DBRecoveryOptions\shellcode
registry: HKCU\Software\Adobe\Adobe Synchronizer\10.0\DBRecoveryOptions\bDeleteDB
registry: HKCU\Software\Adobe\Adobe Synchronizer\10.0\DBRecoveryOptions
process: AcroRd32.exe
process: AdobeCollabSync.exe
bytes: \x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF
  • Detect AdobeCollabSync.exe being spawned from or triggered by a Low Integrity AcroRd32.exe process, which is the exploitation chain for this sandbox bypass.
  • Scan AcroRd32.exe process memory for the byte signature \x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF at offset 0x18fa0 from the module base to confirm the vulnerable Adobe Reader X 10.1.4 target is present.
  • The Metasploit module and byte signature target specifically Adobe Reader X 10.1.4 on Windows 7 SP1 (x86). The trigger offset 0x18fa0 and signature are version-specific and will not match other Reader versions.
  • CVE-2013-2730 is a distinct buffer overflow from CVE-2013-2733; both affect Adobe Reader/Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03, but detection signatures should not be conflated.
  • The exploit requires an existing Meterpreter session running as a Low Integrity AcroRd32.exe process; it is a local privilege escalation / sandbox bypass, not a remote code execution vector.

CVSS provenance

nvd · v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 10.0 · CRITICAL