CVE-2013-2730
Published 2013-05-16
Priority P269 · critical · 10 · CVSS 2.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 78.76% (99.5th percentile)
Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2733.
Affected
76 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | — | — |
Detection & IOCs
bytes: \x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF
- Detect AdobeCollabSync.exe being spawned from or triggered by a Low Integrity AcroRd32.exe process, which is the exploitation chain for this sandbox bypass.
- Scan AcroRd32.exe process memory for the byte signature \x56\x68\xBC\x00\x00\x00\xE8\xF5\xFD\xFF\xFF at offset 0x18fa0 from the module base to confirm the vulnerable Adobe Reader X 10.1.4 target is present.
- The Metasploit module and byte signature target specifically Adobe Reader X 10.1.4 on Windows 7 SP1 (x86). The trigger offset 0x18fa0 and signature are version-specific and will not match other Reader versions.
- CVE-2013-2730 is a distinct buffer overflow from CVE-2013-2733; both affect Adobe Reader/Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03, but detection signatures should not be conflated.
- The exploit requires an existing Meterpreter session running as a Low Integrity AcroRd32.exe process; it is a local privilege escalation / sandbox bypass, not a remote code execution vector.
CVSS provenance
nvd · v2.0 · 10.0 CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat · 10.0 CRITICAL
Red Hat
acroread: multiple code execution flaws (APSB13-15)
vendor_redhat·2013-05-14·CVSS 10.0
CVE-2013-2733 [CRITICAL] acroread: multiple code execution flaws (APSB13-15)
Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2730.
Red Hat
acroread: multiple code execution flaws (APSB13-15)
vendor_redhat·2013-05-14·CVSS 10.0
CVE-2013-2730 [CRITICAL] acroread: multiple code execution flaws (APSB13-15)
Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2733.
GHSA
GHSA-43p2-q7g7-857m: Buffer overflow in Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2013-2733 [CRITICAL] CWE-119 GHSA-43p2-q7g7-857m: Buffer overflow in Adobe Reader and Acrobat 9
Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2730.
GHSA
GHSA-qw7w-hcqx-mmvj: Buffer overflow in Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2013-2730 [CRITICAL] CWE-119 GHSA-qw7w-hcqx-mmvj: Buffer overflow in Adobe Reader and Acrobat 9
Buffer overflow in Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2013-2733.
No detection rules found.
Exploit-DB
AdobeCollabSync - Local Buffer Overflow / Adobe Reader X Sandbox Bypass (Metasploit)
exploitdb·2013-05-26
CVE-2013-2730 AdobeCollabSync - Local Buffer Overflow / Adobe Reader X Sandbox Bypass (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/windows/registry'
require 'msf/core/post/common'
require 'msf/core/post/file'
class Metasploit3 'AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass',
'Description' => %q{
This module exploits a vulnerability on Adobe Reader X Sandbox. The
vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe
process to write register values which can be used to trigger a buffer overflow on
the A
Metasploit
AdobeCollabSync Buffer Overflow Adobe Reader X Sandbox Bypass
metasploit
This module exploits a vulnerability on Adobe Reader X Sandbox. The vulnerability is due to a sandbox rule allowing a Low Integrity AcroRd32.exe process to write register values which can be used to trigger a buffer overflow on the AdobeCollabSync component, allowing to achieve Medium Integrity Level privileges from a Low Integrity AcroRd32.exe process. This module has been tested successfully on Adobe Reader X 10.1.4 over Windows 7 SP1.
Bugzilla
acroread: multiple code execution flaws (APSB13-15)
bugzilla·2013-05-14·CVSS 7.5
CVE-2013-2718 [HIGH] acroread: multiple code execution flaws (APSB13-15)
Adobe security bulletin APSB13-15 describes multiple security flaws that could cause Adobe Acrobat Reader to crash and potentially allow an attacker to take control of the affected system:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341).
These updates resolve an integer underflow vulnerability that could lead to code execution (CVE-2013-2549).
These updates resolve a stack overflow vulnerability that could lead to code executio
Bugzilla
Spring Framework: Remote code execution with Expression Language injection
bugzilla·2013-01-18·CVSS 7.5
[HIGH] Spring Framework: Remote code execution with Expression Language injection
It was found that in certain circumstances, Spring framework evaluated Expression Language (EL) expressions twice: once by the container, and once by the tag. A remote attacker could use this flaw to execute arbitrary code in the context of the application server, or to obtain sensitive information from the server, via a specially-crafted HTTP request.
References:
[1] http://www.networkworld.com/news/2013/011713-java-spring-framework-265923.html
[2] http://www.infosecurity-magazine.com/view/30282/remote-code-vulnerability-in-spring-framework-for-java/
Discussion:
SpringSource security team has confirmed that this is NOT a new security flaw (other than original CVE-2011-2730 issue), but rather just a new exploit
- http://lists.opensuse.org/opensuse-security-announce/2013-05/msg00004.html
- http://rhn.redhat.com/errata/RHSA-2013-0826.html
- http://security.gentoo.org/glsa/glsa-201308-03.xml
- http://www.adobe.com/support/security/bulletins/apsb13-15.html
- http://www.securityfocus.com/bid/59923
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16631
Published: 2013-05-16