cbcvebase.
CVE-2013-3346
published 2013-08-30

CVE-2013-3346: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service…

PriorityP190critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-03-24
Exploited in the wild
EPSS
78.58%
99.5th percentile
Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.

Affected

6 ranges
VendorProductVersion rangeFixed in
adobeacrobat>= 10.0 < 10.1.710.1.7
adobeacrobat>= 11.0 < 11.0.0311.0.03
adobeacrobat>= 9.0 < 9.5.59.5.5
adobeacrobat_reader>= 10.0 < 10.1.710.1.7
adobeacrobat_reader>= 11.0 < 11.0.0311.0.03
adobeacrobat_reader>= 9.0 < 9.5.59.5.5

Detection & IOCsextracted from sources · hover to see the quote

bytes
call dword ptr [eax+328h] ds:0023:0c0c0c0c
bytes
call dword ptr [eax+364h] ds:0023:0c0c0c0c
  • The exploit delivers a malicious PDF via HTTP with Content-Type 'application/pdf' and Pragma 'no-cache' headers; network sensors can flag PDF delivery with these headers from exploit kit infrastructure.
  • The browser-based exploit targets specifically Windows XP with Internet Explorer as the user-agent; detections should look for IE/Windows XP UA strings fetching PDF content from suspicious sources.
  • The exploit uses a heap spray with the 0x0c0c pattern; memory forensics or crash dumps showing EAX=0c0c08e4 or EAX=0c0c08a8 with a call to [eax+328h] or [eax+364h] at 0c0c0c0c are strong indicators of exploitation.
  • The vulnerability is triggered via the ToolButton object's cEnable callback in Adobe Reader; JavaScript inspection of PDFs for ToolButton object manipulation with cEnable callbacks is a detection opportunity.
  • CVE-2013-3346 was exploited in the wild in November 2013 as part of Turla/Epic Turla campaigns using spear-phishing emails with Adobe PDF exploits; PDF attachments in spear-phishing emails targeting government/military entities should be treated with elevated suspicion.
  • ·The browser exploit module explicitly does not support Adobe Reader 9 targets; the fileformat (PDF drop) variant must be used for Reader 9 exploitation.
  • ·Successful exploitation was confirmed only on Windows XP SP3 with IE; other OS/browser combinations are not confirmed by the Metasploit module.
  • ·The fileformat variant extends confirmed targets to include Adobe Reader 9.5.0 on Windows XP SP3, in addition to 11.0.2 and 10.0.4.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.010.0CRITICALAV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck9.8CRITICAL
cisa9.8CRITICAL
vendor_redhat10.0CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.