CVE-2013-3346
Published 2013-08-30
CVE-2013-3346: Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service…
Priority P190, critical, 9.8 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-03-24
Exploited in the wild
EPSS: 78.58% (99.5th percentile)
Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| adobe | acrobat | >= 10.0 < 10.1.7 | 10.1.7 |
| adobe | acrobat | >= 11.0 < 11.0.03 | 11.0.03 |
| adobe | acrobat | >= 9.0 < 9.5.5 | 9.5.5 |
| adobe | acrobat_reader | >= 10.0 < 10.1.7 | 10.1.7 |
| adobe | acrobat_reader | >= 11.0 < 11.0.03 | 11.0.03 |
| adobe | acrobat_reader | >= 9.0 < 9.5.5 | 9.5.5 |
Detection & IOCs (extracted from sources)
Bytes:
call dword ptr [eax+328h] ds:0023:0c0c0c0c
Bytes:
call dword ptr [eax+364h] ds:0023:0c0c0c0c
- The exploit delivers a malicious PDF via HTTP with Content-Type 'application/pdf' and Pragma 'no-cache' headers; network sensors can flag PDF delivery with these headers from exploit kit infrastructure.
- The browser-based exploit targets specifically Windows XP with Internet Explorer as the user-agent; detections should look for IE/Windows XP UA strings fetching PDF content from suspicious sources.
- The exploit uses a heap spray with the 0x0c0c pattern; memory forensics or crash dumps showing EAX=0c0c08e4 or EAX=0c0c08a8 with a call to [eax+328h] or [eax+364h] at 0c0c0c0c are strong indicators of exploitation.
- The vulnerability is triggered via the ToolButton object's cEnable callback in Adobe Reader; JavaScript inspection of PDFs for ToolButton object manipulation with cEnable callbacks is a detection opportunity.
- CVE-2013-3346 was exploited in the wild in November 2013 as part of Turla/Epic Turla campaigns using spear-phishing emails with Adobe PDF exploits; PDF attachments in spear-phishing emails targeting government/military entities should be treated with elevated suspicion.
- The browser exploit module explicitly does not support Adobe Reader 9 targets; the fileformat (PDF drop) variant must be used for Reader 9 exploitation.
- Successful exploitation was confirmed only on Windows XP SP3 with IE; other OS/browser combinations are not confirmed by the Metasploit module.
- The fileformat variant extends confirmed targets to include Adobe Reader 9.5.0 on Windows XP SP3, in addition to 11.0.2 and 10.0.4.
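A static triage check for the ToolButton/cEnable indicator listed above, as an added example that is not taken from the Metasploit module or any source cited on this page. It inflates Flate-compressed streams before matching, because PDF JavaScript is usually stored compressed; `app.addToolButton` in the sample is the Acrobat JavaScript toolbar call, the sample files are constructed and benign, and the function and constant names are assumptions of this example.

```python
import re
import zlib

# Names from the advisory text: the ToolButton object and its cEnable callback.
TOOLBUTTON_RE = re.compile(rb"ToolButton")
CENABLE_RE = re.compile(rb"\bcEnable\b")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)


def pdf_segments(data: bytes):
    """Yield the raw file, then every stream body that inflates as zlib/Flate."""
    yield data
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the EOL bytes that trail the stream data
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # not Flate data; the raw copy above already covers it


def toolbutton_findings(data: bytes) -> dict:
    """Flag a PDF when one segment holds both ToolButton and cEnable."""
    found = {"toolbutton": False, "cenable": False, "suspicious": False}
    for segment in pdf_segments(data):
        has_tb = bool(TOOLBUTTON_RE.search(segment))
        has_ce = bool(CENABLE_RE.search(segment))
        found["toolbutton"] |= has_tb
        found["cenable"] |= has_ce
        found["suspicious"] |= has_tb and has_ce
    return found


def make_pdf(js: bytes, compress: bool) -> bytes:
    """Build a minimal constructed PDF-like file with one stream (test input)."""
    body = zlib.compress(js) if compress else js
    filt = b"/Filter /FlateDecode " if compress else b""
    head = b"%PDF-1.4\n1 0 obj\n<< " + filt + b"/Length %d >>\nstream\n" % len(body)
    return head + body + b"\nendstream\nendobj\n%%EOF\n"


# Constructed, benign samples: a toolbar button with an enable callback, and a plain alert.
BUTTON_JS = b'app.addToolButton({cName: "demo", cExec: "app.alert(1)", cEnable: "event.rc = true"});'
ALERT_JS = b'app.alert("hello");'

if __name__ == "__main__":
    for name, js in (("button", BUTTON_JS), ("alert", ALERT_JS)):
        print(name, toolbutton_findings(make_pdf(js, compress=True)))
```

A hit is a reason to route the file to sandboxing or manual review, not a verdict: legitimate forms can add toolbar buttons, and hex-encoded or obfuscated script will not match.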
CVSS provenance
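| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | | 9.8 | CRITICAL | |
| cisa | | 9.8 | CRITICAL | |
| vendor_redhat | | 10.0 | CRITICAL | |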
CISA
Adobe Reader and Acrobat Memory Corruption Vulnerability
cisa·2022-03-03·CVSS 9.8
CVE-2013-3346 [CRITICAL] CWE-119 Adobe Reader and Acrobat Memory Corruption Vulnerability
Vulnerability: Adobe Reader and Acrobat Memory Corruption Vulnerability
Affected: Adobe Reader and Acrobat
Adobe Reader and Acrobat contain a memory corruption vulnerability which can allow attackers to execute arbitrary code or cause a denial of service.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2013-3346
Remediation Due Date: 2022-03-24
Red Hat
acroread: multiple code execution flaws (APSB13-15)
vendor_redhat·2013-05-14·CVSS 10.0
Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.
GHSA
GHSA-mhw3-773g-72wx: Adobe Reader and Acrobat 9
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2013-3346 [CRITICAL] CWE-119 GHSA-mhw3-773g-72wx: Adobe Reader and Acrobat 9
Adobe Reader and Acrobat 9.x before 9.5.5, 10.x before 10.1.7, and 11.x before 11.0.03 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, and CVE-2013-3341.
VulnCheck
Adobe Reader and Acrobat Memory Corruption Vulnerability
vulncheck·2013·CVSS 9.8
CVE-2013-3346 [CRITICAL] CWE-119 Adobe Reader and Acrobat Memory Corruption Vulnerability
Adobe Reader and Acrobat contain a memory corruption vulnerability which can allow attackers to execute arbitrary code or cause a denial of service.
Affected: Adobe Acrobat and Reader
Required Action: Apply updates per vendor instructions.
Exploitation References: https://securelist.com/the-epic-turla-operation/65545/; https://www.recordedfuture.com/russian-apt-toolkits; https://dl.acm.org/doi/pdf/10.1145/3465481.3465758; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://strapi.eurepoc.eu/uploads/Eu_Repo_C_APT_profile_Turla_c9c7d8ed38.pdf
Remediation Due: 2022-03-24
No detection rules found.
Exploit-DB
Adobe Reader ToolButton - Use-After-Free (Metasploit)
exploitdb·2013-12-17
---
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 "Adobe Reader ToolButton Use After Free",
'Description' => %q{
This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6
and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where
the cEnable callback can be used to early free the object memory. Later use of the object
allows triggering the use after free condition. This module has been tested successfully
on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in
November, 2013. At the moment, this module doesn't su
Metasploit
Adobe Reader ToolButton Use After Free
metasploit
This module exploits a use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2, 10.0.4 and 9.5.0 on Windows XP SP3, as exploited in the wild in November, 2013.
Metasploit
Adobe Reader ToolButton Use After Free
metasploit
This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn't support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used.
Trendmicro
Examining the Activities of the Turla APT Group
blogs_trendmicro·2023-09-22·CVSS 9.8
[CRITICAL] Examining the Activities of the Turla APT Group
APT & Targeted Attacks
# Examining the Activities of the Turla APT Group
We examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.
By: Srivathsa Sharma
2023/09/22
In this blog entry, we examine the campaigns of the cyberespionage group known as Turla over the years, with a special focus on the key MITRE techniques and the corresponding IDs associated with the threat actor group.
An introduction to Turla
Regarded as a highly sophisticated advanced persistent threat (APT) group, the Russian-based Turla has been suspected to be operational since at least 2004.
Turla’s group names are infamously titled after its
Talos
Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability
blogs_talos·2014-01-14·CVSS 9.8
CVE-2014-0258 [CRITICAL] Microsoft Update Tuesday: January 2014, fix for the XP/2003 0-day vulnerability
The first Microsoft Update Tuesday of 2014 is here and it’s a very light month this time around. We’ve got 4 bulletins covering 6 CVEs. What’s remarkable is that there’s no Internet Explorer bulletin this month. There are also no bulletins that are marked critical, all 4 bulletins are marked as important.
The first bulletin, MS14-001, is for Word and Office Web Apps, this bulletin covers 3 CVEs (CVE-2014-0258, CVE-2014-0259 and CVE-2014-0260). They are memory corruption vulnerabilities in Word, which could result in remote code execution.
MS14-002 is a fix for the Windows XP/2003 0-day kernel escalation of privilege vulnerability (CVE-2013-5065) that was being exploited in the wild in tandem with the Adobe Reader vulnerability (CVE-2013-3346). Here an attacker would convince the user to o
Talos
Microsoft Update Tuesday: December 2013, some 0-day fixes
blogs_talos·2013-12-10·CVSS 5.5
CVE-2013-5045 [MEDIUM] Microsoft Update Tuesday: December 2013, some 0-day fixes
Microsoft’s final update for the year brings us 11 bulletins covering 24 CVE issues.
As is customary, there is the critical IE bulletin, MS13-097. This time it covers 7 CVE issues. As in other months, this includes a number of use-after-free issues that we’ve come to expect in IE. However this month we also get 2 escalation of privilege vulnerabilities (CVE-2013-5045 and CVE-2013-5046), where an attacker could break out of the low integrity sandbox. This assumes of course that the attacker has first gained remote code execution through another vulnerability and then uses one of these vulnerabilities to execute arbitrary programs.
There is also a critical update for GDI+, MS13-096. This one fixes the 0-day vulnerability (CVE-2013-3906) that is being exploited in the wild. The vulnerabilit
Bugzilla
acroread: multiple code execution flaws (APSB13-15)
bugzilla·2013-05-14·CVSS 7.5
CVE-2013-2718 [HIGH] acroread: multiple code execution flaws (APSB13-15)
acroread: multiple code execution flaws (APSB13-15)
Adobe security bulletin APSB13-15 describes multiple security flaws that could cause Adobe Acrobat Reader to crash and potentially allow an attacker to take control of the affected system:
These updates resolve memory corruption vulnerabilities that could lead to code execution (CVE-2013-2718, CVE-2013-2719, CVE-2013-2720, CVE-2013-2721, CVE-2013-2722, CVE-2013-2723, CVE-2013-2725, CVE-2013-2726, CVE-2013-2731, CVE-2013-2732, CVE-2013-2734, CVE-2013-2735, CVE-2013-2736, CVE-2013-3337, CVE-2013-3338, CVE-2013-3339, CVE-2013-3340, CVE-2013-3341).
These updates resolve an integer underflow vulnerability that could lead to code execution (CVE-2013-2549).
These updates resolve a stack overflow vulnerability that could lead to code executio
- http://www.adobe.com/support/security/bulletins/apsb13-15.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19054
- https://github.com/cisagov/vulnrichment/issues/199
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2013-3346
Published: 2013-08-30
Added to CISA KEV: 2022-03-03
Exploited in the wild