Vulnerabilities > CVE-2010-0195 - Code Injection vulnerability in Adobe Acrobat and Acrobat Reader
Attack vector
NETWORK Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, do not properly handle fonts, which allows attackers to execute arbitrary code via unspecified vectors.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leverage Executable Code in Non-Executable Files An attack of this type exploits a system's trust in configuration and resource files, when the executable loads the resource (such as an image file or configuration file) the attacker has modified the file to either execute malicious code directly or manipulate the target process (e.g. application server) to execute based on the malicious configuration parameters. Since systems are increasingly interrelated mashing up resources from local and remote sources the possibility of this attack occurring is high. The attack can be directed at a client system, such as causing buffer overrun through loading seemingly benign image files, as in Microsoft Security Bulletin MS04-028 where specially crafted JPEG files could cause a buffer overrun once loaded into the browser. Another example targets clients reading pdf files. In this case the attacker simply appends javascript to the end of a legitimate url for a pdf (http://www.gnucitizen.org/blog/danger-danger-danger/) http://path/to/pdf/file.pdf#whatever_name_you_want=javascript:your_code_here The client assumes that they are reading a pdf, but the attacker has modified the resource and loaded executable javascript into the client's browser process. The attack can also target server processes. The attacker edits the resource or configuration file, for example a web.xml file used to configure security permissions for a J2EE app server, adding role name "public" grants all users with the public role the ability to use the administration functionality. The server trusts its configuration file to be correct, but when they are manipulated, the attacker gains full control.
- Manipulating User-Controlled Variables This attack targets user controlled variables (DEBUG=1, PHP Globals, and So Forth). An attacker can override environment variables leveraging user-supplied, untrusted query variables directly used on the application server without any data sanitization. In extreme cases, the attacker can change variables controlling the business logic of the application. For instance, in languages like PHP, a number of poorly set default configurations may allow the user to override variables.
Nessus
NASL family Windows NASL id ADOBE_READER_APSB10-09.NASL description The version of Adobe Reader installed on the remote host is earlier than 9.3.2 / 8.2.2. Such versions are reportedly affected by multiple vulnerabilities : - A cross-site scripting issue could lead to code execution. (CVE-2010-0190) - A prefix protocol handler vulnerability could lead to code execution. (CVE-2010-0191) - A denial of service vulnerability could potentially lead to code execution. (CVE-2010-0192) - A denial of service vulnerability could potentially lead to code execution. (CVE-2010-0193) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0194) - A font handling vulnerability could lead to code execution. (CVE-2010-0195) - A denial of service vulnerability could potentially lead lead to code execution. (CVE-2010-0196) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0197) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0198) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0199) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0201) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0202) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0203) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0204) - A heap-based buffer overflow vulnerability could lead to code execution. (CVE-2010-1241) last seen 2020-06-01 modified 2020-06-02 plugin id 45505 published 2010-04-13 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45505 title Adobe Reader < 9.3.2 / 8.2.2 Multiple Vulnerabilities (APSB10-09) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(45505); script_version("1.20"); script_cvs_date("Date: 2018/06/27 18:42:27"); script_name(english:"Adobe Reader < 9.3.2 / 8.2.2 Multiple Vulnerabilities (APSB10-09)"); script_summary(english:"Checks version of Adobe Reader"); script_cve_id( "CVE-2010-0190", "CVE-2010-0191", "CVE-2010-0192", "CVE-2010-0193", "CVE-2010-0194", "CVE-2010-0195", "CVE-2010-0196", "CVE-2010-0197", "CVE-2010-0198", "CVE-2010-0199", "CVE-2010-0201", "CVE-2010-0202", "CVE-2010-0203", "CVE-2010-0204", "CVE-2010-1241" ); script_bugtraq_id( 39227, 39417, 39469, 39470, 39505, 39507, 39511, 39514, 39515, 39517, 39518, 39520, 39521, 39522, 39523, 39524 ); script_set_attribute(attribute:"synopsis", value: "The version of Adobe Reader on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description",value: "The version of Adobe Reader installed on the remote host is earlier than 9.3.2 / 8.2.2. Such versions are reportedly affected by multiple vulnerabilities : - A cross-site scripting issue could lead to code execution. (CVE-2010-0190) - A prefix protocol handler vulnerability could lead to code execution. (CVE-2010-0191) - A denial of service vulnerability could potentially lead to code execution. (CVE-2010-0192) - A denial of service vulnerability could potentially lead to code execution. (CVE-2010-0193) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0194) - A font handling vulnerability could lead to code execution. (CVE-2010-0195) - A denial of service vulnerability could potentially lead lead to code execution. (CVE-2010-0196) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0197) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0198) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0199) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0201) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0202) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0203) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0204) - A heap-based buffer overflow vulnerability could lead to code execution. (CVE-2010-1241)"); script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/bulletins/apsb10-09.html"); script_set_attribute(attribute:"solution", value:"Upgrade to Adobe Reader 9.3.2 / 8.2.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"vuln_publication_date",value:"2010/04/13"); script_set_attribute(attribute:"patch_publication_date",value:"2010/04/13"); script_set_attribute(attribute:"plugin_publication_date",value:"2010/04/13"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat_reader"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:'Windows'); script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc."); script_dependencies('adobe_reader_installed.nasl'); script_require_keys('SMB/Acroread/Version'); exit(0); } # include('global_settings.inc'); info = NULL; vers = get_kb_list('SMB/Acroread/Version'); if (isnull(vers)) exit(0, 'The "SMB/Acroread/Version" KB item is missing.'); foreach version (vers) { ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if ( ver[0] < 8 || (ver[0] == 8 && ver[1] < 2) || (ver[0] == 8 && ver[1] == 2 && ver[2] < 2) || (ver[0] == 9 && ver[1] < 3) || (ver[0] == 9 && ver[1] == 3 && ver[2] < 2) ) { path = get_kb_item('SMB/Acroread/'+version+'/Path'); if (isnull(path)) exit(1, 'The "SMB/Acroread/'+version+'/Path" KB item is missing.'); verui = get_kb_item('SMB/Acroread/'+version+'/Version_UI'); if (isnull(verui)) exit(1, 'The "SMB/Acroread/'+version+'/Version_UI" KB item is missing.'); info += ' - ' + verui + ', under ' + path + '\n'; } } if (isnull(info)) exit(0, 'The remote host is not affected.'); if (report_verbosity > 0) { if (max_index(split(info)) > 1) s = "s of Adobe Reader are"; else s = " of Adobe Reader is"; report = '\nThe following vulnerable instance'+s+' installed on the'+ '\nremote host :\n\n'+ info; security_hole(port:get_kb_item("SMB/transport"), extra:report); } else security_hole(get_kb_item("SMB/transport"));NASL family SuSE Local Security Checks NASL id SUSE_ACROREAD-6994.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code. (CVE-2010-0190 / CVE-2010-0191 / CVE-2010-0192 / CVE-2010-0193 / CVE-2010-0194 / CVE-2010-0195 / CVE-2010-0196 / CVE-2010-0197 / CVE-2010-0198 / CVE-2010-0199 / CVE-2010-0201 / CVE-2010-0202 / CVE-2010-0203 / CVE-2010-0204 / CVE-2010-1241) last seen 2020-06-01 modified 2020-06-02 plugin id 51700 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51700 title SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 6994) NASL family Windows NASL id ADOBE_ACROBAT_APSB10-09.NASL description The version of Adobe Acrobat installed on the remote host is earlier than 9.3.2 / 8.2.2. Such versions are reportedly affected by multiple vulnerabilities : - A cross-site scripting issue could lead to code execution. (CVE-2010-0190) - A prefix protocol handler vulnerability could lead to code execution. (CVE-2010-0191) - A denial of service vulnerability could potentially lead to code execution. (CVE-2010-0192) - A denial of service vulnerability could potentially lead to code execution. (CVE-2010-0193) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0194) - A font handling vulnerability could lead to code execution. (CVE-2010-0195) - A denial of service vulnerability could potentially lead to code execution. (CVE-2010-0196) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0197) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0198) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0199) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0201) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0202) - A buffer overflow vulnerability could lead to code execution. (CVE-2010-0203) - A memory corruption vulnerability could lead to code execution. (CVE-2010-0204) - A heap-based buffer overflow vulnerability could lead to code execution. (CVE-2010-1241) last seen 2020-06-01 modified 2020-06-02 plugin id 45504 published 2010-04-13 reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/45504 title Adobe Acrobat < 9.3.2 / 8.2.2 Multiple Vulnerabilities (APSB10-09) NASL family SuSE Local Security Checks NASL id SUSE_ACROREAD_JA-6995.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code. (CVE-2010-0190 / CVE-2010-0191 / CVE-2010-0192 / CVE-2010-0193 / CVE-2010-0194 / CVE-2010-0195 / CVE-2010-0196 / CVE-2010-0197 / CVE-2010-0198 / CVE-2010-0199 / CVE-2010-0201 / CVE-2010-0202 / CVE-2010-0203 / CVE-2010-0204 / CVE-2010-1241) last seen 2020-06-01 modified 2020-06-02 plugin id 51712 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51712 title SuSE 10 Security Update : acroread_ja (ZYPP Patch Number 6995) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0349.NASL description Updated acroread packages that fix several security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes several vulnerabilities in Adobe Reader. These vulnerabilities are summarized on the Adobe Security Advisory APSB10-09 page listed in the References section. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193, CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197, CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202, CVE-2010-0203, CVE-2010-0204, CVE-2010-1241) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.3.2, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 46299 published 2010-05-11 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46299 title RHEL 4 / 5 : acroread (RHSA-2010:0349) NASL family SuSE Local Security Checks NASL id SUSE_11_2_ACROREAD-100419.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code (CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193 CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197 CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202 CVE-2010-0203, CVE-2010-0204, CVE-2010-1241). last seen 2020-06-01 modified 2020-06-02 plugin id 45600 published 2010-04-22 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45600 title openSUSE Security Update : acroread (openSUSE-SU-2010:0137-1) NASL family SuSE Local Security Checks NASL id SUSE_ACROREAD-6993.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code. (CVE-2010-0190 / CVE-2010-0191 / CVE-2010-0192 / CVE-2010-0193 / CVE-2010-0194 / CVE-2010-0195 / CVE-2010-0196 / CVE-2010-0197 / CVE-2010-0198 / CVE-2010-0199 / CVE-2010-0201 / CVE-2010-0202 / CVE-2010-0203 / CVE-2010-0204 / CVE-2010-1241) last seen 2020-06-01 modified 2020-06-02 plugin id 51699 published 2011-01-27 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/51699 title SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 6993) NASL family SuSE Local Security Checks NASL id SUSE_11_1_ACROREAD-100418.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code (CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193 CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197 CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202 CVE-2010-0203, CVE-2010-0204, CVE-2010-1241). last seen 2020-06-01 modified 2020-06-02 plugin id 45599 published 2010-04-22 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45599 title openSUSE Security Update : acroread (openSUSE-SU-2010:0137-1) NASL family SuSE Local Security Checks NASL id SUSE_11_ACROREAD_JA-100419.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code. (CVE-2010-0190 / CVE-2010-0191 / CVE-2010-0192 / CVE-2010-0193 / CVE-2010-0194 / CVE-2010-0195 / CVE-2010-0196 / CVE-2010-0197 / CVE-2010-0198 / CVE-2010-0199 / CVE-2010-0201 / CVE-2010-0202 / CVE-2010-0203 / CVE-2010-0204 / CVE-2010-1241) last seen 2020-06-01 modified 2020-06-02 plugin id 50885 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50885 title SuSE 11 Security Update : acroread_ja (SAT Patch Number 2322) NASL family SuSE Local Security Checks NASL id SUSE_11_ACROREAD-100418.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code. (CVE-2010-0190 / CVE-2010-0191 / CVE-2010-0192 / CVE-2010-0193 / CVE-2010-0194 / CVE-2010-0195 / CVE-2010-0196 / CVE-2010-0197 / CVE-2010-0198 / CVE-2010-0199 / CVE-2010-0201 / CVE-2010-0202 / CVE-2010-0203 / CVE-2010-0204 / CVE-2010-1241) last seen 2020-06-01 modified 2020-06-02 plugin id 50881 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50881 title SuSE 11 Security Update : Acrobat Reader (SAT Patch Number 2320) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201009-05.NASL description The remote host is affected by the vulnerability described in GLSA-201009-05 (Adobe Reader: Multiple vulnerabilities) Multiple vulnerabilities were discovered in Adobe Reader. For further information please consult the CVE entries and the Adobe Security Bulletins referenced below. Impact : A remote attacker might entice a user to open a specially crafted PDF file, possibly resulting in the execution of arbitrary code with the privileges of the user running the application, or bypass intended sandbox restrictions, make cross-domain requests, inject arbitrary web script or HTML, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 49126 published 2010-09-08 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/49126 title GLSA-201009-05 : Adobe Reader: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_11_0_ACROREAD-100418.NASL description Specially crafted PDF documents could crash acroread or even lead to execution of arbitrary code (CVE-2010-0190, CVE-2010-0191, CVE-2010-0192, CVE-2010-0193 CVE-2010-0194, CVE-2010-0195, CVE-2010-0196, CVE-2010-0197 CVE-2010-0198, CVE-2010-0199, CVE-2010-0201, CVE-2010-0202 CVE-2010-0203, CVE-2010-0204, CVE-2010-1241). last seen 2020-06-01 modified 2020-06-02 plugin id 45598 published 2010-04-22 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45598 title openSUSE Security Update : acroread (openSUSE-SU-2010:0137-1)
Oval
| accepted | 2013-08-12T04:10:19.894-04:00 | ||||||||||||||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||||||||||||||
| description | Adobe Reader and Acrobat 9.x before 9.3.2, and 8.x before 8.2.2 on Windows and Mac OS X, do not properly handle fonts, which allows attackers to execute arbitrary code via unspecified vectors. | ||||||||||||||||||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:7420 | ||||||||||||||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||||||||||||||
| submitted | 2010-04-13T10:30:00.000-05:00 | ||||||||||||||||||||||||||||||||||||||||||||
| title | Adobe Reader and Acrobat Font Handling Vulnerability | ||||||||||||||||||||||||||||||||||||||||||||
| version | 21 |
Redhat
| rpms |
|