Vulnerabilities > CVE-2011-0610 - Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Acrobat and Acrobat Reader

CVSS 9.3 - CRITICAL

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

network

critical

nessus

NVD

Published: 2011-05-03

Updated: 2017-09-19

Summary

The CoolType library in Adobe Reader 9.x before 9.4.4 and 10.x through 10.0.1 on Windows, Adobe Reader 9.x before 9.4.4 and 10.x before 10.0.3 on Mac OS X, and Adobe Acrobat 9.x before 9.4.4 and 10.x before 10.0.3 on Windows and Mac OS X allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. Per: http://www.adobe.com/support/security/bulletins/apsb11-08.html 'Severity rating Adobe categorizes these as critical updates and recommends affected users update their installations to the newest versions.' Per: http://www.adobe.com/support/security/bulletins/apsb11-08.html 'Today's security updates are out-of-cycle updates.'

Vulnerable Configurations

Part	Description	Count
Application	Adobe Adobe Acrobat Reader 9.0 Adobe Acrobat Reader 9.1 Adobe Acrobat Reader 9.1.1 Adobe Acrobat Reader 9.1.2 Adobe Acrobat Reader 9.1.3 Adobe Acrobat Reader 9.2 Adobe Acrobat Reader 9.3 Adobe Acrobat Reader 9.3.0 Adobe Acrobat Reader 9.3.1 Adobe Acrobat Reader 9.3.2 Adobe Acrobat Reader 9.3.3 Adobe Acrobat Reader 9.3.4 Adobe Acrobat Reader 9.4 Adobe Acrobat Reader 9.4.1 Adobe Acrobat Reader 9.4.2 Adobe Acrobat Reader 9.4.3 Adobe Acrobat Reader 10.0 Adobe Acrobat Reader 10.0.1 Adobe Acrobat Reader 10.0.2 Adobe Acrobat 9.0 Adobe Acrobat 9.1 Adobe Acrobat 9.1.1 Adobe Acrobat 9.1.2 Adobe Acrobat 9.1.3 Adobe Acrobat 9.2 Adobe Acrobat 9.3 Adobe Acrobat 9.3.1 Adobe Acrobat 9.3.2 Adobe Acrobat 9.3.3 Adobe Acrobat 9.3.4 Adobe Acrobat 9.4 Adobe Acrobat 9.4.1 Adobe Acrobat 9.4.2 Adobe Acrobat 9.4.3 Adobe Acrobat 10.0 Adobe Acrobat 10.0.1 Adobe Acrobat 10.0.2	37
OS	Microsoft Microsoft Windows *	1
OS	Apple Apple MAC OS X *	1

Common Weakness Enumeration (CWE)

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Common Attack Pattern Enumeration and Classification (CAPEC)

Buffer Overflow via Environment Variables
This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
Client-side Injection-induced Buffer Overflow
This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
Filter Failure through Buffer Overflow
In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
MIME Conversion
An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.

Nessus

NASL family	Windows
NASL id	ADOBE_ACROBAT_APSA11-02.NASL
description	The remote Windows host contains a version of Adobe Acrobat 9.x < 9.4.4 or 10.x < 10.0.3. Such versions are affected by multiple memory corruption vulnerabilities. A remote attacker could exploit this by tricking a user into viewing a malicious crafted PDF file, resulting in arbitrary code execution. Note also, CVE-2011-0611 is being exploited in the wild as of April 2011.
last seen	2020-06-01
modified	2020-06-02
plugin id	53450
published	2011-04-15
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/53450
title	Adobe Acrobat 9.x / 10.x Multiple Vulnerabilities (APSB11-08)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(53450); script_version("1.23"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id("CVE-2011-0610", "CVE-2011-0611"); script_bugtraq_id(47314, 47531); script_xref(name:"CERT", value:"230057"); script_xref(name:"Secunia", value:"44149"); script_name(english:"Adobe Acrobat 9.x / 10.x Multiple Vulnerabilities (APSB11-08)"); script_summary(english:"Checks version of Adobe Acrobat and authplay.dll"); script_set_attribute(attribute:"synopsis", value: "The version of Adobe Acrobat on the remote Windows host is affected by multiple memory corruption vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host contains a version of Adobe Acrobat 9.x < 9.4.4 or 10.x < 10.0.3. Such versions are affected by multiple memory corruption vulnerabilities. A remote attacker could exploit this by tricking a user into viewing a malicious crafted PDF file, resulting in arbitrary code execution. Note also, CVE-2011-0611 is being exploited in the wild as of April 2011."); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ee82b34"); script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/advisories/apsa11-02.html"); script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb11-08.html"); script_set_attribute(attribute:"solution", value:"Upgrade to Adobe Acrobat 9.4.4 / 10.0.3 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/11"); script_set_attribute(attribute:"patch_publication_date", value:"2011/04/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("adobe_acrobat_installed.nasl"); script_require_keys("SMB/Acrobat/Version"); script_require_ports(139, 445); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("smb_func.inc"); include("audit.inc"); version = get_kb_item_or_exit("SMB/Acrobat/Version"); path = get_kb_item_or_exit("SMB/Acrobat/Path"); version_ui = get_kb_item("SMB/Acrobat/Version_UI"); if (isnull(version_ui)) version_report = version; else version_report = version_ui; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); report = ''; # This affects 9.x < 9.4.4 / 10.x < 10.0.3 if ( # 9.x ( (ver[0] == 9 && ver[1] < 4) \|\| (ver[0] == 9 && ver[1] == 4 && ver[2] < 4) ) ) { report = '\n Path : ' + path + '\n Installed version : ' + version_report + '\n Fixed version : 9.4.4 / 10.0.3\n'; } else if (ver[0] == 10 && ver[1] == 0 && (ver[2] < 1 \|\| (ver[2] == 1 && ver[3] <= 434))) { path = get_kb_item_or_exit('SMB/Acrobat/Path'); name = kb_smb_name(); #port = kb_smb_transport(); login = kb_smb_login(); pass = kb_smb_password(); domain = kb_smb_domain(); #if (!get_port_state(port)) exit(0, "Port "+port+" is not open."); #soc = open_sock_tcp(port); #if (!soc) exit(1, "Failed to open a socket on port "+port+"."); #session_init(socket:soc, hostname:name); if(!smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init'); share = ereg_replace(pattern:'^([A-Za-z]):.', replace:'\\1$', string:path); dll = ereg_replace(pattern:'^[A-Za-z]:(.)', replace:'\\1\\Acrobat\\authplay.dll', string:path); rc = NetUseAdd(login:login, password:pass, domain:domain, share:share); if (rc != 1) { NetUseDel(); exit(1, 'Can\'t connect to '+share+' share.'); } fh = CreateFile( file:dll, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING ); if (isnull(fh)) { NetUseDel(); exit(1, 'Unable to access : '+path+'\\Acrobat\\authplay.dll.'); } dllver = GetProductVersion(handle:fh); dllver = split(dllver, sep:',', keep:FALSE); CloseFile(handle:fh); NetUseDel(); if (isnull(dllver)) exit(1, 'Can\'t get the version of '+path+'\\Acrobat\\authplay.dll.'); dllversion = join(sep:'.', dllver); fixdll = '10.2.159.1'; if (ver_compare(ver:dllversion, fix:fixdll) == -1) { report = '\n DLL : ' + path + '\\Acrobat\\authplay.dll' + '\n Installed version : ' + dllversion + '\n Fixed version : ' + fixdll + '\n'; } } if (report) { if (report_verbosity > 0) security_hole(port:get_kb_item('SMB/transport'), extra:report); else security_hole(get_kb_item('SMB/transport')); } else exit(0, "The host is not affected.");

NASL family	Windows
NASL id	ADOBE_READER_APSA11-02.NASL
description	The remote Windows host contains a version of Adobe Reader 9.x < 9.4.4 or 10.x <= 10.1. Such versions are affected by multiple memory corruption vulnerabilities. A remote attacker could exploit this by tricking a user into viewing a maliciously crafted PDF file, resulting in arbitrary code execution. Note that Adobe Reader X Protected Mode prevents an exploit of this kind from executing. Note also, CVE-2011-0611 is being exploited in the wild as of April 2011.
last seen	2020-06-01
modified	2020-06-02
plugin id	53451
published	2011-04-15
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/53451
title	Adobe Reader 9.x / 10.x Multiple Vulnerabilities (APSB11-08)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(53451); script_version("1.21"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id("CVE-2011-0610", "CVE-2011-0611"); script_bugtraq_id(47314, 47531); script_xref(name:"CERT", value:"230057"); script_xref(name:"Secunia", value:"44149"); script_name(english:"Adobe Reader 9.x / 10.x Multiple Vulnerabilities (APSB11-08)"); script_summary(english:"Checks version of Adobe Reader"); script_set_attribute(attribute:"synopsis", value: "The version of Adobe Reader on the remote Windows host is affected by multiple memory corruption vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Windows host contains a version of Adobe Reader 9.x < 9.4.4 or 10.x <= 10.1. Such versions are affected by multiple memory corruption vulnerabilities. A remote attacker could exploit this by tricking a user into viewing a maliciously crafted PDF file, resulting in arbitrary code execution. Note that Adobe Reader X Protected Mode prevents an exploit of this kind from executing. Note also, CVE-2011-0611 is being exploited in the wild as of April 2011."); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9ee82b34"); script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/advisories/apsa11-02.html"); script_set_attribute(attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb11-08.html"); # "The update for Adobe Reader X (10.x) for Windows also incorporate the updates # previously addressed in all other supported versions of Adobe Reader and Acrobat # as noted in Security Bulletin APSB11-06 and Security Bulletin APSB11-08." script_set_attribute(attribute:"see_also",value:"http://www.adobe.com/support/security/bulletins/apsb11-16.html"); script_set_attribute(attribute:"solution", value: "Upgrade to Adobe Reader 9.4.4 / 10.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value: "2011/04/11"); script_set_attribute(attribute:"patch_publication_date", value: "2011/04/21"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/04/15"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat_reader"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("adobe_reader_installed.nasl"); script_require_keys("SMB/Acroread/Version"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("smb_func.inc"); version = get_kb_item_or_exit("SMB/Acroread/Version"); path = get_kb_item_or_exit('SMB/Acroread/'+version+'/Path'); version_ui = get_kb_item('SMB/Acroread/'+version+'/Version_UI'); if (isnull(version_ui)) version_report = version; else version_report = version_ui; ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); # This affects 9.x < 9.4.4 / 10.x < 10.1 if ( # 9.x ( (ver[0] == 9 && ver[1] < 4) \|\| (ver[0] == 9 && ver[1] == 4 && ver[2] < 4) ) \|\| # 10.x (ver[0] == 10 && ver[1] < 1) ) { if (report_verbosity > 0) { report = '\n Path : '+path+ '\n Installed version : '+version_report+ '\n Fixed version : 9.4.4 / 10.1\n'; security_hole(port:get_kb_item('SMB/transport'), extra:report); } else security_hole(get_kb_item('SMB/transport')); } else exit(0, 'Adobe Reader '+version_report+' is installed and not affected.');

Oval

accepted

2014-10-06T04:00:57.123-04:00

class

vulnerability

contributors

name Aharon Chernin
organization DTCC
name Sergey Artykhov
organization ALTX-SOFT
name Sergey Artykhov
organization ALTX-SOFT
name Shane Shaffer
organization G2, Inc.
name Maria Mikhno
organization ALTX-SOFT
name Maria Mikhno
organization ALTX-SOFT

definition_extensions

comment Adobe Acrobat 10.x is installed
oval oval:org.mitre.oval:def:11989
comment Adobe Acrobat 9 Series is installed
oval oval:org.mitre.oval:def:6013
comment Adobe Reader 9 Series is installed
oval oval:org.mitre.oval:def:6523
comment Adobe Reader 10.x is installed
oval oval:org.mitre.oval:def:12283

description

family

windows

oval:org.mitre.oval:def:13967

status

accepted

submitted

2011-11-04T14:32:55.000-05:00

title

version

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

Nessus

Oval

References