Vulnerabilities > CVE-2011-2462 - Unspecified vulnerability in Adobe Acrobat and Acrobat Reader
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011.
Vulnerable Configurations
Exploit-Db
| description | Adobe Reader U3D Memory Corruption Vulnerability. CVE-2011-2462. Local exploit for windows platform |
| id | EDB-ID:18366 |
| last seen | 2016-02-02 |
| modified | 2012-01-14 |
| published | 2012-01-14 |
| reporter | metasploit |
| source | https://www.exploit-db.com/download/18366/ |
| title | Adobe Reader U3D Memory Corruption Vulnerability |
Metasploit
| description | This module exploits a vulnerability in the U3D handling within versions 9.x through 9.4.6 and 10 through to 10.1.1 of Adobe Reader. The vulnerability is due to the use of uninitialized memory. Arbitrary code execution is achieved by embedding specially crafted U3D data into a PDF document. A heap spray via JavaScript is used in order to ensure that the memory used by the invalid pointer issue is controlled. |
| id | MSF:EXPLOIT/WINDOWS/FILEFORMAT/ADOBE_READER_U3D |
| last seen | 2020-06-07 |
| modified | 2020-01-15 |
| published | 2012-01-04 |
| references |
|
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/adobe_reader_u3d.rb |
| title | Adobe Reader U3D Memory Corruption Vulnerability |
Nessus
NASL family Windows NASL id ADOBE_READER_APSB12-01.NASL description The version of Adobe Reader installed on the remote host is earlier than 10.1.2 / 9.5, and therefore affected by multiple memory corruption vulnerabilities. An attacker could exploit these issues by tricking a user into opening a maliciously crafted Reader file, resulting in arbitrary code execution. Adobe Reader 10.1.2 is the first 10.x release to include fixes for CVE-2011-2462 and CVE-2011-4369. These were previously fixed for 9.x releases in 9.4.7 (APSB11-30). last seen 2020-06-01 modified 2020-06-02 plugin id 57484 published 2012-01-11 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57484 title Adobe Reader < 10.1.2 / 9.5 Multiple Vulnerabilities (APSB12-01) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(57484); script_version("1.20"); script_cvs_date("Date: 2018/11/15 20:50:26"); script_cve_id( "CVE-2011-2462", "CVE-2011-4369", "CVE-2011-4370", "CVE-2011-4371", "CVE-2011-4372", "CVE-2011-4373" ); script_bugtraq_id(50922, 51092, 51348, 51351, 51349, 51350); script_name(english:"Adobe Reader < 10.1.2 / 9.5 Multiple Vulnerabilities (APSB12-01)"); script_summary(english:"Checks version of Adobe Reader"); script_set_attribute(attribute:"synopsis",value: "The version of Adobe Reader on the remote Windows host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description",value: "The version of Adobe Reader installed on the remote host is earlier than 10.1.2 / 9.5, and therefore affected by multiple memory corruption vulnerabilities. An attacker could exploit these issues by tricking a user into opening a maliciously crafted Reader file, resulting in arbitrary code execution. Adobe Reader 10.1.2 is the first 10.x release to include fixes for CVE-2011-2462 and CVE-2011-4369. These were previously fixed for 9.x releases in 9.4.7 (APSB11-30)." ); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-12-021/"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/521538/30/0/threaded"); script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/advisories/apsa11-04.html"); script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/bulletins/apsb11-30.html"); script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/bulletins/apsb12-01.html"); script_set_attribute(attribute:"solution", value:"Upgrade to Adobe Reader 9.5 / 10.1.2 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Reader U3D Memory Corruption Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/06"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat_reader"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:'Windows'); script_copyright(english:"This script is Copyright (C) 2012-2018 Tenable Network Security, Inc."); script_dependencies('adobe_reader_installed.nasl'); script_require_keys('SMB/Acroread/Version'); exit(0); } # include('global_settings.inc'); info = ''; info2 = ''; vuln = 0; vers = get_kb_list('SMB/Acroread/Version'); if (isnull(vers)) exit(0, 'The "SMB/Acroread/Version" KB list is missing.'); foreach version (vers) { ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); path = get_kb_item('SMB/Acroread/'+version+'/Path'); if (isnull(path)) path = 'n/a'; verui = get_kb_item('SMB/Acroread/'+version+'/Version_UI'); if (isnull(verui)) verui = version; # Adobe says versions 9.4.7 and earlier are affected, but recommends upgrading # to 9.5 (presumably 9.4.8 and 9.4.9 don't exist or aren't publicly available) if ( (ver[0] == 9 && ver[1] < 4) || (ver[0] == 9 && ver[1] == 4 && ver[2] <= 7) || (ver[0] == 10 && ver[1] < 1) || (ver[0] == 10 && ver[1] == 1 && ver[2] < 2) ) { vuln++; info += '\n Path : '+path+ '\n Installed version : '+verui+ '\n Fixed version : 9.5 / 10.1.2\n'; } else info2 += " and " + verui; } if (info) { if (report_verbosity > 0) { if (vuln > 1) s = "s of Adobe Reader are"; else s = " of Adobe Reader is"; report = '\nThe following vulnerable instance'+s+' installed on the'+ '\nremote host :\n'+ info; security_hole(port:get_kb_item("SMB/transport"), extra:report); } else security_hole(get_kb_item("SMB/transport")); exit(0); } if (info2) { info2 -= " and "; if (" and " >< info2) be = "are"; else be = "is"; exit(0, "The host is not affected since Adobe Reader "+info2+" "+be+" installed."); } else exit(1, "Unexpected error - 'info2' is empty.");NASL family SuSE Local Security Checks NASL id SUSE_ACROREAD-7924.NASL description Acrobat Reader was updated to version 9.4.7 to fix two security issues. (CVE-2011-2462 / CVE-2011-4369) last seen 2020-06-05 modified 2012-01-18 plugin id 57587 published 2012-01-18 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57587 title SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 7924) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The text description of this plugin is (C) Novell, Inc. # include("compat.inc"); if (description) { script_id(57587); script_version ("1.13"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2011-2462", "CVE-2011-4369"); script_name(english:"SuSE 10 Security Update : Acrobat Reader (ZYPP Patch Number 7924)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote SuSE 10 host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "Acrobat Reader was updated to version 9.4.7 to fix two security issues. (CVE-2011-2462 / CVE-2011-4369)" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-2462.html" ); script_set_attribute( attribute:"see_also", value:"http://support.novell.com/security/cve/CVE-2011-4369.html" ); script_set_attribute(attribute:"solution", value:"Apply ZYPP patch number 7924."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Reader U3D Memory Corruption Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:suse:suse_linux"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/18"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 Tenable Network Security, Inc."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list"); exit(0); } include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled."); if (!get_kb_item("Host/SuSE/release")) exit(0, "The host is not running SuSE."); if (!get_kb_item("Host/SuSE/rpm-list")) exit(1, "Could not obtain the list of installed packages."); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) exit(1, "Failed to determine the architecture type."); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") exit(1, "Local checks for SuSE 10 on the '"+cpu+"' architecture have not been implemented."); flag = 0; if (rpm_check(release:"SLED10", sp:4, reference:"acroread-9.4.7-0.5.1")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"acroread-cmaps-9.4.6-0.5.9")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"acroread-fonts-ja-9.4.6-0.5.9")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"acroread-fonts-ko-9.4.6-0.5.9")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"acroread-fonts-zh_CN-9.4.6-0.5.9")) flag++; if (rpm_check(release:"SLED10", sp:4, reference:"acroread-fonts-zh_TW-9.4.6-0.5.9")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else exit(0, "The host is not affected.");NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_FA2F386F481411E189B4001EC9578670.NASL description The Adobe Security Team reports : An unspecified vulnerability in the U3D component allows remote attackers to execute arbitrary code (or cause a denial of service attack) via unknown vectors. A heap-based buffer overflow allows attackers to execute arbitrary code via unspecified vectors. last seen 2020-06-01 modified 2020-06-02 plugin id 57705 published 2012-01-27 reporter This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57705 title FreeBSD : acroread9 -- Multiple Vulnerabilities (fa2f386f-4814-11e1-89b4-001ec9578670) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from the FreeBSD VuXML database : # # Copyright 2003-2018 Jacques Vidrine and contributors # # Redistribution and use in source (VuXML) and 'compiled' forms (SGML, # HTML, PDF, PostScript, RTF and so forth) with or without modification, # are permitted provided that the following conditions are met: # 1. Redistributions of source code (VuXML) must retain the above # copyright notice, this list of conditions and the following # disclaimer as the first lines of this file unmodified. # 2. Redistributions in compiled form (transformed to other DTDs, # published online in any format, converted to PDF, PostScript, # RTF and other formats) must reproduce the above copyright # notice, this list of conditions and the following disclaimer # in the documentation and/or other materials provided with the # distribution. # # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS" # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION, # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. # include("compat.inc"); if (description) { script_id(57705); script_version("1.12"); script_cvs_date("Date: 2018/11/23 12:49:57"); script_cve_id("CVE-2011-1353", "CVE-2011-2431", "CVE-2011-2432", "CVE-2011-2433", "CVE-2011-2434", "CVE-2011-2435", "CVE-2011-2436", "CVE-2011-2437", "CVE-2011-2438", "CVE-2011-2439", "CVE-2011-2440", "CVE-2011-2441", "CVE-2011-2442", "CVE-2011-2462"); script_name(english:"FreeBSD : acroread9 -- Multiple Vulnerabilities (fa2f386f-4814-11e1-89b4-001ec9578670)"); script_summary(english:"Checks for updated package in pkg_info output"); script_set_attribute( attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "The Adobe Security Team reports : An unspecified vulnerability in the U3D component allows remote attackers to execute arbitrary code (or cause a denial of service attack) via unknown vectors. A heap-based buffer overflow allows attackers to execute arbitrary code via unspecified vectors." ); # http://www.adobe.com/support/security/bulletins/apsb11-24.html script_set_attribute( attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb11-24.html" ); # http://www.adobe.com/support/security/advisories/apsa11-04.html script_set_attribute( attribute:"see_also", value:"https://www.adobe.com/support/security/advisories/apsa11-04.html" ); # https://vuxml.freebsd.org/freebsd/fa2f386f-4814-11e1-89b4-001ec9578670.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?48167c68" ); script_set_attribute(attribute:"solution", value:"Update the affected package."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Reader U3D Memory Corruption Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:acroread9"); script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/07"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/26"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/27"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"FreeBSD Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info"); exit(0); } include("audit.inc"); include("freebsd_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD"); if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (pkg_test(save_report:TRUE, pkg:"acroread9<9.4.7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2012-0011.NASL description Updated acroread packages that fix two security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes two security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB11-30, listed in the References section. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2011-2462, CVE-2011-4369) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.4.7, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect. last seen 2020-04-16 modified 2012-01-11 plugin id 57482 published 2012-01-11 reporter This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/57482 title RHEL 5 / 6 : acroread (RHSA-2012:0011) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2012:0011. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(57482); script_version ("1.31"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/15"); script_cve_id("CVE-2011-2462", "CVE-2011-4369"); script_bugtraq_id(50922, 51092); script_xref(name:"RHSA", value:"2012:0011"); script_name(english:"RHEL 5 / 6 : acroread (RHSA-2012:0011)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated acroread packages that fix two security issues are now available for Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary. The Red Hat Security Response Team has rated this update as having critical security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Adobe Reader allows users to view and print documents in Portable Document Format (PDF). This update fixes two security flaws in Adobe Reader. These flaws are detailed on the Adobe security page APSB11-30, listed in the References section. A specially crafted PDF file could cause Adobe Reader to crash or, potentially, execute arbitrary code as the user running Adobe Reader when opened. (CVE-2011-2462, CVE-2011-4369) All Adobe Reader users should install these updated packages. They contain Adobe Reader version 9.4.7, which is not vulnerable to these issues. All running instances of Adobe Reader must be restarted for the update to take effect." ); # http://www.adobe.com/support/security/bulletins/apsb11-30.html script_set_attribute( attribute:"see_also", value:"https://www.adobe.com/support/security/bulletins/apsb11-30.html" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2012:0011" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2011-2462" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2011-4369" ); script_set_attribute( attribute:"solution", value:"Update the affected acroread and / or acroread-plugin packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Reader U3D Memory Corruption Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:acroread"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:acroread-plugin"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/12/07"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/11"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(4|5|6)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x / 5.x / 6.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2012:0011"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"acroread-9.4.7-1.el5")) flag++; if (rpm_check(release:"RHEL5", cpu:"i386", reference:"acroread-plugin-9.4.7-1.el5")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"acroread-9.4.7-1.el6")) flag++; if (rpm_check(release:"RHEL6", cpu:"i686", reference:"acroread-plugin-9.4.7-1.el6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "acroread / acroread-plugin"); } }NASL family SuSE Local Security Checks NASL id SUSE_11_4_ACROREAD-120111.NASL description Acrobat Reader was updated to version 9.4.7 to fix security issues (CVE-2011-2462, CVE-2011-4369) last seen 2020-06-05 modified 2014-06-13 plugin id 75784 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75784 title openSUSE Security Update : acroread (openSUSE-SU-2012:0087-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update acroread-5650. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(75784); script_version("1.5"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04"); script_cve_id("CVE-2011-2462", "CVE-2011-4369"); script_name(english:"openSUSE Security Update : acroread (openSUSE-SU-2012:0087-1)"); script_summary(english:"Check for the acroread-5650 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "Acrobat Reader was updated to version 9.4.7 to fix security issues (CVE-2011-2462, CVE-2011-4369)" ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=735275" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2012-01/msg00030.html" ); script_set_attribute( attribute:"solution", value:"Update the affected acroread package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Adobe Reader U3D Memory Corruption Vulnerability'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:acroread"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.4"); script_set_attribute(attribute:"patch_publication_date", value:"2012/01/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/06/13"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.4)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.4", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686)$") audit(AUDIT_ARCH_NOT, "i586 / i686", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.4", reference:"acroread-9.4.7-0.3.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "acroread"); }NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201201-19.NASL description The remote host is affected by the vulnerability described in GLSA-201201-19 (Adobe Reader: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Adobe Reader. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could entice a user to open a specially crafted PDF file using Adobe Reader, possibly resulting in the remote execution of arbitrary code, a Denial of Service, or other impact. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 57745 published 2012-01-31 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57745 title GLSA-201201-19 : Adobe Reader: Multiple vulnerabilities NASL family Windows NASL id ADOBE_ACROBAT_APSA11-04.NASL description The remote Windows host contains a version of Adobe Acrobat earlier than 9.4.7. Such versions are affected by multiple memory corruption vulnerabilities related to the last seen 2020-06-01 modified 2020-06-02 plugin id 57042 published 2011-12-07 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57042 title Adobe Acrobat < 9.4.7 Multiple Memory Corruption Vulnerabilities (APSB11-30) NASL family SuSE Local Security Checks NASL id SUSE_11_3_ACROREAD-120111.NASL description Acrobat Reader was updated to version 9.4.7 to fix security issues (CVE-2011-2462, CVE-2011-4369) last seen 2020-06-05 modified 2014-06-13 plugin id 75423 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75423 title openSUSE Security Update : acroread (openSUSE-SU-2012:0087-1) NASL family SuSE Local Security Checks NASL id SUSE_11_ACROREAD-120112.NASL description Acrobat Reader was updated to version 9.4.7 to fix two security issues. (CVE-2011-2462 / CVE-2011-4369) last seen 2020-06-05 modified 2012-01-18 plugin id 57586 published 2012-01-18 reporter This script is Copyright (C) 2012-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57586 title SuSE 11.1 Security Update : Acrobat Reader (SAT Patch Number 5649) NASL family Windows NASL id ADOBE_ACROBAT_APSB12-01.NASL description The version of Adobe Acrobat installed on the remote host is earlier than 10.1.2 / 9.5, and therefore affected by multiple memory corruption vulnerabilities. An attacker could exploit these issues by tricking a user into opening a maliciously crafted Acrobat file, resulting in arbitrary code execution. Adobe Acrobat 10.1.2 is the first 10.x release to include fixes for CVE-2011-2462 and CVE-2011-4369. These were previously fixed for 9.x releases in 9.4.7 (APSB11-30). last seen 2020-06-01 modified 2020-06-02 plugin id 57483 published 2012-01-11 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57483 title Adobe Acrobat < 10.1.2 / 9.5 Multiple Vulnerabilities (APSB12-01) NASL family MacOS X Local Security Checks NASL id MACOSX_ADOBE_READER_APSA11-04.NASL description The version of Adobe Reader installed on the remote Mac OS X host is prior or equal to 10.1.1 or 9.4.6. It is, therefore, affected by a memory corruption issue related to the Universal 3D (U3D) file format. A remote attacker can exploit this, by convincing a user to view a maliciously crafted PDF file, to cause an application crash or to execute arbitrary code. Note that the Adobe Reader X user-specific option to use last seen 2020-06-01 modified 2020-06-02 plugin id 57044 published 2011-12-07 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57044 title Adobe Reader <= 10.1.1 / 9.4.6 U3D Memory Corruption (APSA11-04, APSB11-28, APSB11-30, APSB12-01) (Mac OS X) NASL family SuSE Local Security Checks NASL id OPENSUSE-2012-33.NASL description Acrobat Reader was updated to version 9.4.7 to fix security issues. last seen 2020-06-05 modified 2014-06-13 plugin id 74656 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/74656 title openSUSE Security Update : acroread (openSUSE-2012-33) NASL family Windows NASL id ADOBE_READER_APSA11-04.NASL description The remote Windows host contains a version of Adobe Reader earlier than 9.4.7. Such versions are affected by multiple memory corruption vulnerabilities related to the last seen 2020-06-01 modified 2020-06-02 plugin id 57043 published 2011-12-07 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57043 title Adobe Reader < 9.4.7 Multiple Memory Corruption Vulnerabilities (APSB11-30)
Oval
| accepted | 2014-10-06T04:01:35.722-04:00 | ||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||
| description | Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011. | ||||||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:14562 | ||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||
| submitted | 2011-12-09T10:51:10.000-05:00 | ||||||||||||||||||||||||||||||||
| title | Unspecified vulnerability in the U3D component in Adobe Reader and Acrobat 10.1.1 and earlier on Windows and Mac OS X, and Adobe Reader 9.x through 9.4.6 on UNIX, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unknown vectors, as exploited in the wild in December 2011. | ||||||||||||||||||||||||||||||||
| version | 18 |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/108359/adobe_reader_u3d.rb.txt |
| id | PACKETSTORM:108359 |
| last seen | 2016-12-05 |
| published | 2012-01-04 |
| reporter | jduck |
| source | https://packetstormsecurity.com/files/108359/Adobe-Reader-U3D-Memory-Corruption.html |
| title | Adobe Reader U3D Memory Corruption |
Redhat
| advisories |
| ||||
| rpms |
|
Saint
| bid | 50922 |
| description | Adobe Reader U3D Heap Overflow |
| id | misc_acroread |
| osvdb | 77529 |
| title | adobe_reader_u3d_heap_overflow |
| type | client |
Seebug
bulletinFamily exploit description BUGTRAQ ID: 50922 CVE ID: CVE-2011-2462 Adobe Reader(也被称为Acrobat Reader)是美国Adobe公司开发的一款优秀的PDF文档阅读软件。Acrobat是1993年推出针对企业、技术人员和创意专业人士的系列产品,使智能文档的传送和协作更为灵活、可靠和安全。 Adobe Acrobat和Reader在处理U3D数据中包含的畸形结构时存在内存破坏漏洞,攻击者可利用此漏洞造成崩溃并完全控制受影响系统 Adobe Reader 9.x Adobe Reader 10.x 临时解决方法: 如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁: * 不要使用Adobe Reader打开来源不明的PDF文件,换用其他的PDF文件查看工具,比如Foxit。 厂商补丁: Adobe ----- Adobe已经为此发布了一个安全公告(APSA11-04)但还没有提供相应的补丁: APSA11-04:Security Advisory for Adobe Reader and Acrobat 链接:http://www.adobe.com/support/security/advisories/apsa11-04.html id SSV:26022 last seen 2017-11-19 modified 2011-12-08 published 2011-12-08 reporter Root title Adobe Reader U3D数据处理代码执行漏洞 bulletinFamily exploit description # Adobe Reader U3D Memory Corruption Vulnerability ### 影响范围 软件版本:<=adobe reader 9.4.6 ### 测试环境 测试pdf 版本:9.4.0 测试系统:win7 相关下载 : [点我下载](http://pan.baidu.com/s/1pK0xnNd "Title") ### 漏洞分析 **1 . crash info ** 加hpa的crash info ``` eax=c0c0c0c0 ebx=1e282ea8 ecx=00000024 edx=00000000 esi=00000000 edi=00000000 eip=1a73f2e3 esp=0012f4fc ebp=0012f548 iopl=0 nv up ei ng nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286 rt3d!QUAT::QUAT+0x5cf: 1a73f2e3 80b8fc09000000 cmp byte ptr <Unloaded_.dll>+0x9fb (000009fc)[eax],0 ds:0023:c0c0cabc=jQuery21409907170905381412_1452575796030 ``` 不加hpa 的crash info ``` eax=52520026 ebx=1e282ea8 ecx=00000024 edx=00000000 esi=00000000 edi=00000000 eip=1a73f2e3 esp=0012f4fc ebp=0012f548 iopl=0 nv up ei ng nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286 rt3d!QUAT::QUAT+0x5cf: 1a73f2e3 80b8fc09000000 cmp byte ptr <Unloaded_.dll>+0x9fb (000009fc)[eax],0 ds:0023: 52520A22=?? ``` **2. Analysis** 这是个pdf 0day漏洞没有任何漏洞描述的相关细节,只知道是u3d格式文件出了问题。用已有的010脚本查看u3d格式也没有发现什么异常。 只能一步步跟踪分析。 从上面的crash info中,必须要找出是什么原因导致eax变成了非法的值,从而触发崩溃 出问题的地方是在u3d格式的node节点出,当显示pdf时,e3_NODE__ChildsDraw函数进行绘制视图 ``` C in rt3d.dll int __stdcall e3_NODE__ChildsDraw(struc_1 *a1, int a2, int a3, int a4) { struc_1 *node; // esi@1 int result; // eax@2 for ( node = (struc_1 *)a1->first_node; node; node = (struc_1 *)node->next_node ) { result = (*(int (__stdcall **)(_DWORD, _DWORD, _DWORD, _DWORD))(node->cobject + 0xC4))(node, a2, a3, a4);// rt3d!e3_NODE::Draw if ( result < 0 ) return result; } return 1; } ``` e3_NODE::Draw函数中会调用sub_ 101819E7(命名为Take_Fill_Node)函数,该函数会申请sizeof(struct1)* node_count大小的内存,sizeof(struct1)=0xa0 ,然后循环(这里总共5个节点,从0-4)将将node+0x68处的一个对象指针赋给申请的内存结构中。此时这个对象指针+0x54偏移处已经是被修改的非法值52520026,因此需要知道这个对象是从哪来的。 node+0x68的对象指针从哪来的呢,这里就要看node节点的分配情况。从rt3d.dll中看到有关于e3_NoDE:类,其中有e3_NODE__AddChild和e3_NODE__Create等节点操作函数,很自然的在节点的分配出下断点。 ``` bu !rt3d+165CCA ".if(1){.echo addchild;gc}" bu !rt3d+181A56 ".if(1){.echo malloc base;db eax;}" bu !rt3d+168050 ".if(1){.echo create new child node;r eax;gc}" bu rt3d!e3_NODE::ChildsDraw+0x19 ".if(1){.echo ChildsDraw childnode ;r esi;dd esi+0x48} l4" bu !rt3d+166EB0 ".if(1){.echo call Take_Fill_Node;dd esp l4;dd poi(esp+4)+0x48}" ``` node节点的分配情况 ``` Opened log file 'node.log' 0:004> g create new child node eax=03217ac8 --allocate root node addchild ModLoad: 668a0000 66a63000 C:\Windows\system32\d3d9.dll ModLoad: 70be0000 70be6000 C:\Windows\system32\d3d8thk.dll ModLoad: 6b400000 6b421000 C:\Windows\system32\vm3dum.dll ModLoad: 67ed0000 67fd5000 C:\Windows\system32\d3d8.dll *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Adobe Reader 9.4.0\Reader 9.0\Reader\plug_ins3d\3difr.x3d - create new child node eax=0321c918 --allocate node1 ---second break addchild create new child node eax=0321d3b8 --allocate node2 addchild create new child node eax=0321d488 --allocate node3 addchild create new child node eax=0321d558 --allocate node4 addchild create new child node eax=0321d628 --allocate node5 addchild ModLoad: 69fa0000 6a00c000 C:\Program Files\Adobe Reader 9.4.0\Reader 9.0\Reader\AdobeXMP.dll ModLoad: 6f8d0000 70350000 C:\Windows\system32\ieframe.dll ModLoad: 718a0000 718dc000 C:\Windows\system32\OLEACC.dll ADOBE_READLOGGER_CMD:PAUSE_LOG ModLoad: 6b3d0000 6b3f1000 C:\Windows\system32\vm3dum.dll ChildsDraw childnode esi=03217ac8 ---root node 03217b10 0321c918 00000000 00000000 00000000 ChildsDraw childnode esi=0321c918 ---node 1 0321c960 00000000 03217ac8 0321d3b8 0321d3b8 ChildsDraw childnode esi=0321d3b8 ---node 2 0321d400 00000000 00000000 0321d488 0321d488 ChildsDraw childnode esi=0321d488 ---node 3 0321d4d0 00000000 00000000 0321d558 0321d558 ChildsDraw childnode esi=0321d558 ---node 4 0321d5a0 00000000 00000000 0321d628 0321d628 ChildsDraw childnode esi=0321d628 ---node 5 0321d670 00000000 00000000 00000000 00000000 call Take_Fill_Node 0016e860 0321d628 03213ba0 0016e87c 00000000 ---node5 *(node5+0x68) offset48 03213be8 00000000 0321ba70 00000000 00000000 03213bf8 00000000 41700000 00000000 00000000 03213c08 3f800000 3f800000 00000000 00000000 03213c18 00000011 00000000 18bd34db 88000000 03213c28 0321c788 00000000 00000000 00000000 03213c38 00000000 00000000 00000000 00000000 03213c48 00000000 00000000 00000000 00000000 03213c58 00000000 00000000 00000000 00000000 call Take_Fill_Node 0016e9b4 0321d558 03213870 0016e9d0 00000000 ---node4 *(node4+0x68) offset48 032138b8 00000000 0321b9e0 00000000 00000000 032138c8 00000000 41200000 00000000 00000000 032138d8 3f800000 3f800000 00000000 00000000 032138e8 00000011 00000000 18bd3441 88000000 032138f8 0321c788 00000000 00000000 00000000 03213908 00000000 00000000 00000000 00000000 03213918 00000000 00000000 00000000 00000000 03213928 00000000 00000000 00000000 00000000 call Take_Fill_Node 0016eb08 0321d488 032135c8 03213298 00000000 ---node3 *(node3+0x68) offset48 03213610 00000000 0321b950 00000000 00000000 03213620 00000000 00000000 00000000 00000000 03213630 3f800000 3f800000 00000000 00000000 03213640 00000011 00000000 18bd3596 88000000 03213650 0321c788 00000000 00000000 00000000 03213660 00000000 00000000 00000000 00000000 03213670 00000000 00000000 00000000 00000000 03213680 00000000 00000000 00000000 00000000 call Take_Fill_Node 0016ec5c 0321d3b8 03213320 03213298 00000000 ---node2 *(node2+0x68) offset48 03213368 00000000 0321b8c0 00000000 00000000 03213378 00000000 00000000 00000000 00000000 03213388 3f800000 3f800000 00000000 00000000 03213398 00000011 00000000 18bd352b 88000000 032133a8 0321c788 00000000 00000000 00000000 032133b8 00000000 00000000 00000000 00000000 032133c8 00000000 00000000 00000000 00000000 032133d8 00000000 00000000 00000000 00000000 call Take_Fill_Node 0016edb0 0321c918 03213fe0 032140f0 00000000 ---node1 *(node1+0x68) offset48 03214028 0321d1e8 0321c788 00000000 00000014 03214038 00000000 00000000 00000000 00000000 03214048 03208ff8 00000014 0320c008 03214178 03214058 0321bdd0 00000000 18bd3b53 88000000 03214068 0321c918 00000000 00000000 00000000 03214078 00000000 00000000 00000000 00000000 03214088 00000000 00000000 00000000 00000000 03214098 00000000 00000000 00000000 00000000 eax=00000000 ebx=00000000 ecx=03216d58 edx=0016ecc0 esi=03216d58 edi=00000004 eip=68881a6b esp=0016eda0 ebp=0016eee4 iopl=0 nv up ei pl nz ac pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000216 rt3d!e3_LAYER::DeleteThis+0x351: 68881a6b 69ffa0000000 imul edi,edi,0A0h 0:000> dd 0321d1e8+54 0321d23c 52520026 13b80100 00140307 00000000 ---52520026 非法的值 0321d24c 00000000 00000000 1e080000 00300322 0321d25c 00000000 00000000 00000000 00000000 0321d26c 00000000 00000000 00000000 00000000 0321d27c 63380000 00000306 64680000 00000306 0321d28c b3bc0000 00240206 00000000 00030000 0321d29c 00000000 00000000 00000000 00000000 0321d2ac 00000000 00000000 fa3a0000 4d24c105 ``` 初步从上面的打印日志来看,是第一个node节点出了问题unkown_class=*(node1+0x68) ; *(*(unkown_class+0x48)+0x54)=0x52520026 Node+0x68是什么时候初始化的呢,恢复虚拟机快照,重新来过,在第一个node子节点分配成功后断下来 然后下 ba w 1 (node+0x68)的访问断点。 (这里分享个调试的技巧 可以用虚拟机来保存开始调试时候的状态,这里以后重新调试的时候直接恢复虚拟机快照,堆分配的地址都是一样的,可以直接下访问断点。) ``` char __userpurge e3_NODE__SetObject<al>(int a1<ebx>, int node, int a3) { int v3; // eax@1 int v4; // ebx@2 int v6; // [sp-4h] [bp-Ch]@2 v3 = *(_DWORD *)(node + 0x68); if ( a3 != v3 ) { v6 = a1; v4 = *(_DWORD *)(node + 0x68); if ( v3 ) (*(void (__stdcall **)(int, int))(*(_DWORD *)v3 + 48))(v3, node); *(_DWORD *)(node + 0x68) = a3; a3=unkown_class 这里进行的初始化 if ( a3 ) { (*(void (__stdcall **)(int, int))(*(_DWORD *)a3 + 44))(a3, node); (*(void (__stdcall **)(_DWORD))(**(_DWORD **)(node + 104) + 4))(*(_DWORD *)(node + 104)); } (*(void (__stdcall **)(int, signed int, int, int))(*(_DWORD *)node + 52))(node, 1006, v4, v6); if ( v4 ) (*(void (__stdcall **)(int))(*(_DWORD *)v4 + 8))(v4); (*(void (__cdecl **)(int))(*(_DWORD *)node + 224))(node); sub_1013C568(*(_DWORD *)(node + 32)); } return 1; } ``` 将a3赋给node+0x68偏移处,此时*(a3+48)+54已经是非法值了 ``` eax=00000000 ebx=00000000 ecx=03372b58 edx=688d078c esi=03166560 edi=03373360 eip=68855496 esp=002dd5b0 ebp=03373360 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206 rt3d!e3_NODE::SetObject+0x24: 68855496 7410 je rt3d!e3_NODE::SetObject+0x36 (688554a8) [br=0] 0:000> dd 03373360+54 033733b4 52520034 57b80100 00140337 00000000 ------此时已经是52520034 了 033733c4 00000000 00000000 86580000 00300337 033733d4 00000000 00000000 00000000 00000000 033733e4 00000000 00000000 00000000 00000000 033733f4 98580000 00000337 98f00000 00000337 03373404 bef40000 00240329 00000000 00030000 03373414 00000000 00000000 00000000 00000000 03373424 00000000 00000000 00000000 00000000 ``` 继续往上追 ``` asm in 3difr.x3d .text:10002DBD mov edi, [esp+8+arg_0] .text:10002DC1 mov esi, [esp+8+arg_4] .text:10002DC5 mov edx, [edi] .text:10002DC7 mov eax, [edx+0C8h] .text:10002DCD push esi ; esi 为某个对象首地址 .text:10002DCE push edi .text:10002DCF call eax //e3_NODE__SetObject 3difr!E3DLLFunc+0xb3f xt:1000415B push edx .text:1000415C push eax ////--- .text:1000415D push ebp .text:1000415E push esi .text:1000415F call sub_10002D00 .text:10004164 add esp, 10h bu 3difr!E3DLLFunc+0xb3f bu !3difr+415F bu !3difr+401F bu !3difr+2b91 ".if(1){db poi(poi(esp))}" ``` 流程太复杂 前面追踪的都不太记得了。。。 //猜测那个03373360 也是一个OBJ对象,因此直接在这里下断点 这里是obj分配内存然后初始化的地方。() bu !rt3d+158DF8 这里为什么会猜测这个03373360是以OBJ对象呢,看下面 Rt3d!dll ``` .text:101594DD sub_101594DD proc near ; DATA XREF: .rdata:101DFA20o .text:101594DD .text:101594DD arg_0 = dword ptr 4 .text:101594DD arg_4 = dword ptr 8 .text:101594DD .text:101594DD push esi .text:101594DE push edi .text:101594DF push 158h ; unsigned int .text:101594E4 call ??2@YAPAXI@Z ; operator new(uint) 分配一个OBJ对象 <DEBUG> eax=033784a8 ebx=033751c8 ecx=00000158 edx=03378608 esi=033751c8 edi=00000000 eip=688494e9 esp=002ddd40 ebp=002de0c8 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 rt3d!QUAT::QUAT+0xcb8d: 688494e9 85c0 test eax,eax 0:000> dd 033784a8+54 033784fc bf7fffff 00000000 00000000 00000000 刚申请时的内存里面填充了随机的数据 0337850c bf7fffff 00000000 3f7fffff 00000000 0337851c 00000000 13000013 0029590f 0337f570 0337852c 01fff998 00000001 00000003 00000000 0337853c 00000001 00000001 00000002 00000006 0337854c 00000004 00000001 00000000 00000002 0337855c 00000008 00000000 00000000 00000001 0337856c 00000002 00000009 00000001 00000001 </DEBUG> .text:101594E9 test eax, eax .text:101594EB mov edi, [esp+0Ch+arg_0] .text:101594EF pop ecx .text:101594F0 jz short loc_10159500 .text:101594F2 push dword ptr [edi+20h] .text:101594F5 mov ecx, eax .text:101594F7 call sub_10158DF8 .text:101594FC mov esi, eax .text:101594FE jmp short loc_10159502 .text:10159500 ; --------------------------------------------------------------------------- .text:10159500 .text:10159500 loc_10159500: ; CODE XREF: sub_101594DD+13j .text:10159500 xor esi, esi .text:10159502 .text:10159502 loc_10159502: ; CODE XREF: sub_101594DD+21j .text:10159502 push 0 .text:10159504 push [esp+0Ch+arg_4] .text:10159508 mov ecx, edi .text:1015950A push esi .text:1015950B call sub_10155AA3 从参数一对象中直接拷贝了0x54偏移的成员给予这个OBJ 因此此时需要追踪这个参数一对象什么时候初始化的+54偏移成员变量,而这个参数一 就是 03373360 ,因此猜测也是一个OBJ对象 .text:10159510 test eax, eax .text:10159512 jge short loc_10159528 .text:10159514 test esi, esi .text:10159516 jz short loc_10159526 .text:10159518 mov ecx, esi .text:1015951A call sub_10155E10 .text:1015951F push esi ; void * .text:10159520 call ??3@YAXPAX@Z ; operator delete(void *) .text:10159525 pop ecx .text:10159526 .text:10159526 loc_10159526: ; CODE XREF: sub_101594DD+39j .text:10159526 xor esi, esi .text:10159528 .text:10159528 loc_10159528: ; CODE XREF: sub_101594DD+35j .text:10159528 pop edi .text:10159529 mov eax, esi .text:1015952B pop esi .text:1015952C retn 8 .text:1015952C sub_101594DD endp ``` Rt3d!dll //这里进行OBJ对象的初始化 OBJ对象大小0x158 ``` int __thiscall sub_10158DF8(void *OBJ, int a2) { int Temp_OBJ; // esi@1 Temp_OBJ = (int)OBJ; e3_OBJECT__e3_OBJECT(OBJ); *(_DWORD *)Temp_OBJ = &off_101DF9BC; e3_GENERIC__Init(Temp_OBJ, 0x158u); if ( a2 ) sub_1014D0F6(Temp_OBJ, a2); *(_DWORD *)(Temp_OBJ + 0x50) = 7; *(_BYTE *)(Temp_OBJ + 0x58) = 0; *(_BYTE *)(Temp_OBJ + 0x59) = 1; return Temp_OBJ; } ``` 在分配OBJ对象之后 ,此时在这下访问断点ba w 1 03373360+0x54 ``` addchild Breakpoint 9 hit eax=52520034 ebx=00717498 ecx=00747a70 edx=007479f0 esi=00000024 edi=03373360 eip=69d9b785 esp=002dd4f8 ebp=01ff0708 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246 3difr!E3DLLFunc+0x94f5: 69d9b785 e86e460200 call 3difr!e3_SORTEDCOLLECTION::Create+0xc4 (69dbfdf8)//上一条指令修改了03373360+0x54 0:000> dd 03373360+54 033733b4 52520034 56000100 00140337 00000000 033733c4 00000000 00000000 69b00000 00300337 033733d4 00000000 00000000 00000000 00000000 033733e4 00000000 00000000 00000000 00000000 033733f4 a7a00000 00000337 a8380000 00000337 03373404 bef40000 00240329 00000000 00030000 03373414 00000000 00000000 00000000 00000000 03373424 00000000 00000000 00000000 00000000 .text:1000B759 mov ecx, [esp+78h+var_5C] .text:1000B75D push edi .text:1000B75E call sub_10008780 .text:1000B763 mov ebx, eax .text:1000B765 mov eax, [esp+78h+var_60] .text:1000B769 cmp dword ptr [eax+18h], 1 .text:1000B76D jnz short loc_1000B7B7 .text:1000B76F test ebx, ebx .text:1000B771 jz short loc_1000B799 .text:1000B773 cmp dword ptr [ebx], 1 .text:1000B776 jnz short loc_1000B799 .text:1000B778 mov ecx, [ebx+4] .text:1000B77B mov edx, [esp+78h+var_58] .text:1000B77F mov eax, [ecx] .text:1000B781 push edx ; void * .text:1000B782 mov [edi+54h], eax .text:1000B785 call ??_V@YAXPAX@Z ; operator delete[](void *)0:000> db ecx 00747a70 34 00 52 52 52 00 80 3f-b7 48 9c 4a 64 4d 00 88 4.RRR..?.H.JdM.. 00747a80 42 6f 78 30 31 52 58 00-a9 48 9c 4a 00 00 00 88 Box01RX..H.J.... 00747a90 42 6f 78 30 31 52 58 00-ab 48 9c 4a 00 00 00 8c Box01RX..H.J.... 00747aa0 90 64 16 03 00 00 00 00-ad 48 9c 4a 00 00 00 8c .d.......H.J.... 00747ab0 e0 c6 36 03 58 e8 29 03-af 48 9c 4a 00 00 00 8c ..6.X.)..H.J.... 00747ac0 00 00 00 00 ec 41 0e 02-a1 48 9c 4a 00 00 00 88 .....A...H.J.... 00747ad0 c0 63 16 03 f0 63 16 03-a3 48 9c 4a 64 4d 00 88 .c...c...H.JdM.. 00747ae0 70 00 72 00 63 00 00 00-a5 48 9c 4a 00 00 00 88 p.r.c....H.J.... ``` 这里突然想到了一个跟踪数据流的好办法 对于地址不固定的堆来说利用前面的虚拟机快照 直接对 00747a70 下访问断点ba w 1 00747a70 ba w 1 033684c8 第二次断下后 ``` Asm in 3difr .text:100045CE push edx ; Src .text:100045CF push eax ; Dst .text:100045D0 mov [esp+34h+var_4], 0FFFFFFFFh .text:100045D8 call memcpy edx指向 // 0337343a 52 52 52 52 52 01 00 00-00 a6 04 a8 96 b9 3f c5 RRRRR.........?. // 0337344a 43 b2 df 2a 31 b5 56 93-40 00 01 00 00 00 00 00 C..*1.V.@....... // 0337345a 00 05 00 52 52 52 52 52-01 00 00 00 01 00 2e 01 ...RRRRR........ // 0337346a 00 76 00 00 00 00 45 ff-ff ff 23 00 00 00 00 00 .v....E...#..... // 0337347a 00 00 09 00 43 43 43 43-42 6f 78 30 31 02 00 00 ....CCCCBox01... // 0337348a 00 00 00 00 00 01 00 00-00 00 00 00 00 06 00 42 ...............B // 0337349a 6f 02 00 00 00 00 16 ff-ff ff 30 00 00 00 00 00 o.........0..... // 033734aa 00 00 01 00 52 01 00 00-00 a6 04 a8 96 b9 3f c5 ....R.........?. ``` 拷贝长度是0x5 再继续 ``` 0:000> g Breakpoint 9 hit 0:000> r eax=00550034 ebx=0000001a ecx=00000056 edx=00000055 esi=00776940 edi=00747a68 eip=77262d75 esp=002dd41c ebp=002dd450 iopl=0 ov up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000a02 ntdll!RtlpLowFragHeapFree+0xa6: 77262d75 2b7df4 sub edi,dword ptr [ebp-0Ch] ss:0023:002dd444=007478a8 0:000> kb ChildEBP RetAddr Args to Child 002dd450 77262ce8 00747a70 00717570 00000000 ntdll!RtlpLowFragHeapFree+0xa6 //00747a70指向的内存被释放 002dd468 757cc3d4 007e0000 00000000 00747a70 ntdll!RtlFreeHeap+0x105 002dd47c 71664c39 007e0000 00000000 00747a70 kernel32!HeapFree+0x14 002dd4c8 69da181d 00747a70 00000000 002dde98 MSVCR80!free+0xcd WARNING: Stack unwind information not available. Following frames may be wrong. 002dd518 69d9372b 00000000 002dde98 00000002 3difr!E3DLLFunc+0xf58d 002dd530 69da039a 002dde90 176fc977 002dde90 3difr!E3DLLFunc+0x149b 002dd550 77262fe7 77262e82 00000020 176fc953 3difr!E3DLLFunc+0xe10a 002dd5d4 687219e8 03373360 0000017c 69d92f36 ntdll!RtlpLowFragHeapAllocFromContext+0xaec 00000000 00000000 00000000 00000000 00000000 rt3d!V4CUnloadRT+0x2b278 此时 0:000> dd 00747a70 00747a70 52520034 3f800052 4a9c48b7 88004d64 00747a80 30786f42 00585231 4a9c48a9 88000000 00747a90 30786f42 00585231 4a9c48ab 8c000000 00747aa0 03166490 00000000 4a9c48ad 8c000000 00747ab0 0336c6e0 0329e858 4a9c48af 8c000000 00747ac0 00000000 020e41ec 4a9c48a1 88000000 00747ad0 031663c0 031663f0 4a9c48a3 88004d64 00747ae0 00720070 00000063 4a9c48a5 88000000 ``` 内存释放掉之后 下面又重新申请了这个地方的内存00747a70 ``` 10009DEB or ecx, eax .text:10009DED push ecx ; unsigned int .text:10009DEE call j_??2@YAPAXI@Z ; operator new(uint) .text:10009DF3 add esp, 4 .text:10009DF6 test esi, esi .text:10009DF8 mov [ebp+4], eax //eax = 00747a70 .text:10009DFB jbe loc_10009E89 .text:10009E01 .text:10009E01 loc_10009E01: ; CODE XREF: sub_10009D00+183j .text:10009E01 push 1 .text:10009E03 push 4 .text:10009E05 mov ecx, edi .text:10009E07 call sub_10002A00 .text:10009E0C test eax, eax .text:10009E0E jz short loc_10009E7E .text:10009E10 mov eax, [eax] .text:10009E12 test eax, eax .text:10009E14 jbe short loc_10009E7E .text:10009E16 mov [esp+28h+var_10], eax .text:10009E1A lea ebx, [ebx+0] .text:10009E20 .text:10009E20 loc_10009E20: ; CODE XREF: sub_10009D00+178j .text:10009E20 mov ecx, edi .text:10009E22 call sub_10004520 .text:10009E27 mov esi, eax .text:10009E29 mov eax, [esi] .text:10009E2B test eax, eax .text:10009E2D jz short loc_10009E34 .text:10009E2F cmp byte ptr [eax], 0 .text:10009E32 jnz short loc_10009E38 .text:10009E34 .text:10009E34 loc_10009E34: ; CODE XREF: sub_10009D00+12Dj .text:10009E34 xor eax, eax .text:10009E36 jmp short loc_10009E45 .text:10009E38 ; --------------------------------------------------------------------------- .text:10009E38 .text:10009E38 loc_10009E38: ; CODE XREF: sub_10009D00+132j .text:10009E38 mov eax, [esi+4] .text:10009E3B push 0 ; float .text:10009E3D push eax ; wchar_t * .text:10009E3E mov ecx, edi .text:10009E40 call sub_100084B0 .text:10009E45 .text:10009E45 loc_10009E45: ; CODE XREF: sub_10009D00+136j .text:10009E45 mov ecx, [ebp+4] .text:10009E48 mov [ecx+ebx*4], eax .text:10009E4B mov eax, [esi] .text:10009E4D test eax, eax .text:10009E4F jz short loc_10009E5A .text:10009E51 push eax ; void * .text:10009E52 call ??_V@YAXPAX@Z ; operator delete[](void *) .text:10009E57 add esp, 4 .text:10009E5A .text:10009E5A loc_10009E5A: ; CODE XREF: sub_10009D00+14Fj .text:10009E5A mov eax, [esi+4] .text:10009E5D test eax, eax ``` ``` c in 3difi v10 = sub_10002A00(4, 1); if ( v10 ) { v11 = *(_DWORD *)v10; v10=03373493 if ( v11 ) //这里v11=0 直接跳过了初始化 导致后面使用了已经释放掉的内存 { v18 = v11; do { v14 = sub_10004520(v2); v13 = v14; v12 = *(_DWORD *)v14; if ( v12 && *(_BYTE *)v12 ) v15 = sub_100084B0(*(wchar_t **)(v13 + 4), 0.0); else v15 = 0; *(_DWORD *)(*(_DWORD *)(v5 + 4) + 4 * v1) = v15;// 这里初始化刚刚分配的内存 if ( *(_DWORD *)v13 ) operator delete__(*(void **)v13); if ( *(_DWORD *)(v13 + 4) ) operator delete__(*(void **)(v13 + 4)); operator delete((void *)v13); } while ( v18-- != 1 ); v7 = v17; } } ++v1; } while ( v1 < v7 ); ``` 从上面的分析可以知道,漏洞成因是对新分配的内存没有正确的初始化,导致重用了之前分配的内存空间,而刚好之前分配的内存空间的数据来自文件offset =0x10a 。而未初始化的变量刚好是某个对象的首地址,从而有机会导致任意代码执行。 这里分析为什么上面的初始化被绕过 对10002A00函数下断点 ``` Bu !3difr+2a00 eax=00747a70 ebx=00000000 ecx=002dde98 edx=00680048 esi=00000001 edi=002dde98 eip=69d92a00 esp=002dd4e8 ebp=00717498 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202 3difr!E3DLLFunc+0x770: 69d92a00 56 push esi 0:000> dd ecx+40 002dded8 00000133 00000000 ffffff14 0000017c //133是偏移 002ddee8 0000011c 00000000 00000001 031ea1b8 002ddef8 03299108 03298c28 03372378 033723a8 002ddf08 033723d8 03372408 03372438 0329be18 002ddf18 0329be58 00000000 00000000 031ea398 002ddf28 00000000 002de6e0 69dc0deb 00000000 002ddf38 6887e073 00000001 002de678 0336b970 002ddf48 03363920 00000001 002de678 0336b970 0:000> dd ecx+34 002ddecc 03373360 ffffff45 00000024 00000133 //03373360 指向文件中offset=30h 002ddedc 00000000 ffffff14 0000017c 0000011c 002ddeec 00000000 00000001 031ea1b8 03299108 002ddefc 03298c28 03372378 033723a8 033723d8 002ddf0c 03372408 03372438 0329be18 0329be58 002ddf1c 00000000 00000000 031ea398 00000000 002ddf2c 002de6e0 69dc0deb 00000000 6887e073 002ddf3c 00000001 002de678 0336b970 033639200:000> 0:000> db 03373360 03373360 09 00 43 43 43 43 42 6f-78 30 31 00 00 00 00 00 ..CCCCBox01..... 03373370 00 00 00 00 05 00 00 00-22 ff ff ff 5e 00 00 00 ........"...^... 03373380 00 00 00 00 09 00 43 43-43 43 42 6f 78 30 31 01 ......CCCCBox01. 03373390 00 00 00 00 00 00 00 81-3f 00 00 00 00 00 00 00 ........?....... 033733a0 00 00 00 00 00 00 00 00-00 00 00 81 3f 00 00 00 ............?... 033733b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 81 ................ 033733c0 3f 00 00 00 00 54 8a 55-c0 a2 02 7c c2 00 00 00 ?....T.U...|.... 033733d0 00 00 00 81 3f 07 00 42-6f 78 30 31 52 58 01 00 ....?..Box01RX.. 0:000> db 03373360 +133 03373493 00 00 00 00 06 00 42 6f-02 00 00 00 00 16 ff ff ......Bo........ 033734a3 ff 30 00 00 00 00 00 00-00 01 00 52 01 00 00 00 .0.........R.... 033734b3 a6 04 a8 96 b9 3f c5 43-b2 df 2a 31 b5 56 93 40 .....?.C..*1.V.@ 033734c3 00 01 00 00 00 00 00 00-01 00 52 01 00 00 00 01 ..........R..... 033734d3 00 2e 01 00 76 00 00 00-00 00 00 00 00 00 00 00 ....v........... 033734e3 00 00 00 00 00 ee 0d f6-58 2d 59 29 08 80 2e 35 ........X-Y)...5 033734f3 03 68 f0 2c 03 0c 00 00-00 c0 d0 e0 f0 98 66 b6 .h.,..........f. 03373503 49 00 00 00 80 1e 00 00-00 00 00 00 00 05 00 04 I............... ```  将shader_count改成1 发现漏洞就不触发了,上面那地方就可以正常初始化了。 010检测该漏洞 Shader_list_count!=0 Sls.shader_count=0 id SSV:72491 last seen 2017-11-19 modified 2014-07-01 published 2014-07-01 reporter Root source https://www.seebug.org/vuldb/ssvid-72491 title Adobe Reader U3D Memory Corruption Vulnerability
References
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00019.html
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00020.html
- http://www.adobe.com/support/security/advisories/apsa11-04.html
- http://www.adobe.com/support/security/bulletins/apsb11-30.html
- http://www.adobe.com/support/security/bulletins/apsb12-01.html
- http://www.redhat.com/support/errata/RHSA-2012-0011.html
- http://www.us-cert.gov/cas/techalerts/TA11-350A.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14562