nessus | This script is Copyright (C) 2010-2013 Tenable Network Security, Inc. | ADOBE_READER_APSA10-05.NASL
History: Oct 28, 2010 - 12:00 a.m.

Adobe Reader 9 <= 9.4 (APSA10-05)

2010-10-28 00:00:00
This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.
www.tenable.com

EPSS

0.971

Percentile

99.8%

The remote Windows host contains Adobe Reader version 9.4 or earlier. Such versions are affected by an unspecified memory corruption vulnerability.

A remote attacker could exploit this issue by getting a user to open a maliciously crafted PDF containing SWF content, resulting in the execution of arbitrary code.

This vulnerability is reportedly being exploited in the wild.

#%NASL_MIN_LEVEL 999999

#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2010/11/17.  Use adobe_reader_apsb10-28.nasl (plugin ID 50614) instead.


include("compat.inc");


if (description)
{
  # Registration pass: the calls below only declare plugin metadata, and the
  # block ends with exit(0) so no host is touched while 'description' is set.

  # Plugin identity and revision tracking.
  script_id(50381);
  script_version("1.11");
  script_cvs_date("Date: 2018/08/09 17:06:37");

  # Public identifiers for the flaw, used to correlate this finding with
  # advisories and other scanners' results.
  script_cve_id("CVE-2010-3654");
  script_bugtraq_id(44504);

  # NOTE(review): the summary mentions only the version check, but the
  # detection code further down also tests for the presence of authplay.dll.
  script_name(english:"Adobe Reader 9 <= 9.4 (APSA10-05)");
  script_summary(english:"Checks version of Adobe Reader");

  script_set_attribute(attribute:"synopsis", value:"The version of Adobe Reader on the remote Windows host is affected by
a code execution vulnerability.");

  script_set_attribute(attribute:"description", value:"The remote Windows host contains Adobe Reader version 9.4 or earlier. 
Such versions are affected by an unspecified memory corruption
vulnerability. 

A remote attacker could exploit this issue by getting a user to open a
maliciously crafted PDF containing SWF content, resulting in the
execution of arbitrary code. 

This vulnerability is reportedly being exploited in the wild.");

  script_set_attribute(attribute:"see_also", value:"http://www.adobe.com/support/security/advisories/apsa10-05.html");

  # The solution text was written before a fixed build existed, so it offers
  # only the interim workaround. The file header names
  # adobe_reader_apsb10-28.nasl (plugin ID 50614) as the replacement check.
  script_set_attribute(attribute:"solution", value:"Upgrade to the latest version when it is released.  Adobe states it
will be released the week of November 15, 2010. 

In the meantime, deleting or renaming the version of 'authplay.dll'
that ships with Adobe Reader will result in a non-exploitable crash
when opening PDFs containing SWF content.");

  # Risk rating. The CVSS v2 vector reads: network attack vector, medium
  # access complexity, no authentication, complete impact on confidentiality,
  # integrity and availability.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");

  # Exploit-availability flags: public exploit code, including a Metasploit
  # module, is recorded as available. Treat affected hosts as high priority.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Adobe Flash Player "Button" Remote Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  # Timeline, check type and affected-product CPE.
  script_set_attribute(attribute:"vuln_publication_date", value:"2010/10/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/10/28");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:adobe:acrobat_reader");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  # Scheduling prerequisites: the listed plugins must have run, the Reader
  # version and registry-enumeration KB keys must exist, and the SMB ports
  # are declared as required.
  script_dependencies("adobe_reader_installed.nasl", "smb_hotfixes.nasl");
  script_require_keys("SMB/Acroread/Version", "SMB/Registry/Enumerated");
  script_require_ports(139, 445);

  exit(0);
}


# Deprecated: this unconditional exit ends the plugin before any detection
# logic runs, so every statement after it is unreachable and is kept for
# reference only. The exit message names the replacement plugin to use.
exit(0, "This plugin has been deprecated. Use adobe_reader_apsb10-28.nasl (plugin ID 50614) instead.");

include("global_settings.inc");
include("misc_func.inc");
include("smb_func.inc");


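# Pull the Adobe Reader install data from the knowledge base. The version
# and install path are mandatory (the *_or_exit variant stops the plugin when
# a key is missing); the display version is optional.
version = get_kb_item_or_exit('SMB/Acroread/Version');
path = get_kb_item_or_exit('SMB/Acroread/'+version+'/Path');
version_ui = get_kb_item('SMB/Acroread/'+version+'/Version_UI');

# Version_UI is read without the *_or_exit guard, so it may be absent. Fall
# back to the raw version so audit and report text never shows a blank version.
if (isnull(version_ui)) version_ui = version;

# Convert the dotted version string into integer components for comparison.
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

# This only affects Reader 9.x <= 9.4.
# A 9.4 build whose third component is non-zero is later than 9.4 and so lies
# outside the range stated in the plugin title; comparing only major.minor
# would report such a build as affected.
# NOTE(review): assumes the KB version has the form major.minor.patch[.build];
# confirm against adobe_reader_installed.nasl.
if (
  ver[0] != 9 ||
  ver[1] > 4 ||
  (ver[1] == 4 && ver[2] > 0)
)
  exit(0, 'Adobe Reader '+version_ui+' is installed and not affected.');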

# The version is in the affected range. Decide whether the documented
# workaround (deleting or renaming authplay.dll) is in place by trying to
# open the DLL over SMB with the scan credentials.
name    =  kb_smb_name();
port    =  kb_smb_transport();
if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");

# Scan credentials from the KB; in this block they are passed only to
# NetUseAdd().
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();

soc = open_sock_tcp(port);
if (!soc) exit(1, "Failed to open a socket on port "+port+".");

session_init(socket:soc, hostname:name);

# Split the install path "X:\dir" into the share "X$" and the share-relative
# path to the DLL, "\dir\authplay.dll".
# NOTE(review): if 'path' does not start with a drive letter, neither pattern
# matches; 'share' and 'dll_rel' are then presumably left equal to 'path' and
# the connection below fails. Confirm the ereg_replace() no-match behaviour.
share = ereg_replace(pattern:'^([A-Za-z]):.*', replace:"\1$", string:path);
dll_rel = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\authplay.dll", string:path);

connected = NetUseAdd(login:login, password:pass, domain:domain, share:share);
if (connected != 1)
{
  NetUseDel();
  exit(1, "Can't connect to "+share+" share.");
}

# Read-only open that never creates the file: this is a pure presence test.
handle = CreateFile(
  file:dll_rel,
  desired_access:GENERIC_READ,
  file_attributes:FILE_ATTRIBUTE_NORMAL,
  share_mode:FILE_SHARE_READ,
  create_disposition:OPEN_EXISTING
);

# NOTE(review): any failure to open the file, not only a missing file, is
# treated as "workaround applied". A permission or sharing error would then
# be reported as not affected. Confirm whether such errors should instead end
# the plugin with an audit failure.
dll_present = FALSE;
if (handle)
{
  CloseFile(handle:handle);
  dll_present = TRUE;
}

NetUseDel();

if (!dll_present)
  exit(0, 'Adobe Reader '+version_ui+' is installed, but authplay.dll has been deleted or renamed so the host is not affected.');

# The DLL is still in place, so report the host as vulnerable. The detailed
# report is attached only when verbosity is enabled.
if (report_verbosity > 0)
{
  report =
    '\n  Path              : '+path+
    '\n  Installed version : '+version_ui+
    '\n  Comment           : '+path+"\authplay.dll"+' has not been deleted or renamed.\n';
  security_hole(port:port, extra:report);
}
else security_hole(port);