SAINT Corporation
SAINT:A349338637A1691CF3A26B6961567E5F
Dec 21, 2011 - 12:00 a.m.

Adobe Reader U3D Heap Overflow

2011-12-21 00:00:00
SAINT Corporation
download.saintcorporation.com

CVSS2: 10 High
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.969 High
Percentile: 99.7%

Added: 12/21/2011
CVE: CVE-2011-2462
BID: 50922
OSVDB: 77529

Background

Adobe Reader is free software for viewing PDF documents.

Problem

A heap memory corruption vulnerability exists in Adobe Acrobat Reader. The vulnerability is due to an input validation error while parsing Universal 3D (U3D) files. This vulnerability is unrelated to CVE-2009-2997.

Resolution

Apply one of the security patches referenced in Adobe Security Bulletin APSA11-04.

References

<http://blogs.adobe.com/asset/2011/12/background-on-cve-2011-2462.html>

Limitations

This exploit has been tested against Adobe Systems Reader 9.4.6 on Windows XP SP3 English (DEP OptIn). While our testing suggests that reliable exploitation is likely, due to the volatile nature of heap locations, this exploit may not be 100% reliable and may occasionally cause Reader to crash without executing the payload.

Platforms

Windows
