CVE-2010-2883 (PDF Cooltype) Exploit Artifacts

Sunday, January 2, 2011 Posted by Corey Harrell
Artifact Name

Exploit Artifacts for CVE-2010-2883 (PDF Cooltype) Vulnerability

Attack Vector Category

Exploit

Description

Vulnerability present in the Cooltype.dll affects Adobe Reader and Acrobat versions 9.x before 9.4 and 8.x before 8.2.5 on Windows and Mac OS X systems. Exploitation allows remote attackers to execute arbitrary code or cause a denial of service.

Attack Description

This description was obtained using the Mitre and ISS X-Force Database references.

1. Create a PDF document with a “long field in a Smart Independent Glyphlets (SING) table in a TTF font".

2. Open the PDF document on the target system.

Exploits Tested

Metasploit v3.5 windows\fileformat\adobe_cooltype_sing

Target System Information

* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (No PDF files were opened on system prior to test)

* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using non-administrative user account (No PDF files were opened on system prior to test)

* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (Non-malicious PDF file was opened on system prior to test)

Different Artifacts based on Administrator Rights

Yes, MFT entry for "Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" was modified when user account had administrative privileges.

Different Artifacts based on Tested Software Versions

Not tested

Potential Artifacts

The potential artifacts include the CVE 2010-2883 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:

    * PDF Document Creation

    * References of the PDF Document Being Accessed

    * Indications of the Vulnerable Application Executing

note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.

    * PDF Document Creation

note: the location of the PDF document will vary depending on the delivery mechanism involved

         - PDF document being created on the system in the timeframe of interest. [C:\msf-cooltype.pdf which VirusTotal confirmed as being the exploit]

    * References of the PDF Document Being Accessed

note: the artifacts may vary depending on the method used to access the document. For example, Windows Explorer will leave different artifacts as compared to a web browser involved in a drive-by download. The testing involved opening the document using Windows Explorer.

         - Web browser history with entries containing the PDF document. Entries may involve HTTP or file. [Internet Explorer entry file:///C:\msf-cooltype.pdf]

         - Link files of the PDF document being opened. [C:\Documents and Settings\Administrator\Recent\msf-cooltype.pdf.lnk]

        -User registry keys with values containing the PDF document. [HKCU-\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf. This key had the name of the PDF in the MRU]

    * Indications of the Vulnerable Application Executing

         - Prefetch files of the vulnerable application executing. [C:\WINDOWS\Prefetch\ACRORD32.EXE-3A1F13AE.pf and C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-242CE4AA.pf]

         - Registry modifications involving the vulnerable application. [modifications made to subkeys under HKCU-\Software\Adobe\Acrobat Reader\9.0\]

         - Folder activity involving the vulnerable application. [C:\Program Files\Adobe\Reader 9.0, C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0, or C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0]

         - Temp files being created. [C:\Documents and Settings\Administrator\Local Settings\Temp\A9R9E95.tmp. The file signature indicated it was a PDF.]

Timeline View of Potential Artifacts

The images below shows the above artifacts in a timeline of the file system from the Windows XP SP3 system that had a non-malicious PDF file opened on the system prior to test. The timeline includes the relevant registry and Internet explorer history entires.











References

Vulnerability Information

     Mitre’s CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883

Other Information

     Metasploit Blog Post http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html

     Mila's Contagio Malware Dump David Leadbetter Post

     ISS X-Force Database http://xforce.iss.net/xforce/xfdb/61635

Post a Comment