CVE-2010-2883 (PDF Cooltype) Exploit Artifacts
Sunday, January 2, 2011
Artifact Name
Exploit Artifacts for CVE-2010-2883 (PDF Cooltype) Vulnerability
Attack Vector Category
Exploit
Description
Vulnerability present in the Cooltype.dll affects Adobe Reader and Acrobat versions 9.x before 9.4 and 8.x before 8.2.5 on Windows and Mac OS X systems. Exploitation allows remote attackers to execute arbitrary code or cause a denial of service.
Attack Description
This description was obtained using the Mitre and ISS X-Force Database references.
1. Create a PDF document with a “long field in a Smart Independent Glyphlets (SING) table in a TTF font".
2. Open the PDF document on the target system.
Exploits Tested
Metasploit v3.5 windows\fileformat\adobe_cooltype_sing
Target System Information
* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (No PDF files were opened on system prior to test)
* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using non-administrative user account (No PDF files were opened on system prior to test)
* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (Non-malicious PDF file was opened on system prior to test)
Different Artifacts based on Administrator Rights
Yes, MFT entry for "Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" was modified when user account had administrative privileges.
Different Artifacts based on Tested Software Versions
Not tested
Potential Artifacts
The potential artifacts include the CVE 2010-2883 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:
* PDF Document Creation
* References of the PDF Document Being Accessed
* Indications of the Vulnerable Application Executing
note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.
* PDF Document Creation
note: the location of the PDF document will vary depending on the delivery mechanism involved
- PDF document being created on the system in the timeframe of interest. [C:\msf-cooltype.pdf which VirusTotal confirmed as being the exploit]
* References of the PDF Document Being Accessed
note: the artifacts may vary depending on the method used to access the document. For example, Windows Explorer will leave different artifacts as compared to a web browser involved in a drive-by download. The testing involved opening the document using Windows Explorer.
- Web browser history with entries containing the PDF document. Entries may involve HTTP or file. [Internet Explorer entry file:///C:\msf-cooltype.pdf]
- Link files of the PDF document being opened. [C:\Documents and Settings\Administrator\Recent\msf-cooltype.pdf.lnk]
-User registry keys with values containing the PDF document. [HKCU-\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf. This key had the name of the PDF in the MRU]
* Indications of the Vulnerable Application Executing
- Prefetch files of the vulnerable application executing. [C:\WINDOWS\Prefetch\ACRORD32.EXE-3A1F13AE.pf and C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-242CE4AA.pf]
- Registry modifications involving the vulnerable application. [modifications made to subkeys under HKCU-\Software\Adobe\Acrobat Reader\9.0\]
- Folder activity involving the vulnerable application. [C:\Program Files\Adobe\Reader 9.0, C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0, or C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0]
- Temp files being created. [C:\Documents and Settings\Administrator\Local Settings\Temp\A9R9E95.tmp. The file signature indicated it was a PDF.]
Timeline View of Potential Artifacts
The images below shows the above artifacts in a timeline of the file system from the Windows XP SP3 system that had a non-malicious PDF file opened on the system prior to test. The timeline includes the relevant registry and Internet explorer history entires.
References
Vulnerability Information
Mitre’s CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883
Other Information
Metasploit Blog Post http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Mila's Contagio Malware Dump David Leadbetter Post
ISS X-Force Database http://xforce.iss.net/xforce/xfdb/61635
Exploit Artifacts for CVE-2010-2883 (PDF Cooltype) Vulnerability
Attack Vector Category
Exploit
Description
Vulnerability present in the Cooltype.dll affects Adobe Reader and Acrobat versions 9.x before 9.4 and 8.x before 8.2.5 on Windows and Mac OS X systems. Exploitation allows remote attackers to execute arbitrary code or cause a denial of service.
Attack Description
This description was obtained using the Mitre and ISS X-Force Database references.
1. Create a PDF document with a “long field in a Smart Independent Glyphlets (SING) table in a TTF font".
2. Open the PDF document on the target system.
Exploits Tested
Metasploit v3.5 windows\fileformat\adobe_cooltype_sing
Target System Information
* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (No PDF files were opened on system prior to test)
* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using non-administrative user account (No PDF files were opened on system prior to test)
* Windows XP SP3 Virtual Machine with Adobe Reader v9.3 using administrative user account (Non-malicious PDF file was opened on system prior to test)
Different Artifacts based on Administrator Rights
Yes, MFT entry for "Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe" was modified when user account had administrative privileges.
Different Artifacts based on Tested Software Versions
Not tested
Potential Artifacts
The potential artifacts include the CVE 2010-2883 exploit and the changes the exploit causes in the operating system environment. The artifacts can be grouped under the following three areas:
* PDF Document Creation
* References of the PDF Document Being Accessed
* Indications of the Vulnerable Application Executing
note: the documenting of the potential artifacts attempted to identify the overall artifacts associated with the vulnerability being exploited as opposed to the specific artifacts unique to the Metasploit. As a result, the actual artifact storage locations and filenames are inside of brackets in order to distinguish what may be unique to the testing environment.
* PDF Document Creation
note: the location of the PDF document will vary depending on the delivery mechanism involved
- PDF document being created on the system in the timeframe of interest. [C:\msf-cooltype.pdf which VirusTotal confirmed as being the exploit]
* References of the PDF Document Being Accessed
note: the artifacts may vary depending on the method used to access the document. For example, Windows Explorer will leave different artifacts as compared to a web browser involved in a drive-by download. The testing involved opening the document using Windows Explorer.
- Web browser history with entries containing the PDF document. Entries may involve HTTP or file. [Internet Explorer entry file:///C:\msf-cooltype.pdf]
- Link files of the PDF document being opened. [C:\Documents and Settings\Administrator\Recent\msf-cooltype.pdf.lnk]
-User registry keys with values containing the PDF document. [HKCU-\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs\.pdf. This key had the name of the PDF in the MRU]
* Indications of the Vulnerable Application Executing
- Prefetch files of the vulnerable application executing. [C:\WINDOWS\Prefetch\ACRORD32.EXE-3A1F13AE.pf and C:\WINDOWS\Prefetch\ACRORD32INFO.EXE-242CE4AA.pf]
- Registry modifications involving the vulnerable application. [modifications made to subkeys under HKCU-\Software\Adobe\Acrobat Reader\9.0\]
- Folder activity involving the vulnerable application. [C:\Program Files\Adobe\Reader 9.0, C:\Documents and Settings\Administrator\Application Data\Adobe\Acrobat\9.0, or C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Acrobat\9.0]
- Temp files being created. [C:\Documents and Settings\Administrator\Local Settings\Temp\A9R9E95.tmp. The file signature indicated it was a PDF.]
Timeline View of Potential Artifacts
The images below shows the above artifacts in a timeline of the file system from the Windows XP SP3 system that had a non-malicious PDF file opened on the system prior to test. The timeline includes the relevant registry and Internet explorer history entires.
References
Vulnerability Information
Mitre’s CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2883
Other Information
Metasploit Blog Post http://blog.metasploit.com/2010/09/return-of-unpublished-adobe.html
Mila's Contagio Malware Dump David Leadbetter Post
ISS X-Force Database http://xforce.iss.net/xforce/xfdb/61635
Labels:
adobe,
attack vectors,
exploits
Posts
