Adobe Reader and Acrobat Zero Day exploit

December 14, 2011

The SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2011-2462) in Adobe Reader and Acrobat affecting Windows, Mac OS X, and Unix operating systems. This U3D memory corruption vulnerability could lead to an application crash and may allow an attacker to gain control of the victim machine. Adobe issued a security advisory on December 6, 2011 warning users about this flaw.

The SonicWALL UTM Research team obtained a zero-day exploit for this vulnerability that is being used in the wild. It is a specially crafted PDF file containing malicious encoded JavaScript and a malicious U3D object. The exploit may arrive via e-mail or be served by a malicious drive-by site.

A code snippet from the decoded version of the JavaScript, which performs a heap spray and drops a malicious executable file onto the target machine, can be seen below:


When opened, the malicious PDF file performs the following activity on the victim machine:

  • The encoded JavaScript uses a heap spraying technique to crash the application and redirect to the second page of the document, as seen below.



  • It drops a backdoor Trojan on the target machine and runs it:
    • (USER)\Local Settings\pretty.exe --- Detected as GAV: Wisp.A_2 (Trojan)
  • Creates a registry entry to ensure that the backdoor Trojan runs on system reboot:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\office = "(USER)\Local Settings\pretty.exe"
  • The dropped backdoor Trojan then attempts to connect to the remote server prettyli(REMOVED)com and sends the following requests:
    • GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
    • GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
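
The two requests above share a recognisable shape, so web proxy logs can be searched for hosts that have already beaconed. The following is an added example, not SonicWALL's code: it assumes log lines of the form `<client_ip> <METHOD> <url>`, uses `c2.example.invalid` as a placeholder for the redacted server name, and generalises the trailing `pretty20111122` tag to any tag without a hyphen.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Paths from the two beacon requests. The sample mixes upper and lower case,
# so paths and parameter names are compared case-insensitively.
BEACON_PATHS = {"/asp/kys_allow_get.asp", "/asp/kys_allow_put.asp"}
# hostname=<HOSTNAME>-<IPADDRESS>-<tag>; the tag shown on the page is pretty20111122.
# Accepting any hyphen-free tag is an assumption made for this example.
HOSTNAME_RE = re.compile(
    r"^(?P<host>.+)-(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-(?P<tag>[^-]+)$")

def match_beacon(url):
    """Return host, ip, tag and direction if url has the beacon shape, else None."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if path not in BEACON_PATHS:
        return None
    params = {k.lower(): v for k, v in parse_qsl(parts.query, keep_blank_values=True)}
    m = HOSTNAME_RE.match(params.get("hostname", ""))
    if params.get("s") != "https" or m is None:
        return None
    hit = m.groupdict()
    hit["direction"] = "put" if path.endswith("put.asp") else "get"
    return hit

def scan(lines):
    """Scan proxy log lines of the assumed form '<client_ip> <METHOD> <url>'."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3 or fields[1] != "GET":
            continue
        hit = match_beacon(fields[2])
        if hit:
            hits.append((fields[0], hit))
    return hits

# Constructed sample log lines (not captured traffic); host names are placeholders.
SAMPLE = [
    "10.0.0.5 GET http://c2.example.invalid/asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=WS-FIN-07-10.0.0.5-pretty20111122",
    "10.0.0.5 GET http://c2.example.invalid/ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=WS-FIN-07-10.0.0.5-pretty20111122",
    "10.0.0.9 GET http://intranet.example.invalid/asp/report.asp?hostname=WS-HR-02",
    "10.0.0.9 GET http://c2.example.invalid/asp/kys_allow_get.asp?s=https&name=getkys.kys",
]

if __name__ == "__main__":
    for client, hit in scan(SAMPLE):
        print(client, hit)
```

Because the beacon embeds the victim's own host name and IP address, each hit identifies the infected machine even when the proxy only sees a NAT or gateway address as the client.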

The SonicWALL UTM appliance provides protection against this threat via the following signatures:

  • GAV: CVE-2011-2462.A (Exploit)
  • IPS: Malformed PDF File 14b