Adobe Reader Mobile app Javascript code execution

April 25, 2014

Portable Document Format (PDF) is a file format used to present documents in a manner independent of application software, hardware, and operating systems. Adobe Acrobat is a family of application software and web services developed by Adobe Systems to view, create, manipulate, print and manage files in Portable Document Format (PDF). The free Adobe Reader Mobile app is the mobile version of Adobe Reader, that let you view and work with PDF files on your Android and iOS devices, including iPad, iPhone, and iPod touch.

PDF file encapsulates a complete description of a fixed-layout flat document, including the text, fonts, graphics, and other information needed to display it. JavaScript was introduced to PDF file to improve the features of displaying various types of contents. A PDF file containing JavsScript has the following format:


 stream __adobereader.getClass(); endstream 

Adobe Reader Mobile makes use of the WebView API to provide support for JavaScript. There are multiple Java objects and their respective public methods exposed by Adobe Reader Mobile for use in JavaScript, for example:

  • _adobereader
  • _app
  • _doc
  • _field

There is a code execution vulnerability in Adobe Reader Mobile for Android. An attacker can exploit this vulnerability to execute arbitrary Java code in the security context of the affected application. This is because the Adobe Reader Mobile application before 11.2 for Android does not properly restrict use of JavaScript.

Attackers use various compression techniques to avoid detection

Dell SonicWALL protects against this threat with the following signatures:

  • IPS 3762 : Adobe Reader Mobile JavaScript Interface Java Code Execution 1
  • IPS 3765 : Adobe Reader Mobile JavaScript Interface Java Code Execution 2

This vulnerability is identified by CVE as CVE-2014-0514.