SonicWall Security Center
Share: Linkedin Share Facebook Like
Back to SonicALERT


Adobe Reader and Acrobat Zero Day exploit (Dec 9, 2011)



Description


SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2011-2462) in Adobe Reader and Acrobat affecting Windows, Mac OS X, and Unix operating systems. This U3D memory corruption vulnerability (CVE-2011-2462) could lead to application crash, and may potentially allow the attacker to gain control of the victim machine. Adobe issued a security advisory on December 6, 2011 warning the users about this flaw.

SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability in the wild which is a specially crafted PDF file containing malicious encoded JavaScript and malicious U3D object. The exploit may arrive via e-mail or can be served via a malicious drive-by site.

A code snippet from decoded version of JavaScript that performs heap spray and drops a malicious executable file onto the target machine can be seen below:

screenshot

The malicious PDF file when opened performs the following activity on victim machine:

  • Encoded JavaScript uses heap spraying technique to crash the application and redirect to second document page as seen below.

    screenshot

    screenshot

  • It drops a backdoor Trojan on the target machine and runs it:
    • (USER)\Local Settings\pretty.exe --- Detected as GAV: Wisp.A_2 (Trojan)
  • Creates a registry entry to ensure that the backdoor Trojan runs on system reboot:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\office = "(USER)\Local Settings\pretty.exe"
  • The dropped backdoor Trojan will further attempt to connect to a remote server prettyli(REMOVED)com and sends following requests:

    • GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
    • GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122

SonicWALL UTM appliance provides protection against this threat via the following signatures:

  • GAV: CVE-2011-2462.A (Exploit)
  • IPS: Malformed PDF File 14b



Back to top

Back to SonicALERT

Follow: Follow us on Facebook Follow us on Twitter Join the Conversation
#SonicWall
© 2020 SonicWall | Privacy Policy | Conditions for use | Feedback | Live Demo | SonicALERT | Document Library | Report Issues
Version: 16.5 | S2MSW01