Adobe Reader and Acrobat Zero Day exploit (Dec 9, 2011)

SonicWALL UTM Research team found reports of a new zero-day vulnerability (CVE-2011-2462) in Adobe Reader and Acrobat affecting Windows, Mac OS X, and Unix operating systems. This U3D memory corruption vulnerability (CVE-2011-2462) could lead to application crash, and may potentially allow the attacker to gain control of the victim machine. Adobe issued a security advisory on December 6, 2011 warning the users about this flaw.

SonicWALL UTM Research team got hold of a zero-day exploit for this vulnerability in the wild which is a specially crafted PDF file containing malicious encoded JavaScript and malicious U3D object. The exploit may arrive via e-mail or can be served via a malicious drive-by site.

A code snippet from decoded version of JavaScript that performs heap spray and drops a malicious executable file onto the target machine can be seen below:

The malicious PDF file when opened performs the following activity on victim machine:

• Encoded JavaScript uses heap spraying technique to crash the application and redirect to second document page as seen below.

  

  

• It drops a backdoor Trojan on the target machine and runs it:
  • (USER)Local Settingspretty.exe --- Detected as GAV: Wisp.A_2 (Trojan)
• Creates a registry entry to ensure that the backdoor Trojan runs on system reboot:
  • HKCUSoftwareMicrosoftWindowsCurrentVersionRunoffice = "(USER)Local Settingspretty.exe"
• The dropped backdoor Trojan will further attempt to connect to a remote server prettyli(REMOVED)com and sends following requests:
  • GET /asp/kys_allow_get.asp?s=https&name=getkys.kys&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122
  • GET /ASP/KYS_ALLOW_PUT.ASP?s=https&TYPE=ptpretty.tmp&hostname=(HOSTNAME)-(IPADDRESS)-pretty20111122

SonicWALL UTM appliance provides protection against this threat via the following signatures:

• GAV: CVE-2011-2462.A (Exploit)
• IPS: Malformed PDF File 14b