Categories: CVE/vulnerability

Adobe Acrobat Reader DC Affected with Critical Remote Code Execution Vulnerability – Its Time to Update

A Critical Remote Code Execution vulnerability discovered in Adobe Acrobat Reader DC that will perform a stack-based buffer overflow and execute the orbitary code when users opening the vulnerable Adobe document.

This Critical RCE vulnerability affected the version of Adobe Acrobat Reader DC 2018.009.20044 and Below.

Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs.

In this case, an attacker will send the specific crafted malicious document via email or, tricking a user into visiting a malicious web page and make user execute the malicious document and trigger this vulnerability.

Also Read:  Hackers Illegally Purchasing Abused Code-signing & SSL Certificates From Underground Market

Remote Code Execution Working Flow

Adobe Acrobat Reader DC application supports the embedded javascript within the Adobe document and allows it to work as PDF form.

This could be easily abused by an attacker using the vulnerability and using it for an additional attack surface.

According to Aleksandar Nikolic of Cisco Talos, When parsing a PDF file with overly large Document ID field specified in the trailer, it is parsed correctly initially, but when it’s referenced in javascript, a stack-based buffer overflow can occur when encoding the bytes to a hex string.

A sample document ID:

trailer <<
  /Root 1 0 R
  /ID   <AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA><a>
>>

In this case, Cisco Providing a simple javascript to trigger this critical Remote code execution vulnerability.

41 0 obj <<
>>
stream
    this.docID;
endstream
endobj

“the specified part of document ID field is hex-decoded into a sequence of bytes. When a this.docID is dereferenced in javascript, this byte sequence is encoded back into an ascii hex string again function at EScript+0x9e7c0

This vulnerability has been reported to Adobe and patch has been made and released an update on 2018 -02-13 with  CVE-2018-4901.

Balaji

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Recent Posts

Top Ransomware Groups Target Financial Sector, 406 Incidents Revealed

Flashpoint analysts have reported that between April 2024 and April 2025, the financial sector emerged…

9 hours ago

Agenda Ransomware Group Enhances Tactics with SmokeLoader and NETXLOADER

The Agenda ransomware group, also known as Qilin, has been reported to intensify its attacks…

9 hours ago

SpyCloud Analysis Reveals 94% of Fortune 50 Companies Have Employee Data Exposed in Phishing Attacks

SpyCloud, the leading identity threat protection company, today released an analysis of nearly 6 million…

10 hours ago

PoC Tool Released to Detect Servers Affected by Critical Apache Parquet Vulnerability

F5 Labs has released a new proof-of-concept (PoC) tool designed to help organizations detect servers…

11 hours ago

Healthcare Sector Becomes a Major Target for Cyber Attacks in 2025

The healthcare sector has emerged as a prime target for cyber attackers, driven by the…

11 hours ago

SysAid ITSM Vulnerabilities Enables Pre-Auth Remote Command Execution

Security researchers have disclosed a chain of critical vulnerabilities affecting SysAid ITSM’s On-Premise solution, enabling…

12 hours ago