CVE-2009-0927 : PDF Exploit targets Aviation Defense Industry

PDF exploits

Security Researcher have come across a Spam email that leads to a malware page which delivers the PDF exploit(CVE-2009-0927).    The campaign seems to be targeting the aviation defense Industry.

About CVE-2009-0927:
A stack-based buffer overflow vulnerability in the Adobe Reader and Adobe Acrobat before 9.1, 8 before 8.1.3 , and 7 before 7.1.1 allows remote attackers to execute arbitrary code via a crafted argument to the getIcon method of a Collab object "Collab.getIcon()".
If the recipient open the malicious PDF file, it opens a fake document and displays an invitation to an actual defense industry event. In the background, it exploits the PDF vulnerability.

If the victim's machine has the vulnerable version , then shellcode inside the pdf will start to execute.  The shellcode creates a file and run "evtmgr.exe in the Temp folder .

The exe file drops another dll file called mssrt726.dll which performs network communication and opens the backdoor at TCP port 49163.



Category: / /

Share this with Your friends: