Certain Javascript APIs in Adobe Acrobat Pro can only be executed in a privileged context. By adding specially crafted Javascript code to a PDF file it's possible to bypass security restrictions and invoke privileged Javascript APIs, allowing for arbitrary code execution. This exploit takes advantage of the AFParseDate() trusted function, which can call eval() with attacker-controlled input, in order to bypass the security restrictions and ultimately call Collab.uriPutData() to write arbitrary files into the victim's filesystem. The exploit will try to gain code execution on the victim's machine by potentially dropping two files: A DLL named updaternotifications.dll will be written into the same folder where the crafted PDF file is located in the victim's machine. This DLL will be automatically loaded by Adobe Acrobat Pro a few seconds after the crafted PDF file has been opened, as long as the Updater settings of Adobe Acrobat Pro is set to any option different than "Do not download or install updates automatically". An EXE file will be written into the %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup folder, if possible. This executable containing the agent code will be automatically executed upon next user logon into the vulnerable machine. In order for this EXE file to be dropped, the PDF file needs to infer the location of the %USERPROFILE% folder (typically something like C:\Users\JohnDoe) by inspecting the current path of the PDF file. This means that the EXE file will be dropped only if the PDF file is loaded from a path under the %USERPROFILE% folder in the victim's machine, such as the Desktop, the "My Documents" folder, or the "Downloads" folder.
CVE Link
Exploit Platform
Exploit Type
Product Name