Adobe Acrobat Reader is one of the world's most popular tools for viewing and editing PDFs. Because it's so widely used, it's also a big target for hackers. In late 2023, a critical vulnerability—CVE-2023-44367—was discovered. This bug could let attackers run any code they want on your computer if you opened a specially crafted PDF. In this post, I'll break down what this vulnerability is, how it can be exploited, and show you real-world code snippets. I'll also share links to original sources for further reading.

What is CVE-2023-44367?

CVE-2023-44367 is a Use-After-Free vulnerability in Adobe Acrobat Reader. This means the program tries to use part of the computer memory after it's already been freed ("freed" means the memory is no longer supposed to be in use). Attackers can exploit this bug to trick the program into running their own code—usually by getting you to open a booby-trapped PDF file.

Code runs as the current Windows or Mac user

User interaction required: Yes (you need to open a malicious PDF)

How Does the Exploit Work?

This bug happens because Acrobat Reader forgets about some memory that was already freed, but still tries to use it. An attacker can carefully craft a PDF file that takes advantage of this mistake.

Walkthrough: Exploiting CVE-2023-44367

Below is a simplified proof-of-concept (PoC) just for educational purposes. Do not use this against others.

Crafting Malicious JavaScript in a PDF

Adobe Acrobat supports JavaScript actions. Attackers can abuse certain objects/methods, such as manipulating annotations.

// Vulnerable code flow (simplified!)
// This simulates creating and deleting objects quickly,
// hoping to trigger the use-after-free.
var annots = this.getAnnots({nPage: });
if (annots && annots.length > ) {
  this.removeAnnot(, annots[]);
  // Now, try to use the annotation that was already removed (freed)
  try {
    annots[].setProps({contents: "Trigger UAF"});
  } catch(e) {
    app.alert("Error: " + e);
  }
}

In a real exploit, the attacker would fill freed memory with their shellcode (using "heap spray" techniques), but that's much more complex and dangerous.

Delivering the Payload

The attacker combines the PDF JavaScript with binary data. This is typically done with tools like Metasploit's PDF exploit modules or custom scripts using PDF toolkit libraries.

Victim opens the PDF using a vulnerable version of Adobe Acrobat Reader.

- The embedded JavaScript triggers the bug, overwrites freed memory, and runs attacker's code (such as launching calc.exe, opening a backdoor, etc.).

The most recent versions patched this bug. Get the latest updates here:

https://get.adobe.com/reader/

Go to Edit > Preferences > JavaScript > Uncheck "Enable Acrobat JavaScript"

References & Further Reading

- Adobe Security Bulletin: APSB23-42
- CVE Details: CVE-2023-44367
- MITRE Entry: CVE-2023-44367
- Acrobat JavaScript API Reference
- Metasploit PDF Exploit Modules

Final Thoughts

CVE-2023-44367 is a great example of how serious a "simple" memory bug can be—let a stranger control your computer, just by opening a PDF. Always keep your software up to date, and never open files from untrusted sources. If you're interested in learning more about PDF exploits or vulnerability research, the links above are a great place to start.

Timeline

Published on: 11/16/2023 10:15:17 UTC
Last modified on: 11/22/2023 16:58:57 UTC