
CVE-2020-9715: Adobe Acrobat and Reader Use-After-Free

The vulnerability resides within the EScript.api module, specifically in how Adobe Reader handles embedded JavaScript via its internal ESObject cache.

The core of the issue is a discrepancy in how the application handles string encoding when managing the data ESObject cache.

  1. Cache Insertion: When a data ESObject is constructed, the cache key is created using the original encoding (either ANSI or Unicode) found in the PDF document.
  2. Cache Eviction (The Bug): During the deletion phase, the system attempts to locate the object for removal. However, it exclusively uses Unicode-encoded strings for this search.
  3. The Gap: If the object was originally cached using an ANSI key, the Unicode search fails to find a match. Consequently, the cache entry is never purged.
  4. The Result: While the underlying object is freed from memory (due to JavaScript reference nullification), the pointer remains active in the cache. This creates a classic Use-After-Free (UAF) condition.
  • Vulnerability Type: Use-After-Free (CWE-416)
  • CVSS v3.1: 7.8 (High)
  • Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
  • Impact: Complete compromise of the renderer process.
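The following is an added toy model of the key-encoding mismatch described in steps 1 to 4; it is illustrative code written for this page, not Adobe's code. Class and method names are assumptions, "cp1252" and "utf-16-le" stand in for the ANSI and Unicode forms, and "freeing" is reduced to a cache entry outliving the removal that should have evicted it. The hardened variant shows the usual fix for this bug class: canonicalise the key on every path so insert, remove and lookup can never disagree.

```python
# Added illustration of the key-encoding mismatch behind CVE-2020-9715.
# Toy model written for this page (not Adobe's code): names are assumptions.
from typing import Dict, Optional

ANSI = "cp1252"        # stand-in for the document's ANSI code page
UNICODE = "utf-16-le"  # stand-in for the Unicode string form


class MismatchedKeyCache:
    """Vulnerable pattern: keys are built with whichever encoding the
    document supplied on insert, but eviction only ever tries Unicode."""

    def __init__(self) -> None:
        self._entries: Dict[bytes, object] = {}

    def insert(self, name: str, encoding: str, obj: object) -> None:
        self._entries[name.encode(encoding)] = obj

    def remove(self, name: str) -> bool:
        # Bug: the lookup key is always the Unicode form, so an entry
        # inserted under an ANSI key is never found and never purged.
        return self._entries.pop(name.encode(UNICODE), None) is not None

    def lookup(self, name: str, encoding: str) -> Optional[object]:
        return self._entries.get(name.encode(encoding))


class CanonicalKeyCache(MismatchedKeyCache):
    """Hardened pattern: every path canonicalises the key to one encoding,
    so insert, remove and lookup cannot disagree."""

    @staticmethod
    def _key(name: str) -> bytes:
        return name.encode(UNICODE)

    def insert(self, name: str, encoding: str, obj: object) -> None:
        self._entries[self._key(name)] = obj

    def remove(self, name: str) -> bool:
        return self._entries.pop(self._key(name), None) is not None

    def lookup(self, name: str, encoding: str) -> Optional[object]:
        return self._entries.get(self._key(name))


def simulate(cache_cls, encoding: str) -> Dict[str, bool]:
    """Insert a data object whose name arrived in `encoding`, drop it the
    way reference nullification would, and report whether a stale entry
    survives in the cache afterwards."""
    cache = cache_cls()
    cache.insert("attachment", encoding, object())
    evicted = cache.remove("attachment")
    stale = cache.lookup("attachment", encoding) is not None
    return {"evicted": evicted, "stale_entry_remains": stale}


if __name__ == "__main__":
    for cls in (MismatchedKeyCache, CanonicalKeyCache):
        for enc in (UNICODE, ANSI):
            print(cls.__name__, enc, simulate(cls, enc))
```

With the vulnerable cache, a Unicode-named object is evicted cleanly while an ANSI-named one leaves a stale entry behind; with the canonical-key cache both encodings behave identically.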

The exploitation of CVE-2020-9715 is achieved through a precise sequence of JavaScript operations embedded within a malicious PDF.

  1. Trigger Allocation: The exploit calls a method to create a Data ESObject with an ANSI-encoded name, forcing Adobe Reader to store a pointer in the EScript.api cache.
  2. Reference Nullification: The JavaScript reference to the object is set to null (e.g., this.dataObjects[0] = null), marking the object for deletion.
  3. Garbage Collection (GC) Trigger: The attacker uses a timeout function (app.setTimeOut) to wait for the JavaScript engine’s Garbage Collector to reclaim the memory of the nullified object.
  4. Stale Pointer Access: The exploit calls toString() or another method on the original object. Because the cache eviction failed (due to the ANSI/Unicode mismatch), the system finds the stale pointer in the cache and attempts to use it.
  5. RCE Achievement: By grooming the heap, the attacker replaces the freed memory area with controlled shellcode, leading to arbitrary code execution.
function triggerUAF() {
// Accesses the stale pointer in the object cache
this.dataObjects[0].toString();
}
function poc() {
// 1. Allocate Data ESObject
this.dataObjects[0].toString();
// 2. Nullify reference
this.dataObjects[0] = null;
// 3. Trigger UAF after GC occurs
app.setTimeOut("triggerUAF()", 1000);
}
poc();

When analyzing a system suspected of being compromised via CVE-2020-9715, analysts should look for the following traces.

  • Abnormal Process Lineage: Look for Acrobat.exe or AcroRd32.exe spawning unexpected child processes such as cmd.exe, powershell.exe, wscript.exe, or mshta.exe.
  • Process Crashes: Frequent crashes of the Adobe Reader renderer process on the same machine may indicate unsuccessful exploitation attempts (heap corruption).
  • Heap Inspection: Scanning the heap of the reader process for common shellcode patterns (e.g., NOP sleds, 0xCC breakpoints) if a memory dump is available.
  • Malicious PDF Analysis: Inspection of PDF files for the use of dataObjects collections and app.setTimeOut calls within embedded JavaScript.
  • Prefetch/Shimcache: Verify the execution of Acrobat.exe and check for concurrent execution of shells immediately following the opening of a PDF.
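As an added triage helper for the "Malicious PDF Analysis" item, the script below (example code written for this page, not a tool from the original post) pulls the JavaScript carriers out of a PDF, inline /JS (...) literals and stream bodies, inflating /FlateDecode streams, and counts the two indicators named above. The three sample PDFs are constructed inline. It is a rough scanner for the common layouts, not a full PDF parser: stream dictionaries with nested << >> and filters other than Flate are not handled, which a dedicated tool such as pdf-parser covers.

```python
# Added PDF triage example for this page; not code from the original post.
# Sample PDFs below are constructed for the demonstration.
import re
import zlib
from typing import Dict, List

INDICATORS = (b"dataObjects", b"app.setTimeOut")

# Stream objects whose dictionary has no nested << >> (covers the usual
# /JS stream case; a real parser such as pdf-parser handles the rest).
STREAM_RE = re.compile(rb"<<([^<>]*)>>\s*stream\r?\n(.*?)\nendstream", re.DOTALL)
JS_LITERAL_RE = re.compile(rb"/JS\s*\(")


def balanced_literal(data: bytes, start: int) -> bytes:
    """Return the PDF literal string whose '(' sits at data[start],
    honouring nested parentheses and backslash escapes."""
    depth, i = 0, start
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                return data[start + 1:i]
        i += 1
    return data[start + 1:]


def extract_scripts(pdf: bytes) -> List[bytes]:
    """Collect candidate script bodies: inline /JS (...) literals plus every
    stream body, inflated when the stream declares /FlateDecode."""
    scripts = [balanced_literal(pdf, m.end() - 1) for m in JS_LITERAL_RE.finditer(pdf)]
    for dict_part, body in STREAM_RE.findall(pdf):
        if b"/FlateDecode" in dict_part:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # corrupt or unsupported stream: skip rather than crash
        scripts.append(body)
    return scripts


def scan_pdf(pdf: bytes) -> Dict[str, object]:
    scripts = extract_scripts(pdf)
    hits = {ind.decode(): sum(s.count(ind) for s in scripts) for ind in INDICATORS}
    return {
        "has_javascript": b"/JavaScript" in pdf,
        "indicators": hits,
        # Both indicators together match the trigger sequence described above.
        "suspicious": all(n > 0 for n in hits.values()),
    }


# Constructed samples: script in a Flate-compressed stream, script as an
# inline literal, and a document with no JavaScript at all.
SCRIPT = b"this.dataObjects[0] = null; app.setTimeOut('triggerUAF()', 1000);"
DEFLATED = zlib.compress(SCRIPT)
STREAM_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
    b"3 0 obj\n<< /S /JavaScript /JS 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Length " + str(len(DEFLATED)).encode()
    + b" /Filter /FlateDecode >>\nstream\n" + DEFLATED + b"\nendstream\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
INLINE_PDF = b"%PDF-1.7\n5 0 obj\n<< /S /JavaScript /JS (" + SCRIPT + b") >>\nendobj\n%%EOF\n"
BENIGN_PDF = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, sample in (("stream", STREAM_PDF), ("inline", INLINE_PDF), ("benign", BENIGN_PDF)):
        print(label, scan_pdf(sample))
```

Run it over a directory of quarantined files and sort on the indicator counts; a hit on both indicators is worth a manual look, a hit on neither is not proof of a clean file, since obfuscated scripts (string splitting, `eval`) defeat substring matching.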

To detect post-exploitation activity, monitor for suspicious child processes.

Logic:

  • Parent Image: C:\Program Files (x86)\Adobe\Acrobat DC\Acrobat\Acrobat.exe OR C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  • Child Image: cmd.exe, powershell.exe, sh.exe, certutil.exe
  • Event ID: 4688 (Process Creation)
index=endpoint
parent_process IN ("Acrobat.exe", "AcroRd32.exe")
process IN ("cmd.exe", "powershell.exe", "sh.exe", "whoami.exe")
| table _time, host, user, pid, process, parent_process, command_line
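The same lineage logic as the Splunk search, written out as an added Python example for this page (not code from the original post or any product) so it can be run over exported process-creation events offline. It goes one step further than the search: besides direct children of Acrobat.exe or AcroRd32.exe, it walks up to a few creator hops so that a shell's own descendants (whoami.exe launched by the cmd.exe that Reader spawned) are also attributed to the reader process. The field names and the 4688-style events are constructed for the example.

```python
# Added process-lineage detection example for this page; not original code.
# Field names and the JSON-lines events below are constructed.
import json
import ntpath
from typing import Dict, List

ACROBAT_IMAGES = {"acrobat.exe", "acrord32.exe"}
# Child images named in the hunting and detection lists above.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "sh.exe", "certutil.exe",
                       "wscript.exe", "mshta.exe", "whoami.exe"}

READER = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"

# Constructed process events, one JSON object per line (4688 = creation,
# 4689 = exit, included only to show that non-creation events are ignored).
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"event_id": 4688, "pid": 1000, "ppid": 900, "process": r"C:\Windows\explorer.exe",
     "parent_process": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"event_id": 4688, "pid": 4000, "ppid": 1000, "process": READER,
     "parent_process": r"C:\Windows\explorer.exe", "command_line": '"AcroRd32.exe" invoice.pdf'},
    {"event_id": 4688, "pid": 4100, "ppid": 4000,
     "process": r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe",
     "parent_process": READER, "command_line": "RdrCEF.exe --type=renderer"},
    {"event_id": 4688, "pid": 4200, "ppid": 4000, "process": r"C:\Windows\System32\cmd.exe",
     "parent_process": READER, "command_line": "cmd.exe /c whoami"},
    {"event_id": 4688, "pid": 4300, "ppid": 4200, "process": r"C:\Windows\System32\whoami.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe", "command_line": "whoami"},
    {"event_id": 4688, "pid": 4400, "ppid": 1000,
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Windows\explorer.exe", "command_line": "powershell.exe"},
    {"event_id": 4689, "pid": 4300, "process": r"C:\Windows\System32\whoami.exe"},
])


def image_name(path: str) -> str:
    """Normalise a full Windows path to a lower-case image name."""
    return ntpath.basename(path).lower()


def find_acrobat_descendants(log_text: str, max_hops: int = 3) -> List[Dict[str, object]]:
    """Flag suspicious images whose parent, or an ancestor reachable within
    `max_hops` creator links, is Acrobat or Reader."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    events = [e for e in events if e.get("event_id") == 4688]
    # Caveat: a production pipeline must key this map per host and cope
    # with PID reuse (e.g. by pairing PID with process start time).
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        child = image_name(e["process"])
        if child not in SUSPICIOUS_CHILDREN:
            continue
        chain = [child]
        cur = e
        for _ in range(max_hops):
            parent = image_name(cur["parent_process"])
            chain.append(parent)
            if parent in ACROBAT_IMAGES:
                hits.append({"pid": e["pid"], "process": child,
                             "chain": " <- ".join(chain),
                             "command_line": e.get("command_line", "")})
                break
            cur = by_pid.get(cur["ppid"])
            if cur is None:
                break
    return hits


if __name__ == "__main__":
    for hit in find_acrobat_descendants(SAMPLE_LOG):
        print(hit["pid"], hit["chain"], "|", hit["command_line"])
```

RdrCEF.exe is left alone because it is not in the suspicious-child set, and the PowerShell instance started from explorer.exe never reaches a reader ancestor; only the cmd.exe spawned by AcroRd32.exe and the whoami.exe beneath it are reported.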

Patching

Update Adobe Acrobat and Reader to the latest versions. This vulnerability is addressed in APSB20-48.

Sandbox Hardening

Ensure “Protected Mode” (Sandbox) is enabled in Adobe Reader settings to limit the impact of RCE.

JS Disabling

Disable JavaScript in Adobe Reader for high-risk environments if the functionality is not business-critical.