CVE-2013-3346

What is Adobe Reader?

Adobe Reader is the world's most widely deployed PDF viewer. Reader's JavaScript engine exposes a rich DOM API for interacting with PDF form elements and toolbars. The ToolButton object represents interactive toolbar buttons in PDF documents. Like all Reader DOM objects, ToolButton instances have a lifecycle managed by Reader's internal reference counting; a use-after-free occurs when a JavaScript handler retains a reference to a ToolButton object after it has been freed from Reader's internal heap.

Overview

CVE-2013-3346 is a memory corruption vulnerability (CWE-787) in Adobe Reader and Acrobat involving improper handling of ToolButton objects. When JavaScript in a malicious PDF triggers a specific sequence of ToolButton creation and deletion operations, Reader accesses freed memory — a use-after-free condition enabling arbitrary code execution. This vulnerability was observed being exploited as a zero-day, chained with CVE-2013-5065 (a Windows NDProxy kernel privilege escalation) to achieve full system compromise bypassing Reader's Protected Mode sandbox.

Adobe patched CVE-2013-3346 in APSB13-22 with Reader XI 11.0.04 and Reader X 10.1.8.

Affected Versions

Technical Details

Adobe Reader exposes ToolButton JavaScript objects representing interactive elements in PDF toolbars. The use-after-free occurs when:

1. JavaScript creates or accesses a ToolButton object
2. A specific sequence of document manipulation operations causes Reader to free the ToolButton's underlying C++ object
3. A retained JavaScript reference continues to exist — a dangling pointer
4. Reader subsequently calls a method on the dangling pointer, dereferencing freed heap memory

When the freed memory has been overwritten with attacker-controlled content (via JavaScript heap spray), the virtual function call is redirected to attacker shellcode.

Two-stage attack chain: FireEye reported observing CVE-2013-3346 combined with CVE-2013-5065 in targeted attacks:

1. CVE-2013-3346 achieves code execution inside Adobe Reader's Protected Mode sandbox
2. CVE-2013-5065 (Windows NDProxy driver privilege escalation) escapes the sandbox and elevates to SYSTEM
3. The combined chain delivers full system compromise from a PDF opened in Reader

This pattern of chaining a Reader content vulnerability with a Windows kernel LPE to escape the sandbox mirrors the earlier CVE-2013-0640 + CVE-2013-0641 chain — demonstrating sustained adversary investment in two-stage sandbox escape techniques against hardened Reader.

Discovery

Zero-day exploitation was observed in October 2013. The attacks were discovered and reported by FireEye, which identified the combined CVE-2013-3346 + CVE-2013-5065 chain being used in targeted attacks against specific organizations.

Exploitation Context

CISA confirmed exploitation in the wild. The CVE-2013-3346 + CVE-2013-5065 chain was used in targeted APT campaigns delivering custom malware including PlugX and other RATs against high-value targets. The two-stage chain indicates sophisticated, well-resourced threat actors willing to invest in developing multiple simultaneous zero-days to defeat layered defenses (sandboxed Reader + Windows privilege separation).

Remediation

1. Apply APSB13-22 — update to Reader XI 11.0.04 or Reader X 10.1.8; also apply MS13-101 for CVE-2013-5065
2. Keep Adobe Reader and Acrobat updated through automatic updates
3. Enable Protected Mode and Protected View — while this specific chain bypassed Protected Mode, it remains effective against most PDF exploits
4. Deploy email security sandboxing for PDF attachments
5. Monitor for NDProxy-related kernel privilege escalation attempts (CVE-2013-5065 component)