alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat PDF Reader use after free JavaScript engine (CVE-2017-16393)"; flow:established,from_server; flowbits:isset,ET.pdf.in.http; file_data; content:"this.addAnnot"; nocase; content:"this.addField"; nocase; content:".popupRect"; nocase; content:".setAction("; nocase; content:"OnFocus"; nocase; content:"setFocus"; nocase; pcre:"/\s+?(?P<var1>[^\s\x3d]+?)\s*?=\s*?this\.addAnnot.+?(?P=var1)\s*\x2epopupRect\s*?=\s*?0x4000/si"; pcre:"/\s+?(?P<var2>[^\s\x3d]+?)\s*?=\s*?this\.addField.+?(?P=var2)\s*\x2e\s*setAction\s*?\x28\s*?[\x22\x27]\s*?OnFocus[^\x29]+popupOpen\s*?=\s*?true/si"; reference:cve,2017-16393; classtype:attempted-user; sid:2025091; rev:4; metadata:affected_product Adobe_Reader, attack_target Client_and_Server, created_at 2017_11_14, cve CVE_2017_16393, deployment Perimeter, deployment Internal, confidence Low, signature_severity Major, tag Web_Client_Attacks, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2024_11_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1189, mitre_technique_name Drive_by_Compromise; target:dest_ip;)