Micropatch prevents malicious PDFs from Calling Home

The 0patch experts released a micropatch to address a flaw in Adobe Reader zero-day that allows maliciously PDFs to call home and send over the victim’s NTLM hash.The 0patch experts released a micropatch to address an in Adobe Reader zero-day that allows maliciously PDF documents to call home and send over the victim’s NTLM hash.

The 0patch experts released a micropatch to address a zero-day vulnerability in Adobe Reader which could be exploited by threat actors to craft maliciously PDF documents that call home and send over the victim’s NTLM hash to remote attackers in the form of an SMB request.

The vulnerability was reported by the security expert Alex Inführ that also published technical details of the issue along with a proof-of-concept.

“Once again the XML Form Architecture (XFA) structure helped.
XFA is a XML structure inside a PDF, which defines forms and more. This time it is not even necessary to use a feature of the XFA form but instead a xml-stylesheet does the trick.” wrote the expert.

“Adobe Reader actually detects any http/https URLs specified in a xml-stylesheet element and asks for the user’s confirmation. This dialog can be simply bypassed by using UNC paths.”

The expert explained that this new issue is similar to the
CVE-2018-4993 (aka “BadPDF“) that fixed by Adobe in November. The flaw allowed to trigger a callback to an attacker-controlled SMB server and leak the users NTMLv2 hash.

Inführ tested the PoC on Adobe Acrobat Reader DC 19.010.20069 running on Windows OS.

Once users have applied the micropatch the vulnerability will be immediatelly addressed.

“This vulnerability, similar to CVE-2018-4993, the so-called Bad-PDFreported by CheckPoint in April last year, allows a remote attacker to steal user’s NTLM hash included in the SMB request. It also allows a document to “phone home”, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.” reads the blog post published by 0patch.

“The malicious PDF included a certain element that triggered automatic loading of another PDF from a remote share.”

The patch released by the 0patch community allows to display a warning that inform users that the document is trying to access a remote share:

“This warning allowed the user to decide whether to allow the potentially malicious document to “phone home” or not.” reads the post.

0patch published a video PoC demo that shows how the micropatch works:

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – micropatch, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.