Pierluigi Paganini February 12, 2019

The 0patch experts released a micropatch to address a flaw in Adobe Reader zero-day that allows maliciously PDFs to call home and send over the victim’s NTLM hash.The 0patch experts released a micropatch to address an in Adobe Reader zero-day that allows maliciously PDF documents to call home and send over the victim’s NTLM hash.

The 0patch experts released a micropatch to address a zero-day vulnerability in Adobe Reader which could be exploited by threat actors to craft maliciously PDF documents that call home and send over the victim’s NTLM hash to remote attackers in the form of an SMB request.

The vulnerability was reported by the security expert Alex Inführ that also published technical details of the issue along with a proof-of-concept.

“Once again the XML Form Architecture (XFA) structure helped.
XFA is a XML structure inside a PDF, which defines forms and more. This time it is not even necessary to use a feature of the XFA form but instead a xml-stylesheet does the trick.” wrote the expert.

“Adobe Reader actually detects any http/https URLs specified in a xml-stylesheet element and asks for the user’s confirmation. This dialog can be simply bypassed by using UNC paths.” 

The expert explained that this new issue is similar to the
CVE-2018-4993 (aka “BadPDF“) that fixed by Adobe in November. The flaw allowed to trigger a callback to an attacker-controlled SMB server and leak the users NTMLv2 hash.

Inführ tested the PoC on Adobe Acrobat Reader DC 19.010.20069 running on Windows OS.

Once users have applied the micropatch the vulnerability will be immediatelly addressed.

“This vulnerability, similar to CVE-2018-4993, the so-called Bad-PDFreported by CheckPoint in April last year, allows a remote attacker to steal user’s NTLM hash included in the SMB request. It also allows a document to “phone home”, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.” reads the blog post published by 0patch.

“The malicious PDF included a certain element that triggered automatic loading of another PDF from a remote share.”

The patch released by the 0patch community allows to display a warning that inform users that the document is trying to access a remote share:

“This warning allowed the user to decide whether to allow the potentially malicious document to “phone home” or not.” reads the post.

0patch published a video PoC demo that shows how the micropatch works:

Pierluigi Paganini

(SecurityAffairs – micropatch, hacking)

[adrotate banner=”5″] [adrotate banner=”13″]