In a recent revelation, EXPMON has reported a previously unknown “zero-day behavior” in certain PDF samples, leading to the potential leakage of local (net)NTLM information. While not a zero-day attack in itself, the observed behavior highlights significant risks in commonly used PDF applications like Adobe Reader and Foxit Reader.
As EXPMON explains, “This was not a zero-day attack … there is no evidence suggesting [these samples] were created with malicious intent. However, the samples exhibited an unpatched, previously unknown behavior.”
When analyzed in EXPMON’s sandbox, the PDF samples demonstrated a vulnerability wherein specific actions triggered unintended network requests. The findings reveal that:
- Adobe Reader: The application attempts to locate a network resource based on the PDF’s embedded actions. EXPMON’s analysis noted, “If the PDF sample is opened directly, the application will attempt to locate a computer named ‘Applications.’ If it finds the computer, it will try to connect to the server and send the local (net)NTLM information to it.” Although Adobe Reader issues a warning, the NTLM information leak occurs before user intervention is possible.
- Foxit Reader: Unlike Adobe Reader, Foxit Reader doesn’t trigger the NTLM leak under the same conditions. However, a slight modification in the PDF’s structure enables the behavior. EXPMON reports, “If we open the modified PDF sample with Foxit Reader, the application will attempt to connect to the server ‘pub.expmon.com’ and send the local (net)NTLM information to the server.”
The implications of this behavior are substantial. An attacker could manipulate the PDF file to send NTLM information to a server under their control. EXPMON elaborates on the exploit’s methodology: “An attacker could simply change the name to a server under their control and send the PDF file to the victim. When the victim opens the file, the attacker could collect the victim’s local (net)NTLM information.”
Notably, the attack is limited by network scope:
- Adobe Reader: This behavior is restricted to intranet domains, as clarified by Adobe: “DNS/NTLM calls only for intranet domains, not for internet domains.”
- Foxit Reader: The behavior could extend to public domains, broadening the attack surface.
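The intranet-versus-internet distinction above maps directly onto an endpoint detection rule: a PDF reader process answering an SMB connection (where the NetNTLM response would be sent) is worth flagging, and a destination outside the local network is the more serious case because the credential material leaves the organisation. The script below is an added example, not code from EXPMON, Adobe or Foxit. It assumes the reader executable names listed in PDF_READERS and consumes constructed, simplified key=value network-connection records loosely modelled on Sysmon Event ID 3; neither the event format nor the sample lines are real telemetry.

```python
import ipaddress
import ntpath
import re

# Executable names for the readers discussed in the article. These names are
# an assumption of this example; adjust them to the builds deployed locally.
PDF_READERS = {"acrord32.exe", "acrobat.exe", "foxitpdfreader.exe", "foxitreader.exe"}

# Ports on which a client completes NTLM authentication during a UNC connect.
SMB_PORTS = {445, 139}

# What counts as "intranet" for scoping: RFC 1918, loopback and link-local
# ranges (IPv4 and IPv6). Listed explicitly rather than via
# ipaddress.is_private so documentation ranges such as 203.0.113.0/24 are
# treated as internet, which is how they behave for a real resolver.
INTRANET_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample records (not real logs). Field names follow Sysmon's
# network-connection event loosely; the format is key=value separated by spaces.
SAMPLE_EVENTS = [
    r"UtcTime=2024-12-19 09:14:02 Image=C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "
    r"DestinationIp=10.20.30.40 DestinationPort=445 DestinationHostname=Applications",
    r"UtcTime=2024-12-19 09:15:11 Image=C:\Program Files\Foxit Software\Foxit PDF Reader\FoxitPDFReader.exe "
    r"DestinationIp=203.0.113.10 DestinationPort=445 DestinationHostname=pub.expmon.com",
    r"UtcTime=2024-12-19 09:16:40 Image=C:\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe "
    r"DestinationIp=203.0.113.20 DestinationPort=443 DestinationHostname=updates.example.net",
    r"UtcTime=2024-12-19 09:17:05 Image=C:\Windows\explorer.exe "
    r"DestinationIp=10.20.30.50 DestinationPort=445 DestinationHostname=fileserver",
]

# key=value pairs whose values may contain spaces (paths, timestamps): a value
# runs until the next " key=" token or the end of the line.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_event(line):
    """Turn one constructed record into a dict of its fields."""
    return dict(KV_RE.findall(line))


def is_intranet(ip_text, hostname):
    """True if the destination is on a local range or is a single-label name.

    A single-label hostname (e.g. "Applications") can only resolve through local
    name resolution, so it is treated as intranet even if no IP was recorded.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        ip = None
    if ip is not None and any(ip in net for net in INTRANET_NETS):
        return True
    return bool(hostname) and "." not in hostname


def triage(lines):
    """Return alerts for PDF reader processes opening SMB connections."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        image = ntpath.basename(ev.get("Image", "")).lower()
        if image not in PDF_READERS:
            continue
        try:
            port = int(ev.get("DestinationPort", "0"))
        except ValueError:
            continue
        if port not in SMB_PORTS:
            continue
        host = ev.get("DestinationHostname", "")
        intranet = is_intranet(ev.get("DestinationIp", ""), host)
        alerts.append({
            "time": ev.get("UtcTime", ""),
            "process": image,
            "destination": f"{host or ev.get('DestinationIp', '')}:{port}",
            "scope": "intranet" if intranet else "internet",
            # Internet destination: the NetNTLM response leaves the network.
            # Intranet destination: still harvestable or relayable, lower severity.
            "severity": "medium" if intranet else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script reports two alerts: the Adobe connection to the single-label host "Applications" on the 10/8 network as intranet/medium, and the Foxit connection to pub.expmon.com on a public address as internet/high; the reader's HTTPS update check and explorer.exe's own SMB traffic are ignored. In a real deployment the same rule can be expressed as a SIEM query over the equivalent network-connection events, and a WebDAV variant would additionally need to watch the reader's HTTP traffic for NTLM authentication.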
Both Adobe and Foxit Software have responded to the findings:
- Adobe Reader: The vendor acknowledged the behavior but did not consider it a security risk due to its intranet domain restriction. “Acrobat considers intranet domains to be trusted when the ‘Automatically trust sites from Win OS security zones’ feature is enabled,” Adobe stated.
- Foxit Reader: The vendor took a proactive stance, releasing a patch in December 2024. According to Foxit Software, “The products are available immediately. You are encouraged to download your copy of Foxit PDF Reader from our website.”