The 0patch experts released a
The vulnerability was reported by security expert Alex Inführ, who also published technical details of the issue along with a proof-of-concept.
“Once again the XML Form Architecture (XFA) structure helped.
“Adobe Reader actually detects any
The expert explained that this new issue is similar to CVE-2018-4993 (aka “BadPDF”), which was fixed by Adobe in November. The flaw allowed an attacker to trigger a callback to an attacker-controlled SMB server and leak the user's NTLMv2 hash.
Inführ tested the PoC on Adobe Acrobat Reader DC 19.010.20069 running on Windows OS.
Once users have applied the
“This vulnerability, similar to CVE-2018-4993, the so-called Bad-PDF reported by CheckPoint in April last year, allows a remote attacker to steal user’s NTLM hash included in the SMB request. It also allows a document to “phone home”, i.e., to let the sender know that the user has viewed the document. Obviously, neither of these is desirable.” reads the blog post published by 0patch.
“The malicious PDF included a certain element that triggered automatic loading of another PDF from a remote share.”
The patch released by the 0patch community allows
“This warning allowed the user to decide whether to allow the potentially malicious document to “phone home” or not.” reads the
0patch published a video PoC demo that shows how the
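
A triage check for the behaviour described above, added here as an example (not code from 0patch, Inführ or Adobe): it scans a PDF's raw bytes and its Flate-compressed streams for references to a remote share, the kind of reference that makes Windows send an SMB request when the document is opened. The sample documents, element and key names, and host names are constructed placeholders.

```python
import re
import zlib

# \\host\share (also the doubled-backslash form used inside PDF string
# literals) or file://host/share. The lookbehind skips local paths like C:\\dir.
REMOTE_RE = re.compile(
    rb'(?<![\w:\\])\\{2,4}[\w.-]+\\{1,2}[\w$.-]+|file:/{2}[\w.-]+/[\w$.-]+', re.I)
STREAM_RE = re.compile(rb'stream\r?\n(.*?)\r?\nendstream', re.S)

def pdf_views(data):
    """Yield (label, bytes) for the raw file and every stream that inflates."""
    yield "raw", data
    for i, m in enumerate(STREAM_RE.finditer(data)):
        try:
            yield f"stream {i}", zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-encoded; other filters are out of scope here

def find_remote_refs(data):
    """Return [(where, reference)] for every remote-share reference found."""
    return [(label, m.group(0).decode("latin-1"))
            for label, blob in pdf_views(data)
            for m in REMOTE_RE.finditer(blob)]

# Constructed samples (not real documents; names are placeholders).
_XML = rb'<xdp><placeholder ref="\\fileserver.example.test\share\next.pdf"/></xdp>'
SAMPLE_SUSPICIOUS = (
    b"%PDF-1.7\n1 0 obj\n<< /ExampleKey ("
    + rb"\\\\host.example.test\\drop"          # UNC path escaped as a PDF string
    + b") >>\nendobj\n2 0 obj\n<< /Filter /FlateDecode >>\nstream\n"
    + zlib.compress(_XML)                      # UNC path hidden in a stream
    + b"\nendstream\nendobj\n")
SAMPLE_BENIGN = (
    b"%PDF-1.7\n1 0 obj\n<< /URI (https://example.test/a.html) /Path (C:"
    + rb"\\Users\\a\\doc.pdf"
    + b") >>\nendobj\n")

if __name__ == "__main__":
    for name, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        hits = find_remote_refs(doc)
        print(name, "->", hits if hits else "no remote-share references")
```

A hit is a reason to inspect the document in isolation, not proof of malice; references stored in UTF-16 or behind other stream filters are not covered by this check.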