Adobe 0-day and Captain Metadata

>We talked about the recent 0-day on episode 141 of the podcast. You can read the advisory from Adobe here.
Captain_Metadata.jpgThere are two things that I find interesting about this advisory: First off, it affects versions 7, 8 and 9. Secondly, it not only affects Adobe Reader, but it also affects all of the publishing products including Adobe Standard, Pro, and Pro Extended. Patches are not expected for a few weeks.
So, why do I find these two items interesting? If we wished to utilize this 0-day as an attack vector, we need to know what Adobe product is in use on the victim system. Without some other cues, such as already having access to the system, it becomes difficult to determine Adobe Reader version – aside from the install, we’re not dealing with much (read as none) output to determine the version installed.
However with the publishing products, potential victims use these all of the time to deliver output. That’s what the product is made for. As a result, we can analyze output outside of the potential victim system.
Yes, Captain Metadata is here again.
We can use Metagoofil to find and analyzed documents. We can determine usernames, dates (for “freshness”), and Adobe product version. Here’s how we can do that:

python ./ -d  -f pdf -l <# of results> -o  -t 

So, in order to search for 100 PDFs, I’d use this:

python ./ -d -f pdf -l 100 -o -t

Enjoy your auditing for the next few weeks. Use your 0-days responsibly. :-)
– Larry “haxorthematrix” Pesce
aka, Captain Metadata

Larry Pesce

Larry’s core specialties include hardware and wireless hacking, architectural review, and traditional pentesting. He also regularly gives talks at DEF CON, ShmooCon, DerbyCon, and various BSides. Larry holds the GAWN, GCISP, GCIH, GCFA, and ITIL certifications, and has been a certified instructor with SANS for 5 years, where he trains the industry in advanced wireless and Industrial Control Systems (ICS) hacking. Larry’s independent research for the show has led to interviews with the New York Times with MythBusters’ Adam Savage, hacking internet-connected marital aids on stage at DEFCON, and having his RFID implant cloned on stage at Shmoocon. Larry is also a Principal Instructor and Course Author for the SANS Institute for SEC617: Wireless Penetration Testing and Ethical Hacking and SEC556: IoT Penetration Testing. When not hard at work, Larry enjoys long walks on the beach weighed down by his ham radio, (DE KB1TNF), and thinking of ways to survive the impending zombie apocalypse.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.