Adobe 0-day and Captain Metadata

We talked about the recent 0-day on episode 141 of the podcast. You can read the advisory from Adobe here.
There are two things that I find interesting about this advisory: First off, it affects versions 7, 8 and 9. Secondly, it not only affects Adobe Reader, but it also affects all of the publishing products including Adobe Standard, Pro, and Pro Extended. Patches are not expected for a few weeks.
So, why do I find these two items interesting? If we wished to utilize this 0-day as an attack vector, we would need to know what Adobe product is in use on the victim system. Without some other cues, such as already having access to the system, it is difficult to determine the Adobe Reader version: aside from the install itself, Reader produces little (read as no) output from which we could determine the version installed.
However with the publishing products, potential victims use these all of the time to deliver output. That’s what the product is made for. As a result, we can analyze output outside of the potential victim system.
Yes, Captain Metadata is here again.
We can use Metagoofil to find and analyze documents. We can determine usernames, dates (for “freshness”), and the Adobe product version. Here’s how we can do that:

python ./metagoofil.py -d <domain> -f pdf -l <# of results> -o <output file> -t <download directory>

So, in order to search for 100 PDFs, I’d use this:

python ./metagoofil.py -d <domain> -f pdf -l 100 -o <output file> -t <download directory>
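The analysis step, as an added example that is not part of the original post and not Metagoofil’s own code: once the PDFs are downloaded, the interesting fields live in the PDF Info dictionary (/Author, /CreationDate, /Creator, /Producer). The script below, using only the Python standard library, pulls those fields out of a PDF, parses the creation date, and reports the major version of the Adobe product that wrote the file, flagging it if it falls in the 7, 8 or 9 range the advisory lists. The sample PDF bytes are constructed for the example, and the regular-expression parsing assumes the common case of plain parenthesised strings in the Info dictionary. The same code serves a defender auditing their own published documents for what they disclose before patches land.

```python
import re
from datetime import datetime

# Constructed sample: a minimal PDF body with an Info dictionary, standing in
# for a document downloaded by Metagoofil. Not a real file from any site.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Title (Q3 Report) /Author (jsmith) "
    b"/Creator (Acrobat PDFMaker 9.0 for Word) "
    b"/Producer (Adobe PDF Library 9.0) "
    b"/CreationDate (D:20091015091500-04'00') >>\nendobj\n"
    b"trailer\n<< /Info 2 0 R /Root 1 0 R >>\n%%EOF\n"
)

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")
# Major versions the advisory discussed above lists as affected (7, 8 and 9).
AFFECTED_MAJORS = {7, 8, 9}


def extract_info(pdf_bytes):
    """Pull the string-valued entries of the PDF Info dictionary.

    Assumption: values are literal strings in parentheses (the usual form in
    files written by Adobe products). Hex strings and nested parentheses are
    not handled, so a missing key simply yields no entry.
    """
    info = {}
    for key in INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", pdf_bytes)
        if m:
            info[key] = m.group(1).decode("latin-1")
    return info


def parse_pdf_date(value):
    """Convert a PDF date such as D:20091015091500-04'00' to a naive datetime."""
    m = re.match(r"D:(\d{4})(\d{2})?(\d{2})?(\d{2})?(\d{2})?(\d{2})?", value)
    if not m:
        return None
    ymd = [int(p) if p else 1 for p in m.groups()[:3]]   # missing month/day -> 1
    hms = [int(p) if p else 0 for p in m.groups()[3:]]   # missing time -> 00:00:00
    return datetime(*ymd, *hms)


def adobe_version(info):
    """Return (product string, major version) when Creator or Producer names an Adobe tool."""
    for field in ("Creator", "Producer"):
        text = info.get(field, "")
        m = re.search(r"(Acrobat|Adobe)[^\d]*(\d+)(?:\.\d+)*", text)
        if m:
            return text, int(m.group(2))
    return None, None


def assess(pdf_bytes):
    """Summarise what one published PDF reveals: who, when, and which Adobe version."""
    info = extract_info(pdf_bytes)
    product, major = adobe_version(info)
    created = parse_pdf_date(info.get("CreationDate", ""))
    return {
        "author": info.get("Author"),
        "created": created,
        "product": product,
        "major_version": major,
        "affected": major in AFFECTED_MAJORS if major is not None else False,
    }


if __name__ == "__main__":
    import json
    # Run over every file Metagoofil saved to the download directory in practice;
    # here the constructed sample stands in for one of them.
    print(json.dumps(assess(SAMPLE_PDF), default=str, indent=2))
```

Run as-is it prints the author, creation date, the Creator string and major version 9 for the constructed sample; point it at the files in Metagoofil’s download directory to get the same summary per document.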

Enjoy your auditing for the next few weeks. Use your 0-days responsibly. :-)
– Larry “haxorthematrix” Pesce
aka, Captain Metadata

Larry Pesce

A self-professed, lifelong “tinkerer and explorer,” Larry always wanted to know how things work. “I found myself getting to engage in deep dives of technology from an early age: My dad built the family television from a kit, and I helped. It caught fire. Twice. I helped fix it both times.”

The help and advice received from the infosec community throughout his career inspired him to share what he had learned to help others secure their networks and improve their craft. Part of that ongoing sharing has been as the co-founder and co-host of the international award winning Paul’s Security Weekly podcast for more than 19 years.

Larry has spent the last 15 years as a penetration tester, spending lots of time focused on Healthcare, ICS/OT, Wireless, and IoT/IIoT/Embedded Devices, but now focuses his efforts on securing the software supply chain at Finite State.
