>We talked about the recent 0-day on episode 141 of the podcast. You can read the advisory from Adobe here.
Captain_Metadata.jpgThere are two things that I find interesting about this advisory: First off, it affects versions 7, 8 and 9. Secondly, it not only affects Adobe Reader, but it also affects all of the publishing products including Adobe Standard, Pro, and Pro Extended. Patches are not expected for a few weeks.
So, why do I find these two items interesting? If we wished to utilize this 0-day as an attack vector, we need to know what Adobe product is in use on the victim system. Without some other cues, such as already having access to the system, it becomes difficult to determine Adobe Reader version – aside from the install, we’re not dealing with much (read as none) output to determine the version installed.
However with the publishing products, potential victims use these all of the time to deliver output. That’s what the product is made for. As a result, we can analyze output outside of the potential victim system.
Yes, Captain Metadata is here again.
We can use Metagoofil to find and analyzed documents. We can determine usernames, dates (for “freshness”), and Adobe product version. Here’s how we can do that:

python ./metagoofil.py -d  -f pdf -l <# of results> -o  -t 

So, in order to search whitehouse.gov for 100 PDFs, I’d use this:

python ./metagoofil.py -d whitehouse.gov -f pdf -l 100 -o whitehouse.gov-pdf.html -t whitehouse.gov-temp

Enjoy your auditing for the next few weeks. Use your 0-days responsibly. :-)
– Larry “haxorthematrix” Pesce
aka, Captain Metadata