Adobe Reader Zero-Day Micropatch Stops Malicious PDFs from Calling Home

LASER_oneXM

A micropatch is now available for a zero-day vulnerability in Adobe Reader which would allow maliciously crafted PDF documents to call home and send over the victim's NTLM hash to remote attackers in the form of an SMB request.

The vulnerability was first disclosed by security researcher Alex Inführ on his blog, where a full analysis of the security issue and a proof-of-concept were published before Adobe managed to push out a security fix for the issue.

Applying the micropatch delivered through the 0patch platform will not require a system restart or relaunching a program, with the effect being immediate because it is an in-memory fix for running processes.

upnorth

Micropatch source code:
MODULE_PATH "..\AffectedModules\AcroForm.api_19.10.20064.48846_32bit\AcroForm.api"
PATCH_ID 349
PATCH_FORMAT_VER 2
VULN_ID 4694
PLATFORM win32

patchlet_start

PATCHLET_ID 1
PATCHLET_TYPE 2
PATCHLET_OFFSET 0x000b3f6b ; Injecting before the call towards loading
; a non-HTTP URL
PIT Shlwapi.dll!PathIsUNCA,User32.dll!MessageBoxA

code_start

push ecx ; save ecx so we don't corrupt it

mov eax, dword [eax+10h] ; at this point, the address of path
; is at [eax+10h]+4
add eax, 4
push eax
push eax ; we push the address of path twice as we may need it
; in remediation too
call PIT_PathIsUNCA ; is it a UNC path?
test eax, eax
jz skip ; not a UNC path - skip the warning dialog

push 0x00000134 ; uType = MB_YESNO | MB_ICONEXCLAMATION | MB_DEFBUTTON2
call get_lpCaption
db "Security Warning",0
get_lpCaption:
call get_lpText
db "This document is trying to access a file on the network. If you trust this document, choose Yes. If you do not trust this document, choose No.",0
get_lpText:
push 0 ; hWnd = NULL
call PIT_MessageBoxA
cmp eax, 6 ; Did user click "Yes"?
je skip ; if so, skip remediation

; Remediation: we'll simply delete the entire URL string by putting
; a 0 at the beginning
pop eax ; pop the previously pushed path address
mov byte [eax], 0 ; put a 0 at the start of path
push eax ; we need to re-push something because we have a pop in the epilogue

skip:
pop eax ; pop the additional address of path

pop ecx ; restore original ecx and continue to execute the call
; towards loading the provided URL

code_end

patchlet_end
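The check-and-neutralize logic of the patchlet above, written out in C as an added example (not 0patch's code): is_unc_path is a simplified stand-in for Shlwapi's PathIsUNCA, and the trusted flag stands in for the user's answer to the MessageBox prompt.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable approximation of Shlwapi's PathIsUNCA, the check the
 * micropatch calls: a UNC path begins with "\\" followed by a server
 * name. Device and long-path prefixes ("\\?\", "\\.\") are not treated
 * as server/share paths here. This is a simplification written for
 * this example, not the Windows implementation. */
bool is_unc_path(const char *path)
{
    if (path == NULL || path[0] != '\\' || path[1] != '\\')
        return false;
    char c = path[2];
    return c != '\0' && c != '\\' && c != '?' && c != '.';
}

/* Mirrors the patchlet's control flow: a non-UNC target is left alone;
 * a UNC target is loaded only if the user answered "Yes" to the prompt
 * (modelled here by the trusted flag); otherwise the string is emptied
 * in place by writing a NUL at its first byte, which is exactly the
 * remediation the patch performs. Returns true when the path was emptied. */
bool neutralize_unless_trusted(char *path, bool trusted)
{
    if (!is_unc_path(path))
        return false;          /* http/https or local paths: no prompt, no change */
    if (trusted)
        return false;          /* user chose Yes: leave the network path intact */
    path[0] = '\0';            /* user chose No: loader now sees an empty string */
    return true;
}

int main(void)
{
    /* Constructed sample targets; the host name is a placeholder. */
    char net[] = "\\\\fileserver.example\\share\\form.xdp";
    char web[] = "https://example.com/form.xdp";
    printf("UNC? %d %d\n", is_unc_path(net), is_unc_path(web));
    printf("emptied: %d -> \"%s\"\n", neutralize_unless_trusted(net, false), net);
    return 0;
}
```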
