Metadata and the Risks to your Security
Imagine the following scenario. A company not dissimilar to yours, let’s call it Thomson & Hardy Ltd, uploads a PDF of its product brochure to its website. It looks good, flawless in fact. Thomson & Hardy’s products are attractively set out, the copy word perfect. And why not, the business has a strict editorial quality control process, so it was rigorously checked before it was published.
But wait, something’s missing. An integral part of the document, the metadata, wasn’t subjected to the same scrutiny. Unlike everything else, it sailed through entirely unchecked. Now let’s fast forward a couple of days, until a cyber criminal, we’ll call him Mr Opportunist, downloads the glossy PDF brochure. What happens next is a by-product of the seemingly harmless disclosure of the metadata information included in the file.
Mr Opportunist isn’t interested in Thomson & Hardy’s products of course, he has a different goal in mind. He downloads the file, renames it test.pdf, and examines it. As shown in the screenshot below, he discovers that test.pdf was created using LibreOffice 5.1 and that the PDF version is 1.4.
Armed with this juicy information including version numbers, our threat actor decides to obtain a shell access on the target as it seems the easiest way forward. As illustrated, a search is performed in Metasploit and one exact match is shown:
While the vulnerability appears to target only OpenOffice, a deeper look reveals that this module can also be used for LibreOffice:
His next step is to configure the exploit to return a reverse shell upon successful execution of the payload:
This particular exploit requires the attacker to use social engineering to persuade someone at Thomson & Hardy to open a LibreOffice document. Since the PDF document was created using LibreOffice, there’s a good chance that at least one or two employees will use it. In the ideal scenario, everyone in the company will have it installed on their computers.
Mr Opportunist just has to think of a plausible reason, and ensure that he (or an accomplice) sounds convincing. He does a little research via LinkedIn and social media sites to identify Thomson & Hardy’s marketing staff and rings posing as a helpful user who has spotted an error with the brochure. Naturally, the marketing team want to rectify it quickly and are grateful to receive a copy of the PDF brochure with the error highlighted. An employee opens the file but it only displays a blank page on the screen:
In the background, Mr Opportunist receives a shell connection from the victim’s machine and achieves access to Thomson & Hardy’s network. In the absence of other robust security controls, he can now roam at will to do as he pleases for malicious or financial gain.
Metadata Risks Scenario Summary
The key information disclosed through metadata in this case was the LibreOffice version. If it had been removed from the PDF document before it was published, it would have made the attack harder to execute. This exploit scenario is largely simplified, as in reality additional reconnaissance tasks would be necessary to turn a simple information disclosure into a complete compromise of the target (our fictitious Thomson & Hardy Ltd).
Further Good Reading on Metadata
How To Prevent Metadata Information Disclosure
Ensure that all documents shared with external parties are sanitised and do not include information that may be helpful to attackers such as: software version numbers, author’s details including their username, direct telephone numbers and individual email addresses. If metadata must be attached to documents, it should be limited to generic information to reduce the attack surface.
Popular Microsoft Office and LibreOffice software allows users to remove some of the metadata quite easily. However, even when care is taken there will always be some metadata attached. In conclusion, the less the metadata says about the document, the harder it is for cyber criminals to use the extracted information for nefarious purposes.
For Perspective Risk’s expertise to protect your company, please click here to contact us.