Securing business data

Blog Item

The Security Train - Beware of the Crops

/>

shutterstock_523923208

Its been a while since the last security train....to be honest there are a number of reasons largely the last train I got home I left at 5 and got home at 1am due to a power line issue and honestly I didn't feel like writing after that...then one of my team came to me with an interesting prospect which consumed my last journey...its amazing what you can get done on a train...

So what the hell is the title about? well funnily enough its not about my crop of beetroot we just extracted from our vegetable patch back up north (great pickled by the way)...but about the dangers of using Microsoft Word.

Now I should explain, Microsoft Word is not really a dangerous program...however it does present a number of interesting information disclosures I personally hadn't thought of before....and this is where, in our humble story, Richard Hall steps in...Now for those that don't know him, Richard is one of our CHECK team members and a much treasured developer within the testing team (also the sworn enemy of the operations department...something to do with time sheets?). Anyway....One sunny day while working on the new look PDF reports for CNS testing Richard was picking his way through the marketing style guide given to us by our marketing team, we spotted a few images we wanted to use in the new reports and so we promptly started to de-compile the PDF document to break it down into its individual components and images ready for use.

While reviewing the images from the de-compiled PDF we noticed some interesting images that were not part of the original PDF document...or so we thought.

On closer inspection it turned out that the images we were seeing were screenshots of the creators full desktop, detailing their emails open in the background with the image they clearly wanted to crop in the center of the desktop...it took us a couple of minutes to work out what was going on, and, with a bit of googling it turns out this is not exactly a secret either but instead just a little know "feature"...apparently when you crop an image in word and export as a PDF its not the cropped image thats saved...its the whole thing...

In this case we were handed a PDF document that looked normal and as it should from the outside, but decompile it to bare bones and you end up with a totally different set of uncropped pictures disclosing a load of information.

We didn't stop there of course....after a bit of googleing to see who else had spotted this we noted a few people had and it really was no big secret...however Richard then went on to say "hey Andy....do you think anyone has written a tool you could point at a domain that would download all PDF's on that site and decompile them??"....turns out we couldn't find one...so from that conversation I decided I would spend the next few hours writing up a quick script to do just that.

It uses google hacking/dorking to look up all the known PDF files at a given domain, it then downloads them and extracts them presenting them in a neat directory for you to browse...the script has three requirements:

-n The number of google results pages you want to crawl

-p The path you want to save the lovely images to and

-d The target domain you wish to pillage.

I have included a screenshot below of the tool working against cnsgroup.co.uk and the results it yields, obviously the results here are clean, but leave this running for long enough against other domains and with a high enough number of google page settings and you will soon uncover some interesting data....

This isn't to say every PDF will be riddled with this kind of disclosure...in fact in our tests only a VERY small percentage of PDF documents actually contained anything interesting, but hey....its an information disclosure I for one had never thought about and I have no shame in admitting that! hopefully this might one day stop someone from disclosing their inbox contents by mistake...you never know.

If anyone would like access to the tool just email me, I have some tweaking to do still and after that I will put it up on git for all to download freely.

Speak soon!

thumbnail sec train

thumbnail sec train 2

If you would like to know more about how you may be vulnerable to attack, why not enquire about our free Penetration Testing Training sessions CLICK HERE.

 

       
 Andy Swift - Head of Offensive Security  

Andy Swift is, Head of Offensive Security at CNS Six Degrees
and has written countless articles on information security.
He has a particular speciality in Malware and Virus Analysis. 
Andy holds Global Industrial Cyber Security Professional (GICSP) status,
certifying his expertise in ICS Security Essentials for Engineering,
Operating Technology and Cyber.
   



 
     
       
Andy Swift - Head of Offensive Security            


call us

Get in touch

Talk to our experts today +44 (0) 20 7592 8800

Send us a message

We'll get back to you Send us a message

Connect with us

See what we're saying elsewhere