Clam 2197 Fix PDF metadata decryption issues + Add support for checking empty owner password#1141
Merged
val-ms merged 3 commits intoCisco-Talos:mainfrom Jan 22, 2024
Merged
Conversation
The encrypted metadata may be stored in a <> block containing hex bytes. Strip off the <> and decode the hex to binary.
Specifically for algorithm 6 (/R 6). Use the O and OE strings to test if an empty owner password will decrypt the file.
Store temp files with obj id and gen id so analysts know which is which. Don't dump decoded objects immediately. They'll get dumped later at the end of pdf_extract_obj(). At the end of PDF object extraction, we don't need to find out the "dumpid" (aka the object index in our list of pdf objects). It isn't actually used! So I removed the unused parameter.
ragusaa
reviewed
Jan 17, 2024
ragusaa
approved these changes
Jan 17, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix PDF metadata decryption issues.
The encrypted metadata may be stored in a
<>-block containing hex bytes (not raw binary).Strip off the <> and decode the hex to binary before attempting to decrypt it.
PDF: Add support for checking empty owner password.
Specifically for algorithm 6 (/R 6). I have not attempted the same for older algorithms.
Use the O and OE strings to test if an empty owner password will decrypt the file.
The primary difference with checking the user password is the U-string is also concatenated when making the hashes to verify the key.