PDF Files Can Be Abused to Steal Windows Credentials
By Catalin Cimpanu | April 27, 2018
Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.
…
By design, all SMB requests also include the NTLM hash for authentication purposes. This NTLM hash would be recorded in the remote SMB server’s log. Tools are available that can break this hash and recover the original password.
This type of attack is not new, at all, and in the past, has been executed by initiating SMB requests from inside Office documents, Outlook, browsers, Windows shortcut files, shared folders, and other Windows OS internal functions.
…
All PDF readers are most likely vulnerable
…
“We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues,” Baharav says.
While FoxIT did not reply, Adobe said it doesn’t plan to modify its software, deferring to Windows OS-level mitigations. Adobe engineers were referring to Microsoft Security Advisory ADV170014, released in October 2017.
Microsoft released ADV170014 to provide a technical mechanism and instructions on how users could disable NTLM SSO authentication on Windows operating systems, in the hopes of stopping the theft of NTLM hashes via SMB requests made to servers located outside the local network.
“The best practice here is to follow Microsoft optional security enhancement,” Baharav told us.
Read the full article here
See also @MrBrian’s link to ADV170014 (and other advices issued at the same time) from October 11th, 2017.
