• PDF Files Can Be Abused to Steal Windows Credentials

    Home » Forums » Cyber Security Information and Advisories » Code Red – Security/Privacy advisories » PDF Files Can Be Abused to Steal Windows Credentials


    PDF Files Can Be Abused to Steal Windows Credentials
    By Catalin Cimpanu | April 27, 2018

    Baharav published research this week showing how a malicious actor could take advantage of features natively found in the PDF standard to steal NTLM hashes, the format in which Windows stores user credentials.

    By design, all SMB requests also include the NTLM hash for authentication purposes. This NTLM hash would be recorded in the remote SMB server’s log. Tools are available that can break this hash and recover the original password.

    This type of attack is not new, at all, and in the past, has been executed by initiating SMB requests from inside Office documents, Outlook, browsers, Windows shortcut files, shared folders, and other Windows OS internal functions.

    All PDF readers are most likely vulnerable

    “We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues,” Baharav says.

    While FoxIT did not reply, Adobe said it doesn’t plan to modify its software, deferring to Windows OS-level mitigations. Adobe engineers were referring to Microsoft Security Advisory ADV170014, released in October 2017.

    Microsoft released ADV170014 to provide a technical mechanism and instructions on how users could disable NTLM SSO authentication on Windows operating systems, in the hopes of stopping the theft of NTLM hashes via SMB requests made to servers located outside the local network.

    “The best practice here is to follow Microsoft optional security enhancement,” Baharav told us.

    Read the full article here

    See also @MrBrian’s link to ADV170014 (and other advices issued at the same time) from October 11th, 2017.

    5 users thanked author for this post.
    Viewing 0 reply threads
    • #188009

      Background on the vulnerability:
      ADV170014 NTLM SSO: Exploitation Guide

      Who is vulnerable?
      Accordingly to Microsoft, all Windows versions since 3.11 till Windows 10, Desktop and server are vulnerable to this kind of attack.

      Honestly, I have only tested on Windows 7 and Windows 10, then I passed the ball to Microsoft

      Microsoft created a sort of patch to this vulnerability consisting in changing two registry keys to disable NTLM on the system. This registry keys are available only on Windows 10 and Windows Server 2016, and Microsoft has no intentions to backport to the other versions.

      Another issue is that disabling NTLM will break a lot of environments, and that’s a huge concern for them.

      My suggestion is to use strong passwords, after the attack we need to crack the hash, that can take a lot of time if the password is complex, and can be frustrating for the attacker.

      The better approach, don’t share folders without passwords, that’ll do the trick.

      Read the full article here

    Viewing 0 reply threads
    Reply To: PDF Files Can Be Abused to Steal Windows Credentials

    You can use BBCodes to format your content.
    Your account can't use all available BBCodes, they will be stripped before saving.

    Your information: