Submitted via IRC for SoyCow8317
NT LAN Manager (NTLM) credentials can be stolen via malicious Portable Document Format (PDF) files without user interaction.
PDF files, the security researchers explain, consist primarily of objects, together with Document structure, File structure, and content streams. There are eight basic types of objects, including dictionaries, and a malicious actor can abuse these to steal NTLM credentials.
A dictionary object represents a table containing pairs of objects, called entries, where the first element is the key (a name) and the second element is the value (may be any kind of object). Represented by dictionary objects, the pages of a document are called page objects and consist of required and optional entries.
One of the optional entries is the /AA entry, defining actions performed when a page is opened (/O entry) or closed (/C entry). An action dictionary is held within /O (/C) and consists of 3 required entries: /S, /F, and /D, describing the type of action to be performed – GoToR (Go To Remote) and GoToE (Go To Embedded) –, the location location [sic] of the other PDF, and the location to go to within the document.
"By injecting a malicious entry (using the fields described above together with his SMB server details via the '/F' key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, host name and domain details," Check Point explains.
Source: https://www.securityweek.com/pdf-files-can-silently-leak-ntlm-credentials
(Score: 5, Insightful) by looorg on Saturday May 05 2018, @03:15AM (4 children)
Why would I allow a pdf-viewer/reader access to the net?
Not really the same, they didn't test all but assumes? They didnt even get answers from at least one vendor, its not all adobe.
(Score: 0) by Anonymous Coward on Saturday May 05 2018, @03:20AM
It appears this is a flaw in PDFs, but the NTLM data is transmitted by Windows without any user interaction or knowledge.
(Score: 4, Informative) by requerdanos on Saturday May 05 2018, @01:41PM (1 child)
You shouldn't, of course, in a sane and free world.
But PDF, in addition to being a portable format for documents, can also serve as a DRM-infected defective document delivery system. The last university I attended "sold" me textbooks in PDF containers that can only be "opened" if you have an Internet connection available to the viewer to process the DRM.
Obviously the first thing to be done with such a document is print to file, which, with these documents, resulted in large, ugly watermarks. Basically, I was ripped off. I did graduate, though.
(Score: 1, Touché) by Anonymous Coward on Sunday May 06 2018, @12:54AM
When you print to file, those watermarks are objects in the result, which can be stripped.
(Score: 0) by Anonymous Coward on Sunday May 06 2018, @12:48AM
They did test; they didn't get an answer from Foxit, but you can see for yourself that Foxit does leak like this.
Calling it a PDF reader bug is incorrect. It's a vulnerability in the PDF standard, which exposes useful data to attackers in some (NTLM-using) environments.