Security researcher Assaf Baharav from Check Point Security has discovered a new twist on an old, fairly well-known attack. He was able to essentially “weaponize” PDFs to steal Windows credentials stored in NTLM hashes. Unfortunately, no action other than simply opening the PDF is required for the hacker to gain access to the information.
Baharav used the same methodology that hackers have used in the past, which amounts to instantiating SMB requests from inside the document. Hackers have already performed these types of attacks from inside web browsers, Windows shortcut files, shared folders, Microsoft Office documents, and Microsoft outlook. Using a PDF to run the exploit is something new.
Baharav had this to say about his research:
“We chose to test these two high profile readers (Adobe Acrobat and the FoxIT reader). Regarding the others, we highly suspect they may be vulnerable as well. We followed a 90 days disclosure policy by notifying only Adobe and Foxit regarding the issues.”
Foxit did not respond to the information Baharav sent, but Adobe did. Unfortunately, their response was not encouraging. They simply announced that they had no plans to address the issue, deferring to Windows OS-level mitigations (reference Microsoft Security Advisory ADV170014).
Microsoft released this advisory to provide instructions on how to disable the NTLM SSO authentication inside the Windows operating system. This is a workable solution, but it has problems.
For starters, it’s not really a patch, but rather the modification of a specific registry key and then the implementation of a network isolation policy. Worse, it’s only applicable to Windows 10 and Windows Server 2016 machines. People who have older systems are simply left vulnerable.
Be on the alert then PDFs can now be used to steal credentials. It appears that every reader is affected and that no help is coming for older systems.