Shulou(Shulou.com)06/02 Report--

This article mainly introduces the example analysis that hackers can use PDF files to obtain Windows credentials, which has a certain reference value, and interested friends can refer to it. I hope you can learn a lot after reading this article.

Assaf Baharav, a Check Point security researcher, revealed that PDF files can be armed by malicious actors to steal Windows credentials (NTLM hashes) without any user interaction, just by opening a file.

This week, Baharav published a study showing how malicious actors can use native features in the PDF standard to steal NTLM Hashes, the format in which Windows stores user credentials.

"the PDF specification allows remote content to be loaded for GoToE&GoToR," Baharav told the media.

Steal Windows credentials through PDF and SMB

For his research, Baharav created an PDF document that can take advantage of these two PDF features. When someone opens this file, the PDF document automatically sends a request to the remote malicious SMB server.

By design, all SMB requests also contain NTLM hashes for authentication purposes. This NTLM hashes will be recorded in the log of the remote SMB server. The available tools can crack the hash and restore the original password.

This type of attack is not new at all and used to be performed by initiating SMB requests from Office documents, Outlook, browsers, Windows shortcut files, shared folders, and other functions within the Windows operating system.

All PDF readers may have vulnerabilities.

Now, Baharav has shown that PDF files are equally dangerous. The Check Point researcher told the media that he only conducted field tests on Adobe Acrobat and FoxIT Reader attacks.

"We chose to test these two popular PDF readers," Baharav told us. "about other people, we are more suspicious that other readers have the same weakness."

"We follow the 90-day disclosure policy and only inform Adobe and Foxit about these issues," Baharav said.

Although FoxIT did not reply, Adobe said it did not intend to modify its software, but postponed mitigation at the Windows operating system level. Adobe engineer refers to the Microsoft Security Bulletin ADV170014 issued in October 2017.

Microsoft released ADV170014 to provide technical mechanisms and instructions for users to disable NTLM SSO authentication on the Windows operating system, hoping to prevent NTLM hash theft by issuing SMB requests to servers outside the local network.

"for now, the best approach is to follow Microsoft's optional security enhancements," Baharav said. "

Thank you for reading this article carefully. I hope the article "sample analysis that hackers can use PDF files to obtain Windows credentials" shared by the editor will be helpful to everyone. At the same time, I also hope you can support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.