GPN19:BADPDF – Stealing Windows Credentials via PDF Files
A talk by Ido Solomon at GPN19.
Shortly after it was reported that malicious actors can exploit a vulnerability in MS Outlook to leak a Windows user’s NTLM hashes, our research team revealed that an NTLM hash leak can be achieved via PDF files with no user interaction or exploitation. Rather than exploiting a vulnerability in Microsoft Office files or Outlook, attackers can weaponize a PDF file by exploiting a feature that allows embedding remote documents and files within it. By pointing the embedded object to a remote SMB server, the target automatically leaks credentials in the form of NTLM hashes when the PDF is opened. In this presentation I will first cover the basic structure of a PDF file and its objects, in particular the Dictionary object where this vulnerability lies. Next I will present our team’s proof of concept: injecting malicious code into a benign PDF file, weaponizing it, and causing an NTLM hash leak upon opening the file. I will then discuss the impact of this attack by showing the leaked NTLM hash captured on the remote SMB server and how it can be cracked to retrieve the victim’s original password.
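The abstract describes the leak as a PDF dictionary object whose embedded-file reference points at a remote SMB server. From the defender's side, the useful counterpart is a triage check that walks a PDF's objects and flags any string value that would make a Windows client reach out to a remote host (a UNC path or an smb:// / file://host URL), whichever dictionary key carries it. The script below is an added example written for this page; it is not the research team's proof of concept and the talk does not say which keys its PoC used, so the scanner looks at every literal and hex string in every object rather than at specific keys. The sample PDF bytes are constructed for the example (the `/Filespec` and `/F` keys in it are standard PDF file-specification keys, used here only to build a realistic sample), and the hostname EXAMPLE-HOST is a placeholder.

```python
import re

# Constructed sample PDF fragment (not a real document): object 2 carries a
# UNC path as a PDF literal string (backslashes doubled per PDF escaping),
# object 4 carries the same path as a PDF hex string, object 1 is benign.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Filespec /F (\\\\\\\\EXAMPLE-HOST\\\\share\\\\doc.pdf) >>\nendobj\n"
    b"4 0 obj\n<< /Type /Filespec /F <5C5C4558414D504C452D484F53545C73686172655C646F632E706466> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
# PDF literal string: ( ... ) with backslash escapes, no nested parentheses handled here.
LITERAL_RE = re.compile(rb"\((?:[^()\\]|\\.)*\)", re.DOTALL)
# PDF hex string: < hexdigits >, excluding the << >> dictionary delimiters.
HEX_RE = re.compile(rb"(?<!<)<([0-9A-Fa-f\s]+)>(?!>)")
# Values that make a Windows client authenticate to a remote host:
# UNC paths (\\host\share or //host/share) and smb:// or file://host/ URLs.
# file:///C:/... has no host and is deliberately not matched.
REMOTE_RE = re.compile(r"^(?:\\\\|//)[A-Za-z0-9._-]+|^(?:smb|file)://[A-Za-z0-9._-]",
                       re.IGNORECASE)

ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def decode_literal(raw: bytes) -> bytes:
    """Undo PDF literal-string escaping: (\\\\host) on disk means \\host."""
    body = raw[1:-1]
    out = bytearray()
    i = 0
    while i < len(body):
        ch = body[i:i + 1]
        if ch != b"\\":
            out += ch
            i += 1
            continue
        nxt = body[i + 1:i + 2]
        if nxt in ESCAPES:
            out += ESCAPES[nxt]
            i += 2
        elif nxt and nxt in b"01234567":  # octal escape \ddd, one to three digits
            m = re.match(rb"[0-7]{1,3}", body[i + 1:i + 4])
            out.append(int(m.group(0), 8) & 0xFF)
            i += 1 + len(m.group(0))
        else:  # a backslash before any other character is simply dropped
            i += 1
    return bytes(out)


def decode_hex(raw_hex: bytes) -> bytes:
    """Decode a PDF hex string; whitespace is ignored and an odd final digit is padded with 0."""
    digits = re.sub(rb"\s", b"", raw_hex)
    if len(digits) % 2:
        digits += b"0"
    return bytes.fromhex(digits.decode("ascii"))


def find_remote_refs(pdf: bytes) -> list[tuple[int, str]]:
    """Return (object number, decoded string) for every string value pointing at a remote host."""
    hits = []
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(2)
        values = [decode_literal(s.group(0)) for s in LITERAL_RE.finditer(body)]
        values += [decode_hex(h.group(1)) for h in HEX_RE.finditer(body)]
        for val in values:
            text = val.decode("latin-1")
            if REMOTE_RE.match(text):
                hits.append((objnum, text))
    return hits


def remote_hosts(pdf: bytes) -> set[str]:
    """Hostnames referenced by the flagged strings, for egress blocking or SMB log correlation."""
    hosts = set()
    for _, text in find_remote_refs(pdf):
        m = re.match(r"^(?:\\\\|//|smb://|file://)([A-Za-z0-9._-]+)", text, re.IGNORECASE)
        hosts.add(m.group(1))
    return hosts


if __name__ == "__main__":
    for objnum, text in find_remote_refs(SAMPLE_PDF):
        print(f"object {objnum}: remote reference {text!r}")
    print("hosts:", sorted(remote_hosts(SAMPLE_PDF)))
```

This is a triage heuristic, not a parser: strings inside compressed object streams are invisible to it until the streams are inflated, so a production check would decompress first. The host list it returns is the part worth acting on, since blocking outbound SMB (TCP 445) at the perimeter and watching for NTLM authentication attempts to hosts outside the domain are the mitigations that stop the leak regardless of which PDF feature triggers it.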