PDF Files Can Silently Leak NTLM Credentials

PDF Files Can Silently Leak NTLM Credentials
30.4.18 securityweek Hacking

NTML credentials can be stolen via malicious Portable Document Format (PDF) files without any user interaction, Check Point security researchers warn.

Attackers looking to steal the credentials for the NT LAN Manager (NTLM) authentication protocol (which consist of a domain name, a user name, and a one-way hash of the user's password) can do so by abusing a feature where remote documents and files can be embedded inside PDF files.

PDF files, the security researchers explain, consist primarily of objects, together with Document structure, File structure, and content streams. There are eight basic types of objects, including dictionaries, and a malicious actor can abuse these to steal NTLM credentials.

A dictionary object represents a table containing pairs of objects, called entries, where the first element is the key (a name) and the second element is the value (may be any kind of object). Represented by dictionary objects, the pages of a document are called page objects and consist of required and optional entries.

One of the optional entries is the /AA entry, defining actions performed when a page is opened (/O entry) or closed (/C entry). An action dictionary is held within /O (/C) and consists of 3 required entries: /S, /F, and /D, describing the type of action to be performed – GoToR (Go To Remote) and GoToE (Go To Embedded) –, the location location of the other PDF, and the location to go to within the document.

“By injecting a malicious entry (using the fields described above together with his SMB server details via the ‘/F’ key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, host name and domain details,” Check Point explains.

The security researchers, who also published a proof-of-concept, explain that the victim has no way of noticing the abnormal behavior. There is no evidence of the action being performed, nor a security alert.

Once the PDF file has been executed, the NTLM details are sent to the attacker’s server to be used for various SMB relay attacks.

According to Check Point, the issue likely impacts all PDF-viewers for Windows, as all of them will reveal the NTLM credentials.

The security researchers informed Adobe on the vulnerability, but the company said a fix won’t be released, because Microsoft is already offering users the possibility to prevent such attacks from happening in the first place.

In October 2017, the software giant made some optional Windows NTLM Single Sign-On (SSO) authentication changes to prevent “authentication with resources that are not marked as internal by the Windows Firewall.”

“Microsoft is releasing this new functionality as a mitigation to NTLM dictionary attacks. Microsoft continues to recommend that customers move to public key authentication methods for applications which do not support modern authentication, and use negotiate with Kerberos authentication whenever possible,” the company explained in an advisory.

Hackers Target Poorly Patched Oracle WebLogic Flaw
By Eduard Kovacs on April 30, 18

Hackers have been scanning the Internet for Oracle WebLogic Server installations that can be taken over using a recently addressed vulnerability. While patched systems should be protected against attacks, experts claim the fix implemented by Oracle can be bypassed.

One of the 254 issues resolved by Oracle with its April 18 CPU is CVE-18-2628, a critical remote command execution flaw affecting versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware) Java EE application server. Oracle has credited Liao Xinxi of the NSFOCUS Security Team and an individual who uses the online moniker loopx9 for reporting this security hole to the company.

Unauthenticated attackers can exploit this vulnerability remotely via the T3 transport protocol on TCP port 7001 and the task is made easy by the fact that proof-of-concept (PoC) code has already been made available.

One of the first people to disclose details of the vulnerability was Liao Xinxi himself. Developer Davide Tampellini used that information along with PoC code released by others to create a weaponized exploit that can be used to spawn a remote shell.

GreyNoise Intelligence reported seeing a “large spike” in devices scanning the Web for port 7001 shortly after the first PoCs surfaced. GreyNoise’s reports are backed by data from other companies, including SANS and Qihoo 360.

While there have not been any reports of servers actually being hacked using CVE-18-2628, Oracle WebLogic Server has been known to be targeted by malicious actors. For instance, FireEye revealed in February that cybercriminals had been exploiting CVE-2017-10271, a WebLogic Server flaw patched by Oracle in October 2017, to deliver cryptocurrency miners. A possibly related threat group was also spotted recently exploiting the Drupal vulnerability known as Drupalgeddon2.

While users should in theory be protected against attacks exploiting CVE-18-2628 if they have applied Oracle’s patch, a China-based security researcher who uses the online moniker Pyn3rd claims the fix can be easily bypassed.

Researcher Kevin Beaumont confirmed that bypassing the patch is possible and advised users to block port 7001 to mitigate attacks.

Oracle WebLogic flaw exploited in the wild

SecurityWeek has reached out to Oracle for comment and will update this article if the company responds.