Adobe WONTFIX PDF Vulnerability Leaking Users' Passwords
In yet another case of obsolete and retired protocols causing modern security headaches, the NTLM password hash has reared its ugly head in two recently disclosed attacks. In the middle of April, security researchers discovered that Microsoft Outlook’s OLE service was leaking users’ NTLM password hashes. A little less than two weeks later, a more dangerous attack was revealed involving passing NTLM hashes through PDF files. While NTLM has many documented vulnerabilities, many companies such as Microsoft choose to keep an outdated and obsolete protocol around and on by default in order to ensure backwards compatibility. The SMBv1 protocol was famously discontinued over a decade ago, but was kept on and exploited by the WannaCry, NotPetya, and BadRabbit ransomware strains.
In order to appreciate the severity of this NTLM password hash attack, we must first review what NTLM password hashes are and why their disclosure is a huge security concern. The major weaknesses of the LAN Manager (LM) authentication protocol are:
- Passwords are not case sensitive; passwords are converted into uppercase before hashing.
- Password characters are limited to a subset of ASCII characters.
- Passwords are limited to a maximum length of 14 characters.
- A 14-character password is broken into two 7-character substrings, with each 7-character substring hashed separately.
- If the password is 7 characters or fewer, the second half's "null hash" is always the same value (0xAAD3B435B51404EE). This makes it easy to identify a password of 7 characters or fewer without using any tools.
- The password’s hash value is sent over the network to authenticate the user without salting, making it susceptible to man-in-the-middle attacks such as replay-the-hash or pass-the-hash.
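To make the two-halves and null-hash points above concrete, here is an added example (not code from the original post) that computes an LM hash with Go's standard crypto/des package and flags the null second half that betrays a password of 7 characters or fewer. The function names LMHash and ShortPassword are this example's own; the DES key expansion and the "KGS!@#$%" constant are the documented LM algorithm.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// NullHalf is the DES encryption of the LM magic constant under an all-zero
// 7-byte key. It is the second half of every LM hash whose password is
// 7 characters or shorter, because that half of the padded password is all nulls.
const NullHalf = "AAD3B435B51404EE"

// lmMagic is the fixed 8-byte plaintext that every LM half-key encrypts.
var lmMagic = []byte("KGS!@#$%")

// desKeyFrom7 spreads 56 key bits over 8 bytes; the low bit of each byte is
// DES's parity bit, which the key schedule ignores.
func desKeyFrom7(k []byte) []byte {
	return []byte{
		k[0] & 0xFE,
		(k[0] << 7) | (k[1] >> 1),
		(k[1] << 6) | (k[2] >> 2),
		(k[2] << 5) | (k[3] >> 3),
		(k[3] << 4) | (k[4] >> 4),
		(k[4] << 3) | (k[5] >> 5),
		(k[5] << 2) | (k[6] >> 6),
		k[6] << 1,
	}
}

// LMHash computes the LAN Manager hash: uppercase the (ASCII) password, truncate
// to 14 bytes, null-pad, split into two 7-byte halves, and DES-encrypt the
// constant with each half as the key. Returns 32 uppercase hex characters.
func LMHash(password string) string {
	buf := make([]byte, 14) // copy truncates to 14 and leaves the rest as nulls
	copy(buf, []byte(strings.ToUpper(password)))
	out := make([]byte, 0, 16)
	for i := 0; i < 14; i += 7 {
		c, err := des.NewCipher(desKeyFrom7(buf[i : i+7]))
		if err != nil {
			panic(err) // key is always 8 bytes, so this cannot happen
		}
		block := make([]byte, 8)
		c.Encrypt(block, lmMagic)
		out = append(out, block...)
	}
	return strings.ToUpper(hex.EncodeToString(out))
}

// ShortPassword reports whether an LM hash belongs to a password of 7 characters
// or fewer: its second half equals the null half. Useful when auditing a hash dump.
func ShortPassword(lmHash string) bool {
	return len(lmHash) == 32 && strings.EqualFold(lmHash[16:], NullHalf)
}

func main() {
	// Constructed sample passwords; note the case-insensitive collision.
	for _, p := range []string{"", "passwor", "password", "PaSsWoRd"} {
		h := LMHash(p)
		fmt.Printf("%-10q %s short=%v\n", p, h, ShortPassword(h))
	}
}
```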
Attackers have been exploiting a feature of PDF files that allows a document to be fetched from a remote file server. When opened, a maliciously crafted PDF document causes the victim's machine to connect to a remote server in an attempt to retrieve a document, and the user’s username and NTLM hashed password are sent to that server to verify authentication and authorization to retrieve the file. Once a user opens the malicious PDF file, no further user interaction is required. This differs from the Outlook OLE or RTF attack, where users must actively allow the remote content or set Outlook to automatically download and trust remote content. Once the NTLM hashed password reaches the remote server, it is a trivial process to recover the cleartext password from the hash using off-the-shelf software like John the Ripper.
Security researchers responsibly disclosed this vulnerability to Adobe (maker of Acrobat Reader) and Foxit, the two largest PDF reader makers by market share. Foxit immediately patched the vulnerability in version 9.1. Adobe referred the researchers to a little-known KB article from Microsoft with instructions on how to disable NTLM SSO hash passing over the internet. In other words, it’s a WONTFIX for Adobe, and they will rely on administrators disabling this “feature” through a Microsoft patch.
Since it sounds like Adobe is in no rush to patch this vulnerability, the most effective way to protect users against malicious PDF files is to use a cloud sandbox. PDF files are simple and easy to modify, so MD5- or signature-based antimalware is typically not enough to detect and prevent these types of attacks. Having a cloud sandbox ensures that users are protected no matter where they work: in the office, at home, in a coffee shop, a hotel, etc. A cloud sandbox has a further benefit: if a user attempts to download a PDF file and the cloud sandbox deems that file malicious, the file is immediately blacklisted for every user of the multi-tenant cloud sandbox, not just the user or organization that discovered it. A cloud sandbox, or any sandboxing product, is only as effective as the traffic it can read, so combining a cloud sandbox with SSL inspection gives the highest probability that a malicious PDF file is blocked. With over 70% of all web traffic today encrypted with SSL or TLS, the ability to inspect this traffic should be table stakes for any serious security solution.