Attackers Can Steal Windows Credentials By Exploiting The subDoc Feature In Microsoft Word


Security researchers from Rhino Labs (a US-based cyber-security firm) have found that cyber criminals can use a Microsoft Word feature called subDoc to trick Windows machines into handing over their NTLM hashes, the format in which Windows stores user account credentials.

The subDoc feature was designed to load one document into the body of another, so that content from the sub-document appears inside the host document while remaining a separate file that can be edited and viewed on its own.

Rhino's researchers said that the feature can also load external (Internet-hosted) subDoc files into the host document, which opens the door to abuse under certain conditions.

According to the researchers:
This feature piqued our curiosity as it resembled a similar Office feature we’ve seen abused in the wild, attachedTemplate. Using the attachedTemplate method, an attacker would be able to send an arbitrary document to a target that would, upon opening, open an authentication prompt in the Windows style. It is this innocent looking functionality that usually catches the target by surprise and provides us the opportunity to harvest credentials remotely.

To exploit this weakness, the researchers said, attackers can put together a Word file that loads a sub-document from a server they control. Cyber criminals can run a malicious SMB server at the other end of this request, and instead of sending the requested sub-document, they trick the user's computer into handing over the NTLM hash required for authentication on a fake domain.
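From a defender's side, the useful question is whether a received .docx contains a subDoc reference that points outside the file at all, since a legitimate sub-document embedded for layout purposes has no reason to live on a remote SMB or HTTP host. The following scanner is an added example and is not code from Rhino Labs or from the article. It opens a .docx as the ZIP container it is, reads the relationship part for the main document, and reports every subDocument relationship whose TargetMode is External, classifying the target by scheme. The OOXML relationship type URI for sub-documents and the `w:subDoc` element name are taken from the Office Open XML schemas; the sample document it builds, including the host name `EXAMPLE-HOST`, is a constructed fixture for testing the detector, not a real file.

```python
"""Flag .docx files whose subDoc references point to external (network) targets.

Added example for detection; not part of the original article or of any Rhino Labs tool.
The sample .docx built below is a constructed test fixture with a placeholder host name.
"""
import io
import sys
import zipfile
import xml.etree.ElementTree as ET

# OOXML namespaces and the relationship type used for Word sub-documents.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
SUBDOC_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/subDocument"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"


def external_subdoc_targets(docx_bytes: bytes) -> list:
    """Return the Target of every subDocument relationship marked TargetMode="External".

    Only relationships actually referenced by a <w:subDoc r:id="..."/> element in the
    body are reported, so a stale or unused relationship does not cause a false alarm.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/_rels/document.xml.rels" not in names or "word/document.xml" not in names:
            return targets

        # rIds referenced by <w:subDoc> elements in the main document body.
        doc = ET.fromstring(z.read("word/document.xml"))
        used_ids = {
            el.get(f"{{{R_NS}}}id")
            for el in doc.iter(f"{{{W_NS}}}subDoc")
            if el.get(f"{{{R_NS}}}id")
        }

        rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
        for rel in rels.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != SUBDOC_REL:
                continue
            if rel.get("TargetMode", "Internal") != "External":
                continue  # internal part inside the ZIP: nothing leaves the host
            if rel.get("Id") not in used_ids:
                continue
            targets.append(rel.get("Target", ""))
    return targets


def classify_target(target: str) -> str:
    """Coarse classification of where an external target would make Word connect."""
    t = target.strip().lower()
    if t.startswith("\\\\") or t.startswith("file://"):
        return "unc"   # SMB path: Word will authenticate to that host to fetch it
    if t.startswith("http://") or t.startswith("https://"):
        return "http"  # WebDAV/HTTP fetch; may also prompt for credentials
    return "other"


def build_sample_docx(target: str, external: bool = True) -> bytes:
    """Constructed minimal .docx with one subDoc reference (test fixture only)."""
    mode = ' TargetMode="External"' if external else ""
    document_xml = (
        f'<w:document xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
        '<w:body><w:p><w:subDoc r:id="rId1"/></w:p></w:body></w:document>'
    )
    rels_xml = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{SUBDOC_REL}" Target="{target}"{mode}/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("word/_rels/document.xml.rels", rels_xml)
    return buf.getvalue()


def scan_file(path: str) -> list:
    """Scan a .docx on disk; returns (target, classification) pairs worth reviewing."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [(t, classify_target(t)) for t in external_subdoc_targets(data)]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            for target, kind in scan_file(path):
                print(f"{path}: external subDoc ({kind}) -> {target}")
    else:
        # No file given: demonstrate on the constructed fixture.
        sample = build_sample_docx(r"\\EXAMPLE-HOST\share\part.docx")
        for t in external_subdoc_targets(sample):
            print(f"sample: external subDoc ({classify_target(t)}) -> {t}")
```

Run it with one or more .docx paths to list external sub-document references; a hit of kind `unc` means opening the file would make Word attempt an SMB connection (and NTLM authentication) to the named host, which is exactly the behaviour described above. The same relationship-part check extends to the attachedTemplate case by swapping in that relationship type, since both are ordinary external relationships in the package.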

The researchers have released an open source tool on GitHub called Subdoc Injector, which creates a Word subDoc pointing at a user-defined URL and embeds it in a user-specified 'parent' Word document.


Eslam Medhat

is a professional pen-tester with over 9 years of IT experience and a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He has reported various vulnerabilities to high-profile companies and vendors and has been acknowledged by them.