Attackers Can Steal Windows Credentials By Exploiting The subDoc Feature In Microsoft Word

Security researchers from Rhino Labs (a US-based cyber-security firm) have found that cyber criminals can use a Microsoft Word feature dubbed subDoc to fool Windows machines into handing over their NTLM hashes, which is the usual format in which user account credentials are saved.

subDoc feature was created to load a document into the body of a different document, so as to include data from one document into the other, while also enabling for the data to be updated and seen on its own.

Rhino’s researchers said that the feature can be used to load external (Internet-hosted) subDoc files into the host document, thus enabling for malicious exploitation in specific conditions.

According to the researchers:
This feature peaked our curiosity as it resembled a similar Office feature we’ve seen abused in the wild, attachedTemplate. Using the attachedTemplate method, an attacker would be able to send an arbitrary document to a target that would, upon opening, open an authentication prompt in the Windows style. It is this innocent looking functionality that usually catches the target by surprise and provides us the opportunity to harvest credentials remotely.

To exploit this vulnerability, the researchers said that attackers can place together a Word file that loads a sub-document from a malicious server. Cyber criminals can use a malicious SMB server at the other edge of this request, and instead of sending the requested sub-document, they fool the user’s computer into handing over the NTLM hash required for authentication on a fake domain.

The researchers have released an open source tool on GitHub called Subdoc Injector that is intended to create a Word subDoc for a user-defined URL and also to combine it into a user-specified ‘parent’ Word doc.

About the author

Mazen Elzanaty

Add Comment

Click here to post a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: