Windows 10: Warning: Attackers can Steal Windows Credentials using Google Chrome

  1. Brink
       17 May 2017 #1

    Warning: Attackers can Steal Windows Credentials using Google Chrome

    Attacks that leak authentication credentials using the SMB file sharing protocol on Windows OS are an ever-present issue, exploited in various ways but usually limited to local area networks. One of the rare pieces of research involving attacks over the internet was presented by Jonathan Brossard and Hormazd Billimoria at the Black Hat security conference[1] [2] in 2015. However, there have been no publicly demonstrated SMB authentication related attacks on browsers other than Internet Explorer and Edge in the past decade. This paper describes an attack which can lead to Windows credential theft, affecting the default configuration of the most popular browser in the world today, Google Chrome, as well as all Windows versions supporting it.

    The Problem

    With its default configuration, the Chrome browser will automatically download files that it deems safe without prompting the user for a download location, instead using the preset one. From a security standpoint, this feature is not ideal behavior, but any malicious content that slips through still requires a user to manually open/run the file to do any damage. However, what if the downloaded file requires no user interaction to perform malicious actions? Are there file types that can do that?

    The Windows Explorer Shell Command File, or SCF (.scf), is a lesser-known file type going back as far as Windows 98. Most Windows users came across it in Windows 98/ME/NT/2000/XP, where it was primarily used as the Show Desktop shortcut. It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling the Desktop) and an icon file location. As an example, this is what the Show Desktop SCF file contents looked like:


    As with Windows shortcut LNK files, the icon location is automatically resolved when the file is shown in Explorer. Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares. But what is the difference between LNK and SCF from the attack standpoint? Chrome sanitizes LNK files by forcing a .download extension ever since Stuxnet[3] but does not give the same treatment to SCF files.

    An SCF file that can be used to trick Windows into an authentication attempt against a remote SMB server contains only two lines, as shown in the following example:


    Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file; Windows File Explorer will automatically try to retrieve the "icon".

    The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking, or to relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) in order to impersonate the victim without ever knowing the password. The captured information may look like the following:

    [*] SMB Captured - 2017-05-15 13:10:44 +0200
    NTLMv2 Response Captured from -
    USER:Bosko DOMAIN:Master OS: LM:

    The above example shows the disclosure of the victim's username, domain and NTLMv2 password hash.

    It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings. Therefore, a file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to the inconspicuous nature of attacks using SCF files...

    Read more: DefenseCode

  2.    17 May 2017 #1

    Thanks.....I'm currently using Chrome. I already have that box checked. I will read the whole article when I get some free time. Thanks again for the heads up.

  3.    18 May 2017 #2

    Brink, thanks for the heads up...

  4.    18 May 2017 #3

    And here is the solution

    Block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls, so that local computers cannot query remote SMB servers.
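As an added example (not code from this thread or from DefenseCode), the outbound block suggested above expressed as a Windows Firewall rule, followed by an audit of the folder Chrome downloads into for .scf files whose icon location points at a UNC path (the trigger for the automatic NTLM authentication described in the first post). Assumptions: Chrome uses its default download folder (%USERPROFILE%\Downloads), the machine needs no SMB shares beyond the local subnet, and the script runs from an elevated PowerShell session on Windows 10.

```powershell
# Added example, not from the thread or from DefenseCode.
# 1. Block outbound SMB (TCP 139/445) to addresses outside the local subnet,
#    so an icon reference to an Internet SMB server can no longer connect.
#    Assumption: no SMB shares are needed across WAN links.
$ruleName = 'Block outbound SMB to Internet (SCF/NTLM leak mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Protocol TCP `
        -RemotePort 139,445 -RemoteAddress Internet -Profile Any | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

# 2. Audit the download folder for SCF files. Explorer hides the .scf
#    extension, so 'picture.jpg.scf' is shown as 'picture.jpg'; report the
#    name the user saw next to the real name, plus the IconFile value and
#    whether it points at a UNC path (\\server\share or //server/share).
$downloads = Join-Path $env:USERPROFILE 'Downloads'   # assumption: default Chrome location
Get-ChildItem -Path $downloads -Filter '*.scf' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $iconLine = Select-String -Path $_.FullName -Pattern '^\s*IconFile\s*=' |
                    Select-Object -First 1
        $icon = if ($iconLine) { ($iconLine.Line -split '=', 2)[1].Trim() } else { '' }
        [pscustomobject]@{
            DisplayedAs  = [IO.Path]::GetFileNameWithoutExtension($_.Name)  # what Explorer shows
            RealName     = $_.Name
            Downloaded   = $_.CreationTime
            IconLocation = $icon
            RemoteIcon   = ($icon -match '^(\\\\|//)')   # remote icon = credential leak risk
        }
    } | Format-Table -AutoSize
```

Any file reported with RemoteIcon set to True should be deleted without opening the folder in Explorer again, and the account's password treated as exposed.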

  5.    19 May 2017 #4

    Thanks for the heads up Brink.

