A vulnerability in Google’s Chrome browser allows hackers to automatically download a malicious file onto a victim’s PC that could be used to steal credentials and launch SMB relay attacks.
Bosko Stankovic, information security engineer at DefenseCode, found the flaw in the default configuration of the latest version of Chrome running on an updated version of Microsoft’s Windows 10 operating system.
“Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials,” he wrote Monday in a description of the vulnerability.
The technique allows an attacker to gain access to a victim’s username and Microsoft LAN Manager (NTLMv2) password hash. That leaves victims open to a variety of attacks including a Server Message Block (SMB) relay attack. A SMB relay attack allows an adversary to use a victim’s credentials to authenticate to a PC or network resource such as email or remote server.
Attacks could also use this vulnerability to attempt to crack the target’s hashed password.
DefenseCode said it did not notify Google of the vulnerability. When Threatpost asked Google to comment a spokesperson said “We’re aware of this and taking the necessary actions.” Google didn’t elaborate.
According to Stankovic the browser attack is simple.
First, a victim is enticed to click on a specially crafted link that triggers an automatic download of a Windows Explorer Shell Command File or SCF file (.scf) onto a victim’s PC. The file is automatically downloaded to the target’s C:Users%Username%Downloads Folder.
Once the .SCF file is downloaded into the Download directory it lays dormant. However, once the user opens the Download directory folder in Windows, the SCF file tries to retrieve data associated with a Windows icon located on the attacker’s server.
When the SCF file attempts to retrieve the remote icon file data it present the attacker’s server with the victim’s username and hashed version of the victim’s password. If the victim is part of a corporate network, the username and password is the network username and password assigned to the victim by the company’s system administrator. If the victim is a home user, the SCF file will request the icon data associated with the home user’s Windows username and password.
Researchers independent of DefenseCode point out that the vulnerability is not exclusively tied to the way the Chrome browser handles SCF files, but also the way Windows handles them as well.
According to Stankovic, SCF files are lesser known file types going back as far as Windows 98 where it was primarily used as a “Show Desktop” shortcut. “It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling Desktop) and an icon file location,” Stankovic said.
Researchers say this type of attack could be used maliciously to attempt to crack the hashed password. The attacker could also use the credential request in a SMB relay attack. Under that scenario an attacker could forward the credential request to attempt access NTLM-enabled services on a corporate network – such as email or network access.
“Organizations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password,” Stankovic said.
To protect against the attack in Google Chrome, DefenseCode recommends visiting Settings> Show advanced settings> and Check the “Ask where to save each file before downloading” option.
“As with Windows shortcut LNK files, the icon location is automatically resolved when the file is shown in Explorer. Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares. But what is the difference between LNK and SCF from the attack standpoint? Chrome sanitizes LNK files by forcing a .download extension ever since Stuxnet, but does not give the same treatment to SCF files,” Stankovic wrote in his report.
Stankovic said competing browsers Microsoft Internet Explorer, Edge, Mozilla Firefox and Apple Safari each do not allow the automatic download of SCF files.