You Can Steal Windows Login Credentials via Google Chrome and SCF Files

Just by accessing a folder containing a malicious SCF file, a user will unwittingly share his computer's login credentials with an attacker via Google Chrome and the SMB protocol.

SCF stands for Shell Command File and is a file format that supports a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop. The "Show Desktop" shortcut we all use on a daily basis is an SCF file.

Just like LNK files (shortcuts), SCF files, when stored on disk, will retrieve an icon file when the user loads the file in a Windows Explorer window. For many years, LNK files were allowed to store the location of their icon file inside a DLL or at a URL. After the Equation Group (cough, NSA, cough) used the ability to load malicious code via LNK files in the Stuxnet attacks, Microsoft patched LNK files to load their icons only from local resources. The same fix was not applied to SCF files, which were not covered by that patch, so the icon of an SCF file can still be loaded from the Internet.

When the user has navigated to a folder containing a malicious SCF file, in milliseconds, the OS will read the SCF file and give away the user's credentials in the form of an NTLMv2, NTLMv1, or LM password hash. Many open-source tools can crack these types of password hashes.

This wouldn't be a problem if users did not have malicious SCF files on their computers. Here is where Google Chrome comes in: in its default configuration, Chrome will automatically download files that it deems safe without prompting the user, and this is the case for SCF files.

As a way to mitigate these types of attacks, you can change the default behaviour in Settings -> Show advanced settings -> Ask where to save each file before downloading. More advanced protection measures include blocking outbound SMB requests via firewalls, so local computers can't query remote SMB servers.
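A defender-side complement to the mitigations above is to sweep a download folder or file share for SCF files whose icon would be fetched from a remote host. The following is an added example, not code from the article; it assumes the INI-style SCF layout with a `[Shell]` section and an `IconFile` key (the layout of the stock "Show Desktop" file), and the two sample bodies are constructed for the demonstration.

```python
import re
from pathlib import Path

# Constructed sample SCF bodies (not taken from the article). The first is the
# stock "Show Desktop" layout, whose icon comes from a local binary; the second
# points IconFile at a UNC path, the pattern that makes Explorer open an
# outbound SMB connection just to render the icon.
SAMPLE_LOCAL = (
    "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)
SAMPLE_REMOTE = (
    "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)

# A UNC path (\\host\...), a forward-slash UNC variant, or any URL scheme
# means the icon is resolved off-box rather than from a local resource.
REMOTE_ICON = re.compile(r"^\s*(\\\\|//|[a-z][a-z0-9+.-]*://)", re.IGNORECASE)


def parse_scf(text: str) -> dict:
    """Parse an INI-style SCF body into {section: {key: value}}, lower-casing names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def icon_is_remote(text: str) -> bool:
    """True when the [Shell] IconFile value would be fetched from a remote host."""
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    return bool(REMOTE_ICON.match(icon))


def scan_directory(root: str) -> list:
    """Return the paths of *.scf files under root whose icon resolves remotely."""
    hits = []
    for path in Path(root).rglob("*.scf"):
        try:
            if icon_is_remote(path.read_text(errors="ignore")):
                hits.append(str(path))
        except OSError:
            pass  # unreadable file: skip it rather than abort the sweep
    return hits
```

Run `scan_directory` against a user's Downloads folder to list files worth quarantining before anyone browses that folder in Explorer.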