Added: Monty Lattimer - Date: 26.12.2021 05:33 - Views: 46002 - Clicks: 1891
Our cybersecurity antennae always start vibrating when we see warnings about attacks that involve a new type of file. By default, Windows suppresses filename extensions, which are the all-important characters that follow the last dot in a filename, such as the. Annoyingly, Windows itself very often uses extensions to decide what to do when you click on a file — for example, whether to view it harmlessly or to execute it riskily. In real life, those are. Who knew? Very loosely speaking, Windows Themes are just INI-style text files that specify various settings for background colours, wallpapers, and visual effects.
Admittedly, just loading untrusted image files, such as the Wallpaper file specified above, can theoretically be dangerous. In practice, however, that type of vulnerability is rare these days. Those that are found are either quickly patched or jealously guarded, and can usually be triggered by delivering a booby-trapped image directly to your computer in a web or an rather than relying on a Theme file to reference them indirectly. The danger posed by booby-trapped Themes is therefore both small and manageable, giving. Despite their generally low direct risk. But some recent digging by a security researcher going by bohops revealed that Themes are open to abuse by cybercriminals after all, albeit in an indirect way: to phish for passwords rather than directly to implant malware on your computer.
When a user activates the theme file e. In the animation above, you can see how double-clicking a. Here, however, we have redacted the site name and replaced it with a special-use domain name, as detailed in RFC and RFC. We urge you to follow these RFCs in your own cybersecurity articles and documentation. By sticking to IP addresses and domain names that are realistic but will never be allocated in real life, you avoid the risk that someone might blindly copy and paste your examples into one of their own tests and subject some innocent third party to an inadvertent, annoying and possibly even dangerous attack.
The trick he figured out was simple but surprisingly effective: point the Theme file at a web server you control, configure your website to require authentication, and see if the Windows computer will supply you with a password. We did that by mocking up a web server of our own in a few lines of Lua so we could track how the Settings app behaved. The client responds to a Must authenticate reply (an HTTP 401) by collecting your username and password somehow, combining them into a text string with a colon (:) between, encoding them using Base64, and including the result in its next attempt to fetch the file.
The Settings app will even connect to a non-HTTPS site to fetch Theme files (we tried it to see), though it will warn you not to put in your password due to the lack of encryption. As bohops and others have pointed out, you can use a Windows UNC path instead of a website name in a Theme file, which tells Windows to use its file-based networking instead of a regular HTTP connection to retrieve the file.
But you can put an internet domain name or an IP address into a Windows UNC name, and Windows will automatically trigger its built-in WebDAV client to fetch the file, instead of using its own networking protocols. This would make it more likely that a rogue Theme file could trick you into putting in your regular Windows username and password, although NTLM authentication uses a challenge-response hashing system, which means the plaintext of your password would not be revealed as it was above when we forced HTTP Basic authentication. An attacker using the UNC approach would therefore have to collect a hash of your password and crack it, which is somewhere between very difficult and impossible if you have chosen wisely.
Nevertheless, cybercriminals might be able to recover a poorly chosen password if they have plenty of computer power to throw at the cracking task, which can be done offline. This ultimately reveals a hashed version of your Windows password that can be attacked, and possibly cracked if the attacker is lucky. However, in the tests where we double-clicked on Theme files that specified a remote UNC resource, we were not able to provoke Settings into attempting authentication at all, let alone revealing a Windows password hash.
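As an added illustration (not the article's own Lua mock-up, nor bohops' code), the Python scanner below parses a Theme file and reports every value that would make the Settings app reach out to a remote host when the Theme is applied: plain-HTTP or HTTPS URLs, and UNC paths with an Internet-style host (the WebDAV case described above). The sample Theme text and the host names in it are constructed for this example; the check is the kind a defender would run before importing a Theme from an untrusted source.

```python
import configparser
import re

# Constructed sample Theme file for this illustration (not the article's own sample):
# one wallpaper entry points at a plain-HTTP web server, the slideshow entry at a UNC
# path with an Internet-style host, and the remaining values are ordinary local paths.
SAMPLE_THEME = r"""
[Theme]
DisplayName=Example Theme
BrandImage=%SystemRoot%\Resources\Themes\brand.png

[Control Panel\Desktop]
Wallpaper=http://theme-server.example.com/wallpaper.jpg
TileWallpaper=0
WallpaperStyle=10

[Slideshow]
ImagesRootPath=\\203.0.113.10\share\slides
"""

URL_RE = re.compile(r"^(https?)://([^/\\:]+)", re.IGNORECASE)
UNC_RE = re.compile(r"^\\\\([^\\]+)")


def classify(value):
    """Classify one resource reference as (kind, host), kind in http/https/unc/local."""
    value = value.strip()
    m = URL_RE.match(value)
    if m:
        return m.group(1).lower(), m.group(2)
    m = UNC_RE.match(value)
    if m:
        return "unc", m.group(1)
    return "local", None


def find_remote_refs(theme_text):
    """Parse INI-style Theme text; return (section, key, kind, host) for every value
    that would make Windows reach out to a remote host when the Theme is applied."""
    # interpolation=None: Theme files use %SystemRoot%-style variables, which would
    # otherwise trip configparser's '%' handling; strict=False tolerates duplicate keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key names exactly as written in the file
    parser.read_string(theme_text)
    return [(section, key, kind, host)
            for section in parser.sections()
            for key, value in parser.items(section)
            for kind, host in [classify(value)]
            if kind != "local"]
```

Any hit is worth a manual look: a Theme from a trusted source normally references only local files under %SystemRoot% or the user's profile.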
After 19 attempts to locate the nowwithwebdav.

Great article.
I thought incorrectly? For an expert user, you can probably just open the theme file in your favorite text editor and look at the contents before trying to install it. You could, if you wished, change the file association of. When I use Windows for work I like to change extensions such as. Backing off on ease of use a tiny bit can do you a LOT of favours. The Twitter post you mention seems merely to be pondering whether a folder shortcut file could be misused presumably to disguise the destination?
Blindly blocking any use of that CLSID is therefore [a] not an option because it would break folder shortcuts [b] irrelevant to managing the risk posed by. Useful to know who will plug in a USB for instance. First of all, great write-up on the exploit of Windows theme files. I can remember similar techniques being reported for Zoom where attackers sent a link using a UNC path to intercept the NTLMv2 challenge-response hashes of victims and it also leveraged SMB in the process. I know some organizations either have SMB disabled, or prevent outbound traffic over from leaving the network via firewall.
Could something like that be in scope here?

Thanks for your kind words. I appreciate it. Thanks, glad you enjoyed it. Hey guys, first of all, great write-up on the exploit of Windows theme files. You have to save them as docm.
Macros are deactivated if you open the file with the ending docx. But on a default Windows setup, the ending. What do you think?
Serious Security: Hacking Windows passwords via your wallpaper