Windows 10 Themes Can Be Abused To Steal Windows Passwords (bleepingcomputer.com) 37
AmiMoJo writes: Specially crafted Windows 10 themes and theme packs can be used in 'Pass-the-Hash' attacks to steal Windows account credentials from unsuspecting users. Windows allows users to create custom themes that contain customized colors, sounds, mouse cursors, and the wallpaper that the operating system will use. Windows users can then switch between different themes as desired to change the appearance of the operating system. A theme's settings are saved under the %AppData%\Microsoft\Windows\Themes folder as a file with a .theme extension, such as 'Custom Dark.theme.' Windows themes can then be shared with other users by right-clicking on an active theme and selecting 'Save theme for sharing,' which will package the theme into a '.deskthemepack' file. These desktop theme packs can then be shared via email or as downloads on websites, and installed by double-clicking them.
This weekend security researcher Jimmy Bayne (@bohops) revealed that specially crafted Windows themes could be used to perform Pass-the-Hash attacks. Pass-the-Hash attacks are used to steal Windows login names and password hashes by tricking a user into accessing a remote SMB share that requires authentication. When trying to access the remote resource, Windows will automatically try to log in to the remote system by sending the Windows user's login name and an NTLM hash of their password. In a Pass-the-Hash attack, the sent credentials are harvested by the attackers, who then attempt to dehash the password to access the visitors' login name and password.
Does it get more amateurish than this? (Score:5, Insightful)
No surprise all that computer stuff is so insecure when the undisputed market leader does not even get basic things right...
Re: (Score:3)
Chains are only as strong as their weakest links, and an operating system has more chains on it than a slave galley. The more complicated and elaborate an OS gets, the more likely you'll find faults in it.
Of course this is not a new problem: https://i.imgur.com/BULPmCI.gi... [imgur.com]
Re: (Score:2)
Indeed. And yet you can do this much, much better than MS. The only thing MS would really need to do is accept that they do not have what it takes to write a good OS and put a Linux or xBSD base below a "Windows" window manager.
Re: (Score:2)
They have a "certification" process for themes in place. You are supposed to use legitimate themes with a proper certification, from their app store, for example. The fact that people go and install potentially malicious themes from untrusted sources is not really the OS's fault. I mean, it's as stupid as running a malicious EXE.
Re: (Score:3)
They have a "certification" process for themes in place. You are supposed to use legitimate themes with a proper certification, from their app store, for example. The fact that people go and install potentially malicious themes from untrusted sources is not really the OS's fault. I mean, it's as stupid as running a malicious EXE.
Nope. The problem is that nobody sane suspects a frigging _theme_ can compromise their system. Like nobody sane suspects a text document (well "word" document in the deranged MS world) can do it either.
Re: (Score:2)
I don't care. My system should never pass authentication credentials to an "untrusted" system without asking my permission-- and untrusted is anything not whitelisted by my DC, anything outside my current network profile, or any server I've never connected to.
Re: (Score:2)
Re: (Score:2)
Pretty much so, yes.
Re: (Score:2)
And some Apple, Microsoft and Trump fanboy seems to have endless mod points and mods as troll anybody who dares criticise their idol. Sort it out Slashdot, change the algorithm so that anyone who excessively mods as troll gets mod points less and less often. It's getting silly.
And this is indeed a really dumb vulnerability where simply put windows just dishes out your password like free candy on Halloween. I always disable windows sharing/networking because I felt MS would muck up the security again, and now
Bad reporting - you pass the hash. Easy anyway (Score:5, Insightful)
The summary is, shall we say, not great.
First, it mentions "pass the hash". In a pass the hash attack, you simply pass the hash along. No need to "dehash" it. Clients send the hash of their password to the server. Since that's what is sent to the server, effectively the hash IS the password. No need to "dehash" it, just send the same hash along and you've got access. An oversight in the design of Windows security makes that work. (A better way, well publicized decades ago, is for the server to send a challenge, then the client sends the hash of challenge+password).
Suppose an attacker does want to find the password from a hash. No problem with Windows hashes. I can try a few billion passwords per second. Get a list of the top million passwords and check them all pretty much instantly, because Windows uses a hashing algorithm that can be run very, very quickly. An attacker can check all possible 8-character passwords over the course of several days, or faster if they devote some disk space to a rainbow table.
Other systems use something like bcrypt() for salted password hashes. Those can't be tried billions of times per second. They are much safer.
To protect yourself, use a long passphrase, at least 12 characters. The characters should be unpredictable, of course, not 123456790abc.
On Linux you might want to confirm the system is using a strong hash:
authconfig --passalgo=sha512 --update
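The authconfig command above only applies to Red Hat-style systems. As an added example (not from the post or from any of the tools it mentions), the following script reviews a few constructed /etc/shadow lines and flags accounts whose stored hash uses a legacy scheme (DES crypt, md5-crypt) or no password at all, using the standard crypt(3) identifiers; on a real host you would feed it the contents of /etc/shadow read as root.

```python
"""Audit /etc/shadow password fields for weak or missing hashing schemes.

The shadow lines below are constructed sample data, not taken from any
real system.  Hash bodies are shortened to '....' since only the scheme
identifier matters for this check.
"""
import re

# crypt(3) scheme identifiers ($id$...) and how this audit rates them
SCHEMES = {
    "1":  ("md5-crypt", "weak"),          # fast, unsalted-enough for GPUs
    "5":  ("sha256-crypt", "acceptable"),
    "6":  ("sha512-crypt", "acceptable"), # what the authconfig line selects
    "2a": ("bcrypt", "strong"),
    "2b": ("bcrypt", "strong"),
    "2y": ("bcrypt", "strong"),
    "7":  ("scrypt", "strong"),
    "y":  ("yescrypt", "strong"),
}

# Constructed sample: one account per interesting case.
SAMPLE_SHADOW = """\
root:$6$rounds=5000$saltsalt$....:18900:0:99999:7:::
alice:$y$j9T$....:18900:0:99999:7:::
bob:$1$abcdefgh$....:18900:0:99999:7:::
legacy:Ab1cD2eF3gH4i:18900:0:99999:7:::
svc:*:18900:0:99999:7:::
guest:!:18900:0:99999:7:::
carol::18900:0:99999:7:::
"""


def classify_hash(field):
    """Return (scheme, rating) for one shadow password field."""
    if field == "":
        return ("none", "critical")          # empty field: login without a password
    if field.startswith(("!", "*")):
        return ("locked", "ok")              # disabled / no password login possible
    if field.startswith("$"):
        scheme_id = field.split("$")[1]      # ['', id, salt, hash] -> id
        return SCHEMES.get(scheme_id, ("unknown-" + scheme_id, "review"))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return ("des-crypt", "weak")         # traditional 13-char DES crypt
    return ("unrecognised", "review")


def audit_shadow(text):
    """Yield (user, scheme, rating) for every entry in shadow-format text."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, field = line.split(":", 2)[:2]
        scheme, rating = classify_hash(field)
        findings.append((user, scheme, rating))
    return findings


def weak_accounts(text):
    """Users whose password storage should be fixed before anything else."""
    return [u for u, _, r in audit_shadow(text) if r in ("weak", "critical")]


if __name__ == "__main__":
    for user, scheme, rating in audit_shadow(SAMPLE_SHADOW):
        print(f"{user:8} {scheme:14} {rating}")
    print("needs attention:", weak_accounts(SAMPLE_SHADOW))
```

Note that the rating covers only the scheme, not the salt or the rounds parameter; a sha512-crypt entry with the default 5000 rounds is still far slower to guess against than the unsalted hashes the post is complaining about, but bcrypt, scrypt or yescrypt with a tuned cost factor is the better target.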
Re:Bad reporting - you pass the hash. Easy anyway (Score:4, Insightful)
Why don't systems impose a small delay of even a few seconds if a password is wrong? Those billions of guesses per second suddenly slow to a crawl and it becomes "Until the heat death of the universe".
Because I'm using MY system to crack it (Score:4)
Your password hash is some bits that look like this in hex:
kNS:338d08f8e26de93300000000000000000000000000000000:9526fb8c23a90751cdd619b6cea564742e1e4bf33006ba41:cb8086049ec4736c
Once I get your hash from your system, or from the network, I can copy-paste it to a system I control, maybe a GPU instance on AWS. My OS doesn't know this is password related, it's just running some random application (John the ripper).
Once my system finds your password, based on your hash, I then use your actual password on your network.
Re: (Score:2)
I am totally confused by this. NTLM *IS* a challenge-response. The hash should therefore be different every time and completely useless. It should not be sending the same hash that is used locally, it should be passing the hash that was calculated in response to the server's challenge. What am I missing here?
Re: (Score:3)
You're right that the current version protocol has a reasonable challenge at one part of the protocol. (But it's still vulnerable to pass the hash).
There are different versions of NTLM and unfortunately Microsoft leaves old protocols enabled after they are quite long in the tooth. So that's one issue.
The other issue is that even the current protocol uses a challenge only for initial authentication when you first login - after that each request is "protected" only by the same repeated hash, which is stored
Re: (Score:2)
Okay, so with regards to this attack, this is not a "pass the hash" attack. They really are using it to get the account to do a challenge-response against the attacker's server, get a hash, and try to reverse that hash to get a password. The hash is not useful to authenticate against anything other than against that attacker's own server.
Re: (Score:2)
I think that's where the summary is a bit confused.
The main takeaway from the article, as I see it, is that themes can be used to get the hash.
Once the attacker has the hash, they can either pass the hash, or attempt to reverse it. What you do with the hash after getting it is separate from the technique used to get the hash, in this case a shared theme.
Re: (Score:2)
In my experience that is often caused by overzealous IT admins that demand you change your password all the time. Personally I've been rotating through a series of obscure words for years at work, and my boss at a previous job got on my case for changing my password from companyname-number to one of these obscure words. After an incident involving a security breach the tech-illiterate CEO demanded the whole uppercase-lowercase-number-special-character-new-password-every-fortnight placebo even though the sec
You in the habit of installing themes sent anon? (Score:2)
Re: (Score:2)
No, but I have installed many themes I downloaded from some website, for various applications over the years. These days I generally like to keep things vanilla, but I used to install a lot of eye candy BS. I could have easily picked up a malicious theme back when.
Re: (Score:1)
Re: (Score:2)
Part of stock X-Window System. "xeyes"
Re: (Score:2)
I've never once had to install a picture from a web page. Neither has 'many'.
So you agree.
Alternative to sending the hash (Score:1)
The SMB server should send some data to the client to encrypt using the password hash as symmetrical key, all over a secured connection (diffie hellman + AES).
If the data decrypts correctly, the client is all good.
Wait, no because the password hash can't be assumed to not be public...
I'm not a cryptographer, but this problem seems not to be straightforward.
Comment removed (Score:3, Informative)
Re: (Score:2)
All locks can be bypassed, so who cares about locking your front door?
People who understand security know that defence in depth is what matters.
Clarification (Score:2)
Incorrect definition regarding Pass-the-Hash (Score:5, Informative)
In a Pass-the-Hash attack, the sent credentials are harvested by the attackers, who then attempt to dehash the password to access the visitors' login name and password.
No... What the original post just described is NOT PtH but a cracking attack; basically capturing and trying to break the hash.
In a pass the hash attack the attacker discovers the hash, and then due to a weakness in the protocol is able to pass the hash in order to authenticate without knowing what the actual password is that was hashed - - E.g. the Hash itself is good enough to authenticate, because various Windows protocols had weak authentication and sent a Hash over the network instead of the hash... Then knowing the Hash is as good as knowing the password for authentication.. That is the definition of Pass-the-Hash, and NOT the same as "Capture and crack" the hash.
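The distinction drawn in this comment, in the "Bad reporting" post and in the NTLM challenge-response exchange further up is easy to see in code. The toy verifier below is an added example, not the real NTLM algorithm and not code from anyone in the thread: it uses HMAC-SHA-256 over a constructed password, stores only the hash on the server side, and runs three scenarios. Sending the bare hash is replayable; adding a challenge stops replay of a captured response; but because the response is keyed by the stored hash, anyone holding that hash (without the password) still authenticates, which is pass-the-hash. The last function shows what a harvested challenge/response pair is actually good for: checking guesses offline, the "capture and crack" case the parent describes.

```python
"""Toy illustration of replay, challenge-response, pass-the-hash and
capture-and-crack.  HMAC-SHA-256 stands in for the NTLM primitives; the
password below is a constructed example, not a real credential."""
import hashlib
import hmac
import secrets

PASSWORD = "hunter2"  # constructed example password


def password_hash(password):
    """Fast unsalted hash: the stored 'password equivalent'."""
    return hashlib.sha256(password.encode()).digest()


def client_response(challenge, key_hash):
    """Challenge-response client side: MAC of the nonce keyed by the hash."""
    return hmac.new(key_hash, challenge, hashlib.sha256).digest()


class Server:
    """Verifier that, like a Windows host, stores only the hash."""

    def __init__(self, password):
        self.stored = password_hash(password)
        self.challenge = None

    def verify_plain(self, sent_hash):
        """Scheme A: client sends H(pw) directly, no challenge."""
        return hmac.compare_digest(sent_hash, self.stored)

    def new_challenge(self):
        """Scheme B: fresh random nonce per login attempt."""
        self.challenge = secrets.token_bytes(8)
        return self.challenge

    def verify_response(self, response):
        expected = client_response(self.challenge, self.stored)
        return hmac.compare_digest(response, expected)


def replay_plain_hash():
    """Scheme A: a hash seen once on the wire authenticates forever."""
    server = Server(PASSWORD)
    sniffed = password_hash(PASSWORD)        # eavesdropper's capture
    return server.verify_plain(sniffed)      # True


def replay_captured_response():
    """Scheme B: a captured response fails against the next challenge."""
    server = Server(PASSWORD)
    c1 = server.new_challenge()
    captured = client_response(c1, password_hash(PASSWORD))
    assert server.verify_response(captured)  # the legitimate login works
    server.new_challenge()                   # new session, new nonce
    return server.verify_response(captured)  # False


def pass_the_hash():
    """Scheme B is still PtH: H(pw) alone, without pw, yields a valid response."""
    server = Server(PASSWORD)
    stolen_hash = password_hash(PASSWORD)    # e.g. dumped from a compromised host
    c = server.new_challenge()
    return server.verify_response(client_response(c, stolen_hash))  # True


def capture_and_crack(candidates):
    """A harvested challenge/response pair only lets the holder test guesses
    offline.  Returns the matching candidate, or None if no guess fits."""
    server = Server(PASSWORD)
    c = server.new_challenge()
    observed = client_response(c, password_hash(PASSWORD))  # pair seen on the wire
    for guess in candidates:
        if hmac.compare_digest(client_response(c, password_hash(guess)), observed):
            return guess
    return None


if __name__ == "__main__":
    print("replay of bare hash succeeds:      ", replay_plain_hash())
    print("replay of old response succeeds:   ", replay_captured_response())
    print("response from stolen hash succeeds:", pass_the_hash())
    print("offline guess matched:             ", capture_and_crack(["password", "hunter2"]))
```

The point for defenders is in the last two functions: a challenge protects against wire replay but not against a stolen hash, and a captured pair is worth exactly as much as the password is guessable, which is why the hashing speed and passphrase length arguments earlier in the thread matter even when the protocol has a nonce.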
Not NTLM relay, or even NTLM hash harvesting (Score:1)
Disabling NTLM won't help this issue, but blocking those filetypes at the email gateway and firewall would be prudent as a
If you... (Score:2)
Nothing new. Just stop adding all sorts of junk to your computer.
Re: If you... (Score:2)
Indeed. If you need to be reminded about that, you must be new here.