A new finding by security researcher Jimmy Bayne, who has revealed it on Twitter, discloses a vulnerability in Windows 10’s themes engine that can be used to steal users' credentials. A special malformed theme, when opened, redirect users to a page that prompts users to enter their credentials.
Advertisеment
As you may already know, Windows allows sharing themes in Settings. This can be done by opening Settings > Personalization > Themes and then by selecting on "Save theme for sharing
" from the menu. This will create a new *.deskthemepack file
that the user can upload to the Internet, send via email, or can share with others via a variety of methods. Other users can download such files and install it with one click.
An attacker can similarly create a ‘.theme’ file wherein the default wallpaper setting points to a website that requires authentication. When unsuspecting users enter their credentials, an NTLM hash of the details is sent to the site for authentication. Non-complex passwords are then cracked open using special de-hashing software.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user.
What are *.theme files?
Technically, *.theme files are *.ini files which include a number of sections that Windows reads and changes appearance of the OS according to instructions it found. The theme file specifies the accent color, wallpapers to apply, and a few other options.
One of its sections looks as follows.
[Control Panel\Desktop]
Wallpaper=%WinDir%\web\wallpaper\Windows\img0.jpg
The wallpaper key is located under the "Control Panel\Desktop" section of the .theme file. Other keys may possibly be used in the same manner, and this may also work for netNTLM hash disclosure when set for remote file locations, says Jimmy Bayne.
The researcher provides a method to mitigate the issue.
From a defensive perspective, block/re-associate/hunt for "theme", "themepack", "desktopthemepackfile" extensions. In browsers, users should be presented with a check before opening. Other CVE vulns have been disclosed in recent years, so it is worth addressing and mitigating
Source: via
Support us
Winaero greatly relies on your support. You can help the site keep bringing you interesting and useful content and software by using these options:
If you like this article, please share it using the buttons below. It won't take a lot from you, but it will help us grow. Thanks for your support!
Advertisеment
That’s not a security issue, it’s a user issue. All it says is that themes can access remote resources and that these resources can require credentials. It is the user’s fault for entering the wrong credentials in the box.
Saying this is a windows security issue is like saying it’s a Firefox security issue for not detecting when a fake paypal website is being displayed and telling the user that http://www.fakepaypalsite.com is not actually paypal.