
Reportedly, custom themes can be used to steal Windows 10 user credentials

A new finding by security researcher Jimmy Bayne, disclosed on Twitter, describes a vulnerability in Windows 10’s themes engine that can be used to steal users' credentials. A specially crafted theme, when opened, redirects the user to a resource that prompts for credentials.


As you may already know, Windows allows sharing themes from Settings. Open Settings > Personalization > Themes and select "Save theme for sharing" from the menu. This creates a new *.deskthemepack file that the user can upload to the Internet, send via email, or share by other means. Other users can download such files and install them with one click.

An attacker can similarly create a ‘.theme’ file in which the default wallpaper setting points to a website that requires authentication. When an unsuspecting user enters their credentials, an NTLM hash of them is sent to the site for authentication. Weak passwords can then be recovered from that hash with password-cracking software.

Windows 10 Theme Vulnerability

[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user.

What are *.theme files?

Technically, *.theme files are *.ini files made up of a number of sections; Windows reads them and changes the appearance of the OS according to the instructions it finds. The theme file specifies the accent color, the wallpapers to apply, and a few other options.

One of its sections looks as follows.

[Control Panel\Desktop]
Wallpaper=%WinDir%\web\wallpaper\Windows\img0.jpg

It specifies the default wallpaper applied when the user installs the theme. Instead of a local path, the researcher points out, it can be set to a remote resource that makes the user enter his credentials.
Malformed Theme File

The Wallpaper key is located under the "Control Panel\Desktop" section of the .theme file. Other keys may possibly be used in the same manner, and this may also work for netNTLM hash disclosure when they are set to remote file locations, says Jimmy Bayne.
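The following scanner is an added example for defenders and is not part of the original article or of the researcher's material. It treats a .theme file as the INI document described above (using Python's configparser, an assumption about tooling) and reports every key, not only Wallpaper, whose value points at an http/https URL or a UNC path, which is where a credential prompt or a netNTLM exchange could originate. The theme contents, the hostname and the server name in the samples are constructed for the example.

```python
"""Hunt for .theme / .themepack content whose keys reference remote resources.

Windows theme files are INI files; a Wallpaper (or other) key whose value is
an http/https URL or a UNC path can trigger a credential prompt or an NTLM
authentication attempt when the theme is applied. This script flags such keys.
"""
import configparser
import re
from typing import List, Tuple

# Extensions the article associates with theme packages (used when hunting on disk).
THEME_EXTENSIONS = (".theme", ".themepack", ".deskthemepack")

# Values a defender treats as remote: URL schemes and UNC paths (\\server\share\...).
REMOTE_PATTERN = re.compile(r"^(?:https?://|\\\\[^\\]+\\)", re.IGNORECASE)

# Constructed sample 1: the stock local wallpaper shown in the article.
BENIGN_THEME = """\
[Theme]
DisplayName=Local Theme

[Control Panel\\Desktop]
Wallpaper=%WinDir%\\web\\wallpaper\\Windows\\img0.jpg
"""

# Constructed sample 2: Wallpaper pointed at a remote web resource (hypothetical host).
WEB_THEME = """\
[Theme]
DisplayName=Shared Theme

[Control Panel\\Desktop]
Wallpaper=https://example.invalid/wallpaper/img0.jpg
"""

# Constructed sample 3: Wallpaper pointed at a UNC path (hypothetical server).
UNC_THEME = """\
[Control Panel\\Desktop]
Wallpaper=\\\\fileserver\\share\\bg.jpg
"""


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse theme content as INI. Interpolation is off so %WinDir% is left alone;
    strict=False tolerates duplicate keys and allow_no_value tolerates bare lines."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    parser.optionxform = str  # keep key names exactly as written
    parser.read_string(text)
    return parser


def find_remote_references(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) for every key whose value is a remote reference.
    All sections and keys are checked, since keys other than Wallpaper might be abused."""
    parser = parse_theme(text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            cleaned = (value or "").strip()
            if REMOTE_PATTERN.match(cleaned):
                hits.append((section, key, cleaned))
    return hits


def is_theme_file(filename: str) -> bool:
    """True if the file name carries one of the theme package extensions."""
    return filename.lower().endswith(THEME_EXTENSIONS)


if __name__ == "__main__":
    samples = (("local.theme", BENIGN_THEME), ("shared.theme", WEB_THEME), ("unc.theme", UNC_THEME))
    for name, content in samples:
        hits = find_remote_references(content)
        print(name, "->", hits if hits else "no remote references")
```

Real theme files saved by Windows may be UTF-16 encoded; decode them to text before passing them to find_remote_references. Matching every key rather than only Wallpaper follows the researcher's remark that other keys may be usable in the same manner.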

The researcher provides a method to mitigate the issue.

From a defensive perspective, block/re-associate/hunt for "theme", "themepack", "desktopthemepackfile" extensions. In browsers, users should be presented with a check before opening. Other CVE vulns have been disclosed in recent years, so it is worth addressing and mitigating.

Source: via



Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.

One thought on “Reportedly, custom themes can be used to steal Windows 10 user credentials”

  1. That’s not a security issue, it’s a user issue. All it says is that themes can access remote resources and that these resources can require credentials. It is the user’s fault for entering the wrong credentials in the box.

    Saying this is a Windows security issue is like saying it’s a Firefox security issue for not detecting when a fake PayPal website is being displayed and telling the user that http://www.fakepaypalsite.com is not actually PayPal.
