Windows login field

Microsoft has patched only recent versions Windows against a dangerous hack that could allow attackers to steal Windows NTLM password hashes without any user interaction.

The hack is easy to carry out and doesn't involve advanced technical skills to pull off. All the attacker needs to do is to place a malicious SCF file inside publicly accessible Windows folders.

Once the file has been placed inside the folder, it executes due to a mysterious bug, collects the target's NTLM password hash, and sends it to an attacker-configured server. Using publicly available software, an attacker could crack the NTLM password hash and later gain access to the user's computer.

Such a hack would allow an attacker that has a direct connection to a victim's network to escalate access to nearby systems.

Not all computers with shared folders are vulnerable

Computers with shared folders protected by a password are safe. Since this is the default option in Windows, most users aren't vulnerable to this attack.

Nonetheless, users in enterprise environments, schools, and other public networks often share folders without a password due to convenience, leaving many systems open for attacks.

Sharing options

Patches available only to Windows 10 and Server 2016

The hack was discovered by Columbian security researcher Juan Diego, who reported the issue to Microsoft in April.

Microsoft patched the attack vector in this month's Patch Tuesday via the ADV170014 security advisory. The patch is only for Windows 10 and Windows Server 2016 users.

Older Windows versions remain vulnerable to this attack because the registry modifications are not compatible with older versions of the Windows Firewall.

Attack root vulnerability is a mystery

Speaking to Bleeping Computer, Diego says ADV170014 blocks the hack he discovered, but he can't explain why the hack was possible in the first place.

The attack works through a malicious SCF file. SCF stands for Shell Command File and is a file format that supports a very limited set of Windows Explorer commands, such as opening a Windows Explorer window or showing the Desktop. The "Show Desktop" shortcut we all use on a daily basis is an SCF file.

"The attacker only needs to upload the SCF file to the vulnerable folder," Diego told Bleeping Computer via email, highlighting that no user interaction is needed.

Previous attacks that involved SCF files executed only when the victim accessed the folder. This time around, as Diego discovered, the malicious commands contained inside the SCF file run right after the attacker uploads the SCF file inside the shared folder, without needing to wait for the user to view that file's content.

Why this happens is a mystery to Diego. "This [attack] is automatic. The underlying issue triggering this is still unknown to me," Diego said, "[Microsoft] has been very secretive about that."

Microsoft patch tries to address pass-the-hash attacks

The patch Microsoft delivered doesn't actually fix the SCF automatic execution Diego wasn't able to explain but attempts to patch a two-decades-old attack known as pass-the-hash, the automatic sharing of NTLM hashes with servers located outside of the user's network, a technique Diego also employed in his hack.

The issue is an old one, and often used in many types of Windows hacks. Just this spring a pass-the-hash attack combined Chrome and SCF files to steal user credentials, while other recent on pass-the-hash attacks were published in 2016 and 2015.

The patch that Microsoft delivered prevents attackers from tricking local users to authenticating on servers situated outside the local network.

While Diego has reported his attack to Microsoft, it was German researcher Stefan Kanthak who got an acknowledgment from Microsoft for the fixed issue, as he too reported similar bugs in March 2017.

"Microsoft did (as every so often) a POOR job, the updates published this month close only 2 of the 6 distinct weaknesses I reported," Kanthak told Bleeping via email, hinting that more ways to exploit pass-the-hash attacks exist.

"I'm currently working on another way to exploit this vulnerability," Diego also said, echoing Kanthak's assessment that Microsoft is nowhere close to patching this long-lasting security hole.

While ADV170014 is an optional patch, installing this update is highly recommended, especially since it was confirmed to block Diego's dangerous hack, and most likely other pass-the-hash attempts. A walkthrough of Diego's pass-the-hash variation attack is available on his blog.