A new finding shared on Twitter by security researcher Jimmy Bayne points towards a loophole in Windows 10’s themes settings that can let bad actors steal users’ credentials by creating a specific theme to carry out a ‘Pass-the-Hash’ attack. The ability to install separate themes from other sources lets attackers create malicious themes files that when opened, redirect users to a page that prompts users to enter their credentials.
Windows lets users share themes via the Settings UI by right-clicking on the currently active theme under Personalization > Themes and clicking on “Save theme for sharing”. This creates a ‘.deskthemepack’ file for sharing through email or other sources, which can then be downloaded and installed. Attackers can similarly create a ‘.theme’ file wherein the default wallpaper setting points to a website that requires authentication. When unsuspecting users enter their credentials, an NTLM hash of the details is sent to the site for authentication. Non-complex passwords are then cracked open using special de-hashing software.
[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user 1/4 pic.twitter.com/rgR3a9KP6Q— bohops (@bohops) September 5, 2020
One way that the researcher provided for protecting against such files is by looking for and blocking extensions such as ‘.theme’, ‘.themepack’, and ‘.desktopthemepackfile’. Additionally, BleepingComputer lists a few alternatives via group policy that restricts sending NTLM hashed credentials to remote hosts. However, the publication cautions that doing so could interfere with enterprise setups that require this feature for authentication.
Bayne adds that these findings were disclosed to the Microsoft Security Response Center (MSRC). However, the bug was supposedly not fixed because it was a “feature by design”. It is not clear if the company does plan on fixing the bug post this disclosure, or if it tweaks the file structure for the themes to prevent bad actors from leveraging it to point to sites that require authentication.
Considering that most users are logged into their Microsoft accounts in Windows 10, the theft of the credentials also puts users’ linked data – such as email, OneDrive, and even Azure data – at risk. It is best for users to always enable two-factor authentication as a primary form of account security.