Bayne shows possibility of “Pass-the-Hash” attacks via specially crafted .theme files

Jimmy Bayne, a security researcher, revealed this weekend that specially crafted Windows 10 themes can be used for Pass-the-Hash attacks, allowing attackers to steal Windows account credentials from unsuspecting users.

Windows users can create custom themes containing the colors, sounds, mouse cursors and wallpaper that the OS uses, and can switch between themes as they choose. A theme’s settings are saved as a file under the %AppData%\Microsoft\Windows\Themes folder.

Such a file has the .theme extension. Users can also share these themes: when they right-click an active theme and select “Save theme for sharing,” the theme is packaged into a file that can be shared via email or offered as a download on websites.

“Pass-the-Hash” attackers aim to steal Windows login names and password hashes. To do this, they trick people into accessing a remote SMB share that requires authentication. When Windows tries to access the remote resource, it automatically tries to log in to the remote system by sending the Windows username and an NTLM hash of the password.

Attackers harvest these credentials in Pass-the-Hash attacks. They then try to dehash the password to obtain the visitor’s login name and password. Dehashing an easy password takes just 2-4 seconds.

What Bayne discovered is that the attack can be performed with a specially crafted .theme file that changes the desktop wallpaper setting so that it points to a remote authentication-required resource. When Windows tries to access this resource, it automatically tries to log in to the share by sending the logged-in account’s NTLM hash and login name. The attackers can then harvest these credentials and dehash the passwords using special scripts.
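A defender can check a .theme file for this pattern before it is opened. The following is an added example, not code from Bayne or from the original article: it parses the INI-style theme text and reports every setting, the wallpaper included, whose value is a UNC path or URL. The function name, the sample theme and the host name are constructed for illustration.

```python
import configparser
import re
import sys

# A value counts as remote if it starts with a UNC prefix (\\host\share or
# //host/share) or with a URL scheme such as http:// or file://.
REMOTE = re.compile(r'^\s*"?(\\\\|//|[a-z][a-z0-9+.-]+://)', re.IGNORECASE)

# Constructed sample, not a real theme; the host name is a placeholder.
SAMPLE = r"""
[Theme]
DisplayName=Constructed sample

[Control Panel\Desktop]
Wallpaper=\\fileserver.example\share\wall.jpg
TileWallpaper=0

[VisualStyles]
Path=%ResourceDir%\Themes\Aero\Aero.msstyles
"""

def remote_references(theme_text):
    """Return (section, key, value) for each setting that points off-host."""
    parser = configparser.RawConfigParser(
        strict=False, allow_no_value=True,
        delimiters=("=",), comment_prefixes=(";",))
    parser.optionxform = str  # keep key names as written in the file
    parser.read_string(theme_text)
    hits = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if value and REMOTE.match(value):
                hits.append((section, key, value))
    return hits

if __name__ == "__main__":
    # Assumption: files are readable as UTF-8; undecodable bytes are replaced.
    texts = {"<sample>": SAMPLE}
    if sys.argv[1:]:
        texts = {p: open(p, encoding="utf-8", errors="replace").read()
                 for p in sys.argv[1:]}
    for name, text in texts.items():
        for section, key, value in remote_references(text):
            print(f"{name}: [{section}] {key} = {value}")
```

Run with one or more .theme paths as arguments to scan files; with no arguments it scans the constructed sample.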

Bayne’s advice for protecting against malicious theme files is to block or re-associate the .theme, .themepack and .desktopthemepackfile extensions to a different program. However, you should do this only if you do not need to switch to another theme, as doing so will break the Windows 10 theme feature.

To prevent NTLM credentials from being sent to remote hosts, configure the group policy named ‘Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers’ and set it to ‘Deny All.’ Please note that this configuration can cause issues in enterprise environments that use remote shares.