Reportedly, custom themes can be used to steal Windows 10 user credentials

As you may already know, Windows allows sharing themes from Settings. This is done by opening Settings > Personalization > Themes and selecting “Save theme for sharing” from the menu. This creates a new *.deskthemepack file that the user can upload to the Internet, send via email, or share with others by a variety of other means. Other users can download such files and install them with one click.

An attacker can abuse the same mechanism by crafting a ‘.theme’ file whose default wallpaper setting points to a website that requires authentication. When an unsuspecting user enters credentials at the resulting prompt, an NTLM hash of those credentials is sent to the site as part of the authentication exchange. Non-complex passwords can then be recovered from the captured hash with password-cracking software.

Windows 10 Theme Vulnerability

[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user.

What are *.theme files?

Technically, *.theme files are *.ini files made up of a number of sections that Windows reads, changing the appearance of the OS according to the instructions it finds there. The theme file specifies the accent color, the wallpapers to apply, and a few other options.

One of its sections looks as follows.

[Control Panel\Desktop]
Wallpaper=%WinDir%\web\wallpaper\Windows\img0.jpg
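Because a .theme file is plain INI text, the risky case is easy to check for before a file is opened: a defensive scanner can parse the [Control Panel\Desktop] section and flag a Wallpaper value that points off-host (an http/https URL or a UNC path) rather than to a local file. The following is an added example written for this article, not code from the original post or from Microsoft; the two theme bodies and the example.invalid host are constructed for illustration.

```python
import configparser
import re

# Constructed sample theme files (not taken from any real theme pack).
BENIGN_THEME = """\
[Theme]
DisplayName=Sample Theme

[Control Panel\\Desktop]
Wallpaper=%WinDir%\\web\\wallpaper\\Windows\\img0.jpg
TileWallpaper=0
WallpaperStyle=10
"""

SUSPICIOUS_THEME = """\
[Theme]
DisplayName=Free Wallpaper Pack

[Control Panel\\Desktop]
Wallpaper=https://example.invalid/wallpaper/bg.jpg
TileWallpaper=0
WallpaperStyle=10
"""

# Keys in the desktop section whose value Windows fetches as a file.
WATCHED_KEYS = {"wallpaper"}
# Off-host locators: any URL scheme (http://, https://, ...) or a UNC path
# (\\host\share). Drive letters and %WinDir%-style variables count as local.
REMOTE_PATTERN = re.compile(r"^(?:[a-z][a-z0-9+.-]*://|\\\\[^\\])", re.IGNORECASE)

def parse_theme(text):
    """Parse .theme (INI) text. Interpolation is off because values contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, allow_no_value=True, strict=False)
    cp.read_string(text)
    return cp

def find_remote_wallpapers(text):
    """Return (section, key, value) triples whose value points off-host."""
    cp = parse_theme(text)
    findings = []
    for section in cp.sections():
        # configparser keeps section names case-sensitive; normalise ourselves.
        if section.lower() != "control panel\\desktop":
            continue
        for key, value in cp.items(section):  # keys are already lower-cased
            if key in WATCHED_KEYS and value and REMOTE_PATTERN.match(value.strip()):
                findings.append((section, key, value.strip()))
    return findings

def is_suspicious(text):
    """True when the theme would make Windows fetch its wallpaper remotely."""
    return bool(find_remote_wallpapers(text))

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(name, find_remote_wallpapers(body))
```

The same check extends to the other desktop-section keys Windows resolves as files; the watched set is kept to Wallpaper here because that is the key the article describes.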
