Windows-10-theme-vulnerability

Reportedly, custom themes can be used to steal Windows 10 user credentials

As you may already know, Windows allows sharing themes from Settings. Open Settings > Personalization > Themes and select "Save theme for sharing" from the menu. This creates a new *.deskthemepack file that the user can upload to the Internet, send by email, or share through any number of other channels. Other users can download such a file and install it with one click.

An attacker can likewise craft a '.theme' file whose wallpaper setting points to a website that requires authentication. When unsuspecting users enter their credentials, an NTLM hash of those credentials is sent to the site for authentication. Weak passwords can then be recovered from the hash with password-cracking software.

Windows 10 Theme Vulnerability

[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http/s resource. When a user activates the theme file (e.g. opened from a link/attachment), a Windows cred prompt is displayed to the user.

What are *.theme files?

Technically, *.theme files are *.ini files made up of a number of sections that Windows reads and applies, changing the appearance of the OS according to the instructions it finds there. The theme file specifies the accent color, the wallpapers to apply, and a few other options.

One of its sections looks as follows.

[Control Panel\Desktop]
Wallpaper=%WinDir%\web\wallpaper\Windows\img0.jpg
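A defender-side check for the format described above, added here as an example and not taken from the original post: it parses a .theme file as INI (interpolation disabled so %WinDir% survives) and flags any value, the Wallpaper key included, that points to an http(s) URL or a UNC path rather than a local file. The two sample theme bodies are constructed, and placeholder.invalid is a placeholder host.

```python
import configparser
import re
from typing import List

# Constructed sample .theme contents (not from the original page).
SAFE_THEME = """
[Theme]
DisplayName=Local theme

[Control Panel\\Desktop]
Wallpaper=%WinDir%\\web\\wallpaper\\Windows\\img0.jpg
"""

REMOTE_THEME = """
[Theme]
DisplayName=Suspicious theme

[Control Panel\\Desktop]
Wallpaper=http://placeholder.invalid/wallpaper.jpg
"""

# Values that make Windows reach off-host when the theme is applied:
# http(s) URLs and UNC paths (\\server\share\...).
REMOTE_RE = re.compile(r"^\s*(https?://|\\\\)", re.IGNORECASE)


def parse_theme(text: str) -> configparser.ConfigParser:
    """Parse .theme text as INI. Interpolation is disabled because values
    such as %WinDir% would otherwise be treated as format directives."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def find_remote_references(text: str) -> List[str]:
    """Return 'section/key=value' for every value that points off-host.
    Keys are normalised to lower case by configparser, so 'Wallpaper'
    is reported as 'wallpaper'."""
    parser = parse_theme(text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if REMOTE_RE.match(value):
                findings.append(f"{section}/{key}={value.strip()}")
    return findings


def scan_theme_file(path: str) -> List[str]:
    """Scan a .theme file on disk. Windows often writes these as UTF-16
    with a BOM, so the BOM decides the decoding; otherwise assume UTF-8."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("utf-8-sig")
    return find_remote_references(text)
```

An empty result means every resource the theme references is a local path; anything returned is worth a look before the theme is applied.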
