{"id":62344,"date":"2020-09-08T16:38:00","date_gmt":"2020-09-08T13:38:00","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/reportedly-custom-themes-can-be-used-to-steal-windows-10-user-credentials\/"},"modified":"2020-09-08T16:38:00","modified_gmt":"2020-09-08T13:38:00","slug":"reportedly-custom-themes-can-be-used-to-steal-windows-10-user-credentials","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/reportedly-custom-themes-can-be-used-to-steal-windows-10-user-credentials\/","title":{"rendered":"#Reportedly, custom themes can be used to steal Windows 10 user credentials"},"content":{"rendered":"<p>&#8220;<strong>#Reportedly, custom themes can be used to steal Windows 10 user credentials<\/strong>&#8221;<\/p>\n<article id=\"post-31129\" target=\"_blank\">\n<div><p>A new finding by security researcher Jimmy Bayne, who revealed it on Twitter, discloses a vulnerability in Windows 10\u2019s themes engine that can be used to steal users&#8217; credentials. A specially crafted theme file, when opened, redirects users to a page that prompts them to enter their credentials.<\/p>\n<div><p>As you may already know, Windows allows sharing themes from Settings. This is done by opening Settings > Personalization > Themes and selecting &#8220;<code>Save theme for sharing<\/code>&#8221; from the menu. This creates a new <code>*.deskthemepack<\/code> file that the user can upload to the Internet, send via email, or share with others in a variety of ways. Other users can download such a file and install it with one click.<\/p>\n<p>An attacker can similarly create a \u2018.theme\u2019 file wherein the default wallpaper setting points to a website that requires authentication. 
When unsuspecting users enter their credentials, an NTLM hash of the details is sent to the site for authentication. Weak passwords can then be recovered from that hash with password-cracking software.<\/p>\n<p><img decoding=\"async\" alt=\"Windows 10 Theme Vulnerability\" height=\"326\" loading=\"lazy\" src=\"https:\/\/winaero.com\/blog\/wp-content\/uploads\/2020\/09\/Windows-10-theme-vulnerability.png\" width=\"624\"><\/img><\/p>\n<blockquote>\n<p>[Credential Harvesting Trick] Using a Windows .theme file, the Wallpaper key can be configured to point to a remote auth-required http\/s resource. When a user activates the theme file (e.g. opened from a link\/attachment), a Windows cred prompt is displayed to the user.<\/p>\n<\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"What_are_theme_files\"><\/span>What are *.theme files?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Technically, *.theme files are *.ini files made up of a number of sections; Windows reads them and changes the appearance of the OS according to the instructions it finds. The theme file specifies the accent color, the wallpapers to apply, and a few other options.<\/p>\n<p>One of its sections looks as follows.<\/p>\n<pre dir=\"ltr\" lang=\"en\"><code>[Control Panel\\Desktop]<\/code>\n<code>Wallpaper=%WinDir%\\web\\wallpaper\\Windows\\img0.jpg<\/code><\/pre>\n<\/div>\n<p>It specifies the default wallpaper applied when the user installs the theme. Instead of a local path, the researcher points out, it can be set to a remote resource, which is what makes the user enter their credentials.<\/p>\n<p><img decoding=\"async\" alt=\"Malformed Theme File\" height=\"462\" loading=\"lazy\" src=\"https:\/\/winaero.com\/blog\/wp-content\/uploads\/2020\/09\/Malformed-Theme-file.png\" width=\"446\"><\/img><\/p>\n<div>\n<p>The wallpaper key is located under the &#8220;Control Panel\\Desktop&#8221; section of the .theme file. 
Other keys may be usable in the same manner, and this may also work for NetNTLM hash disclosure when they are set to remote file locations, says Jimmy Bayne.<\/p>\n<p>The researcher also suggests how to mitigate the issue.<\/p>\n<blockquote>\n<p>From a defensive perspective, block\/re-associate\/hunt for &#8220;theme&#8221;, &#8220;themepack&#8221;, &#8220;desktopthemepackfile&#8221; extensions. In browsers, users should be presented with a check before opening. Other CVE vulns have been disclosed in recent years, so it is worth addressing and mitigating.<\/p>\n<\/blockquote>\n<p>Source: Neowin<\/p>\n<\/div>\n<\/div>\n<\/article>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/winaero.com\/blog\/reportedly-custom-themes-can-be-used-to-steal-windows-10-user-credentials\/\" 
target=\"_blank\" rel=\"noopener noreferrer\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#Reportedly, custom themes can be used to steal Windows 10 user credentials&#8221; A new finding by security researcher Jimmy Bayne, who has revealed it on Twitter, discloses a vulnerability in Windows 10\u2019s themes engine that can be used to steal users&#8217; credentials. A special malformed theme, when opened, redirects users to a page that prompts&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[65957,65956,34290],"class_list":["post-62344","post","type-post","status-publish","format-standard","hentry","category-technology","tag-custom-themes-can-be-used-to-steal-windows-10-user-credentials","tag-reportedly","tag-windows-10"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/62344","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=62344"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/62344\/revisions"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=62344"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=62344"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=62344"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}