Windows remains vulnerable to serious 18-year-old SMB security flaw
A serious security hole leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine. Researchers at Cylance say the problem affects "any Windows PC, tablet or server" (including Windows 10) and is a slight progression of the Redirect to SMB attack discovered by Aaron Spangler way back in 1997.
Redirect to SMB is essentially a man-in-the-middle attack which involves taking control of a network connection. As the name suggests, victims are then redirected to a malicious SMB server which can extract usernames, domains and passwords. Cylance also reports that software from companies such as Adobe, Oracle and Symantec -- including security and antivirus tools -- are affected.
In a blog post, Brian Wallace explains that Cylance has spent the last month and half working with vendors to help fix the problem, but has now decided to make details of the vulnerability public. A technical white paper explains how the original Redirect to SMB attack worked by sending a URL in the form file://184.108.40.206 -- this would cause Windows to connect to a malicious SMB server at 220.127.116.11, attempt to authenticate, and essentially hand over security credentials.
We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.
Cylance found no fewer than four Windows API functions that can be used to redirect a user from an HTTP or HTTPS connection to a malicious SMB server. The forced authentication makes it relatively easy to get hold of usernames and passwords, even if they are held in encrypted form. As well as Windows itself, other programs affected by the problem include AVG Free, Internet Explorer, Windows Media Player, BitDefender Free, TeamViewer, and Github for Windows.
Wallace points out that:
Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.
Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising.
Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.
Although Microsoft is still to release a patch for the security flaw, Cylance suggests a workaround. By blocking outbound traffic from TCP 139 and TCP 445 you can put an obstacle in the way of authentication attempts that originate outside of your network while retaining SMB capabilities within it.