Windows hit by zero-day Redirect to SMB attack

April 14, 2015 | 11:55

Tags: #0day #0-day #cylance #exploit #flaw #insecurity #security #vulnerability #windows #zero-day

Companies: #microsoft

A security flaw stretching back nearly two decades has been discovered to affect all Windows releases, allowing man-in-the-middle attacks which can steal user credentials.

The Redirect to SMB attack has been publicised by security firm Cylance in a blog post which highlights the severity of the problem: 'We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system,' the post by researcher Brian Wallace reads.

The flaw allows an attacker to hijack a web connection, forcing the system to switch from an HTTP or HTTPS link to Server Message Block (SMB) - the file-transfer and user-authentication protocol used in Windows networks. This switch appears invisible to the user, but results in data being transmitted to the attacker which includes the victim's username, domain name and a password hash - the latter of which can be cracked using traditional attack techniques to reveal the underlying password.

Worryingly, the vulnerability affects all versions of the Windows operating system stretching back around two decades. Cylance's research is based on a vulnerability discovered way back in 1997 by Aaron Spangler, who was the first to highlight an issue with Internet Explorer's handling of the file:// URI protocol and its potential to leak account information.

Cylance's variant of the attack isn't limited to Internet Explorer, however: 'Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability,' Wallace warns. Each of those individual software packages - including, embarrassingly, anti-virus and security software - handles file:// protocol links in the same way, forcing the underlying operating system, in which the vulnerability itself lies, to hand over the account information to a remote location. Remote exploitation is trivial: Wallace details the use of a chat client to send a malicious link to a target user, which automatically disclosed account details as the image was loaded by the software without user intervention.

Worryingly, the vulnerability is being made public without a patch from Microsoft to fix the flaw. 'Microsoft did not resolve the issue reported by Aaron Spangler in 1997,' Wallace claims. 'We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.'

A temporary workaround, Wallace suggests, is to block outbound traffic on TCP ports 139 and 445, which prevents SMB traffic from leaking from the internal network. 'If the block is done at the network gateway’s firewall,' Wallace explains, 'SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network.'
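
One way to check that the gateway workaround is actually in force is to audit firewall flow records for SMB connections leaving the internal network. The following is an added example, not code from Cylance or from the original article; the log format, the internal address ranges and every sample record are constructed assumptions.

```python
import ipaddress

# Assumption: the internal address plan; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # the TCP ports named in the workaround

# Constructed sample records: "src_ip dst_ip protocol dst_port action"
SAMPLE_FLOWS = """\
10.1.4.22 10.1.0.5 tcp 445 ALLOW
10.1.4.22 203.0.113.77 tcp 445 ALLOW
10.1.9.13 198.51.100.9 tcp 139 DENY
10.1.9.13 198.51.100.9 tcp 443 ALLOW
192.168.7.2 203.0.113.77 udp 445 ALLOW
malformed line
"""

def is_internal(addr):
    """True if addr falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_smb_egress(log_text):
    """Split internal-to-external TCP 139/445 flows into (leaked, blocked)."""
    leaked, blocked = [], []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        src, dst, proto, port, action = fields
        try:
            # Internal-to-internal SMB is expected to keep working.
            if not is_internal(src) or is_internal(dst):
                continue
        except ValueError:
            continue  # unparseable address
        if proto.lower() != "tcp" or not port.isdigit():
            continue
        if int(port) not in SMB_PORTS:
            continue
        bucket = blocked if action.upper() == "DENY" else leaked
        bucket.append((src, dst, int(port)))
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = audit_smb_egress(SAMPLE_FLOWS)
    for src, dst, port in leaked:
        print(f"LEAK  {src} -> {dst}:{port} (outbound SMB passed the gateway)")
    print(f"{len(blocked)} outbound SMB attempt(s) blocked at the gateway")
```

Any record in the first list means an internal host was allowed to open SMB to an outside address, so the egress block is missing or incomplete for that path.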