A critical Server Message Block (SMB) #VU672268 in all Windows version including Windows 10 allows potential hackers to steal sensitive login credentials

Security researchers at Cylance have discovered a serious vulnerability in all supported versions of Windows that can allow a potential hacker who has control of some portion of a victim’s network traffic to steal users’ credentials for valuable services.

Cylance researchers disclosed the vulnerability today on their website in which they said that their study is an extension to a similar research done by Aaron Spangler in 1997.

“The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer  would cause the operating system to attempt to authenticate with a SMB server at the IP address1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser. “

The Redirect to SMB flaw is related to the way that Windows and other software handles some HTTP requests, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.

“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password.”

The bug is so severe that it affects not only affects all of the current versions of Windows but software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec say the Cylance researchers.

A critical Server Message Block (SMB) #VU672268 in all Windows version including Windows 10 allows potential hackers to steal sensitive login credentials

The experts at Carnegie Mellon University CERT have given it ID number #VU672268 and warned that once a potential hacker has managed to get the victims credentials, they can easily crack passwords offline. Carnegie Mellon University CERT team have been working with the above said software companies to help them mitigate the issue.

“Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption,” the CERT advisory says.

Examples

The Cylance researchers have given following examples show different attacks that could be conducted. In order to effectively demonstrate attack scenarios, the conditions have been simplified. The following are the IP addresses of the computers in the examples:

• 192.168.36.207 – The Attacker
• 192.168.36.247 – The Victim
• 192.168.36.128 – The Router/Internet Gateway

The tools in the examples are as follows:

SMBTrap2
SMBTrap-mitmproxy-inline.py
MITMProxy
Zarp

You can download the white paper to get a detailed research about Redirect to SMB attacks.

The video of the Proof of Concept is given below :

Microsoft has not commented thus far and a patch can be expected later in the month.

LEAVE A REPLY

Please enter your comment!
Please enter your name here