New Redirect to SMB Flaw in all Windows versions including Windows 10 allows hackers to steal login credentials

A critical Server Message Block (SMB) flaw, #VU672268, in all Windows versions including Windows 10 allows potential hackers to steal sensitive login credentials

Security researchers at Cylance have discovered a serious vulnerability in all supported versions of Windows that can allow a potential hacker who controls some portion of a victim's network traffic to steal users' credentials for valuable services.

Cylance researchers disclosed the vulnerability today on their website, where they said that their study is an extension of similar research done by Aaron Spangler in 1997.

"The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word 'file' (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with an SMB server at the IP address 1.1.1.1. It's a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These 'file' URLs could be provided as an image, iframe, or any other web resource resolved by the browser."

The Redirect to SMB flaw is related to the way that Windows and other software handle some HTTP requests, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.

"Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim's username, domain and hashed password."

The bug is so severe that it affects not only all of the current versions of Windows but also software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec, say the Cylance researchers.


The experts at Carnegie Mellon University CERT have given it ID number #VU672268 and warned that once a potential hacker has obtained the victim's credentials, they can easily crack the passwords offline. The Carnegie Mellon University CERT team has been working with the aforementioned software companies to help them mitigate the issue.

"Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim to a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be 'brute-forced' to break the encryption," the CERT advisory says.
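The mechanism the CERT advisory describes is visible on the wire: a 3xx response whose Location header names a file:// URL with a remote host, or a bare \\host\share UNC path. The following is an added example, not code from Cylance, CERT or the article, of a small detector that a proxy or network monitor could run over HTTP responses to alert on such redirects. The sample responses are constructed for the example (the host reuses the attacker address from the article's example network); the header-name, scheme-case and backslash handling are the edge cases a real implementation has to get right.

```python
"""Flag HTTP redirects that would make a Windows client authenticate to an SMB server.

Added example (not Cylance's, CERT's or Microsoft's code). Windows follows a
redirect to file://host/share or to a \\host\share UNC path by opening an SMB
session and sending the user's NTLM credentials, which is the behaviour the
CERT advisory describes. A web server has no legitimate reason to redirect a
client to such a target, so any such redirect is worth alerting on.
"""
from __future__ import annotations

from urllib.parse import urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_response_head(raw: str) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header map) from a raw HTTP response.

    A malformed status line yields status 0 so the caller treats the
    response as a non-redirect rather than raising.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    try:
        status = int(lines[0].split(" ", 2)[1])
    except (IndexError, ValueError):
        status = 0
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def points_to_smb(location: str) -> bool:
    """True if a Location value names a remote SMB share a Windows client would open."""
    loc = location.strip()
    # Bare UNC path: \\server\share. Windows resolves it directly over SMB.
    if loc.startswith("\\\\"):
        return True
    # file://server/share. Windows tolerates backslashes, so normalise them
    # before parsing; urlsplit lower-cases the scheme for us.
    try:
        parts = urlsplit(loc.replace("\\", "/"))
    except ValueError:
        return False
    # file:///C:/path has an empty netloc and is read locally, not over the
    # network, so it does not leak credentials (still odd in a redirect, but
    # that is a different alert).
    return parts.scheme == "file" and bool(parts.netloc)


def is_redirect_to_smb(raw_response: str) -> bool:
    """True if this response is a 3xx redirect whose Location would trigger SMB auth."""
    status, headers = parse_response_head(raw_response)
    if status not in REDIRECT_STATUSES:
        return False
    location = headers.get("location")
    return location is not None and points_to_smb(location)


# Constructed sample responses (not captured traffic). 192.168.36.207 is the
# attacker address from the article's example network.
SAMPLE_RESPONSES = {
    "benign_redirect": "HTTP/1.1 302 Found\r\nLocation: https://updates.example.com/latest\r\n\r\n",
    "file_url": "HTTP/1.1 302 Found\r\nLocation: file://192.168.36.207/share/update.exe\r\n\r\n",
    "unc_path": "HTTP/1.1 301 Moved Permanently\r\nLocation: \\\\192.168.36.207\\share\r\n\r\n",
    "mixed_case": "HTTP/1.1 307 Temporary Redirect\r\nLOCATION: FILE:\\\\192.168.36.207\\pub\r\n\r\n",
    "local_file": "HTTP/1.1 302 Found\r\nLocation: file:///C:/Windows/notepad.exe\r\n\r\n",
    "not_redirect": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}


def flag_responses(responses: dict[str, str]) -> list[str]:
    """Names of the responses that would redirect a Windows client to SMB."""
    return [name for name, raw in responses.items() if is_redirect_to_smb(raw)]


if __name__ == "__main__":
    for name in flag_responses(SAMPLE_RESPONSES):
        print(f"ALERT redirect-to-SMB: {name}")
```

This catches the redirect variant the advisory describes; the original 1997 variant, a file:// image or iframe embedded directly in a page, never produces a redirect and needs inspection of the HTML body instead. Detection on the wire is only a second line: the CERT advisory's primary recommendation is to block outbound SMB (TCP 139 and 445) at the network perimeter so that a client following such a redirect cannot reach the attacker's server at all.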

Examples

The Cylance researchers have given the following examples, which show different attacks that could be conducted. In order to demonstrate the attack scenarios effectively, the conditions have been simplified. The following are the IP addresses of the computers in the examples:

• 192.168.36.207 – The Attacker
• 192.168.36.247 – The Victim
• 192.168.36.128 – The Router/Internet Gateway

The tools in the examples are as follows:

• SMBTrap2
• SMBTrap-mitmproxy-inline.py
• MITMProxy
• Zarp

You can download the white paper for the detailed research on Redirect to SMB attacks.

The video of the proof of concept is given below:

Microsoft has not commented thus far and a patch can be expected later in the month.
