A critical Server Message Block (SMB) vulnerability, #VU672268, in all Windows versions including Windows 10 allows potential hackers to steal sensitive login credentials
Security researchers at Cylance have discovered a serious vulnerability in all supported versions of Windows that can allow a potential hacker who controls some portion of a victim's network traffic to steal users' credentials for valuable services.
Cylance researchers disclosed the vulnerability today on their website, where they describe their work as an extension of similar research done by Aaron Spangler in 1997.
"The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word 'file' (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1. It's a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These 'file' URLs could be provided as an image, iframe, or any other web resource resolved by the browser."
The Redirect to SMB flaw is related to the way that Windows and other software handle certain HTTP requests, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.
"Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim's username, domain and hashed password."
The bug is so severe that it affects not only all current versions of Windows but also software from at least 31 companies, including Adobe, Apple, Box, Microsoft, Oracle and Symantec, say the Cylance researchers.
The experts at Carnegie Mellon University CERT have given it ID number #VU672268 and warned that once a potential hacker has obtained the victim's credentials, they can easily crack the passwords offline. The Carnegie Mellon University CERT team has been working with the software companies named above to help them mitigate the issue.
"Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim to a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be 'brute-forced' to break the encryption," the CERT advisory says.
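The mechanism the CERT advisory describes (an HTTP 3xx redirect whose Location is a file:// URL, which Windows resolves as an SMB share) is easy to spot on the wire. The following is an added example, not code from Cylance or CERT: a small Python detector that scans raw HTTP responses, as a proxy or network sensor would see them, and reports any redirect that would make a Windows client authenticate to an SMB server. The sample responses are constructed; the attacker address 192.168.36.207 is the one used in the article's example setup.

```python
import re
from urllib.parse import urlsplit

# Constructed sample responses as a proxy or sensor would capture them.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: file://192.168.36.207/share/update.exe\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://updates.example.com/v2\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>",
    "HTTP/1.1 307 Temporary Redirect\r\nlocation: \\\\192.168.36.207\\pub\\check\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: FILE:////192.168.36.207/c$/x\r\n\r\n",
]

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")


def smb_target(location):
    """Return the host Windows would contact over SMB for this Location, or None."""
    loc = location.strip()
    if loc.startswith("\\\\"):                 # bare UNC path: \\host\share
        host = loc[2:].split("\\", 1)[0]
        return host.lower() or None
    parts = urlsplit(loc)                       # urlsplit lowercases the scheme
    if parts.scheme != "file":
        return None                             # http/https etc. are not SMB
    if parts.hostname:                          # file://host/share
        return parts.hostname
    # file:////host/share form: netloc is empty, host is the first path segment
    host = parts.path.lstrip("/").split("/", 1)[0]
    return host.lower() or None


def find_redirect_to_smb(raw_response):
    """Return the SMB host a 3xx response redirects to, or None if benign."""
    head = raw_response.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    if not m or not m.group(1).startswith("3"):
        return None                             # only redirects matter here
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "location":
            return smb_target(value)
    return None


def scan(responses):
    """(index, SMB host) for every response that would trigger Redirect to SMB."""
    hits = [(i, find_redirect_to_smb(r)) for i, r in enumerate(responses)]
    return [(i, h) for i, h in hits if h]
```

The same `smb_target` check is what an application's own HTTP client should apply before following a redirect: refuse any Location that is not http or https.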
Examples
The Cylance researchers have given the following examples, which show different attacks that could be conducted. To demonstrate the attack scenarios effectively, the conditions have been simplified. The IP addresses of the computers in the examples are:
• 192.168.36.207 – The Attacker
• 192.168.36.247 – The Victim
• 192.168.36.128 – The Router/Internet Gateway
The tools in the examples are as follows:
• SMBTrap2
• SMBTrap-mitmproxy-inline.py
• MITMProxy
• Zarp
You can download the white paper for detailed research on Redirect to SMB attacks.
The video of the Proof of Concept is given below:
Microsoft has not commented thus far and a patch can be expected later in the month.