SMB security flaw in Windows? Not really, says Microsoft
- By Chris Paoli
- Apr 14, 2015
Researchers from Cylance say they’ve uncovered a new technique for stealing login credentials from any Windows device, including those running previews of Windows 10.
The approach, dubbed "Redirect to SMB," allows attackers to steal user credentials by “hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” Cylance wrote in its blog.
"The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word 'file' (such as file://22.214.171.124/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 126.96.36.199," Cylance said.
Attackers would have to gain access by having a targeted user click on a malicious email link or harmful web ad that connects a system to a server controlled by the attackers. The company said the flaw can be found in every version of Windows and could be executed with the use of one of the 31 vulnerable software packages discovered, which includes Adobe Reader, Apple QuickTime, Internet Explorer and Windows Media Player, to name a few.
Because many software products use HTTP requests for software update checking, for example, a malicious user can intercept such requests and redirect the victim a malicious SMB server, according to the CERT Vulnerability Database at Carnegie Mellon University. “If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be "brute-forced" to break the encryption,” CERT said.
While the Clyance team has been able to provide proof of concept for the flaw, it said that there have been no known attacks using Redirect to SMB.
Microsoft responded in a statement saying the SMB flaw was not as serious as Cylance claims because of the difficulty attackers would have when attempting to take advantage of the vulnerability. "Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature," said Microsoft in a statement to Reuters. "There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials."
The CERT division said it is currently unaware of a full solution but suggested some workarounds:
- Consider blocking outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN.
- Don’t use the NTLM authentication protocol by default in applications
- Use group policies to restrict NTLM traffic
- Use a strong password and change passwords frequently
A version of this article originally appeared on Redmond, a sister site to GCN.
Chris Paoli is the associate Web editor for 1105 Enterprise Computing Group's Web sites, including Redmondmag.com, RCPmag.com, ADTmag.com and VirtualizationReview.com.