A new technique for exploiting an 18-year-old bug in Windows Server Message Block (SMB), which would allow attackers to intercept user credentials, had been uncovered by Cylance researcher Brian Wallace.
SMB is a core component in Windows networking, and can be found – and is enabled by default – in all versions of the Windows OS, including Windows 10.
“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” the researcher explained.
“The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word ‘file’ (such as file://184.108.40.206/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 220.127.116.11.”
The flaw affects a number of Windows API functions, which are used by a wide range of software features.
Before revealing the existence of the vulnerability to the public, Cylance shared the information with CERT at Carnegie Mellon University and the developers of the many popular applications that are vulnerable, such as Adobe Reader, Apple Software Update, Internet Explorer, several AV solutions and security tools, Box Sync, TeamViewer, and a number of developer tools.
“Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic. Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising,” Wallace pointed out.
“Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.”
The attack reveals encrypted information, it’s true, but it can be brute-forced.
The researcher hopes that this revelation with spur Microsoft to disable authentication with untrusted SMB servers, but in the meantime, administrators can protect users by blocking outbound traffic from TCP 139 and TCP 445 (SMB communication).