Brian Wallace, a researcher with security firm Cylance, has found a major Windows flaw which he calls Redirect to SMB. Wallace states: “We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability”.
Wallace also states: “Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password.”
Applications Cylance found to be affected include:
- Adobe Reader
- Apple QuickTime
- Apple Software Update (which handles the updating for iTunes)
- Internet Explorer
- Windows Media Player
- Excel 2010
- Microsoft Baseline Security Analyzer
- Symantec’s Norton Security Scan
- AVG Free
- BitDefender Free
- Comodo Antivirus
- .NET Reflector
- Maltego CE
- Box Sync
- GitHub for Windows
- IntelliJ IDEA
- PhpStorm
- JDK 8u31’s installer
Redirect to SMB only affects Windows users who use Internet Explorer as their browser, and it is most likely to be used in targeted attacks where the attacker already controls some component of the victim’s network traffic. It is also plausible that malicious ads could be created or modified to force authentication attempts from IE users whilst masking their intent from those displaying the advertising.
To underline how dangerous Redirect to SMB is: on any shared WiFi access point, the basic attack can be carried out from any computer or mobile device. This means that if you go to your local coffee shop to use its free WiFi, you could be vulnerable.
Worryingly, this vulnerability was first disclosed to Microsoft in 1997, and Wallace claims: “Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”
In the meantime, Wallace has suggested the following workaround: “The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 — either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network.”
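The endpoint-firewall variant of that workaround, as an added example (this is not code from Cylance or from the article): it creates a Windows Firewall rule blocking outbound TCP 139 and 445, turns on logging of dropped packets, confirms the rule, and then scans the firewall log for blocked outbound SMB to addresses outside the internal ranges. The rule name, the log path, the choice to scope the rule to the Public and Private profiles (so SMB on a domain-joined “trusted network” keeps working), the RFC 1918 prefixes used to define “internal”, and the `pfirewall.log` column layout are all assumptions of this example.

```powershell
# Added example, not part of the original article. Requires the NetSecurity module
# (Windows 8 / Server 2012 or later) and an elevated PowerShell session.

$RuleName = 'Block outbound SMB (Redirect to SMB workaround)'   # name chosen for this example
$LogPath  = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"   # assumed default log location

# 1. Block outbound TCP 139 and 445. Scoped to Public and Private so SMB to a domain network
#    (the "trusted network" case) still works; add Domain to -Profile to block everywhere,
#    at the cost of every feature that depends on SMB.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Protocol TCP -RemotePort 139,445 `
        -Action Block -Profile Public,Private -Enabled True | Out-Null
}

# 2. Log dropped packets so that blocked authentication attempts are visible afterwards.
Set-NetFirewallProfile -Profile Public,Private -LogBlocked True -LogFileName $LogPath

# 3. Confirm the rule carries the expected direction, action and ports.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    $ports = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Direction  = $_.Direction
        Action     = $_.Action
        Protocol   = $ports.Protocol
        RemotePort = ($ports.RemotePort -join ',')
    }
}

# 4. Report outbound SMB that was dropped on its way to a non-internal address.
#    Assumed pfirewall.log columns: date time action protocol src-ip dst-ip src-port dst-port
#    size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path (path is SEND or RECEIVE).
function Find-BlockedExternalSmb {
    param(
        [string]$Path = $LogPath,
        # RFC 1918 ranges assumed to be "internal"; adjust to your own address plan.
        [string]$InternalPattern = '^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)'
    )
    Get-Content -Path $Path -ErrorAction SilentlyContinue |
        Where-Object { $_ -and $_ -notmatch '^#' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 17 -and $f[2] -eq 'DROP' -and $f[3] -eq 'TCP' -and
                (@('139', '445') -contains $f[7]) -and $f[16] -eq 'SEND' -and
                $f[5] -notmatch $InternalPattern) {
                [pscustomobject]@{
                    Time        = "$($f[0]) $($f[1])"
                    Source      = $f[4]
                    Destination = $f[5]
                    Port        = $f[7]
                }
            }
        }
}

Find-BlockedExternalSmb | Format-Table -AutoSize
```

Each row returned by `Find-BlockedExternalSmb` is a blocked attempt by a local process to open an SMB session with an address outside the internal ranges, which is exactly the traffic the workaround is meant to stop; a sudden cluster of such rows from one workstation is worth correlating with what that user was browsing at the time.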