The Redirect to SMB vulnerability affects all supported versions of Windows and could be exploited to steal users’ credentials for various services.

Experts at Cylance have discovered a new credential hijacking vulnerability dubbed Redirect to SMB that affects all versions of Windows OSs, including the upcoming Windows 10. The Redirect to SMB could be exploited by an attacker who has control of some portion of a victim’s network traffic to steal users’ credentials. The Redirect to SMB flaw is a hijacking vulnerability that resides in the way Windows OSs and other applications, including Adobe Flash and iTunes, handles some HTTP requests. Unfortunately, Microsoft has not released a fix the flaw.

r1

The experts at Cylance explained that the Redirect to SMB vulnerability was investigated for the first time by Aaron Spangler nearly 20 years ago. The attacker can force victims to try to authenticate to a server it controls. A large number of applications running in the background can speed up SMB capture and relay attacks against devices connecting to insecure wireless networks.

“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” states a blog post published by Cylance.

“We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.”

The Redirect to SMB vulnerability has been reported to CERT at Carnegie Mellon University, which published a security advisory. The researchers explained that many applications running in the background use HTTP requests to perform various activities, by intercepting them it is possible to exploit the flaw and steal the sensitive data.

“Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption,” states the CERT advisory.

Despite the attack is not completely new to the security community, the technique developed by Cylance can make it easier to run as confirmed by said HD Moore, chief research officer at Rapid 7.

“This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks. While tools like KARMA, Metasploit, and Responder.py depend on the user to make a SMB connection back to the attacker, the Cylance research improves on the attack by abusing how HTTP redirects are handled by callers of the URLMon API,” said HD Moore.

The researchers explained that this attack could be very effective is attackers use it in a first stage of an attack to gather sensitive credentials to use later.

“I would expect this vulnerability to be used as part of a two-stage phishing attack: First try to exploit vulnerabilities, including this one, after getting the user to click a link in an email, and then attempt to do something further by getting the user to “log in” to a fake portal, or downloading software that takes over the machine. In this way, attackers can be moderately effective even if the user doesn’t fall for anything after opening the page,” explained Patrick Nielsen, senior security researcher at Kaspersky Lab.

The advisory issued by the CERT reported a number of Windows API functions affected by the Redirect to SMB vulnerability, including URLDownloadA, URLDownloadW, URLDownloadToCacheFileA, URLDownloadToCacheFileW, URLDownloadToFileA, URLDownloadToFileW, URLOpenStream, URLOpenBlockingStream.

Pierluigi Paganini