A vulnerability has been found in all supported versions of Windows. It allows an attacker with control of a portion of a victim’s network traffic to steal users’ credentials.
The bug is related to the way that Windows and other software handles some HTTP requests, and researchers say it affects a wide range of applications, including iTunes and Adobe Flash.
The vulnerability, disclosed Monday by researchers at Cylance, is an extension of research done by Aaron Spangler nearly 20 years ago, and it’s known as Redirect to SMB. This weakness can enable an attacker to force victims to try to authenticate to an attacker-controlled server.
“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” a blog post by Brian Wallace from Cylance says.
“We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server.”
The Redirect to SMB flaw not only affects all of the current versions of Windows, but also Flash, some GitHub clients, some Oracle software and several security applications. Experts at the CERT/CC at Carnegie Mellon University warned that once an attacker is able to grab a victim’s credentials, those passwords can be cracked offline.
“Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption,” the CERT advisory says.
Microsoft has not released a patch for this vulnerability. Researchers say that the attack technique developed by Cylance can make exploitation of the vulnerability much simpler.
Source : Threat Post
