
Credential Hijacking Vulnerability Impacts All Versions of Windows: Cylance

"Re-Direct to SMB" Vulnerability Allows Attackers to Gain Access to Login Credentials

Researchers from security firm Cylance have disclosed a security flaw that affects all versions of Windows, including the upcoming Windows 10, as well as products from major software makers such as Adobe, Apple, Oracle, and Symantec.

Attackers can exploit the "Re-Direct to SMB" vulnerability to redirect Windows users to malicious SMB-based servers and steal encrypted login credentials, Brian Wallace, a researcher with the Cylance SPEAR team, told SecurityWeek.

Attackers could target users who visit a compromised Web server, or launch a man-in-the-middle attack and take control of the user's network traffic. "We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image preview," Wallace said. When the chat client received a URL pointing to an image, it tried to show a preview of that image. Researchers found the bug by sending a URL beginning with file:// that pointed to a file on a malicious SMB server, he said.

The bug itself is an extension of a bug discovered in 1997 that allowed attackers to steal credentials using Windows Server Message Block (SMB), a Windows networking protocol for file and printer sharing, remote administration, and domain authentication.

The original bug was not patched.

Wallace said the flaw actually exists in two different places: a core Windows API library and the way Windows connects to SMB. This is why the list of affected applications is so long; it includes Adobe Reader, Apple QuickTime, Apple iTunes Software Update, Internet Explorer 11, Windows Media Player, Excel 2010, Microsoft Baseline Security Analyzer, Symantec Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus, .NET Reflector, Maltego CE, Box Sync, TeamViewer, GitHub for Windows, PyCharm, IntelliJ IDEA, PHP Storm, and the installer used by Oracle JDK 8u31.

Windows 10, which is currently in preview, is also vulnerable as the library remains unchanged, Wallace said.

Wallace called this a "forever-day" vulnerability: it is not a zero-day, since it has been known for years, yet it remains unpatched and exploitable.

Wallace found that attackers would be able to intercept HTTP/HTTPS requests made by browsers and applications. Examples include Web injection attacks targeting application updates and going after IE users with malicious online advertisements. Man-in-the-middle attacks aren't the only way attackers can take advantage of the flaw; Wallace said the likelihood of a successful attack depends on how the attacker crafts it.

"This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks," HD Moore, chief research officer at Rapid7 and creator of Metasploit, told SecurityWeek. Existing tools such as KARMA and Metasploit typically depend on the user making an SMB connection to the attacker, but this attack abuses how the URLMon API in Windows handles HTTP redirects, he said. An attacker just needs control of the user's network traffic to intercept HTTP requests and redirect them to file:// URLs to trigger the attack.
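Because the attack is delivered as an ordinary HTTP 3xx response whose Location header points at an SMB resource, a proxy or IDS can flag it from its own logs. The following detection script is an added example, not code from Cylance, Rapid7 or the CERT advisory; the log format and the sample lines are constructed for illustration.

```python
"""Flag HTTP responses that redirect a client to an SMB resource.

Redirect to SMB answers an HTTP request with a 3xx response whose
Location header is a file:// URL (or a UNC path). Sample log lines
below are constructed; the assumed format is
"<timestamp> <client> <method> <url> <status> <location>".
"""
import re
from urllib.parse import urlparse

SAMPLE_LOG = """\
2015-04-13T10:01:02Z 10.0.0.5 GET http://updates.example.test/check 200 -
2015-04-13T10:01:05Z 10.0.0.5 GET http://ads.example.test/banner.js 302 file://192.0.2.7/share/pic.png
2015-04-13T10:01:09Z 10.0.0.8 GET http://cdn.example.test/logo.png 301 https://cdn.example.test/v2/logo.png
2015-04-13T10:01:11Z 10.0.0.9 GET http://news.example.test/ 307 \\\\203.0.113.4\\pub\\x.jpg
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")


def is_smb_location(location: str) -> bool:
    """True if following this Location header would open an SMB share."""
    if location.startswith("\\\\"):          # UNC path: \\host\share\file
        return True
    parsed = urlparse(location)
    # file://host/share/... reaches a remote host over SMB; a bare
    # file:///C:/... has no host and is a local path, not this attack.
    # file:////host/share is the URL form of a UNC path.
    return parsed.scheme.lower() == "file" and (
        bool(parsed.netloc) or parsed.path.startswith("//")
    )


def find_smb_redirects(log_text: str):
    """Return (client, requested_url, location) for every redirect to SMB."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                         # skip malformed lines
        _ts, client, _method, url, status, location = m.groups()
        if int(status) in REDIRECT_CODES and is_smb_location(location):
            hits.append((client, url, location))
    return hits


if __name__ == "__main__":
    for client, url, loc in find_smb_redirects(SAMPLE_LOG):
        print(f"ALERT {client} requested {url}, redirected to {loc}")
```

A hit means a background HTTP client on that host was steered toward an SMB server; correlating it with outbound TCP 139/445 connections from the same client confirms whether the redirect was actually followed.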

"Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks," Moore said. For context, Moore noted that a Windows 8.1 laptop can easily have 50 different HTTP connections, such as software updaters, running in the background after a restart, any of which could be hijacked in this attack.

Wallace hasn't seen any signs of attackers exploiting this vulnerability at this time.

The simplest way to defend against it now is to block TCP ports 139 and 445 to disable SMB, he said. Businesses can use a Group Policy setting to prevent the attack, as well. The flaw has been reported to CERT at Carnegie Mellon University, which issued an advisory on Monday.

The advisory listed the affected Windows API functions available through urlmon.dll: URLDownloadA, URLDownloadW, URLDownloadToCacheFileA, URLDownloadToCacheFileW, URLDownloadToFileA, URLDownloadToFileW, URLOpenStream, and URLOpenBlockingStream.

"While the HTTP Redirect vector is novel, this type of issue with SMB has been well known for some time," the advisory said, citing the 1997 report by researcher Aaron Spangler and Microsoft's 2009 advisory about mitigation methods.

Cylance published a detailed white paper on the vulnerability which is available online in PDF format.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.