
Credential Hijacking Vulnerability Impacts All Versions of Windows: Cylance

“Re-Direct to SMB” Vulnerability Allows Attackers to Gain Access to Login Credentials

Researchers from security firm Cylance have disclosed a security flaw which impacts all versions of Windows, including the upcoming Windows 10, as well as products from major software makers such as Adobe, Apple, Oracle, and Symantec.

Attackers can exploit the “Re-Direct to SMB” vulnerability to redirect Windows users to malicious SMB-based servers and steal encrypted login credentials, Brian Wallace, a researcher with the Cylance SPEAR team, told SecurityWeek.

Attackers could target users who visit a compromised Web server, or they could launch a man-in-the-middle attack and take control of the user’s network traffic. “We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image preview,” Wallace said. When the chat client received a URL pointing to an image, it tried to show a preview of that image. The researchers found the bug by sending a URL beginning with file:// that pointed to a file on a malicious SMB server, he said.

The bug itself is an extension of a bug discovered in 1997 which allowed attackers to steal credentials using Windows Server Message Block (SMB), a Windows networking protocol for file and printer sharing, remote administration, and domain authentication.

The original bug was not patched.

Wallace said the flaw actually exists in two different places: a core Windows API library and the way Windows connects to SMB. This is why the list of affected applications is so long; it includes Adobe Reader, Apple QuickTime, Apple iTunes Software Update, Internet Explorer 11, Windows Media Player, Excel 2010, Microsoft Baseline Security Analyzer, Symantec Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus, .NET Reflector, Maltego CE, Box Sync, TeamViewer, GitHub for Windows, PyCharm, IntelliJ IDEA, PHP Storm, and the installer used by Oracle JDK 8u31.

Windows 10, which is currently in preview, is also vulnerable as the library remains unchanged, Wallace said.

Wallace called this a “forever-day” vulnerability: it is not a zero-day, since it has been known for years, yet it remains unpatched and exploitable.

Wallace found that attackers would be able to intercept HTTP/HTTPS requests made by browsers and applications. Examples include Web injection attacks targeting application updates and going after IE users with malicious online advertisements. Man-in-the-middle attacks aren’t the only way attackers can take advantage of the flaw. Wallace said that whether an attack succeeds depends on how the attacker crafts it.

“This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks,” HD Moore, chief research officer at Rapid7 and creator of Metasploit, told SecurityWeek. Existing tools such as KARMA, Metasploit, and Responder.py typically depend on the user to make an SMB connection to the attacker, but this attack abuses how the URLMon API in Windows handles HTTP redirects, he said. An attacker needs only control of the user’s network traffic to take HTTP requests and redirect them to file:// URLs, which triggers the attack.

“Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks,” Moore said. Just for context, Moore noted that a Windows 8.1 laptop can easily have 50 different HTTP connections, such as software updaters, running in the background after a restart, any of which could be hijacked in this attack.
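The trigger Moore describes is an ordinary HTTP redirect whose Location header points at a file:// URL or a UNC path, which a URLMon-based client then follows over SMB. The checker below is an added example written for this article, not code from Cylance, Rapid7 or SecurityWeek; it assumes raw HTTP responses captured at a proxy or in a packet capture, and the sample responses and the 192.0.2.10 address are constructed for the demonstration. It flags redirects that would leave HTTP for SMB while ignoring benign redirects and local file:/// paths.

```python
"""Flag HTTP redirects that would send a URLMon-based Windows client to an SMB share.

Added example (not Cylance's, Rapid7's or SecurityWeek's code). It models the
Redirect to SMB condition described in the article: a 3xx response whose
Location header names a file:// URL with a host, or a UNC path, both of which
Windows fetches over SMB and authenticates to. Sample data below is constructed.
"""
from urllib.parse import urlsplit

# HTTP status codes a client treats as a redirect to the Location header.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def location_targets_smb(location: str) -> bool:
    """True if fetching this redirect target would use SMB rather than HTTP."""
    loc = location.strip()
    if loc.startswith("\\\\"):
        # UNC path such as \\host\share\file: always a remote SMB access.
        return True
    parts = urlsplit(loc)
    # file:///C:/local.txt has no host and stays on the local disk;
    # file://host/share/x has a netloc, so Windows reaches it over SMB.
    return parts.scheme.lower() == "file" and bool(parts.netloc)


def parse_response_head(raw: str):
    """Split a raw HTTP response into (status code, lower-cased header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check_response(raw: str):
    """Return (is_redirect_to_smb, location) for one raw HTTP response."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_STATUSES:
        return False, None
    target = headers.get("location")
    if target is None:
        return False, None
    return location_targets_smb(target), target


def scan(responses):
    """Return the Location values of every response that redirects to SMB."""
    return [target for raw in responses
            for suspicious, target in [check_response(raw)] if suspicious]


# Constructed sample responses: a normal updater redirect, two redirects that
# would trigger an SMB connection, a plain page, and a redirect to a local file.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: http://updates.example.com/v2/manifest.xml\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: file://192.0.2.10/share/update.xml\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: \\\\192.0.2.10\\share\\update.xml\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "HTTP/1.1 302 Found\r\nLocation: file:///C:/Windows/Temp/notes.txt\r\n\r\n",
]

if __name__ == "__main__":
    for target in scan(SAMPLE_RESPONSES):
        print("redirect to SMB:", target)
```

Run against real proxy logs, a hit from an update or advertising endpoint is exactly the pattern the article describes and is worth correlating with outbound connections on TCP 139 and 445 from the same host.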

Wallace hasn’t seen any signs of attackers exploiting this vulnerability at this time.

The simplest way to defend against it now is to block TCP ports 139 and 445 to disable SMB, he said. Businesses can use a Group Policy setting to prevent the attack, as well. The flaw has been reported to CERT at Carnegie Mellon University, which issued an advisory on Monday.

The advisory listed the affected Windows API functions exposed by urlmon.dll, which include URLDownloadA, URLDownloadW, URLDownloadToCacheFileA, URLDownloadToCacheFileW, URLDownloadToFileA, URLDownloadToFileW, URLOpenStream, and URLOpenBlockingStream.

“While the HTTP Redirect vector is novel, this type of issue with SMB has been well known for some time,” the advisory said, citing the 1997 report by researcher Aaron Spangler and Microsoft’s 2009 advisory about mitigation methods.

Cylance published a detailed white paper on the vulnerability which is available online in PDF format.
