Credential Hijacking Vulnerability Impacts All Versions of Windows: Cylance

“Re-Direct to SMB” Vulnerability Allows Attackers to Gain Access to Login Credentials

Researchers from security firm Cylance have disclosed a security flaw which impacts all versions of Windows, including the upcoming Windows 10, as well as products from major software makers such as Adobe, Apple, Oracle, and Symantec.

Attackers can exploit the “Re-Direct to SMB” vulnerability to redirect Windows users to malicious SMB-based servers and steal encrypted login credentials, Brian Wallace, a researcher with the Cylance SPEAR team, told SecurityWeek.

Attackers could target users who visit a compromised Web server, or they could launch a man-in-the-middle attack and take control of the user’s network traffic. “We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image preview,” Wallace said. When the chat client received a message containing an image URL, it tried to fetch the image and show a preview. The researchers found the bug by sending a URL beginning with file:// that pointed to a file on a malicious SMB server, he said.

The bug is an extension of a flaw first reported in 1997 that allowed attackers to steal credentials via Windows Server Message Block (SMB), the Windows networking protocol used for file and printer sharing, remote administration, and domain authentication.

The original bug was not patched.

Wallace said the flaw actually exists in two different places: in a core Windows API library (urlmon.dll) and in the way Windows automatically authenticates to any SMB server it is pointed at. This is why the list of affected applications is so long; it includes Adobe Reader, Apple QuickTime, Apple iTunes Software Update, Internet Explorer 11, Windows Media Player, Excel 2010, Microsoft Baseline Security Analyzer, Symantec Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus, .NET Reflector, Maltego CE, Box Sync, TeamViewer, GitHub for Windows, PyCharm, IntelliJ IDEA, PhpStorm, and the installer used by Oracle JDK 8u31.

Windows 10, which is currently in preview, is also vulnerable as the library remains unchanged, Wallace said.

Wallace called this a “forever-day” vulnerability: unlike a zero-day, it has been publicly known for years, yet it remains exploitable because it was never patched.

Wallace found that attackers would be able to intercept HTTP/HTTPS requests made by browsers and applications. Examples include Web injection attacks targeting application updates and going after IE users with malicious online advertisements. Man-in-the-middle attacks aren’t the only way attackers can take advantage of the flaw. Wallace said the likelihood of a successful attack depends on how the attack is crafted.

“This is a novel attack that can be easily abused to significantly increase the exploitability of Windows client systems communicating on untrusted or compromised networks,” HD Moore, chief research officer at Rapid7 and creator of Metasploit, told SecurityWeek. Existing tools such as KARMA and Metasploit typically depend on the user making an SMB connection to the attacker, but this attack abuses how the URLMon API in Windows handles HTTP redirects, he said. An attacker only needs control of the user’s network traffic to intercept HTTP requests and redirect them to file:// URLs, which triggers the attack.
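The mechanism Moore describes, an HTTP response whose Location header points at a file:// URL or a UNC path, is easy to recognise in proxy or packet-capture logs, and it is also easy for an application to refuse. The following Python is an added example written for this page; it is not Cylance’s, Rapid7’s or Microsoft’s code. It classifies redirect targets the way a Windows client would treat them (file:// with a remote host, file:// with extra slashes carrying the host in the path, or a bare \\host\share path), scans a constructed set of captured responses for redirects that would make the client open an SMB connection to a remote host, and shows the scheme check a redirect-following client should enforce so that it never leaves http(s). The hostnames, addresses and sample responses are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Hosts a file:// URL can name without leaving the machine (constructed list).
LOCAL_HOSTS = {"", "localhost", "127.0.0.1", "::1"}
ALLOWED_REDIRECT_SCHEMES = {"http", "https"}

_DRIVE = re.compile(r"^[A-Za-z]:$")                 # "C:" is a local drive, not a host
_UNC = re.compile(r"^\\\\([^\\/]+)(?:[\\/]|$)")     # \\host\share\file


def smb_target_host(location):
    """Return the remote host a Windows client would authenticate to over SMB
    if it followed this Location header, or None if the target is not remote SMB."""
    loc = location.strip()
    m = _UNC.match(loc)
    if m:                                   # a bare UNC path goes straight to the SMB client
        return m.group(1).lower()
    parts = urlsplit(loc.replace("\\", "/"))
    if parts.scheme.lower() != "file":
        return None
    host = parts.netloc
    if host == "":
        # file:////host/share and file://///host/share carry the host in the path;
        # file:///C:/x and file:///share/x (single slash) are local paths.
        if not parts.path.startswith("//"):
            return None
        host = parts.path.lstrip("/").split("/", 1)[0]
    host = host.lower()
    if host in LOCAL_HOSTS or _DRIVE.match(host):
        return None                         # local file, no network authentication
    return host


def find_smb_redirects(responses):
    """responses: iterable of (request_url, status, headers) as a proxy would log them.
    Returns (request_url, smb_host, location) for every 3xx whose Location would
    make a Windows client open an SMB connection to a remote host."""
    hits = []
    for url, status, headers in responses:
        if not 300 <= status < 400:
            continue
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if location is None:
            continue
        host = smb_target_host(location)
        if host is not None:
            hits.append((url, host, location))
    return hits


def safe_to_follow(base_url, location):
    """The check a redirect-following HTTP client should make: resolve the
    Location against the request URL and refuse anything that is not http(s)."""
    loc = location.strip()
    if _UNC.match(loc):
        return False
    target = urljoin(base_url, loc.replace("\\", "/"))
    return urlsplit(target).scheme.lower() in ALLOWED_REDIRECT_SCHEMES


# Constructed sample of captured responses (documentation-range addresses, not real hosts).
SAMPLE_RESPONSES = [
    ("http://updates.example.test/check", 302, {"Location": "file://198.51.100.7/share/update.bin"}),
    ("http://cdn.example.test/img.png", 301, {"Location": "https://cdn.example.test/img.png"}),
    ("http://chat.example.test/preview", 302, {"Location": "\\\\203.0.113.9\\pics\\cat.jpg"}),
    ("http://files.example.test/doc", 302, {"Location": "file:////fileserver.example.test/docs/a.pdf"}),
    ("http://local.example.test/x", 302, {"Location": "file:///C:/Windows/notepad.exe"}),
    ("http://ok.example.test/", 200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for url, host, location in find_smb_redirects(SAMPLE_RESPONSES):
        print(f"redirect-to-SMB: {url} -> {location} (client would authenticate to {host})")
    for loc in ("/login", "https://b.example.test/", "file://198.51.100.7/s/x"):
        print(loc, "safe" if safe_to_follow("http://a.example.test/", loc) else "BLOCKED")
```

Run against the constructed sample, the scanner flags three of the six responses (the file:// redirect, the bare UNC path, and the file://// form) and leaves the local file:///C:/ redirect and the ordinary https redirect alone. The scheme-relative form //host/path is deliberately not treated as UNC, because in an HTTP context a client resolves it against the request scheme rather than handing it to the SMB client.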

“Given how many applications a typical laptop or tablet has running in the background, this can drastically speed up SMB capture and relay attacks against Windows-based laptops and tablets connecting to insecure wireless networks,” Moore said. Just for context, Moore noted that a Windows 8.1 laptop can easily have 50 different HTTP connections (such as software updaters) running in the background after a restart, any of which could be hijacked in this attack.

Wallace hasn’t seen any signs of attackers exploiting this vulnerability at this time.

The simplest way to defend against it now is to block outbound TCP ports 139 and 445 at the network boundary, so that the SMB connection to an attacker’s server never completes, he said. Businesses can also use Group Policy to prevent the attack, for example the “Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers” setting, which, when set to Deny all, stops Windows from sending NTLM credentials to remote servers (domain members can still authenticate with Kerberos). The flaw has been reported to CERT at Carnegie Mellon University, which issued an advisory on Monday.

The advisory listed the affected Windows API functions exposed by urlmon.dll: URLDownloadA, URLDownloadW, URLDownloadToCacheFileA, URLDownloadToCacheFileW, URLDownloadToFileA, URLDownloadToFileW, URLOpenStream, and URLOpenBlockingStream.

“While the HTTP Redirect vector is novel, this type of issue with SMB has been well known for some time,” the advisory said, citing the 1997 report by researcher Aaron Spangler and Microsoft’s 2009 advisory about mitigation methods.

Cylance published a detailed white paper on the vulnerability which is available online in PDF format.
