18-Year-Old ‘Redirect To SMB’ Vulnerability Impacts All Versions Of Windows

Security researchers have uncovered a variant of an 18-year-old vulnerability in all versions of Windows – including technical previews of Windows 10 – that could be exploited to steal login credentials from a number of popular applications.

‘Redirect to SMB’ enables a man-in-the-middle attack that tricks applications into letting Windows authenticate with an attacker-controlled server. The underlying weakness was first discovered in 1997 by researcher Aaron Spangler, and Microsoft did not issue a patch.

Spangler found that a URL beginning with the word “file” and followed by an IP address would cause the operating system to authenticate with a server message block (SMB) server at that IP.

Redirect to SMB

Researchers at Cylance’s SPEAR team were looking for ways to abuse a chat client that provides image previews and decided to test for the vulnerability. The team then created an HTTP server that automatically answered every request with an HTTP 302 status code that redirected users to a “file://” URL.
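The redirect pattern described above is easy to spot on the wire. The following is an added illustration, not Cylance’s code: it scans logged HTTP responses (constructed samples, not real captures) for 3xx redirects whose Location header is a remote file:// URL or UNC path, which is exactly what would steer a Windows client into SMB authentication.

```python
"""Flag HTTP redirects that would send a Windows client to an SMB share."""
import re
from urllib.parse import urlparse

# Constructed sample responses, in the form a proxy or IDS might record them.
SAMPLE_RESPONSES = [
    "HTTP/1.1 302 Found\r\nLocation: http://cdn.example.test/preview.png\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: file://192.0.2.10/share/preview.png\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: \\\\203.0.113.5\\pub\\img.jpg\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n",
    "HTTP/1.1 307 Temporary Redirect\r\nLocation: FILE:///C:/local/file.txt\r\n\r\n",
]

STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")


def parse_response(raw):
    """Return (status_code, headers) with header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = STATUS_RE.match(lines[0])
    status = int(m.group(1)) if m else 0
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def smb_target(location):
    """Host an SMB-style Location would make the client contact, else None."""
    if location.startswith("\\\\"):              # UNC path: \\host\share\...
        host = location[2:].split("\\", 1)[0]
        return host or None
    parts = urlparse(location)
    if parts.scheme == "file":                     # urlparse lower-cases the scheme
        return parts.hostname                      # None for local file:/// paths
    return None


def find_redirects_to_smb(responses):
    """Return (status, location, host) for each redirect that targets SMB."""
    hits = []
    for raw in responses:
        status, headers = parse_response(raw)
        loc = headers.get("location")
        if 300 <= status < 400 and loc:
            host = smb_target(loc)
            if host:
                hits.append((status, loc, host))
    return hits
```

A local-only file:/// target is deliberately not flagged, since no remote SMB server is contacted.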

Cylance found four susceptible common API functions used by some of the world’s most popular software, including Adobe Reader; Apple QuickTime and Apple Software Update for iTunes; Box’s Sync client; Symantec’s Norton Security Scan; and Microsoft’s Internet Explorer 11, Excel 2010 and Windows Media Player.

Although the user credentials sent to an SMB server are not transmitted in the clear, the protection scheme dates from 1998 and is easy to break with 2015 hardware.

“A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers,” said the researchers. “With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.”

Mitigation recommendations

Cylance spent six weeks working with CERT at Carnegie Mellon University to coordinate disclosure of the new vulnerability, giving the affected vendors time to fix or mitigate the bug. Until Microsoft fixes it, it is recommended that users block outbound traffic on TCP ports 139 and 445, either at the endpoint firewall or, on a trusted network, at the network gateway firewall.

Other mitigations are available in a whitepaper published by the security firm.

“The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network,” explained Cylance.

“Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
