Unpatched 18-year-old Windows man-in-the-middle diddle revived

Dumb hackers can target Wi-Fi scabs via Nexus slabs

Security boffin Brian Wallace has revived an 18-year-old Windows bug affecting at least 31 top vendors, which could allow an attacker to steal usernames and passwords from millions of Microsoft boxes.

The respun vulnerability, dubbed Redirect to SMB, requires victims to visit or be pushed to a malicious server which could steal encrypted credentials for later brute-forcing.

Redmond moved to douse reports of the 1997 vulnerability, telling Reuters it addressed the flaw in 2009 with security best practice guidance and the release of Extended Protection for Authentication.

Wallace (@botnet_hunter) says there is no fix for either flaw and urged Microsoft to issue a patch, adding affected vendors include Apple, Adobe, and Oracle.

"Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle (MITM) attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password," Wallace says in an advisory.

"Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.

"Malicious ads could also be crafted that would force authentication attempts from Internet Explorer users while hiding malicious behaviour from those displaying the advertising."

Dumb attackers could just attack victims over shared WiFi access points at Starbucks, McDonalds' or airports, even from fondleslabs; Wallace says it works using a Nexus 7 jacked with hacking tools.

It is a "simple attack with undeniable results", Wallace says in a technical paper on the flaw (pdf).

Carnegie Mellon's CERT says Windows software which utilises HTTP requests can be forwarded to file:// protocols on a malicious servers where the automatic SMB authentication takes place.

Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server.

If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be brute-forced to break the encryption.

Affected applications include Adobe Reader; QuickTime; Apple Software Update; Internet Explorer, Windows Media Player; Excel 2010; Microsoft Baseline Security Analyzer; Norton Security Scan; AVG Free; BitDefender Free; Github for Windows, Comodo Antivirus, and Maltego Community Edition to name a few.

Users can block outbound traffic from TCP 139 and TCP 445 with a firewall, or block all SMB communication entirely.

"We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack," Wallace says. ®

CylanceSPEAR - POC - Redirect To SMB via ARP Poisoning


Biting the hand that feeds IT © 1998–2017