Windows has the ancient hole from hell

Windows users are still suffering from a hole which was first discovered by Aaron Spangler in 1997.

The hole is so bad that it makes Slough look somewhat attractive. It leaves millions of Windows users open to attack, making it possible to extract encrypted credentials from a target machine.

Security experts at Cylance say the problem affects “any Windows PC, tablet or server” (including Windows 10) and is a slight progression of the Redirect to SMB attack.

Redirect to SMB is essentially a man-in-the-middle attack which involves taking control of a network connection. Victims are then redirected to a malicious SMB server which can extract usernames, domains and passwords. Cylance also reports that software from companies such as Adobe, Oracle and Symantec — including security and antivirus tools — is affected.

Writing in his blog, Brian Wallace explains that Cylance has spent the last month and a half working with vendors to help fix the problem, but has now decided to make details of the vulnerability public.

A technical white paper explains how the original Redirect to SMB attack worked by sending a URL in the form file://1.1.1.1 — this would cause Windows to connect to a malicious SMB server at 1.1.1.1, attempt to authenticate, and essentially hand over security credentials.

The paper said that the researchers uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews.

“When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server,” the paper said.

Cylance found no fewer than four Windows API functions that can be used to redirect a user from an HTTP or HTTPS connection to a malicious SMB server.

The forced authentication makes it relatively easy to get hold of usernames and passwords, even if they are held in encrypted form. As well as Windows itself, other programs affected by the problem include AVG Free, Internet Explorer, Windows Media Player, BitDefender Free, TeamViewer, and GitHub for Windows.

Wallace said that Redirect to SMB is most likely to be used in targeted attacks by advanced hackers, because attackers must have control over some component of a victim’s network traffic.

Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behaviour from those displaying the advertising.

Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices.

“We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools,” he said.

While Vole has yet to release a patch for the security flaw, Cylance suggests a workaround. By blocking outbound traffic from TCP 139 and TCP 445 you can put an obstacle in the way of authentication attempts that originate outside of your network while retaining SMB capabilities within it.
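As an added example, not code from the article or from Cylance, the following Python script scans constructed proxy-log lines for the redirect mechanism described above (an HTTP 3xx whose Location is a file:// URL or a UNC path) and marks whether the SMB target sits inside the private address ranges the script assumes, which is the inside/outside distinction the port-blocking workaround relies on. The log format, hostnames and addresses are all made up for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed proxy-log sample (not from the article): method, requested URL,
# HTTP status and the Location header the server answered with ("-" if none).
SAMPLE_LOG = r"""
GET http://cdn.example.test/logo.png 200 -
GET http://ads.example.test/click 302 file://203.0.113.7/share/img.png
GET http://ads.example.test/next 302 https://www.example.test/landing
GET http://img.example.test/a.png 301 \\203.0.113.7\pics\a.png
GET http://intranet.example.test/b.png 302 file://10.0.0.5/pub/b.png
"""

# Assumed private ranges standing in for "inside the network"; adjust to taste.
LOCAL_NETS = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def smb_redirect_host(location):
    """Host that a Location header (file:// URL or UNC path) would make
    Windows open an SMB connection to, or None if it is an ordinary URL."""
    if location.startswith("\\\\"):
        return location[2:].split("\\", 1)[0] or None
    parsed = urlparse(location)
    if parsed.scheme == "file" and parsed.netloc:
        return parsed.netloc
    return None

def is_internal(host, local_nets=LOCAL_NETS):
    """True only for literal IPs inside local_nets; hostnames count as
    external because they cannot be classified without a lookup."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(net) for net in local_nets)

def scan_log(text, local_nets=LOCAL_NETS):
    """(requested_url, smb_host, 'internal'|'external') for each HTTP 3xx
    whose Location would trigger an SMB authentication attempt."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # blank or malformed line
        _method, url, status, location = parts
        if not status.startswith("3"):
            continue                      # not a redirect
        host = smb_redirect_host(location)
        if host is not None:
            where = "internal" if is_internal(host, local_nets) else "external"
            alerts.append((url, host, where))
    return alerts
```

Run against real proxy logs, the "external" hits are the ones the outbound 139/445 block is meant to stop, and the "internal" ones are worth a second look at the server issuing the redirect.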