18 Year Old ‘Redirect To SMB’ Vulnerability Impacts All Versions Of Windows

Researchers find Redirect To SMB variant that can leak login credentials for some of the world’s most popular software

Security researchers have uncovered a variant of an 18 year old vulnerability in all versions of Windows – including technical previews of Windows 10 – that could be exploited to steal sensitive login credentials from a number of popular applications.

‘Redirect to SMB’ can be exploited through a man-in-the-middle attack that tricks applications into allowing Windows to authenticate with a hacker-controlled server. The vulnerability was first discovered in 1997 by researcher Aaron Spangler, and Microsoft did not issue a patch.

Spangler found that a URL beginning with the word “file” and followed by an IP address would cause the operating system to authenticate with a server message block (SMB) server at that IP.

Redirect to SMB

Researchers at Cylance’s SPEAR team were looking for ways to abuse a chat client that provides image previews and decided to test for the vulnerability. The team then created an HTTP server that automatically answered every request with an HTTP 302 status code that redirected users to a “file://” URL.
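A defender can look for the redirect described above in captured HTTP responses or proxy records. The following is an added example, not code from Cylance or from this article; the function names are hypothetical and the sample responses are constructed. It returns the host that a redirect would cause Windows to contact over SMB, or `None` for ordinary responses.

```python
import re
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_head(raw: bytes):
    """Split a raw HTTP response head into (status, {lower-cased header: value})."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    m = re.match(r"HTTP/\d(?:\.\d)? (\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def smb_redirect_target(raw: bytes):
    """Return the host a redirect would make Windows contact over SMB, else None."""
    status, headers = parse_head(raw)
    location = headers.get("location", "")
    if status not in REDIRECT_CODES or not location:
        return None
    if location.startswith("\\\\"):            # UNC path: \\host\share
        return location[2:].split("\\", 1)[0] or None
    parts = urlsplit(location)
    if parts.scheme != "file":                 # urlsplit lower-cases the scheme
        return None
    if parts.netloc:                           # file://host/share
        return parts.netloc
    if parts.path.startswith("//"):            # file:////host/share
        return parts.path.lstrip("/").split("/", 1)[0] or None
    return None                                # file:///C:/... is a local path

# Constructed sample responses; 192.0.2.10 is a documentation address.
SAMPLES = {
    "smb": b"HTTP/1.1 302 Found\r\nLocation: file://192.0.2.10/share/image.jpg\r\n\r\n",
    "web": b"HTTP/1.1 302 Found\r\nLocation: https://example.com/image.jpg\r\n\r\n",
    "local": b"HTTP/1.1 302 Found\r\nLocation: file:///C:/Users/Public/a.jpg\r\n\r\n",
    "page": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, smb_redirect_target(raw))
```

A hit on this check is worth correlating with outbound connection attempts to TCP 139 or 445 from the same client.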

Cylance found four susceptible common API functions used by some of the world’s most popular software, including Adobe Reader; Apple QuickTime and Apple Software Update for iTunes; Box’s Sync client; Symantec’s Norton Security Scan; and Microsoft’s Internet Explorer 11, Excel 2010 and Windows Media Player.

Although user credentials sent to legitimate SMB servers are encrypted, the method employed was designed in 1998 and is easy to decode in 2015.

“A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers,” said the researchers. “With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day.”

Mitigation recommendations

Cylance has spent six weeks working with CERT at Carnegie Mellon University to coordinate the disclosure of the new vulnerability, allowing the affected vendors to fix or mitigate the bug. Until Microsoft fixes the issue itself, users are advised to block outbound traffic on TCP 139 and TCP 445 at either the endpoint firewall or the network gateway firewall, if using a trusted network.

Other mitigations are available in a whitepaper published by the security firm.

“The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network,” explained Cylance.

“Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”
