SPEAR, the research team at Cylance, has discovered new attack vectors for an 18-year-old vulnerability in Windows Server Message Block (SMB). The updated attack vector, called Redirect to SMB, impacts products from Microsoft, Apple, Adobe, Symantec, Box, Oracle, and more.
In 1997, Aaron Spangler discovered a bug in Internet Explorer that allowed attackers to steal credentials by exploiting a feature in the SMB protocol.
SMB is a core component in Windows networking, and enabled by default in all versions of the Windows OS.
Microsoft provided workarounds and difficult-to-implement GPO options after the flaw was initially disclosed, but never fully addressed the underlying problem. As things stand now, unless default settings in Windows are changed, systems remain vulnerable to these types of attack.
An SMB attack is one where a victim is tricked into following a link that causes the browser to authenticate to a remote SMB server (e.g. file://x.x.x.x or \\x.x.x.x\), which results in the attacker obtaining credentials for the user that's currently logged in. The credentials are hashed, but they can be recovered given enough time, usually a few hours in most cases thanks to GPU-based cracking.
The Redirect to SMB attack discovered by SPEAR follows the original concepts developed by Spangler, but now the attack can target all vulnerable HTTP/HTTPS requests, including those made by browsers as well as applications attempting to access resources on the Web.
For this updated method to work, attackers would use a Web server under their control, or gain access to network traffic (Man-in-the-Middle) and force the user to authenticate to a rogue server running SMB. For example, online, the attackers could use a 301 or 302 status code, directing the browser to a resource that starts with file://.
"Abusing network share paths (UNC) to steal and relay Windows credentials has been well-known for almost 20 years," said HD Moore, Chief Research Officer at Rapid7, in a statement to Salted Hash.
"These techniques are often used by professional attackers (legit or otherwise) to gain initial access to an organization and to escalate privileges once they are on the internal network. Microsoft has provided a number of mitigations that have made these attacks slightly less effective, but overall, it is a design issue that is not likely to be fixed for quite some time."
Next: So what's vulnerable?