Log-in Stealing Attack Builds on 18-Year-Old Flaw

Security researchers are warning of a new method for attackers to steal sensitive log-in credentials from any Windows machine, which builds on a vulnerability discovered 18 years ago.

Cylance senior researcher Brian Wallace introduced the ‘Redirect to SMB’ attack in a blog post on Monday, with the Carnegie Mellon University CERT publishing details the same day.

“Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password,” he explained.

Software from 31 vendors including Adobe, Apple, Microsoft and Oracle can apparently be exploited using the flaw, which is why the researchers have been working with affected vendors for the past six weeks before disclosing.

The original vulnerability, discovered in 1997 by Aaron Spangler, means that if a URL beginning with the word ‘file’ is entered into Internet Explorer, the OS will try to authenticate with an SMB server at the IP address 1.1.1.1.

Many software products use HTTP requests for things like update checks. If an attacker can intercept those requests via MITM or a similar technique and answer with a redirect to a file:// URL pointing at a malicious SMB server, they can capture the victim’s credentials – assuming the victim is running Windows.

Although encrypted, those credentials could be brute-forced later.
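The tell-tale sign of the redirect described above is an HTTP 30x response whose Location header points at a file:// URL or a UNC path rather than another web address. The following detection logic, an added example and not code from Cylance or the article, walks proxy-style response records and flags such redirects; the log format and the host 203.0.113.9 are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of proxy-style HTTP response records (not real traffic):
# method, requested URL, status code, Location header ("-" when absent).
SAMPLE_LOG = """\
GET http://updates.example.test/check.xml 200 -
GET http://updates.example.test/check.xml 302 file://203.0.113.9/updates/check.xml
GET http://cdn.example.test/lib.js 301 https://cdn.example.test/lib.js
GET http://ads.example.test/banner 302 \\\\203.0.113.9\\share\\pixel.gif
GET http://updates.example.test/latest 307 FILE://203.0.113.9/x
"""

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# A file:// URL or a UNC path (\\host\share) as the redirect target makes
# Windows open an SMB session to that host and offer NTLM authentication.
FILE_URL = re.compile(r"^file://([^/\\]+)", re.IGNORECASE)
UNC_PATH = re.compile(r"^\\\\([^\\]+)\\")

@dataclass
class Finding:
    requested_url: str
    status: int
    location: str
    smb_host: str

def smb_target(location: str) -> Optional[str]:
    """Return the host a file:// or UNC redirect would contact over SMB, else None."""
    for pattern in (FILE_URL, UNC_PATH):
        m = pattern.match(location)
        if m:
            return m.group(1)
    return None

def find_smb_redirects(log_text: str) -> List[Finding]:
    """Flag HTTP redirects whose Location would trigger SMB authentication."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue  # malformed record, skip
        _method, url, status, location = parts
        if int(status) not in REDIRECT_STATUSES or location == "-":
            continue  # not a redirect, or no Location header
        host = smb_target(location)
        if host:
            findings.append(Finding(url, int(status), location, host))
    return findings

if __name__ == "__main__":
    for f in find_smb_redirects(SAMPLE_LOG):
        print(f"{f.status} redirect of {f.requested_url} -> SMB host {f.smb_host}")
```

Any SMB host this reports that is not a known internal file server is worth correlating with outbound 445/139 connection attempts from the same client.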

Wallace claimed that Redirect to SMB is most likely to be used by advanced targeted attackers, as they need control over some part of the victim’s network.

“Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising,” he added.

“Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools.”

The Carnegie Mellon University CERT said it was “unaware of a full solution” to the issue but recommended several workarounds including blocking outbound SMB connections; restricting NTLM group policy; using a strong password; and changing passwords frequently.

Wallace urged Microsoft to “reconsider the vulnerabilities and disable authentication with untrusted SMB servers.”