‘Redirect to SMB vulnerability’: Return of the credential stealer

May 12, 2015

Hackers always have a targeted interest in credentials. Just like a burglar would prefer to have a key to a house, credentials provide them easy access to systems. Quite often, a seemingly innocent way of working can be tweaked slightly to be used in a nefarious way. This also applies to a vulnerability called “Redirect to SMB”, which is a variation on an old attack.

Experts from Cylance have come up with a new technique to hijack users' credentials by taking advantage of the Server Message Block (SMB) service, which provides file and printer sharing within a Windows environment. The vulnerability affects any Windows PC, tablet or server, including all versions of Windows up to and including Windows 10.

Furthermore, some of the most popular and commonly used software, from vendors such as Adobe, Apple, Box, Oracle and Symantec, can be exploited using this vulnerability.

Let’s delve a little deeper into this attack…

In 1997, Aaron Spangler discovered a vulnerability in SMB in which an attacker can obtain the victim's credentials by supplying them with a URL such as file://<IP Address>. Once the victim accesses the URL, the operating system by default automatically attempts to authenticate to the SMB server, exposing the logged-on user's credentials to that server.

Cylance found a variant of the SMB attack discovered by Aaron, coupling it with an HTTP redirection vulnerability. The attack scenario is as follows:

  1. Victim's application attempts to check for an update from the legitimate server, e.g. http://legit-server.com/update
  2. Attacker performs a man-in-the-middle attack and redirects the request to the attacker's own web server
  3. Attacker's web server responds with a redirect status code (302), sending the victim to a new location with the Location header set to a file:// URL
  4. Victim's OS by default attempts to connect to the attacker's SMB server at that IP address and automatically authenticates without any prompt, because the path was set to "file://" instead of "http://"
  5. Attacker logs any authentication attempts and captures sensitive details from the victim

How can you protect your data from the ‘Redirect to SMB’ vulnerability?

The easiest way to protect yourself from the attack is to block outbound traffic to TCP ports 139 and 445. This can be done at the endpoint firewall, although users will then not be able to use the SMB feature at all. We also recommend blocking this traffic at the network gateway firewall, which ensures that SMB keeps working within the network while users cannot authenticate to SMB servers outside it. In addition, ensure that the functions used in the software do not support cross-protocol redirection.
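The last recommendation, refusing cross-protocol redirects, is the mitigation an application developer controls directly. The following is an added example (not code from the original article or from Cylance) of a redirect-following routine that validates the Location header of every 3xx response and only follows http:// or https:// targets, so a 302 pointing at file:// is rejected instead of being handed to the operating system. It replays the attack scenario above offline: the HTTP responses are constructed inline as a small dictionary, the host names legit-server.com (from the article), update.example.test and the address 192.0.2.10 are constructed placeholders, and no network traffic is generated.

```python
"""Added example: refusing cross-protocol redirects (http -> file://).

No network access is used. HTTP responses are modelled as
(status, headers) tuples keyed by request URL, constructed below.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Only web schemes may be followed; file://, smb://, etc. are refused.
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class UnsafeRedirect(Exception):
    """Raised when a redirect would leave the http/https scheme family."""


def next_location(request_url: str, status: int, headers: Dict[str, str]) -> Optional[str]:
    """Return the validated absolute URL to follow, or None if the
    response is not a redirect.  Raises UnsafeRedirect if the Location
    header resolves to a non-http(s) scheme or is missing."""
    if status not in REDIRECT_STATUSES:
        return None
    location = headers.get("Location")
    if location is None:
        raise UnsafeRedirect("redirect response without Location header")
    # urljoin resolves relative Locations against the request URL and
    # returns absolute Locations (including file://...) unchanged.
    target = urljoin(request_url, location)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeRedirect(f"refusing redirect to {scheme!r} URL: {target}")
    return target


def redirect_is_safe(request_url: str, status: int, headers: Dict[str, str]) -> bool:
    """Boolean wrapper around next_location for policy checks."""
    try:
        next_location(request_url, status, headers)
        return True
    except UnsafeRedirect:
        return False


def follow_redirects(start_url: str,
                     responses: Dict[str, Tuple[int, Dict[str, str]]],
                     max_redirects: int = MAX_REDIRECTS) -> str:
    """Walk a redirect chain using the constructed response table and
    return the final (non-redirect) URL.  Stops after max_redirects hops."""
    url = start_url
    for _ in range(max_redirects + 1):
        status, headers = responses[url]
        target = next_location(url, status, headers)
        if target is None:
            return url
        url = target
    raise UnsafeRedirect(f"more than {max_redirects} redirects from {start_url}")


# Constructed responses modelling the scenario in the article:
# a legitimate same-protocol redirect, and a 302 whose Location points
# at an SMB share via file:// (192.0.2.10 is a documentation address).
CONSTRUCTED_RESPONSES: Dict[str, Tuple[int, Dict[str, str]]] = {
    "http://legit-server.com/update": (302, {"Location": "https://legit-server.com/update/v2"}),
    "https://legit-server.com/update/v2": (200, {}),
    "http://update.example.test/check": (302, {"Location": "file://192.0.2.10/share/update.exe"}),
}

if __name__ == "__main__":
    print("legitimate chain ends at:",
          follow_redirects("http://legit-server.com/update", CONSTRUCTED_RESPONSES))
    try:
        follow_redirects("http://update.example.test/check", CONSTRUCTED_RESPONSES)
    except UnsafeRedirect as exc:
        print("blocked:", exc)
```

The check is applied on every hop, not just the first, because an attacker controlling one response in the chain can insert the file:// Location at any point. Real HTTP client libraries differ in whether they follow non-web schemes at all, so this explicit allow-list belongs in the update-checking code regardless of the library in use; the firewall rules above remain the second layer for software you cannot change.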

This attack highlights the need to keep up to date with the latest types of cyber-attacks and, equally, with the old vulnerabilities, which should not be forgotten. Hackers regularly revisit older attacks and attempt to reuse them against the latest technologies. Essentially, having the original mitigations in place will prevent this type of attack from affecting your data.

To find out more about how to protect your data from the Redirect to SMB vulnerability or similar cyber security attacks, contact us.