New man-in-the-middle attack for Windows exposed
Security researchers have described a new attack on an old vulnerability in Windows that allows attackers to route data traffic to their own systems to steal login names and passwords.
The researchers have dubbed the vulnerability Redirect to SMB; it has its origins in a vulnerability that was discovered way back in 1997 but was never patched. When Internet Explorer was served a URL using the ‘file’ scheme, such as file://1.1.1.1, Windows tried to connect and authenticate to an SMB server, in this example the one at IP address 1.1.1.1. The researchers found a new attack based on this that works with all versions of Windows.
Attackers can intercept HTTP requests and use an HTTP redirect to send traffic from target systems to a malicious SMB server. Many programs follow HTTP redirects in the background without user interaction. If the redirect points to a ‘file://’ URL, Windows automatically authenticates to the SMB server and hands over the user’s credentials. The attacker can capture these login names and passwords and break the protection on them via, for example, a brute-force attack.
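As an added illustration (not code from the article or from Cylance), a small Python check that a proxy or monitoring tool could apply to HTTP responses before a client follows them: it flags redirect responses whose Location header points at a file:// URL, and goes slightly beyond the text by also flagging UNC-style paths. The sample responses and IP addresses are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Redirect status codes that HTTP client libraries follow automatically.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# A UNC path such as \\host\share is another way to point a Windows client at SMB.
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def parse_response_head(raw: str) -> tuple[int, dict]:
    """Parse the status line and headers of a raw HTTP response (headers only)."""
    lines = raw.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        if not line:  # blank line ends the header section
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_redirect_to_smb(raw: str) -> bool:
    """True if the response redirects the client to a file:// URL or a UNC path."""
    status, headers = parse_response_head(raw)
    if status not in REDIRECT_STATUSES:
        return False
    location = headers.get("location", "")
    if UNC_RE.match(location):
        return True
    return urlparse(location).scheme.lower() == "file"


# Constructed sample responses (hypothetical hosts, documentation IP addresses).
SAMPLES = {
    "ok": "HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "https_redirect": "HTTP/1.1 302 Found\r\nLocation: https://updates.example.com/v2\r\n\r\n",
    "file_redirect": "HTTP/1.1 302 Found\r\nLocation: file://192.0.2.10/share/update.exe\r\n\r\n",
    "unc_redirect": "HTTP/1.1 307 Temporary Redirect\r\nLocation: \\\\192.0.2.10\\share\r\n\r\n",
}


def flagged(samples: dict) -> list:
    """Return the names of the responses that would trigger SMB authentication."""
    return [name for name, raw in samples.items() if is_redirect_to_smb(raw)]
```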
Attackers no longer have to lure a target to an SMB server via the browser; they can instead wait for the automated HTTP requests that applications make in the background, which lets them collect SMB authentication attempts carrying personal login information significantly faster and more covertly. “We have identified four common Windows API functions that allow redirects from http or https to smb,” writes security firm Cylance, which discovered the attack method. “Tests show that many software features, such as updaters and usage-reporting tools, use these API functions.”
Cylance found that the method works with many programs, including Adobe Reader, Apple QuickTime, Apple Software Update, Internet Explorer, Windows Media Player, Excel 2010, Symantec’s Norton Security Scan, AVG Free, TeamViewer, and GitHub for Windows.
The chance of large-scale abuse is limited, but Cylance deems targeted attacks by advanced attackers possible, for example via malicious advertisements or via open Wi-Fi networks. Microsoft has not patched the vulnerability. In the meantime, users can block TCP ports 139 and 445, which carry SMB traffic.