‘Redirect to SMB’ vulnerability allows login theft, even in Windows 10
Mon 13 Apr 2015

Security researchers have identified a new variant on an old hacking technique to steal Windows user credentials, including the victim’s username, hashed password and domain – and it works just fine on the Windows 10 preview release too. Applications vulnerable to the technique include those made by Apple, Oracle, Symantec, Adobe and Box, with several popular security and antivirus suites susceptible. Microsoft has never addressed the historical exploit on which the new attack is based, even though it was made public 18 years ago.
‘Redirect to SMB’ allows attackers to perform Man in the Middle (MITM) attacks by redirecting users to malfeasant SMB authentication servers which are capable of exfiltrating the credentials and granting intercepting parties the opportunity to harvest private data in confidential locations, shepherd the victim machine into a larger botnet, and even completely take over the machine.
The attack vector was developed from the 1997 vulnerability exposed by Aaron Spangler, who discovered that URLs which begin with the word ‘File’ (i.e. file://1.1.1.1/) would prompt the Windows OS to authenticate via SMB (Server Message Block) at the IP address used in the crafted URL – analogous to asking a thief for a character reference.
The researchers at Cylance discovered the vulnerability whilst attempting to hack image previews in a chat client, and found that by sending an SMB-directed exploit, the victim was forced to authenticate through the bogus SMB server provided.
Modern applications currently susceptible to the software include Symantec’s Norton Security Scan, antivirus and malware protection software AVG Free, Comodo Antivirus, Windows Media Player, Adobe Reader, Apple’s QuickTime and Software Update, Excel 2010…and even Baseline Security Analyzer, a tool from Microsoft intended to analyse the vulnerability of computers to potential attack.
The report criticises Microsoft for never having addressed Spangler’s 1997 exploit: “We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack,”