
A really dumb 18 year old exploit in Windows was never patched

SIGSEGV

Source: http://thehackernews.com/2015/04/smb-windows-vulnerability.html

This exploit is so unbelievably easy to do, it's not even funny (ok, maybe it is a little funny).

The way this exploit works is very simple, when a Windows computer goes to access a file on an SMB server it automatically sends the user's credentials. All the hacker has to do is read the credentials. A more useful application for a hacker would be to tell a computer accessing a HTTP server that the HTTP server is an SMB server and get the username and password for the user.

 


Security researchers have unearthed a serious security flaw in all supported versions of Windows that could let hackers steal users’ credentials from computers, tablets or servers running any version of Windows operating system, including the as-yet-released Windows 10.

 

This vulnerability in Windows was first discovered 20 years ago:

 

The critical bug, dubbed "Redirect to SMB," is a variant of a vulnerability found in Windows by researcher Aaron Spangler nearly 18 years ago that caused Windows to expose a user's Windows username and password automatically.

 

However, according to researchers at security firm Cylance who discovered the flaw, this weakness in Windows was never patched by Microsoft, as Microsoft says that this flaw is not worth focusing on, and, therefore...

 

...This results in a new hack that targets the SMB file sharing protocol.

 

 

But, What is SMB?

 

SMB, or Server Message Block, is a protocol that allows users to share files over a network. In Windows operating systems, SMB is often used by companies and organizations to share files from one server across their entire network.

 

Now, how is this SMB protocol exploited by hackers?

 

While requesting a file from the server, Windows will automatically attempt to authenticate to the SMB server by providing the system users’ credentials to the server.

 

How does the "Redirect to SMB" attack work?

 

Any method used by an attacker to force victims to try to authenticate to an attacker-controlled SMB server describes the Redirect to SMB attack.

 

So, an attacker only needs to intercept this HTTP request, which can be easily done using Man-in-the-Middle (MITM) attack, and then redirect the victim to a malicious SMB server controlled by the attacker.

 

When a victim inputs a URL that starts with the word "file://" or clicks on a malicious link, Windows believes that the user is trying to gain access to a file on a server.

 

Because of this vulnerability, Windows will automatically attempt to authenticate itself to the malicious SMB server by providing the user's login credentials to the server.

 

This could allow a malicious hacker to steal victims’ Windows username, domain as well as the typically hashed password, which, Cylance claims, could be cracked by an attacker with a high-end GPU in less than half a day.

 

What does Microsoft say about the issue?

 

Microsoft officials downplayed the Cylance "discovery" and the seriousness of the flaw on Monday, saying that the issue was not new at all, and the chances of falling victim to this attack are little.

"We do not agree with Cylance's claims of a new attack type. Cybercriminals continue to be engaged in a number of nefarious tactics," a Microsoft spokesperson released a statement on Monday.

"However, several factors would need to come together for this type of cyber attack to work, such as success in luring a person to enter information into a fake website. We encourage people to avoid opening links in emails from senders that they do not recognize or visiting unsecure sites."

Who is affected?

 

Cylance claims that nearly 31 programs are vulnerable to the SMB flaw, which includes:

  • Many widely used applications: Adobe Reader, Apple QuickTime and Apple Software Update that handles iTunes updates
  • Microsoft Applications: Internet Explorer, Windows Media Player, Excel 2010, and even Microsoft Baseline Security Analyzer
  • Developer Tools: Github for Windows, PyCharm, IntelliJ IDEA, PHP Storm and JDK 8u31’s installer
  • Security Tools: .NET Reflector and Maltego CE
  • Antivirus Software: Symantec’s Norton Security Scan, AVG Free, BitDefender Free and Comodo Antivirus
  • Team Tools: Box Sync and TeamViewer

How do you protect yourself against this flaw?
  • The simplest way to protect against this issue is to block outbound traffic from TCP 139 and TCP 445. This could be prevented using a network gateway firewall to prevent only SMB communications to destinations outside of your network.
  • Apply applicable and up-to-date software patches from vendors.
  • Use strong passwords so that it requires a larger time for brute forcing of any hashing algorithms.

Here is a video of Cylance exploiting this:

Disclaimer: this is a demonstration and is not intended to be used as a tutorial for illegally compromising computer systems, I am not responsible for any unintended use of the above video or any other content in this post

"My game vs my brains, who gets more fatal errors?" ~ Camper125Lv, GMC Jam #15
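The article above gives the attack in two halves (an HTTP redirect that points a Windows client at a file:// or UNC target, and the resulting outbound SMB connection carrying the user's credentials) and gives the mitigation as blocking outbound TCP 139/445 at the gateway. The script below is an added example for detecting both halves in logs; it is not code from this thread, from Cylance or from The Hacker News. The proxy-log and firewall-log formats, the sample lines, the `INTERNAL_NETWORKS` list and the 203.0.113.0/24 address standing in for an attacker host are all constructed assumptions.

```python
"""Defender-side checks for the "Redirect to SMB" exposure described above.

Added example; not code from the thread, Cylance or The Hacker News.  All
input below is constructed sample data, so the script runs offline.

  1. redirect_targets_smb(location): would an HTTP Location header send a
     Windows client to a file:// URL or a backslash UNC path?  That is the
     redirect that turns an ordinary HTTP fetch into an SMB connection with
     automatic credential submission.
  2. find_smb_egress(lines): which connection-log entries are outbound TCP
     139/445 to hosts outside the local networks?  That is the traffic the
     article says to block at the gateway firewall.
"""
import ipaddress
import re
from urllib.parse import urlparse

SMB_PORTS = {139, 445}

# Assumption: "inside the network" means the RFC 1918 ranges.  Adjust to the
# site's real address plan before running this over real logs.
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed proxy-log format (not any real product's format):
#   <timestamp> <client-ip> <method> <url> <status> [Location: <target>]
PROXY_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})(?: Location: (.+))?$")

# Constructed firewall-log format:
#   <timestamp> TCP <src-ip>:<src-port> -> <dst-ip>:<dst-port> <verdict>
FW_RE = re.compile(r"^(\S+) TCP (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def redirect_targets_smb(location: str) -> bool:
    """True if a Location header value would make a Windows client speak SMB.

    Flags backslash UNC paths and file:// URLs that name a remote host.
    file:///C:/... (no host) is a local path and is not flagged; a
    forward-slash //host/share is protocol-relative in browsers, so it is
    deliberately left alone rather than guessed at.
    """
    target = location.strip()
    if target.startswith("\\\\"):
        return True
    parsed = urlparse(target)
    return parsed.scheme.lower() == "file" and bool(parsed.netloc)


def find_smb_redirects(lines):
    """Return proxy-log records whose 3xx redirect target would trigger SMB."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        ts, client, _method, url, status, location = m.groups()
        if location and status.startswith("3") and redirect_targets_smb(location):
            hits.append({"time": ts, "client": client, "url": url, "location": location})
    return hits


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def find_smb_egress(lines):
    """Return (src, dst, dport) for SMB connections from inside to outside."""
    hits = []
    for line in lines:
        m = FW_RE.match(line)
        if not m:
            continue
        _ts, src, _sport, dst, dport, _verdict = m.groups()
        dport = int(dport)
        if dport in SMB_PORTS and is_internal(src) and not is_internal(dst):
            hits.append((src, dst, dport))
    return hits


# Constructed sample data.  203.0.113.0/24 is a documentation range used here
# to stand in for an attacker-controlled Internet host.
SAMPLE_PROXY_LOG = [
    "2015-04-13T10:02:10Z 10.0.0.5 GET http://updates.example.test/check 200",
    "2015-04-13T10:02:11Z 10.0.0.5 GET http://updates.example.test/old 302 Location: https://updates.example.test/new",
    "2015-04-13T10:02:12Z 10.0.0.5 GET http://updates.example.test/dl 302 Location: file://203.0.113.7/share/update.exe",
]
SAMPLE_FIREWALL_LOG = [
    "2015-04-13T10:02:13Z TCP 10.0.0.5:49211 -> 10.0.0.20:445 ALLOW",     # internal file server: fine
    "2015-04-13T10:02:13Z TCP 10.0.0.5:49212 -> 203.0.113.7:445 ALLOW",   # SMB leaving the network: flag
    "2015-04-13T10:02:14Z TCP 10.0.0.5:49213 -> 203.0.113.7:443 ALLOW",   # ordinary HTTPS: fine
]

if __name__ == "__main__":
    for hit in find_smb_redirects(SAMPLE_PROXY_LOG):
        print("SMB redirect:", hit)
    for src, dst, port in find_smb_egress(SAMPLE_FIREWALL_LOG):
        print(f"outbound SMB {src} -> {dst}:{port} (should be blocked at the gateway)")
```

The egress check is the one that matters operationally: a redirect can arrive through any of the applications the article lists, but every variant ends in a TCP 139/445 connection to a host outside the network, so that is the single place to block and to alert. `is_internal` deliberately uses an explicit RFC 1918 list rather than Python's `is_private`, because `is_private` also covers documentation ranges such as 203.0.113.0/24 and would hide the constructed attacker address.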


The real question is, are porn sites credentials compromised? :D

MARS_PROJECT V2 --- RYZEN RIG


 CPU: R5 1600 @3.7GHz 1.27V | Cooler: Corsair H80i Stock Fans@900RPM | Motherboard: Gigabyte AB350 Gaming 3 | RAM: 8GB DDR4 2933MHz(Vengeance LPX) | GPU: MSI Radeon R9 380 Gaming 4G | Sound Card: Creative SB Z | HDD: 500GB WD Green + 1TB WD Blue | SSD: Samsung 860EVO 250GB  + AMD R3 120GB | PSU: Super Flower Leadex Gold 750W 80+Gold(fully modular) | Case: NZXT  H440 2015   | Display: Dell P2314H | Keyboard: Redragon Yama | Mouse: Logitech G Pro | Headphones: Sennheiser HD-569

 


That's why I would be using linux if it had enough software support..



|  The United Empire of Earth Wants You | The Stormborn (ongoing build; 90% done)  |  Skyrim Mods Recommendations  LTT Blue Forum Theme! | Learning Russian! Blog |
|"They got a war on drugs so the police can bother me.”Tupac Shakur  | "Half of writing history is hiding the truth"Captain Malcolm Reynolds | "Museums are racist."Michelle Obama | "Slap a word like "racist" or "nazi" on it and you'll have an army at your back."MSM Logic | "A new command I give you: love one another. As I have loved you, so you must love one another"Jesus Christ | "I love the Union and the Constitution, but I would rather leave the Union with the Constitution than remain in the Union without it."Jefferson Davis |


-Snip-

Trust me, I'd love to, but I need the Adobe suite for various things.

Normandy - Intel Core i5 3470, 8 GB Corsair Vengenace LP, EVGA GTX 960 SSC, Gigabyte GA-Z77M-D3H-MVP, WD Blue 1 TB, Seagate 320 GB (steam), Seagate 320 GB (experimental, second OS, etc), Windows 8.1 + Ubuntu 14.10

Garrus - HP Stream 11


That's why I would be using linux if enough software supported it

Fix'd


-snip-

I would honestly jump to linux in a heartbeat, if I could actually use software on it.

Fractal Design Define R4 | MSI x79a-GD45 | 3960X @ 4.6Ghz | Lots of EK Blocks | EVGA GTX780Ti 3GB | Corsair Dominator Platinum 16GB (4x4) DDR3 1866 | Samsung 840 Pro 512GB SSD | Western Digital Red 2TB x4 (Raid 10) | Corsair AX760 | Windows 7 Professional 64-bit

 

 


I would honestly jump to linux in a heartbeat, if I could actually use software on it.

If you don't play games then there are many alternatives and ways to get Windows software running; for me the only reason is that most games in my Steam library are not Linux compatible. Gabe himself is helping to change this with the Linux powered Steam OS so hopefully more developers will make Linux versions of their games.


Wow that's a huge oversight. It doesn't affect me since I don't have a Windows password, but it could be a disaster for someone on Windows 8+ who uses their Microsoft account to login. All of a sudden an attacker can get access to your mail, and from there reset your passwords on other websites.

 

What I don't get is, how can they get the passwords? Shouldn't the passwords and usernames be hashed? Not that getting a hold of hashed passwords isn't bad, but this makes it sound like everything is just sent in plain text. If they do then that's just idiotic.


Wow that's a huge oversight. It doesn't affect me since I don't have a Windows password, but it could be a disaster for someone on Windows 8+ who uses their Microsoft account to login. All of a sudden an attacker can get access to your mail, and from there reset your passwords on other websites.

 

What I don't get is, how can they get the passwords? Shouldn't the passwords and usernames be hashed? Not that getting a hold of hashed passwords isn't bad, but this makes it sound like everything is just sent in plain text. If they do then that's just idiotic.

 

The passwords are actually hashed passwords, so the attacker would also need to brute-force to get the password.

 

To be honest, I agree with Microsoft in that it is a bit overblown.  The fact is the attacker would have to have to be inside your network in order to really do anything, and I bet there are countless other vulnerabilities you could exploit to do more damage.

0b10111010 10101101 11110000 00001101


If you don't play games then there are many alternatives and ways to get Windows software running; for me the only reason is that most games in my Steam library are not Linux compatible. Gabe himself is helping to change this with the Linux powered Steam OS so hopefully more developers will make Linux versions of their games.

I don't want "alternatives", I want the software I use, because I don't want to relearn software that I already took time to learn. I don't play many games. If Linux had the software I use, I would jump off the Windows ship.


and this is why i use linux.

Recovering Apple addict

 

ASUS Zephyrus G14 2022


CPU: AMD Ryzen 9 6900HS GPU: AMD r680M / RX 6700S RAM: 16GB DDR5 

 


I don't want "alternatives", I want the software I use, because I don't want to relearn software that I already took time to learn. I don't play many games. If Linux had the software I use, I would jump off the Windows ship.

what software?


what software?

Linux has other issues than just software imo; my experience resulted in none of the available guides for installing drivers working and I had to figure it out myself even though I had the typical clean install of Cinnamon (Linux Mint). Installation of any program that is not through the terminal I have found to be a b*tch. Wine is a godsend though.

 

I agree with Microsoft and @WanderingFool here, there are many easier and more effective methods of compromising a person's system. This wouldn't be easy.

"Normandy" i7 4790K - GTX 970 - Phantom 410 (Gun metal) - Z97 Extreme4 (asrock) - 128GB Crucial SSD - 1TB WD HDD - H60 Refurb. - 7 case fans | G710+ Keyboard, G230 Headset, Acer GN246HL Monitor.

Quick thoughts on system: I7 is extremely quick and I'm glad I spent the extra for hyper-threading. I regret my decision to get the GTX 970, it has horrible coil whine. There isn't any excuse for this terrible whine I and others are having. I HIGHLY recommend a 144hz monitor. Future Improvements/upgrades: Rubber fan mounts, basic speakers, more ram (for a total of 16gb), replace GPU.

144hz is love. 144hz is life. I like to submit unfinished posts then do about 20 edits. I like the Night Theme too.

I don't want "alternatives", I want the software I use, because I don't want to relearn software that I already took time to learn. I don't play many games. If Linux had the software I use, I would jump off the Windows ship.

WINE (Which Is Not an Emulator) is a great way to get windows programs running on linux and there is another program that I can't remember right now that also does things like MS office.


WINE (Which Is Not an Emulator) is a great way to get windows programs running on linux and there is another program that I can't remember right now that also does things like MS office.

is it PlayOnLinux?


is it PlayOnLinux?

Yes, Thank you.


what software?

Mostly adobe software. I mostly use indesign and photoshop. Unless I'm mistaken, I can't use those on Linux. There are few programs that I use that are cross platform, but I kind of need photoshop and indesign for work.


WINE (Which Is Not an Emulator) is a great way to get windows programs running on linux and there is another program that I can't remember right now that also does things like MS office.

What does Wine do? If I could get things working. I would have no problem going to Linux. Except for choosing a variant.


Wow that's a huge oversight. It doesn't affect me since I don't have a Windows password, but it could be a disaster for someone on Windows 8+ who uses their Microsoft account to login. All of a sudden an attacker can get access to your mail, and from there reset your passwords on other websites.

 

What I don't get is, how can they get the passwords? Shouldn't the passwords and usernames be hashed? Not that getting a hold of hashed passwords isn't bad, but this makes it sound like everything is just sent in plain text. If they do then that's just idiotic.

It's sent hashed, but there are rainbow tables for pretty much any hashing algorithm used, so... tough luck

"Unofficially Official" Leading Scientific Research and Development Officer of the Official Star Citizen LTT Conglomerate | Reaper Squad, Idris Captain | 1x Aurora LN


Game developer, AI researcher, Developing the UOLTT mobile apps


G SIX [My Mac Pro G5 CaseMod Thread]


What does Wine do? If I could get things working. I would have no problem going to Linux. Except for choosing a variant.

The people behind Wine reverse-engineered most of the Windows .dll libraries and compiled them for Linux.


This worries me a lot as I'm really into MS eco-system.

  ﷲ   Muslim Member  ﷲ

KennyS and ScreaM are my role models in CSGO.

CPU: i3-4130 Motherboard: Gigabyte H81M-S2PH RAM: 8GB Kingston hyperx fury HDD: WD caviar black 1TB GPU: MSI 750TI twin frozr II Case: Aerocool Xpredator X3 PSU: Corsair RM650
