‘Redirect to SMB’ Vulnerability Affects All Versions of Windows

A serious vulnerability in all supported versions of Windows can let an attacker who controls some portion of a victim's network traffic steal users' credentials for valuable services, according to the SPEAR (Sophisticated Penetration Exploitation And Research) team at California-based cybersecurity firm Cylance. The vulnerability, disclosed Monday, is known as Redirect to SMB, and it can be used to force victims' machines to try to authenticate to an attacker-controlled server.

"Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate Web servers via man-in-the-middle attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim's username, domain and hashed password," according to a blog post by Cylance's Brian Wallace.

The bug lies in the way that Windows and other software handle HTTP redirects: when a server (or a man-in-the-middle posing as one) answers a request with a redirect to a file:// URL, the Windows client opens that target over SMB and tries to authenticate to it. Researchers say the behavior affects a wide range of applications, including iTunes and Adobe Flash. The Redirect to SMB flaw affects not only all current versions of Windows, but also some GitHub clients, some Oracle software and several security applications. Once an attacker has captured a victim's hashed credentials, the hash can be cracked offline.
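The mechanism above can be shown on the client side without touching a network. The following is an added example, not code from Cylance's research or from any affected product: it models a redirect-following client in its naive form (follow whatever scheme the Location header names, which is what lets a file:// target reach the SMB stack) beside a hardened form that allows only http and https and also rejects a bare UNC path, since Windows resolves \\host\share as an SMB access even though a generic URL joiner would not. It goes slightly beyond the article by covering both the file://host and UNC spellings. The proxy log lines and the 198.51.100.7 address are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Schemes a redirect is allowed to land on; everything else (file:, ftp:, ...) is refused.
ALLOWED_SCHEMES = {"http", "https"}


def is_smb_target(location: str) -> bool:
    """True if a Windows client would fetch this Location over SMB.

    Two spellings matter: a file:// URL naming a remote host
    (file://198.51.100.7/share/x.png or file:////198.51.100.7/share/x.png)
    and a bare UNC path (\\\\198.51.100.7\\share\\x.png).  A file:///C:/...
    URL is a local path and is not an SMB access.
    """
    loc = location.strip()
    if loc.startswith("\\\\"):          # UNC path: \\host\share\file
        return True
    parts = urlsplit(loc)
    if parts.scheme.lower() == "file":
        # file://host/... puts the host in netloc; file:////host/... leaves it in path.
        return bool(parts.netloc) or parts.path.startswith("//")
    return False


def resolve_redirect_naive(base_url: str, location: str) -> str:
    """Vulnerable behaviour: follow the redirect wherever it points.

    urljoin returns an absolute file:// Location unchanged, so a client that
    hands this result to the OS URL handler ends up opening an SMB share.
    """
    return urljoin(base_url, location)


def resolve_redirect_safe(base_url: str, location: str) -> Optional[str]:
    """Hardened behaviour: return the target URL, or None if it must not be followed.

    The raw header is checked as well as the joined result, because urljoin
    would quietly turn a UNC path into an http path segment that Windows'
    own resolver would still treat as \\host\share.
    """
    if is_smb_target(location):
        return None
    target = urljoin(base_url, location)
    if urlsplit(target).scheme.lower() not in ALLOWED_SCHEMES:
        return None
    return target


# Constructed proxy log lines (not real traffic): timestamp, client, method, URL,
# status and the Location header the server returned ("-" when absent).
LOG_LINES = [
    "2015-04-13T10:00:01Z client=10.0.0.5 GET http://www.example.com/pics/a.png 200 Location=-",
    "2015-04-13T10:00:02Z client=10.0.0.5 GET http://www.example.com/pics/b.png 302 Location=https://cdn.example.com/b.png",
    "2015-04-13T10:00:03Z client=10.0.0.9 GET http://www.example.com/pics/c.png 302 Location=file://198.51.100.7/share/c.png",
    "2015-04-13T10:00:04Z client=10.0.0.9 GET http://www.example.com/pics/d.png 302 Location=\\\\198.51.100.7\\share\\d.png",
]

_LOG_RE = re.compile(r"client=(\S+) \S+ (\S+) (\d{3}) Location=(\S+)")


def find_smb_redirects(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Detection side: flag 3xx responses whose Location would be fetched over SMB.

    Returns (client, requested_url, location) for each hit, which is the
    artefact an HTTP proxy or IDS can log before the SMB handshake ever starts.
    """
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        client, url, status, location = m.groups()
        if status.startswith("3") and is_smb_target(location):
            hits.append((client, url, location))
    return hits


if __name__ == "__main__":
    base = "http://www.example.com/pics/a.png"
    evil = "file://198.51.100.7/share/c.png"
    print("naive client follows to:", resolve_redirect_naive(base, evil))
    print("safe client follows to: ", resolve_redirect_safe(base, evil))
    for client, url, loc in find_smb_redirects(LOG_LINES):
        print(f"ALERT {client} was redirected from {url} to SMB target {loc}")
```

The two spellings are checked on the raw Location header deliberately: a generic URL library joins \\host\share onto the base URL as if it were a relative path, so scheme allow-listing on the joined result alone would miss it, while the Windows resolver would still open the share. The same is_smb_target test serves the log scanner, which gives a proxy or IDS a signal on the HTTP leg of the attack rather than on the later outbound 445 connection.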

Discovered Years Ago

The vulnerability was first noted in research done by Aaron Spangler in 1997.

"We uncovered Redirect to SMB while hunting for ways to abuse a chat client feature that provides image previews," Wallace said. "When a URL to an image was received, the client attempted to show a preview of the image. Inspired by Aaron's research some 18 years ago, we promptly sent another user a URL starting with file:// which pointed to a malicious SMB server. Surely enough, the chat client tried to load the image, and the Windows user at the other end attempted to authenticate with our SMB server."

A number...