I recent became aware of the following security vulnerability of SMB on Windows OS.
The respun vulnerability, dubbed Redirect to SMB, requires victims to visit or be pushed to a malicious server which could steal encrypted credentials for later brute-forcing.
Redmond moved to douse reports of the 1997 vulnerability, telling Reuters it addressed the flaw in 2009 with security best practice guidance and the release of Extended Protection for Authentication.
Wallace (@botnet_hunter) says there is no fix for either flaw and urged Microsoft to issue a patch, adding affected vendors include Apple, Adobe, and Oracle.
"Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle (MITM) attacks, then sending them to malicious SMB (server message block) servers that force them to spit out the victim’s username, domain and hashed password," Wallace says in an advisory.
"Redirect to SMB is most likely to be used in targeted attacks by advanced actors because attackers must have control over some component of a victim’s network traffic.
"Malicious ads could also be crafted that would force authentication attempts from Internet Explorer users while hiding malicious behaviour from those displaying the advertising."
Dumb attackers could just attack victims over shared WiFi access points at Starbucks, McDonalds' or airports, even from fondleslabs; Wallace says it works using a Nexus 7 jacked with hacking tools.
It is a "simple attack with undeniable results", Wallace says in a technical paper on the flaw (pdf).
Carnegie Mellon's CERT says Windows software which utilises HTTP requests can be forwarded to file:// protocols on a malicious servers where the automatic SMB authentication takes place.
If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be brute-forced to break the encryption.
I worked with Alex John on the case # 10932219 to try to find a solution to block SMB for internet while allow for intranet traffic. Eventually Symantec says there is no way this can be done as of their latest version 12.1.16 MP5.
I am putting this request to have the ability to block SMB traffic for internet traffic.
Best regards,