Vulnerabilities / Threats

8/5/2015
11:00 PM
50%
50%

New SMB Relay Attack Steals User Credentials Over Internet

Researchers found a twist to an older vulnerability that lets them launch SMB relay attacks from the Internet.

BLACK HAT USA -- Las Vegas -- A Windows vulnerability in the SMB file-sharing protocol  discovered 14 years ago and partially patched by Microsoft could still be abused via remote attacks, two security researchers demonstrated on stage at the Black Hat security conference on Wednesday.

Microsoft patched the vulnerability years ago, but it was actually a partial fix because it based the patch on the fact that the attacker must already be on the local network, said Jonathan Brossard and Hormazd Billiamoria, two engineers from Salesforce.com. In their session, they demonstrated how the SMB relay attack can be launched remotely from the Internet and seize control of the targeted system.

As it stands, the SMB vulnerability, the Windows file-sharing protocol, affects Internet Explorer running on all versions of Windows, even in the newly released Windows 10. It would be the first remote code exploit for the new operating system. It also affects Windows Edge, the researchers said.

The vulnerability is a design flaw in the SMB protocol and was discovered back in 2001. When Microsoft released its patch, it noted the attacks work only if the adversary was already on the local network. But the researchers discovered that it was possible to steal the credentials remotely and impersonate users from the Internet.

 “You visit a website you are done. You are pwned,” Billiamoria said.

Original SMB relay attacks rely on a design flaw in the protocol which has Windows systems save credentials and pass it on to a different authentication attempt. This isn't an obscure scenario, especially in corporate environments with automated systems that can connect to all other hosts, log in with administrative credentials, and perform certain management tasks. These are systems that handle software inventory, manage antivirus and software updates, collect event logs, and run backups.

In an SMB relay attack, the adversary waits for these automated systems to turn on and start scanning all the hosts on the network, at which point it grabs the login credentials. The attack was sucessful as soon as users were tricked into loading an image file in Internet Explorer.

Brossard and Billiamoria were able to modify the attack to use a rogue website to capture the SMB login data. In their attack, users are tricked into visiting a website controlled by the attackers, which then captures the user's username in plaintext and the hash of the user's password. The password can be  cracked in a manner of days because it uses an obsolete hashing algorithm, Billiamoria said.

This happens because IE is configured to allow automatic logon in the intranet zone by default, the researchers said. This means authentication is happening silently and attributes such as the NetBIOS computer and domain names, and DNS computer and domain names are being sent in plain text.

The researchers demonstrated the modified SMB Relay attacks by tricking the user into visiting a malicious site, opening a boobytrapped email in Outlook, and through remote desktop. The attacks rely on the adversary getting in the middle of a NTLM challenge/response session.

In a normal scenario, when the client attempts to log in, it sends a request. The server responds with a challenge for the client to encrypt a string. After the client sends back the encrypted message, the server attempts to decrypt is using the user's password hash. If successful, the user is authenticated.

The attacker hijacks the challenge/response exchange, by waiting for someone else on the network to authenticate against any system on the network. The attacker can pass the same authentication attempt onward to the targeted system, such as a server. The attacker transfers to server's challenge back to the original use to encrypt the hash and then return to the server. The correctly encrypted response gives the attacker authenticated access.

There are some limitations to the attack; packet signing needs to be disabled. It is usually enabled, but there are some security tools which recommend turning it off to improve performance, Brossard said. SMB outbound also needs to be disabled.

The ideal victim would be one with no firewall on the computer or router and who lets SMB traffic from outside. And of course, using Internet Explorer. Chrome users wouldn't be vulnerable because the browser asks permission before connecting to an SMB server. However, if there are plugins installed which use SMB, that may be a risk.

"The only way to defend yourself against it, is blocking the SMB ports," said Brossard. There should be egress filtering at the perimeter level. It's also a good idea to drop outgoing SMB on ports 137, 138, 129, and 445. There should also be some host-level signing, and as stated earlier, packet signing and extended protection should be enabled.

The new kind of SMB relay attack demonstrated by Brossard and Billiamoria lets adversaries upload malware or attack any service using NTLM to take over a computer.

“Literally every service uses NTLM to authenticate,” the researchers said.

 

Black Hat USA is happening! Check it out here.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SurendraM929
50%
50%
SurendraM929,
User Rank: Apprentice
8/28/2016 | 3:37:01 AM
Port Number 129
Hi,

Just wanted to be sure about the Port 129 which you mentioned in the list of ports to be blocked.

I think it is port 139 instead of 129 if i am right. If yes, you can correct the information.

 

Thank you,

 
Is Threat Intelligence Garbage?
Chris McDaniels, Chief Information Security Officer of Mosaic451,  5/23/2018
More Than Half of Users Reuse Passwords
Curtis Franklin Jr., Senior Editor at Dark Reading,  5/24/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Shhh!  They're watching... And you have a laptop?  
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-9641
PUBLISHED: 2018-05-25
PI Coresight 2016 R2 contains a cross-site request forgery vulnerability that may allow access to the PI system. OSIsoft recommends that users upgrade to PI Vision 2017 or greater to mitigate this vulnerability.
CVE-2018-10350
PUBLISHED: 2018-05-25
A SQL injection remote code execution vulnerability in Trend Micro Smart Protection Server (Standalone) 3.x could allow a remote attacker to execute arbitrary code on vulnerable installations due to a flaw within the handling of parameters provided to wcs_bwlists_handler.php. Authentication is requi...
CVE-2018-6232
PUBLISHED: 2018-05-25
A buffer overflow privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x22205C by the tmnciesc.sys driver. An attacker must first obtain the ability...
CVE-2018-6233
PUBLISHED: 2018-05-25
A buffer overflow privilege escalation vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to escalate privileges on vulnerable installations due to a flaw within processing of IOCTL 0x222060 by the tmnciesc.sys driver. An attacker must first obtain the ability...
CVE-2018-6234
PUBLISHED: 2018-05-25
An Out-of-Bounds Read Information Disclosure vulnerability in Trend Micro Maximum Security (Consumer) 2018 could allow a local attacker to disclose sensitive information on vulnerable installations due to a flaw within processing of IOCTL 0x222814 by the tmnciesc.sys driver. An attacker must first o...