Vulnerabilities / Threats

8/5/2015
11:00 PM
50%
50%

New SMB Relay Attack Steals User Credentials Over Internet

Researchers found a twist to an older vulnerability that lets them launch SMB relay attacks from the Internet.

BLACK HAT USA -- Las Vegas -- A Windows vulnerability in the SMB file-sharing protocol  discovered 14 years ago and partially patched by Microsoft could still be abused via remote attacks, two security researchers demonstrated on stage at the Black Hat security conference on Wednesday.

Microsoft patched the vulnerability years ago, but it was actually a partial fix because it based the patch on the fact that the attacker must already be on the local network, said Jonathan Brossard and Hormazd Billiamoria, two engineers from Salesforce.com. In their session, they demonstrated how the SMB relay attack can be launched remotely from the Internet and seize control of the targeted system.

As it stands, the SMB vulnerability, the Windows file-sharing protocol, affects Internet Explorer running on all versions of Windows, even in the newly released Windows 10. It would be the first remote code exploit for the new operating system. It also affects Windows Edge, the researchers said.

The vulnerability is a design flaw in the SMB protocol and was discovered back in 2001. When Microsoft released its patch, it noted the attacks work only if the adversary was already on the local network. But the researchers discovered that it was possible to steal the credentials remotely and impersonate users from the Internet.

 “You visit a website you are done. You are pwned,” Billiamoria said.

Original SMB relay attacks rely on a design flaw in the protocol which has Windows systems save credentials and pass it on to a different authentication attempt. This isn't an obscure scenario, especially in corporate environments with automated systems that can connect to all other hosts, log in with administrative credentials, and perform certain management tasks. These are systems that handle software inventory, manage antivirus and software updates, collect event logs, and run backups.

In an SMB relay attack, the adversary waits for these automated systems to turn on and start scanning all the hosts on the network, at which point it grabs the login credentials. The attack was sucessful as soon as users were tricked into loading an image file in Internet Explorer.

Brossard and Billiamoria were able to modify the attack to use a rogue website to capture the SMB login data. In their attack, users are tricked into visiting a website controlled by the attackers, which then captures the user's username in plaintext and the hash of the user's password. The password can be  cracked in a manner of days because it uses an obsolete hashing algorithm, Billiamoria said.

This happens because IE is configured to allow automatic logon in the intranet zone by default, the researchers said. This means authentication is happening silently and attributes such as the NetBIOS computer and domain names, and DNS computer and domain names are being sent in plain text.

The researchers demonstrated the modified SMB Relay attacks by tricking the user into visiting a malicious site, opening a boobytrapped email in Outlook, and through remote desktop. The attacks rely on the adversary getting in the middle of a NTLM challenge/response session.

In a normal scenario, when the client attempts to log in, it sends a request. The server responds with a challenge for the client to encrypt a string. After the client sends back the encrypted message, the server attempts to decrypt is using the user's password hash. If successful, the user is authenticated.

The attacker hijacks the challenge/response exchange, by waiting for someone else on the network to authenticate against any system on the network. The attacker can pass the same authentication attempt onward to the targeted system, such as a server. The attacker transfers to server's challenge back to the original use to encrypt the hash and then return to the server. The correctly encrypted response gives the attacker authenticated access.

There are some limitations to the attack; packet signing needs to be disabled. It is usually enabled, but there are some security tools which recommend turning it off to improve performance, Brossard said. SMB outbound also needs to be disabled.

The ideal victim would be one with no firewall on the computer or router and who lets SMB traffic from outside. And of course, using Internet Explorer. Chrome users wouldn't be vulnerable because the browser asks permission before connecting to an SMB server. However, if there are plugins installed which use SMB, that may be a risk.

"The only way to defend yourself against it, is blocking the SMB ports," said Brossard. There should be egress filtering at the perimeter level. It's also a good idea to drop outgoing SMB on ports 137, 138, 129, and 445. There should also be some host-level signing, and as stated earlier, packet signing and extended protection should be enabled.

The new kind of SMB relay attack demonstrated by Brossard and Billiamoria lets adversaries upload malware or attack any service using NTLM to take over a computer.

“Literally every service uses NTLM to authenticate,” the researchers said.

 

Black Hat USA is happening! Check it out here.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
SurendraM929
50%
50%
SurendraM929,
User Rank: Apprentice
8/28/2016 | 3:37:01 AM
Port Number 129
Hi,

Just wanted to be sure about the Port 129 which you mentioned in the list of ports to be blocked.

I think it is port 139 instead of 129 if i am right. If yes, you can correct the information.

 

Thank you,

 
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Pair of Reports Paint Picture of Enterprise Security Struggling to Keep Up
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/11/2018
New Domains: A Wide-Open Playing Field for Cybercrime
Ben April, CTO, Farsight Security,  10/9/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-18315
PUBLISHED: 2018-10-15
com/mossle/cdn/CdnController.java in lemon 1.9.0 allows attackers to upload arbitrary files because the copyMultipartFileToFile method in CdnUtils only checks for a ../ substring, and does not validate the file type and spaceName parameter.
CVE-2018-18316
PUBLISHED: 2018-10-15
emlog v6.0.0 has CSRF via the admin/user.php?action=new URI.
CVE-2018-18317
PUBLISHED: 2018-10-15
DESHANG DSCMS 1.1 has CSRF via the public/index.php/admin/admin/add.html URI.
CVE-2018-18296
PUBLISHED: 2018-10-15
MetInfo 6.1.2 has XSS via the /admin/index.php bigclass parameter in an n=column&a=doadd action.
CVE-2018-18309
PUBLISHED: 2018-10-15
An issue was discovered in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.31. An invalid memory address dereference was discovered in read_reloc in reloc.c. The vulnerability causes a segmentation fault and application crash, which leads to denial of service,...