Executive Summary

Summary
Title Microsoft Windows NTLM automatically authenticates via SMB when following a file
Informations
Name VU#672268 First vendor Publication 2015-04-13
Vendor VU-CERT Last vendor Modification 2015-04-17
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector :
Cvss Base Score Not Defined Attack Range Not Defined
Cvss Impact Score Not Defined Attack Complexity Not Defined
Cvss Expoit Score Not Defined Authentication Not Defined
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#672268

Microsoft Windows NTLM automatically authenticates via SMB when following a file:// URL

Original Release date: 13 Apr 2015 | Last revised: 17 Apr 2015

Overview

Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to a file:// protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The encrypted form of the user's credentials are then logged on the malicious server. This vulnerability is alternatively known as "Redirect to SMB".

Description

CWE-201: Information Exposure Through Sent Data

Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be "brute-forced" to break the encryption.

The following Windows API functions (available via urlmon.dll) have been identified as being affected:

  • URLDownloadA
  • URLDownloadW
  • URLDownloadToCacheFileA
  • URLDownloadToCacheFileW
  • URLDownloadToFileA
  • URLDownloadToFileW
  • URLOpenStream
  • URLOpenBlockingStream

urlmon uses the wininet library for processing, therefore the affected functionality may be contained within wininet; it is currently not clear where the vulnerability lies. Internet Explorer and the WebBrowser component of .NET have also be reported vulnerable to this SMB redirection. For a longer description with more examples, see Cylance's blog on the issue.

While the HTTP Redirect vector is novel, this type of issue with SMB has been well known for some time. For example, see Aaron Spangler's report from 1997, Steve Birnbaum's report, Paul Ashton's report, and information from Microsoft from 2009. Please see the full list of references at the end of this publication.

Impact

An attacker exploiting this vulnerability may obtain the victim's user credentials in an encrypted format.

Solution

The CERT/CC is currently unaware of a full solution to this problem. However, affected users may consider the following workarounds.

Block outbound SMB

Consider blocking outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN.

Update NTLM group policy

This attack may be mitigated in some circumstances by restricting NTLM via appropriate Group Policy. See reference one and reference two from Microsoft.

Do not use NTLM for authentication by default in applications

Developers should ensure their software complies with appropriate Group Policy and does not use NTLM for authentication by default.

Use a strong password and change passwords frequently

Since the credentials are provided to the attacker in encrypted form, a stronger password may require more time to break the encryption. Changing passwords regularly further deters brute-force attacks against the encryption.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
AVG Anti-virus SoftwareAffected24 Mar 201501 Apr 2015
Microsoft CorporationAffected11 Mar 201501 Apr 2015
Oracle CorporationAffected24 Mar 201501 Apr 2015
AdobeUnknown24 Mar 201524 Mar 2015
AppleUnknown24 Mar 201524 Mar 2015
Box.comUnknown14 Apr 201514 Apr 2015
COMODO Security Solutions, Inc.Unknown24 Mar 201524 Mar 2015
GithubUnknown-13 Apr 2015
GoProUnknown-13 Apr 2015
JetBrainsUnknown-13 Apr 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

GroupScoreVector
Base6.3AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal5.7E:F/RL:W/RC:C
Environmental5.7CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • http://blog.cylance.com/redirect-to-smb
  • https://technet.microsoft.com/en-us/library/security/974926.aspx
  • https://technet.microsoft.com/en-us/library/security/973811.aspx
  • https://technet.microsoft.com/en-us/library/jj865668(v=ws.10).aspx
  • https://technet.microsoft.com/en-us/library/jj865676(v=ws.10).aspx
  • http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx
  • https://msdn.microsoft.com/en-us/library/ms775122%28v=vs.85%29.aspx
  • https://msdn.microsoft.com/en-us/library/ms775123%28v=vs.85%29.aspx
  • https://msdn.microsoft.com/en-us/library/aa939357%28v=WinEmbedded.5%29.aspx
  • https://msdn.microsoft.com/en-us/library/windows/desktop/aa385483%28v=vs.85%29.aspx
  • https://technet.microsoft.com/library/jj852213(v=ws.10).aspx
  • http://insecure.org/sploits/winnt.automatic.authentication.html
  • http://insecure.org/sploits/win95.smb.auto-auth.html
  • http://insecure.org/sploits/NT.NTLM.auto-authentication.html
  • http://cwe.mitre.org/data/definitions/201.html

Credit

Thanks to Brian Wallace of Cylance, Inc., for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs:Unknown
  • Date Public:13 Apr 2015
  • Date First Published:13 Apr 2015
  • Date Last Updated:17 Apr 2015
  • Document Revision:63

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/672268

Alert History

If you want to see full details history, please login or register.
0
1
2
3
4
Date Informations
2015-04-17 21:25:16
  • Multiple Updates
2015-04-15 05:26:56
  • Multiple Updates
2015-04-14 00:24:30
  • Multiple Updates
2015-04-13 21:25:32
  • Multiple Updates
2015-04-13 17:26:33
  • First insertion