Tag Archives: vulnerability

windows – redirect to smb vulnerability

source and the whitepaper
Redirect to SMB is a way for attackers to steal valuable user credentials by hijacking communications with legitimate web servers via man-in-the-middle attacks and then sending them to malicious SMB servers that logs the  victim’s username, domain and hashed password.

source: VU#672268
Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption.

The following Windows API functions (available via urlmon.dll) have been identified as being affected:

  • URLDownloadA
  • URLDownloadW
  • URLDownloadToCacheFileA
  • URLDownloadToCacheFileW
  • URLDownloadToFileA
  • URLDownloadToFileW
  • URLOpenStream
  • URLOpenBlockingStream

urlmon uses the wininet library for processing, therefore the affected functionality may be contained within wininet; it is currently not clear where the vulnerability lies. Internet Explorer and the WebBrowser component of .NET have also be reported vulnerable to this SMB redirection.