Windows 10 Vulnerable to New SMB attack
Interestingly, Microsoft has not patched this serious vulnerability in any version of Windows, and the vulnerability is 18 years old. Microsoft's latest Windows version, Windows 10, has also been found vulnerable to this attack. Applications found vulnerable to the technique include Apple iTunes, Adobe Flash, Symantec products etc.
What is Redirect to SMB
‘Redirect to SMB’ allows attackers to perform Man in the Middle (MITM) attacks by redirecting users to malicious SMB authentication servers that are capable of exfiltrating the credentials. This gives the intercepting parties the opportunity to harvest private data in confidential locations, shepherd the victim machine into a larger botnet, and even completely take over the machine.
The attack vector was developed from the 1997 vulnerability exposed by Aaron Spangler, who discovered that URLs which begin with the word ‘File’ (e.g. file://18.104.22.168/) would prompt the Windows OS to authenticate via SMB (Server Message Block) at the IP address used in the crafted URL – analogous to asking a thief for a character reference.
The researchers mention that they uncovered the Redirect to SMB bug while hunting for ways to abuse a chat client feature that provides image previews. They found that by sending an SMB-directed exploit, the victim was forced to authenticate through the bogus SMB server provided.
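A defender-side check for the redirect described above, as an added example that is not from the original article or from Cylance. It assumes the redirect reaches the client as an HTTP 3xx response with a Location header captured by a proxy or sensor; the function names and the sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
LOCAL_HOSTS = {"", "localhost", "127.0.0.1"}

def smb_target(location):
    """Return the remote host a Location value would send SMB auth to, or None."""
    loc = location.strip()
    if loc.startswith("\\\\"):                 # UNC form: \\host\share
        host = loc[2:].split("\\", 1)[0]
        return host.lower() or None
    parts = urlsplit(loc)
    if parts.scheme != "file":                 # urlsplit lowercases the scheme
        return None
    host = (parts.hostname or "").lower()
    return None if host in LOCAL_HOSTS else host

def parse_response_head(raw):
    """Split a raw HTTP response head into (status_code, headers dict)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        if not line:                           # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def find_smb_redirects(responses):
    """Return (index, status, host) for redirects to a remote file:// or UNC path."""
    hits = []
    for i, raw in enumerate(responses):
        status, headers = parse_response_head(raw)
        host = smb_target(headers.get("location", ""))
        if status in REDIRECT_CODES and host:
            hits.append((i, status, host))
    return hits

# Constructed sample response heads (documentation-range addresses, not real traffic).
SAMPLES = [
    "HTTP/1.1 302 Found\r\nLocation: file://192.0.2.10/share/preview.jpg\r\n\r\n",
    "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/new\r\n\r\n",
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "HTTP/1.1 307 Temporary Redirect\r\nlocation: FILE://Files.Example.net/x\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: file:///C:/local/readme.txt\r\n\r\n",
]

if __name__ == "__main__":
    for idx, status, host in find_smb_redirects(SAMPLES):
        print(f"response {idx}: {status} redirect to SMB host {host}")
```

Only redirects that name a remote host are flagged; a `file:///` path with no host stays on the local machine and triggers no SMB authentication to another server.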
You can read the Cylance blog for full details about the vulnerability. The research team has also published a couple of POC videos demonstrating the vulnerability.
First POC - Attacking AVG via ARP Poisoning
Second POC - Attacking Microsoft Baseline Security Analyzer via modified DNS record
Currently, Microsoft has not released a patch for this vulnerability. The researchers say, “We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”