Microsoft Windows NTLM automatically authenticates via SMB when following a file:// URL

Overview

Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to afile://protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The encrypted form of the user’s credentials are then logged on the malicious server. This vulnerability is alternatively known as “Redirect to SMB”.

Description

CWE-201: Information Exposure Through Sent Data

Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim’s user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be “brute-forced” to break the encryption.

The following Windows API functions (available via urlmon.dll) have been identified as being affected:

* `URLDownloadA`
* `URLDownloadW`
* `URLDownloadToCacheFileA`
* `URLDownloadToCacheFileW`
* `URLDownloadToFileA`
* `URLDownloadToFileW`
* `URLOpenStream`
* `URLOpenBlockingStream`

urlmon uses the wininet library for processing, therefore the affected functionality may be contained within wininet; it is currently not clear where the vulnerability lies. Internet Explorer and the WebBrowser component of .NET have also be reported vulnerable to this SMB redirection. For a longer description with more examples, see Cylance’s blog on the issue.

While the HTTP Redirect vector is novel, this type of issue with SMB has been well known for some time. For example, see Aaron Spangler’s report from 1997, Steve Birnbaum’s report, Paul Ashton’s report, and information from Microsoft from 2009. Please see the full list of references at the end of this publication.

Impact

An attacker exploiting this vulnerability may obtain the victim’s user credentials in an encrypted format.

---

Solution

The CERT/CC is currently unaware of a full solution to this problem. However, affected users may consider the following workarounds.

---

Block outbound SMB

Consider blocking outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN.

Update NTLM group policy

This attack may be mitigated in some circumstances by restricting NTLM via appropriate Group Policy. See reference one and reference two from Microsoft.

Do not use NTLM for authentication by default in applications

Developers should ensure their software complies with appropriate Group Policy and does not use NTLM for authentication by default.

Use a strong password and change passwords frequently

Since the credentials are provided to the attacker in encrypted form, a stronger password may require more time to break the encryption. Changing passwords regularly further deters brute-force attacks against the encryption.

---

Vendor Information

672268

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

AVG Anti-virus Software Affected

Notified: March 24, 2015 Updated: April 01, 2015

Statement Date: April 01, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Adobe __ Affected

Notified: March 24, 2015 Updated: September 05, 2017

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

It has been reported to us that CVE-2017-3085 is a form of Redirect to SMB affecting Flash Player. Adobe’s security advisory recommends upgrading Flash Player to at least 26.0.0.151, which has addressed the issue.

Vendor References

• <https://helpx.adobe.com/security/products/flash-player/apsb17-23.html&gt;

Microsoft Corporation Affected

Notified: March 11, 2015 Updated: April 01, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Oracle Corporation Affected

Notified: March 24, 2015 Updated: April 01, 2015

Statement Date: March 31, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Apple Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Box.com __ Unknown

Notified: April 14, 2015 Updated: April 14, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

According to the reporter, the Box Sync client may be vulnerable in certain circumstances if the user accepts an SSL prompt. CERT/CC has been unable to confirm this so far.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).

COMODO Security Solutions, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Github __ Unknown

Updated: April 13, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The GitHub for Windows installer has been reported to be affected by this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).

GoPro __ Unknown

Updated: April 13, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

GoPro Studio has been reported to be affected by this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).

JetBrains __ Unknown

Updated: April 13, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

The following software was reported to CERT/CC to be vulnerable; this information has not been verified yet:

• IntelliJ IDEA
• PyCharm

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23672268 Feedback>).

Symantec Unknown

Notified: April 17, 2015 Updated: April 17, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unify Inc Unknown

Notified: April 17, 2015 Updated: April 17, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 12 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	6.3	AV:N/AC:M/Au:S/C:C/I:N/A:N
Temporal	5.7	E:F/RL:W/RC:C
Environmental	5.7	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

• <http://blog.cylance.com/redirect-to-smb&gt;
• <https://technet.microsoft.com/en-us/library/security/974926.aspx&gt;
• <https://technet.microsoft.com/en-us/library/security/973811.aspx&gt;
• <https://technet.microsoft.com/en-us/library/jj865668(v=ws.10).aspx&gt;
• <https://technet.microsoft.com/en-us/library/jj865676(v=ws.10).aspx&gt;
• <http://blogs.technet.com/b/askds/archive/2009/10/08/ntlm-blocking-and-you-application-analysis-and-auditing-methodologies-in-windows-7.aspx&gt;
• <https://msdn.microsoft.com/en-us/library/ms775122(v=vs.85).aspx&gt;
• <https://msdn.microsoft.com/en-us/library/ms775123(v=vs.85).aspx&gt;
• <https://msdn.microsoft.com/en-us/library/aa939357(v=WinEmbedded.5).aspx&gt;
• <https://msdn.microsoft.com/en-us/library/windows/desktop/aa385483(v=vs.85).aspx&gt;
• <https://technet.microsoft.com/library/jj852213(v=ws.10).aspx&gt;
• <http://insecure.org/sploits/winnt.automatic.authentication.html&gt;
• <http://insecure.org/sploits/win95.smb.auto-auth.html&gt;
• <http://insecure.org/sploits/NT.NTLM.auto-authentication.html&gt;
• <http://cwe.mitre.org/data/definitions/201.html&gt;

Acknowledgements

Thanks to Brian Wallace of Cylance, Inc., for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs:	None
Date Public:	2015-04-13 Date First Published: