Resurrection of the Living Dead: The “Redirect to SMB” Vulnerability
An 18-year-old vulnerability called Redirect to SMB has been resurrected with a new attack vector. This vulnerability can be used to redirect a victim to a malicious Server Message Block (SMB) server, without any direct action from the user except visiting a website.
If the SMB security policy is not secure enough, the SMB client will try to make an authenticated request to the malicious server and send credentials through the network. Even if the SMB credentials are protected by encryption, a state-of-the-art brute-force attack can today recover the credentials in many cases.
The new vector delivers the old vulnerability through the HTTP Location header, for example “location: File://192.168.0.1/share/doc”. The file:// protocol handler can also be reached from HTML tags such as <img> and <iframe>.
It is important to take into consideration that this is only a new vector for a very old, pre-existing vulnerability. According to our research, the vulnerability affects Internet Explorer; however, applications that use the Windows API functions available via urlmon.dll are also vulnerable.
This attack can now be carried out without any user interaction. To understand this vulnerability, it is important to understand what “HTTP Redirection” is.
Redirection is one way to make sure that users always receive the web page that they want. It refers to the process of configuring the web server to issue a redirect message to the client (such as an HTTP 302 Found response), which instructs the client to resubmit the request for a new location. The user can be redirected to another file, directory or site.
Redirection is helpful in the following situations:
- The location of the website has changed, and users should be redirected to the new site.
- The website is under construction and part of the site should be unavailable.
- The content is not located on the web server.
- The name of a virtual directory has changed, but users should still be able to access files from the old URL.
Redirection is implemented in the HTTP protocol using the Location header. It is usually used in combination with HTTP redirection status codes such as 301, 302, and 307, but may be possible using other methods.
Possible Attack Scenario:
If an attacker can convince a user to click on a link to a malicious site under the attacker’s control, this vulnerability can be exploited. One possible way of doing this is HTTP redirection using the Location header in the HTTP response. Another possible way – which has been known for some time – is to use a link on the attacker’s site itself which the user is enticed to click.
Execution of the Attack Vector
The Redirect to SMB attack is a very old attack originally discovered by Aaron Spangler, who found that a user can be redirected using the file:// handler. This could be used in an image, iframe, or any other web resource controlled by an attacker.
The HTTP Location header could be used to redirect the user. The attack can be executed as shown in the following screenshot:
Figure 1. Attacker redirecting victim to the malicious file
The victim’s browser on Windows, when it receives an HTTP redirect response whose Location header points to a URL starting with file://, automatically initiates an SMB request to the specified server. Presumably, this would be an SMB server under the attacker’s control. Any client without a security policy for SMB shares could be vulnerable to this SMB redirect attack vector.
This attack can also be combined with other SMB vulnerabilities to compromise the victim’s machine and gain a foothold in the network.
Figure 2. Attacker redirecting victim to the malicious file
In the picture above we can see the SMB request that follows the HTTP 307 response.
This is a very old vulnerability which has a new attack vector. Compared to the older (known) vector, this new vector is much easier to use as it doesn’t require user interaction. A man-in-the-middle attack can also exploit this vulnerability very easily. Microsoft has not released a patch for this vulnerability, although they stated in 2009 that an appropriate solution would be to block outbound traffic on TCP ports 139 and 445, which would prevent any SMB connections from being made.
Trend Micro Deep Security protects users from attacks that may use this attack vector via the following rule:
- 1006631 – Identified File Protocol Handler In HTTP Location Header
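The following is an added example, not code from the original post or from Trend Micro. It shows in plain Python the kind of check a rule like the one named above performs: parse the head of an HTTP response and raise an alert when a redirect status code carries a Location value that the Windows file:// handler (and therefore the SMB client) would pick up, which is the mechanism described in the Location-header and browser-behaviour paragraphs earlier. As a defensive generalisation beyond the page's “File://” example, it also treats backslash spellings and bare UNC paths as file targets; that choice, the helper names, and all sample responses and HTML are constructed for this example.

```python
"""Flag HTTP redirects whose Location header hands the request to file://.

Added example, not code from the original post or from Trend Micro. All HTTP
responses and HTML below are constructed for this example, not real captures.
"""
import re
from urllib.parse import urlsplit

# Status codes for which a browser honours Location (the page names 301, 302
# and 307; 303 and 308 are the other standard redirect codes).
REDIRECT_CODES = {301, 302, 303, 307, 308}

_STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")
# file: URLs embedded in src/href attributes (the older <img>/<iframe> vector).
_HTML_FILE_REF_RE = re.compile(
    r"""(?:src|href)\s*=\s*["']?\s*(file:[^"'\s>]+)""", re.IGNORECASE)


def parse_response_head(raw: str):
    """Return (status_code, headers) for the head of a raw HTTP response.

    Header names are lower-cased: the page's capture shows 'location' in lower
    case and 'File://' in mixed case, so nothing here is matched case-sensitively.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = _STATUS_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP response status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def location_target_is_file(location: str) -> bool:
    """True if a Location value would be routed to the file:// handler.

    Covers the page's 'File://192.168.0.1/share/doc' form. As a defensive
    generalisation (an assumption of this example, not a claim from the page)
    it also treats backslash spellings and bare UNC paths such as
    \\\\host\\share as file targets, since Windows maps those to the same handler.
    """
    value = location.strip().replace("\\", "/")
    if value.startswith("//"):        # bare UNC path after normalisation
        return True
    return urlsplit(value).scheme.lower() == "file"


def redirect_to_smb_alert(raw_response: str):
    """Return an alert string for a redirect to the file handler, else None."""
    code, headers = parse_response_head(raw_response)
    location = headers.get("location")
    if location is None or code not in REDIRECT_CODES:
        return None
    if location_target_is_file(location):
        return "HTTP %d redirect to file handler: %s" % (code, location)
    return None


def file_refs_in_html(html: str):
    """Return file: URLs referenced from src/href attributes in an HTML body."""
    return _HTML_FILE_REF_RE.findall(html)


# Constructed samples (not real captures).
SAMPLE_307_FILE = ("HTTP/1.1 307 Temporary Redirect\r\n"
                   "Server: Apache\r\n"
                   "location: File://192.168.0.1/share/doc\r\n"
                   "Content-Length: 0\r\n\r\n")
SAMPLE_302_UNC = ("HTTP/1.1 302 Found\r\n"
                  "Location: \\\\192.168.0.1\\share\r\n\r\n")
SAMPLE_302_HTTP = ("HTTP/1.1 302 Found\r\n"
                   "Location: http://www.example.com/new-page\r\n\r\n")
SAMPLE_200_BODY = ("HTTP/1.1 200 OK\r\n"
                   "Content-Type: text/html\r\n\r\n"
                   '<html><img src="file://192.168.0.1/share/pixel.png">'
                   '<iframe src="https://www.example.com/"></iframe></html>')

if __name__ == "__main__":
    for name, raw in [("307/file", SAMPLE_307_FILE), ("302/unc", SAMPLE_302_UNC),
                      ("302/http", SAMPLE_302_HTTP), ("200/body", SAMPLE_200_BODY)]:
        print(name, "->", redirect_to_smb_alert(raw))
    print("file refs in body ->", file_refs_in_html(SAMPLE_200_BODY))
```

Run as a script it reports an alert for the 307 and the UNC samples, nothing for the ordinary HTTP redirect, and lists the file: reference found in the HTML body. The scheme check deliberately uses urlsplit rather than a substring match so that a file:// string buried in a query parameter of an https URL is not flagged; a proxy or IDS rule that keys only on the presence of "file://" anywhere in the header will produce that false positive.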