Vulnerability Note VU#672268
Microsoft Windows NTLM automatically authenticates via SMB when following a file:// URL
Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to a file:// protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The encrypted form of the user's credentials are then logged on the malicious server. This vulnerability is alternatively known as "Redirect to SMB".
CWE-201: Information Exposure Through Sent Data
Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be "brute-forced" to break the encryption.
urlmon uses the wininet library for processing, therefore the affected functionality may be contained within wininet; it is currently not clear where the vulnerability lies. Internet Explorer and the WebBrowser component of .NET have also be reported vulnerable to this SMB redirection. For a longer description with more examples, see Cylance's blog on the issue.
While the HTTP Redirect vector is novel, this type of issue with SMB has been well known for some time. For example, see Aaron Spangler's report from 1997, Steve Birnbaum's report, Paul Ashton's report, and information from Microsoft from 2009. Please see the full list of references at the end of this publication.
An attacker exploiting this vulnerability may obtain the victim's user credentials in an encrypted format.
The CERT/CC is currently unaware of a full solution to this problem. However, affected users may consider the following workarounds.
Block outbound SMB
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Adobe||Affected||24 Mar 2015||05 Sep 2017|
|AVG Anti-virus Software||Affected||24 Mar 2015||01 Apr 2015|
|Microsoft Corporation||Affected||11 Mar 2015||01 Apr 2015|
|Oracle Corporation||Affected||24 Mar 2015||01 Apr 2015|
|Apple||Unknown||24 Mar 2015||24 Mar 2015|
|Box.com||Unknown||14 Apr 2015||14 Apr 2015|
|COMODO Security Solutions, Inc.||Unknown||24 Mar 2015||24 Mar 2015|
|Github||Unknown||-||13 Apr 2015|
|GoPro||Unknown||-||13 Apr 2015|
|JetBrains||Unknown||-||13 Apr 2015|
|Symantec||Unknown||17 Apr 2015||17 Apr 2015|
|Unify Inc||Unknown||17 Apr 2015||17 Apr 2015|
CVSS Metrics (Learn More)
Thanks to Brian Wallace of Cylance, Inc., for reporting this vulnerability.
This document was written by Garret Wassermann.
- CVE IDs: Unknown
- Date Public: 13 Apr 2015
- Date First Published: 13 Apr 2015
- Date Last Updated: 05 Sep 2017
- Document Revision: 66
If you have feedback, comments, or additional information about this vulnerability, please send us email.