Security Issue in Windows leaks Login Data

An issue in all Windows systems might leak the user’s Windows login and password information. This is especially critical if the user is using a Microsoft account because this is linked to a number of other services the user may be using. Among them are:

Microsoft OneDrive (cloud storage)

Microsoft Outlook (email account)

Skype account (if signed up with a Microsoft account)

Xbox Live network

Microsoft Office

MSN account (Instant Messaging)

Windows Mobile account (access to mobile phone)

Microsoft Bing account (access to search history)

Basically this attack can compromise any service the user signed up with his Microsoft acccount. If the computer is set up to allow remote logins, this also allows remote code execution.

We were notified of this issue by ValdikSS from the Russian provider ProstoVPN who has more information about this issue in his russian post or in his blog.

You can check whether you are vulnerable to this problem on our dedicated test site. If this test reveals your login and password or password hash, you should immediately change your password and consider the mitigations listed at the end of this blog post.

Check your Windows now »

Details:

To trigger this leak, the attacker needs to set up a network share and trick the victim into visiting any IP address of that share. This can be done by simply embedding an image into a Website if the victim uses Internet Explorer or Edge (Chrome and Firefox are not affected). However, another possibility is embedding the network share into an email. If the victim uses Microsoft Outlook, this will also leak his login credentials.

More specifically, a successful attack leaks the login name and the NTLM hash of the password and Windows domain. However, these hashes can be cracked rather easily – in a matter of seconds for weak passwords. Generally, if your Windows password hash was leaked, it is safe to assume that your password has been compromised.

Note that this is neither a new issue nor a security vulnerability as such: Originally this issue was found in 1997 by Aaron Spangler. Additionally, in 2015 there was a talk on the annual Blackhat security conference about this issue. This was not considered a big problem when the attack only leaked local Windows login information (as in most cases you cannot connect remotely with those credentials). But since Windows 8, Microsoft allows to login to your computer with your Microsoft Live account and since Windows 10 this is the default. As result, like we mentioned at the beginning of this post, this compromises every single service you signed up with your Microsoft account, including email, Skype and- Xbox Live.

While this is not a VPN related issue, it also affects VPN connections: When using an IPsec VPN connection, a successful attack will not reveal your Windows credentials but the username and password of your VPN connection. While this does not affect the security of the encryption of the VPN tunnel, it may compromise the anonymity of the VPN user. Also VPN login credentials of company VPNs (e.g. for external service agents) may fall into the hands of an attacker.

Even if VPN would not be affected, we still feel it is our responsibility to protect our users from such blatantly open security holes. For that reason we have updated our Windows client software so that requests to Samba sources over the internet are now blocked. This means neither your VPN nor your Windows credentials can be leaked when using our VPN Manager.

Mitigation:

Do not use Microsoft software that is accessing network shares over the internet (such as Internet Explorer, Edge or Outlook)

Do not use a Microsoft login for your local Windows machine

Block outgoing connections on ports 445 and 137-139 on your router/firewall.

Block outgoing connections on ports 445 and 137-139 to non local ip-address spaces using Windows-Firewall.

If you are using Perfect Privacy VPN, you are protected against this attack. Our VPN manager prevents sending login information to network shares over the internet. Additionally the Perfect Privacy servers block requests on port 445.