What is Redirect to SMB

The researchers say they uncovered the Redirect to SMB bug while hunting for ways to abuse a chat client feature that generates image previews: by sending a link directed at an SMB server, they found the victim's client was forced to authenticate to the bogus SMB server they provided.

You can read the Cylance blog post for full details about the vulnerability. The research team has also published a couple of POC videos demonstrating it.

Second POC - Attacking Microsoft Baseline Security Analyzer via a modified DNS record

Microsoft has not yet released a patch for this vulnerability. The researchers say: “We hope that our research will compel Microsoft to reconsider the vulnerabilities and disable authentication with untrusted SMB servers. That would block the attacks identified by Spangler as well as the new Redirect to SMB attack.”

Security researchers from Cylance have found that all versions of the Windows operating system are vulnerable to an 18-year-old bug, the "SMB attack", also known as "Redirect to SMB". This is an old hacking technique for stealing Windows user credentials, including the victim's username, hashed password and domain. The interesting part is that Microsoft has not patched this serious vulnerability on any of its Windows versions, even though the vulnerability is 18 years old. Microsoft's latest version, Windows 10, has also been found vulnerable to this attack. Applications found vulnerable to the technique include Apple iTunes, Adobe Flash, Symantec products and others.

‘Redirect to SMB’ allows attackers to perform Man in the Middle (MITM) attacks by redirecting users to malicious SMB authentication servers. These servers can exfiltrate the credentials, giving the intercepting party the opportunity to harvest private data from confidential locations, shepherd the victim machine into a larger botnet, or even take over the machine completely.

The attack vector was developed from the 1997 vulnerability exposed by Aaron Spangler, who discovered that URLs beginning with the word ‘file’ (i.e. file://1.1.1.1/) would prompt the Windows OS to authenticate via SMB (Server Message Block) to the IP address used in the crafted URL, which is analogous to asking a thief for a character reference.

The Redirect to SMB flaw not only affects all current versions of Windows, but also Flash, some GitHub clients, some Oracle software and several security applications. Experts at the CERT/CC at Carnegie Mellon University warned that once an attacker is able to grab a victim's credentials, those password hashes can be cracked offline.
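The weakness described above is an HTTP client (or any component that follows URLs on the client's behalf) blindly following a redirect into a file://host/... URL, at which point Windows opens an SMB session and authenticates to that host. The following added example, which is not code from Cylance, CERT/CC or the original post, models the decision a hardened client or egress proxy should make before following a Location header: only http and https targets are followed, while file:// URLs with a host component and bare UNC paths are flagged as an SMB redirect and everything else is rejected. The hostnames, the 203.0.113.7 address (TEST-NET-3 documentation range) and the redirect chain are constructed sample data, and the function names are this example's own.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a plain HTTP client should ever follow a redirect into.
ALLOWED_SCHEMES = {"http", "https"}
# Cap on redirect hops, so a chain cannot loop the client indefinitely.
MAX_HOPS = 5


def classify_redirect(base_url: str, location: str) -> str:
    """Classify one Location header value relative to the URL that returned it.

    Returns:
      'follow'        - http(s) target, acceptable for an HTTP client to follow
      'smb_redirect'  - file://host/... or \\\\host\\share: following it would make
                        Windows open an SMB session (and authenticate) to host
      'reject'        - any other scheme (ftp, file:///local path, javascript, ...)
    """
    loc = location.strip()
    # A UNC path in a Location header is the bare form of the same trick;
    # urljoin would treat it as a relative path, so test for it first.
    if loc.startswith("\\\\"):
        return "smb_redirect"
    target = urlsplit(urljoin(base_url, loc))
    if target.scheme == "file":
        # file:// with a host component is what triggers SMB authentication;
        # a host-less file:/// URL is still not something an HTTP client follows.
        return "smb_redirect" if target.netloc else "reject"
    if target.scheme in ALLOWED_SCHEMES:
        return "follow"
    return "reject"


def audit_chain(hops):
    """Walk a list of (request_url, location_header) pairs the way a hardened
    client would: stop at the first hop that is not a plain http(s) redirect,
    or when MAX_HOPS is exceeded. Returns the list of verdicts in order."""
    verdicts = []
    for i, (request_url, location) in enumerate(hops):
        if i >= MAX_HOPS:
            verdicts.append("too_many_hops")
            break
        verdict = classify_redirect(request_url, location)
        verdicts.append(verdict)
        if verdict != "follow":
            break
    return verdicts


# Constructed sample chain (not a real capture): a legitimate-looking
# software-update check whose second hop tries to bounce the client to an
# SMB share on a host in the TEST-NET-3 documentation range.
SAMPLE_CHAIN = [
    ("http://update.example.test/check", "https://cdn.example.test/v2/check"),
    ("https://cdn.example.test/v2/check", "file://203.0.113.7/share/update.exe"),
    ("file://203.0.113.7/share/update.exe", "http://never.reached.example.test/"),
]

if __name__ == "__main__":
    # The third hop is never evaluated: the walk stops at the SMB redirect.
    for (url, loc), verdict in zip(SAMPLE_CHAIN, audit_chain(SAMPLE_CHAIN)):
        print(f"{verdict:13s} {url} -> {loc}")
```

The same verdicts can be produced from proxy logs after the fact: a run of `follow` hops ending in `smb_redirect` from a workstation is a useful detection signal even where the client could not be fixed, and pairing it with a perimeter block on outbound TCP 139 and 445 (the CERT/CC mitigation for this bug class) removes the credential leak regardless of which application followed the link.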