Software running on Microsoft Windows that utilizes HTTP requests can be forwarded to a file://protocol on a malicious server, which causes Windows to automatically attempt authentication via SMB to the malicious server in some circumstances. The encrypted form of the user's credentials are then logged on the malicious server. This vulnerability is alternatively known as "Redirect to SMB".
CWE-201: Information Exposure Through Sent Data Many software products use HTTP requests for various features such as software update checking. A malicious user can intercept such requests (such as with a MITM proxy) and use HTTP Redirect to redirect the victim a malicious SMB server. If the redirect is a file:// URL and the victim is running Microsoft Windows, Windows will automatically attempt to authenticate to the malicious SMB server by providing the victim's user credentials to the server. These credentials can then be logged by the malicious server. The credentials are encrypted, but may be "brute-forced" to break the encryption.
urlmon uses thewininet library for processing, therefore the affected functionality may be contained withinwininet; it is currently not clear where the vulnerability lies. Internet Explorer and the WebBrowser component of .NET have also be reported vulnerable to this SMB redirection. For a longer description with more examples, seeCylance's blog on the issue. While the HTTP Redirect vector is novel, this type of issue with SMB has been well known for some time. For example, see Aaron Spangler'sreport from 1997, Steve Birnbaum'sreport, Paul Ashton'sreport, and information fromMicrosoft from 2009. Please see the full list of references at the end of this publication. |
An attacker exploiting this vulnerability may obtain the victim's user credentials in an encrypted format. |
The CERT/CC is currently unaware of a full solution to this problem. However, affected users may consider the following workarounds. |
Block outbound SMB |
Notified: March 24, 2015 Updated: April 01, 2015
Statement Date: April 01, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 24, 2015 Updated: September 05, 2017
Affected
We have not received a statement from the vendor.
It has been reported to us that CVE-2017-3085 is a form of Redirect to SMB affecting Flash Player. Adobe'ssecurity advisory recommends upgrading Flash Player to at least 26.0.0.151, which has addressed the issue.
Notified: March 11, 2015 Updated: April 01, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 24, 2015 Updated: April 01, 2015
Statement Date: March 31, 2015
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: March 24, 2015 Updated: March 24, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 14, 2015 Updated: April 14, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
According to the reporter, the Box Sync client may be vulnerable in certain circumstances if the user accepts an SSL prompt. CERT/CC has been unable to confirm this so far.
If you have feedback, comments, or additional information about this vulnerability, please send usemail.
Notified: March 24, 2015 Updated: March 24, 2015
Unknown
We have not received a statement from the vendor.
Updated: April 13, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
The GitHub for Windows installer has been reported to be affected by this vulnerability.
If you have feedback, comments, or additional information about this vulnerability, please send usemail.
Updated: April 13, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
GoPro Studio has been reported to be affected by this vulnerability.
If you have feedback, comments, or additional information about this vulnerability, please send usemail.
Updated: April 13, 2015
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
The following software was reported to CERT/CC to be vulnerable; this information has not been verified yet:
* IntelliJ IDEA
* PyCharm
If you have feedback, comments, or additional information about this vulnerability, please send usemail.
Notified: April 17, 2015 Updated: April 17, 2015
Unknown
We have not received a statement from the vendor.
Notified: April 17, 2015 Updated: April 17, 2015
Unknown
We have not received a statement from the vendor.
| Group | Score | Vector |
|---|---|---|
| Base | 6.3 | AV:N/AC:M/Au:S/C:C/I:N/A:N |
| Temporal | 5.7 | E:F/RL:W/RC:C |
| Environmental | 5.7 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Brian Wallace of Cylance, Inc., for reporting this vulnerability.
This document was written by Garret Wassermann.
| CVE IDs: | None |
| Date Public: | 2015-04-13 |
| Date First Published: | 2015-04-13 |
| Date Last Updated: | 2017-09-05 21:58 UTC |
| Document Revision: | 67 |
Sponsored byCISA.
Carnegie Mellon University
Software Engineering Institute
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
412-268-5800