The first ever security flaw in Windows 10 is here: a team of security researchers has found a vulnerability in Microsoft's Server Message Block (SMB) file-sharing protocol.
One of the researchers said in a report that Microsoft only partially patched the SMB vulnerability, so the flaw is still present. Previously, exploiting the vulnerability required the attacker to be on the local area network.
The SMB Protocol Vulnerability
Back in 2001, a serious design flaw was discovered in the Microsoft Server Message Block (SMB) protocol. Microsoft released a security patch that did not properly fix the flaw, but at least restricted attacks to the local network.
But last week, researchers Hormazd Billiamoria and Jonathan Brossard demonstrated in their Black Hat USA 2015 session how an attacker can still exploit the same SMB vulnerability remotely over the Internet, seizing control of the targeted system and stealing its users' credentials.
SMB is a Windows file-sharing protocol, and the vulnerability affects the built-in Internet Explorer browser that ships pre-installed with every version of Windows, including the latest release, Windows 10. It also affects the Edge browser, making this the first remotely exploitable flaw in the newly released operating system.
Exploiting the SMB Protocol Vulnerability
Exploiting SMB depends solely on the design flaw still unpatched in the protocol: SMB saves the Windows user's ID and can forward it to authenticate a login attempt by another user.
Unbelievably, this is how business networks are typically set up: all networked computers are linked to an automated management system that connects to every host and has the authority to perform various administrative tasks. The same system also handles antivirus software, updates, event logging, and other automated tasks.
To exploit the SMB vulnerability, the attacker waits for these automated systems to power on and begin connecting to all the available hosts on the network. This is the point at which the server starts collecting users' login credentials, and the moment users begin logging in to their accounts, the attacker loads code in Internet Explorer that exploits the SMB vulnerability.
How Researchers Exploited the SMB Vulnerability
Security researchers Billiamoria and Brossard showed in their Black Hat session how they modified the traditional attack on the SMB vulnerability, allowing them to capture the user's login credentials.
The user ID is captured in plain text and the password in hashed form; cracking the password takes a few days of work because Microsoft still uses the outdated NTLM algorithm to hash passwords, the researchers said.
The vulnerability can be exploited remotely because Internet Explorer is pre-configured to allow automatic logon in the Intranet zone, so the entire attack is automated and completes without raising a single alarm on the network.
These attacks depend entirely on the victim accessing the automated system's response session. The attack can be initiated through email phishing, via remote desktop sessions, or by forcing the victim to open a malicious website. Once exploited, the session is taken over by the attacker, and once the response is correctly encrypted, access is granted.
Limitations and Possibilities of SMB Protocol Vulnerability
The SMB vulnerability cannot be exploited if packet signing is enabled on the host computer, the researcher said. He added that a targeted system with no firewall configured to block outbound SMB traffic, and with Internet Explorer accessible, is even more vulnerable to these attacks.
14-year-old security flaw still only partially fixed
They also noted that users of Google Chrome are on the safer side because the browser is configured to ask for permission before connecting to an SMB server, but some Chrome plugins still allow SMB connections, leaving that browser vulnerable to attack as well.
How to Protect Yourself from SMB Protocol Vulnerability
Users and network administrators should make sure the Windows firewall is properly configured so that users' credentials remain safe. You can protect yourself by blocking SMB ports 137, 138, 139 and 445 on the firewall to deny any outbound traffic to the Internet, while still allowing local connections, since blocking those would break local file sharing.
Apart from that, host-level protection layers should be deployed to further protect users' identities.
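The firewall and packet-signing mitigations above, as an added PowerShell example that is not from the article or the researchers; it assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the NetSecurity and SmbShare modules are available and the firewall's "Internet" address keyword resolves as documented.

```powershell
# Added example (not from the article): harden a Windows host against the
# SMB credential-relay attack described above. Run from an elevated PowerShell.

# 1. Block outbound SMB/NetBIOS toward Internet addresses only. Windows Firewall
#    block rules win over allow rules, and the "Internet" keyword excludes the
#    local subnet, so LAN file sharing keeps working.
$rules = @(
    @{ Name = 'Block outbound SMB (TCP 139,445) to Internet';     Proto = 'TCP'; Ports = 139, 445 },
    @{ Name = 'Block outbound NetBIOS (UDP 137,138) to Internet'; Proto = 'UDP'; Ports = 137, 138 }
)
foreach ($r in $rules) {
    # Idempotent: only create the rule if it does not already exist.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Outbound -Action Block `
            -Protocol $r.Proto -RemotePort $r.Ports -RemoteAddress Internet `
            -Profile Any -Enabled True | Out-Null
    }
}

# 2. Require SMB packet signing, which the researchers say stops the attack.
#    Client-side signing is what protects the credentials this host sends out;
#    server-side signing protects it as a relay target.
Set-SmbClientConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# 3. Verify: list the port filters of the new rules and the signing setting.
Get-NetFirewallRule -DisplayName 'Block outbound*to Internet' |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
Get-SmbClientConfiguration | Select-Object RequireSecuritySignature
```

Requiring signing on older SMB1-only peers can break connections to them, so test on a pilot group before rolling out by Group Policy.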