There is a vulnerability in the Microsoft Server Message Block (SMB) protocol, which is used for sharing files in local networks and is mainly an enterprise tool.
The vulnerability affects all versions of Windows, including Windows 10. Once a LAN-based issue, it can now be exploited over the Internet.
SMB is a protocol created by IBM that allows files and printers to be shared inside a network. Since its creation 21 years ago it has evolved, and it is now at version 3.0, which ships with most Windows OSes.
The protocol is used mostly in enterprise networks, where it works with the NTLMv2 authentication algorithm, which allows users to quickly authenticate themselves on Windows servers.
The vulnerability, discovered by Jonathan Brossard’s team, allows hackers to extract user credentials from a closed Windows domain using an attack technique called SMB relay (a man-in-the-middle attack).
This technique usually worked only in LANs, but because most enterprise networks have expanded to include cloud infrastructure, an SMB relay can now work over Internet-facing connections. The credential leak happens when a user tries to read an email, access a Web page in their browser, or do anything else that involves opening a URL.
Doing so opens a specific DLL file that was put in place to protect against SMB relay attacks. This allows an attacker to perform an SMB relay attack, get the user’s credentials, break the password hash, and then use the credentials to steal information from the network by passing as a regular user.
All IE versions are vulnerable, including Microsoft’s latest Edge browser, Brossard said.
Other vulnerable applications include Windows Media Player, Adobe Reader, Apple QuickTime, Excel 2010, Symantec’s Norton Security Scan, AVG Free, BitDefender Free, Comodo Antivirus, IntelliJ IDEA, Box Sync, GitHub for Windows, and TeamViewer.
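
A defender's view of the Internet-facing case described above, as an added example that is not part of the original article: it scans firewall logs for internal hosts opening SMB connections (TCP 139/445) to addresses outside the internal network. The log format, the sample lines, the internal ranges and the function names are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

SMB_PORTS = {139, 445}  # NetBIOS session service and SMB over TCP

# Assumed internal ranges (RFC 1918, loopback, link-local); adjust per site.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log; assumed fields:
# timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_LOG = """\
2024-01-15T09:14:02Z 10.1.4.23 49812 10.1.0.5 445 tcp allow
2024-01-15T09:14:09Z 10.1.4.23 49813 203.0.113.77 445 tcp allow
2024-01-15T09:15:41Z 10.1.7.80 50022 198.51.100.12 443 tcp allow
2024-01-15T09:16:03Z 10.1.7.80 50031 198.51.100.12 139 tcp deny
malformed line
2024-01-15T09:17:20Z 10.1.4.23 49820 203.0.113.77 445 tcp allow
"""

def is_internal(ip):
    """True if ip falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)  # raises ValueError on bad input
    return any(addr in net for net in INTERNAL_NETS)

def find_outbound_smb(log_text):
    """Return sorted (src, dst, port, allowed, denied) tuples for
    internal-to-external SMB flows; malformed lines are skipped."""
    counts = defaultdict(lambda: {"allow": 0, "deny": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        _, src, _, dst, dport, proto, action = fields
        try:
            if proto != "tcp" or int(dport) not in SMB_PORTS:
                continue
            if not is_internal(src) or is_internal(dst):
                continue  # only flows leaving the internal network
        except ValueError:
            continue      # unparsable address or port
        if action in ("allow", "deny"):
            counts[(src, dst, int(dport))][action] += 1
    return sorted((s, d, p, c["allow"], c["deny"])
                  for (s, d, p), c in counts.items())

if __name__ == "__main__":
    for src, dst, port, allowed, denied in find_outbound_smb(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} allowed={allowed} denied={denied}")
```

Rows with a non-zero allowed count are the ones to investigate first, since those connections reached an SMB server outside the network.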