Redirect to SMB Flaw

Last week a new means of exploiting a previously unpatched flaw was discovered in the Microsoft SMB (Server Message Protocol). At the time of the announcement of this flaw and at the time of writing, no security advisory from Microsoft has been published.

If an attacker can intercept communications between a client and a legitimate server (i.e. a man in the middle (MITM) attack); the attacker can send the client a specifically crafted URL beginning with file:// The client system can then be re-directed (using HTTP redirect) to provide the clients authentication credentials to a malicious SMB server. These credentials could then be cracked using a brute force password attack (since the passwords are hashed and salted) in order to obtain credentials for the genuine server.

Recommended mitigations for this attack are to block outbound TCP ports 139 and 445 (used for SMB connections) from the outbound firewall on your network. This will allow SMB traffic within your network to work as normal will blocking attempts to perform redirects to external SMB servers. You can also block these ports on any of the host devices (endpoints) within your network. The most effective means of blocking these ports using the Windows Firewall and Group Policy are referenced (page 14) in the following white paper (created by Cylance, the organisation which discovered this new exploit). Further mitigations are detailed in the above mentioned white paper and at the following pages:

SPEAR – Redirect to SMB

US CERT Vulnerability Note VU#672268

Since SMB uses TCP ports 139 and 445 you can use these ports to locate any suspicious traffic on your network using Wireshark. For any host device (e.g. server, laptop etc.) that you wish to monitor, try to capture traffic using Wireshark as close as possible to the host device of interest or install Wireshark on the host device (if possible/permitted). You could also use a simple packet capturing tool such as tcpdump installed on the host device of interest.

In order capture traffic as close as possible to the host device you could capture traffic at a network switch closest to the host of interest. This can be done by installing a Test Access Port (TAP) in between the switch and the host or connecting directly to the switch if that switch supports port spanning. Using a TAP is preferable since link-layer traffic will also be included in the capture.

Once you have captured traffic you can check for suspicious traffic using one or all of the following display filters:

Where ip address below is any host that you wish to check if an attempt to access that host using the SMB protocol has taken place. The ip.dst declaration means that traffic is coming from a host on your network to another host device on your network and is attempting to communicate with that host. Replace (ip address) with the IP address (without the parenthesis/brackets) you wish to monitor:

ip.dst==(ip address) && tcp.srcport==139
ip.dst==(ip address) && tcp.srcport==445

An example of the result from one of the above filters is shown in the screenshot below:

SMB2

 

You can also use the Statistics->Conversations window to narrow down traffic coming from another host to a host device of interest using the TCP tab, selecting a port column that contains Microsoft-DS traffic and choosing Apply as Filter->Selected A <- Any (as shown in the screenshot below):

SMB1

While the above TCP ports should not normally be exposed from inbound traffic, it is also good practice to ensure that these ports are not accessible from outside your network. A simple test for this is to visit the ShieldsUP website from a device that you wish to test. From the tabs at the top of the page choose, Services -> ShieldsUP. Read the short terms and conditions page, if you agree to it, click Proceed. Within the white text box located on the page, enter

139, 445

I.e. 139 and 445 separated with a comma. Press the Enter key (Carriage return) on your keyboard. The ShieldsUP service will then test the above ports for exposure. If all goes well, you should see a page similar to that pictured below:

SMB3
====
Copyright (c) 2014 Gibson Research Corporation. SpinRite, ShieldsUP,
NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.
====

If these ports are found to be open, please use a firewall; either a network firewall or a firewall installed on the host device to block these ports from inbound connections/traffic.

At this time it is unclear if this flaw will be patched. Since it also effects software from AVG, Adobe, Apple, Box, Symantec and many others, it is likely it will be resolved in the near future. Until that time the above mentioned mitigations will protect you from this flaw.

Thank you.

3 thoughts on “Redirect to SMB Flaw

  1. John

    What would be your preferred method of finding out which ports are currently being used on a machine ?
    Netstat is one option, but do you have any other recommendations ?

    Reply
    1. JimC_Security Post author

      Hello John,

      Many thanks for your question.

      You’re correct netstat is a means of displaying the ports in use by applications without installing any further tools.

      I find using netstat as follows displays the ports open as well as the application associated with each port a useful indictor as to the ports that are in use:

      netstat -an –b

      Below is a sample output from this command:

      ===================
      Active Connections

      Proto Local Address Foreign Address State
      TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
      RpcSs
      [svchost.exe]
      TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
      Can not obtain ownership information
      TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING
      Can not obtain ownership information
      TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING
      [wininit.exe]
      TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING
      eventlog
      [svchost.exe]
      TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING
      Schedule
      [svchost.exe]
      TCP 0.0.0.0:49157 0.0.0.0:0 LISTENING
      [lsass.exe]
      TCP 0.0.0.0:49158 0.0.0.0:0 LISTENING
      [services.exe]
      TCP 127.0.0.1:5354 0.0.0.0:0 LISTENING
      [mDNSResponder.exe]
      TCP 127.0.0.1:5354 127.0.0.1:49155 ESTABLISHED

      ===================
      As opposed to command line tools, Windows tools such as Sysinternals TCPView and Process Monitor (with help from Process Explorer) are useful to view the open ports. While Process Monitor does not display the ports in use, Process Explorer can assist with that.

      Netstat is also available within Linux. Another alternative would be lsof

      To display all the programs using network connections on a Windows PC, download Process Monitor. Extract it from the Zip file and run Procmon.exe as administrator.

      Go to File->Capture events to turn off the capturing of information temporarily. Un-click all icons in the upper menu bar so that only “Show Network Activity” is clicked/enabled. Re-enable Capture Events from the File menu to capture a list of the applications generating network activity.

      Screenshots of the “Show Network Activity” option and the result of the above steps are shown in the screenshots below:

      Process Monitor Network Activity

      Process Monitor Network Activity2

      Once you know the programs of interest, e.g. Apples’ mDNSRespnder.exe, download Process Explorer, Extract it from the Zip file and run Procexp.exe as administrator. Double click mDNSRespnder.exe and choose the TCP/IP tab to display the list of ports it’s using:

      Process Explorer Ports

      Another tool for Windows, again from Systinternals would be TCPView. Download and extract it from its Zip file. Run Tcpview.exe as administrator. It displays an easy to follow list of programs actively using the network connection along with the corresponding ports in use. This is shown in the screenshot below:

      TCPView

      While the above options only show the open ports, a more comprehensive tool to check if a device on the network has too many open ports would be the Nmap Scanner

      I hope the above info answers your question. Thanks again.

      Reply
    2. JimC_Security Post author

      Hello John,

      In addition to the tools mentioned above, an alternative tool for Windows that displays the ports in use by an application easily is Process Hacker. This tool is open source and maintained by volunteer developers (thus to everyone who likes and/or uses this tool on a regular basis; please consider a donation to support this project).

      To view the ports being used an application, simply download and launch the tool and select the Network tab shown just below the menu bar. A list of the applications along with their local ports (ephemeral ports) and remote ports that are in use are shown in the screenshot below):

      Process Hacker Showing Port Numbers

      Ephemeral ports are port numbers that are randomly chosen by the transport layer software present on the client host/device being used in a client/server model. The server (remote) port must be a standardized/well known port number e.g. 80 for HTTP or 443 for HTTPS (shown in the above screenshot, these particular ports are in the Well-known port range (0 – 1023) as defined by Internet Assigned Number Authority (IANA)) since if the server used a random remote port the client would not know which port number the server is using to receive such traffic e.g. port 443 for a secure connection within your web browser.

      I hope that this tool is also useful to you. Thank you.

      Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s