New SMB flaw affects all versions of Windows

Discussion in 'other security issues & news' started by Minimalist, Apr 13, 2015.

  1. Minimalist, Registered Member (Joined: Jan 6, 2014; Posts: 5,089)

    https://threatpost.com/new-smb-flaw-affects-all-versions-of-windows
     
  2. ronjor, Global Moderator (Joined: Jul 21, 2003; Posts: 57,803; Location: Texas)

    Microsoft Windows NTLM automatically authenticates via SMB when following a file:// URL

    http://www.kb.cert.org/vuls/id/672268
     
  3. J_L, Registered Member (Joined: Nov 6, 2009; Posts: 8,516)

    Interesting, but is it an automated exploit for once? Sounds like another thing you need to click.
     
  4. Rasheed187, Registered Member (Joined: Jul 10, 2004; Posts: 8,055; Location: The Netherlands)

    Is there a workaround? Like disabling certain Windows features or services?
     
  5. Minimalist, Registered Member (Joined: Jan 6, 2014; Posts: 5,089)
  6. noone_particular, Registered Member (Joined: Aug 8, 2008; Posts: 3,798)

    SMB has all of the same problems on NT systems as NETBIOS did on earlier systems. Unfortunately, port 445 is used for more than one purpose. See Microsoft Directory Services. More info on port 445 at https://www.grc.com/port_445.htm. Traffic for this port needs to be blocked in both directions. The port can be completely closed on XP with some work. No idea if it's possible to completely close this port on Vista and newer.
     
  7. marzametal, Registered Member (Joined: Mar 19, 2014; Posts: 732)

    On W7HP...
    After disabling NETBIOS over TCP/IP via Network Adapter settings, the user needs to do one more thing to complete the partially blocked port 445 sequence.

    Control Panel - Device Manager (Show hidden devices)...
    /Non-Plug and Play Drivers / NETBT > Properties > Driver tab > Stop it and change Type from 'System' to 'Disabled'.

    Windows Services...
    Disable the "Server" service... done, port 445 patched.

    The above was taken from http://hardenwindows7forsecurity.com/Harden Windows 7 Home Premium 64bit - Standalone.html
    P.S.: I have 95 Windows Services disabled.
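
A read-only way to check the result of the steps above, plus the outbound side of the "both directions" advice in post 6. This is an added example, not from the thread or the linked guide; the function name Get-SmbExposure is made up here, and the script assumes Windows Firewall is the firewall in use.

```powershell
# Added example: read-only audit, changes nothing. Written to run on PowerShell 2.0 (Windows 7).
function Get-SmbExposure {
    # "Server" service (internal name LanmanServer) accepts inbound SMB sessions.
    $server = Get-WmiObject Win32_Service -Filter "Name='LanmanServer'"
    # NETBT driver from the Device Manager step; StartMode reads 'Disabled' once changed.
    $netbt = Get-WmiObject Win32_SystemDriver -Filter "Name='NetBT'"

    # Per-adapter NetBIOS over TCP/IP: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
    $nbtAdapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE" |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object { $_.Description })

    # Locale-independent listener check (netstat's state column is localized).
    $ipProps = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
    $listening = @($ipProps.GetActiveTcpListeners() |
        Where-Object { $_.Port -eq 445 -or $_.Port -eq 139 } |
        ForEach-Object { $_.ToString() })

    # Outbound side: enabled Windows Firewall rules that block TCP to remote port 445.
    # Direction 2 = outbound, Action 0 = block, Protocol 6 = TCP.
    # Only exact port entries are matched; ranges such as "400-500" are not expanded,
    # and whether a rule applies still depends on its profile and address scope.
    $fw = New-Object -ComObject HNetCfg.FwPolicy2
    $outBlock = @($fw.Rules | Where-Object {
            $_.Enabled -and $_.Direction -eq 2 -and $_.Action -eq 0 -and
            $_.Protocol -eq 6 -and $_.RemotePorts -and
            (($_.RemotePorts -split ',') -contains '445')
        } | ForEach-Object { $_.Name })

    New-Object PSObject -Property @{
        ServerService         = "{0} / {1}" -f $server.StartMode, $server.State
        NetbtDriver           = "{0} / {1}" -f $netbt.StartMode, $netbt.State
        AdaptersWithNetbios   = $nbtAdapters   # empty when disabled on every adapter
        Listening445or139     = $listening     # empty when the inbound ports are closed
        OutboundBlock445Rules = $outBlock      # empty when no outbound block rule exists
    }
}

Get-SmbExposure | Format-List
```

Stopping the Server service only closes the inbound listener; the file:// behaviour in the CERT note is an outbound client connection, which is why the firewall rule check is included.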
     
  8. Rmus, Exploit Analyst (Joined: Mar 16, 2005; Posts: 3,943; Location: California)

    Is a home user vulnerable to this exploit unless the above conditions are met? How would a home user be communicating on an untrusted network? And how would a home user's network be compromised?

    ----
    rich
     
  9. Rasheed187, Registered Member (Joined: Jul 10, 2004; Posts: 8,055; Location: The Netherlands)
  10. Minimalist, Registered Member (Joined: Jan 6, 2014; Posts: 5,089)

    Can you please post a link? According to the Trend Micro article it is:
     
  11. Rasheed187, Registered Member (Joined: Jul 10, 2004; Posts: 8,055; Location: The Netherlands)

    Well, perhaps I didn't understand it correctly, but it doesn't seem to be easily exploitable; you need to perform a MITM attack, not something that I have to worry about when I'm at home.

    http://blog.cylance.com/redirect-to-smb
     
  12. noone_particular, Registered Member (Joined: Aug 8, 2008; Posts: 3,798)

    When you consider what a home network can include, it may be easier to create those conditions than most would realize. That home network often includes cellphones utilizing wireless routers and a growing list of IoT devices, most of which didn't make security a design consideration. Combine that with exploitable (if not outright backdoored) routers and modems using weak default configurations connecting devices that use default-permit security policies. I'd suspect that the typical home network (not those of the average Wilders member) would be quite exploitable. For the average user, plugging their cellphone into their PC could easily be all that's required.
     
  13. Rmus, Exploit Analyst (Joined: Mar 16, 2005; Posts: 3,943; Location: California)

    Good grief!

    I am so happy I "retired" from home consulting a couple of years ago. How can anyone work with a maze* like that!

    *maze

    1. a confusing network of intercommunicating paths or passages;
    2. any complex system or arrangement that causes bewilderment, confusion, or perplexity;

    ----
    rich
     
  14. noone_particular, Registered Member (Joined: Aug 8, 2008; Posts: 3,798)

    At one time, I was exploring the idea of a remote administration service for home users and their equipment. In hindsight, I'm so glad that I gave it up. Except for a few friends who have some common sense, I want nothing to do with maintaining equipment for other users any more. It's just not worth the headache.
     