In what’s turning out to be the zero day that keeps on giving, researchers are still finding ways to exploit an unpatched denial of service vulnerability that exists in the way Windows implements the Server Message Block protocol.
Details around the bug aren’t a mystery. Laurent Gaffié, the security researcher who found the vulnerability, made exploit code public on GitHub when he disclosed it on February 2. Researchers are claiming, however, that there are a handful of easier ways to exploit it.
Gaffié’s proof of concept relies on tricking a victim to connect to a malicious SMB server instance, something that could prove challenging for an attacker. Experts with Dell SecureWorks said Monday that it could be more effective for attackers to combine Gaffié’s attack with a redirect to SMB vulnerability from 2015 to crash a victim’s machine.
The redirect to SMB vulnerability, first uncovered by researchers at Cylance in April 2015, affected all versions of Windows when it was announced. If exploited, victims could be forwarded to a file:// URL pointing at a malicious server. That would have prompted Windows to automatically attempt authentication via SMB to the server, which logged encrypted user credentials that could be cracked offline.
Microsoft disputed the bug in 2015 and said that several factors – namely successfully luring a person to enter data into a fake website – would need to come together in order for an attack to work.
To combine the vulnerability with Gaffié’s proof of concept, a scenario would require two systems, researchers say. An attacker would have to run the SMB zero day proof of concept code on one system and use the other for the redirect to SMB attack. After putting the malicious redirect-smb.php file on that web server’s public directory, the attacker would have to trick a user into clicking it on a Windows 10 system running Internet Explorer. From there, the link would redirect a victim’s system to the attacker’s SMB server, the denial of service attack would be initiated, and a blue screen of death would be displayed.
According to SecureWorks researchers Mitsuyoshi Ozaki and Hironori Miwa, an attacker could also hide the SMB DoS exploit in a hyperlink, or an inline image, to trick users. While the vectors wouldn’t work for every browser – exploits didn’t work for Firefox or Chrome when they tested – they could be used against the latest version of Edge and Internet Explorer, Ozaki and Miwa claim.
An attacker could also exploit the zero day through unvalidated redirects, HTTP header injection or via cross-site scripting, the researchers warn. Each attack functions more or less the same way and simply gives an attacker a different way to try to get the victim to click a link or follow a redirect.
The same advice that the United States Computer Emergency Readiness Team gave at the beginning of the month around the vulnerability is still valid, SecureWorks researchers said. In an advisory pushed after the vulnerability was disclosed, US-CERT said that, to mitigate the vulnerability, concerned organizations should consider blocking outbound SMB connections (TCP ports 139 and 445, along with UDP ports 137 and 138) from the local network to external networks.
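As an added illustration of the US-CERT guidance (not code from the article, SecureWorks or US-CERT), the following script checks flow records for outbound SMB and NetBIOS traffic leaving the local network, which is exactly what the advisory says to block. The flow-record format, the sample flows and the RFC 1918 definition of "local network" are assumptions constructed for this example.

```python
import ipaddress

# Ports named in the US-CERT mitigation: SMB over TCP, NetBIOS name and datagram services over UDP.
SMB_PORTS = {("tcp", 139), ("tcp", 445), ("udp", 137), ("udp", 138)}

# Assumption: "local network" means the RFC 1918 private ranges plus loopback.
# A real deployment would substitute its own address plan here.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    """True when the address lies outside every local range (i.e. on an external network)."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)


def parse_flow(line: str) -> dict:
    """Parse one constructed flow record of the form 'proto src:sport -> dst:dport'."""
    proto, src, _, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": src_ip, "dst": dst_ip, "dport": int(dst_port)}


def flag_outbound_smb(lines):
    """Return the flows the advisory says should be blocked: SMB/NetBIOS to an external destination."""
    flagged = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if (flow["proto"], flow["dport"]) in SMB_PORTS and is_external(flow["dst"]):
            flagged.append(flow)
    return flagged


# Constructed sample flows; 203.0.113.x and 198.51.100.x are documentation (TEST-NET) addresses
# standing in for hosts on the internet.
SAMPLE_FLOWS = [
    "tcp 10.0.0.25:49712 -> 203.0.113.7:445",    # SMB to an external host: should be blocked
    "tcp 10.0.0.25:49713 -> 10.0.0.5:445",       # SMB to the internal file server: fine
    "udp 10.0.0.25:137 -> 198.51.100.9:137",     # NetBIOS name service leaving the network: should be blocked
    "tcp 10.0.0.25:49800 -> 203.0.113.7:443",    # ordinary HTTPS: not in scope
    "udp 10.0.0.25:138 -> 10.0.0.255:138",       # local NetBIOS broadcast: fine
]

if __name__ == "__main__":
    for flow in flag_outbound_smb(SAMPLE_FLOWS):
        print(f"BLOCK: {flow['proto']} {flow['src']} -> {flow['dst']}:{flow['dport']}")
```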
When pressed at the beginning of February, Microsoft said that it considers the vulnerability – a remotely triggered DoS bug in SMB for Windows 8.1, Windows 10, Windows Server 2012 R2, and Windows Server 2016 – low risk.
Despite the vulnerability’s “low risk,” it was still assumed Microsoft would fix the flaw with February’s Patch Tuesday security updates. Instead, Microsoft elected to skip the release. The company never disclosed exactly why it postponed the round of patches, saying only that it “discovered a last minute issue that could impact some customers.”
Gaffié – who disclosed the bug to Microsoft in November – released details around the bug a week before he assumed it was going to be patched. He never thought Microsoft would sit on the patch.
“I decided to release this bug one week before the patch is released, because it is not the first time Microsoft sits on my bugs,” he said at the time. “I’m doing free work here with them (I’m not paid in any way for that) with the goal of helping their users. When they sit on a bug like this one, they’re not helping their users but doing marketing damage control, and opportunistic patch release. This attitude is wrong for their users, and for the security community at large.”
A second vulnerability, a flaw in Windows’ GDI library discovered by Google’s Project Zero researchers, also remains unpatched. That vulnerability, called “high severity” by Google, affects Microsoft’s Internet Explorer and Edge browsers.
Microsoft is expected to fix both issues in two weeks as part of March’s Patch Tuesday update.