
The SMB authentication relay attack was first reported by Sir Dystic on March 31st, 2001 at @lanta.con in Atlanta, Georgia. A Metasploit module has been around for some time that could exploit this vulnerability. The attack consisted of relaying SMB authentication requests to another host, gaining access to an authenticated SMB session if successful. If the connecting user is an administrator and network logins are allowed to the target machine, this module could execute an arbitrary payload.
References:
http://en.wikipedia.org/wiki/SMBRelay
http://www.xfocus.net/articles/200305/smbrelay.html
Today Microsoft released a security update, MS08-068, which addresses this NTLM reflection vulnerability in the SMB protocol and effectively mitigates this attack. Although it is still possible to set the SMBHOST parameter to a third-party host that the victim is authorized to access, reflecting the authentication back to the victim's own machine no longer works, so the attack as originally described is broken.
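To make concrete what the patch changes and what it leaves alone, here is an added model written for this post (example code, not from Microsoft, from the Metasploit module or from the original author). It simulates a host that has both an SMB server side and an SMB client side: the server caches the challenges it has issued, and on a "patched" host the client side refuses to answer a challenge that its own server side issued and that is still outstanding. HMAC-SHA256 over the challenge stands in for the real NTLM response function, the five-minute challenge window and the names `Host`, `relay_outcome` and `demo` are assumptions of the model, and the account and password are constructed. The model shows the point made above: reflection to the victim itself fails once patched, while forwarding the same authentication to a different host the user can access still completes.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the NTLM challenge/response computation: the real
# NTLM and NTLMv2 response functions are not reproduced here. All the model
# needs is a response that depends on the user's secret and on the 8-byte
# server challenge.
def compute_response(password_hash: bytes, challenge: bytes) -> bytes:
    return hmac.new(password_hash, challenge, hashlib.sha256).digest()


class Host:
    """Simplified Windows host with an SMB server side (issues and verifies
    challenges) and an SMB client side (answers challenges with the logged-on
    user's credentials). `accounts` maps user name -> secret the server
    verifies against; `logged_on` is the (user, secret) pair the client side
    authenticates with, or None when nobody is logged on."""

    CHALLENGE_WINDOW = 300  # seconds an issued challenge stays cached (assumed value)

    def __init__(self, name, accounts, logged_on=None, patched=True):
        self.name = name
        self.accounts = dict(accounts)
        self.logged_on = logged_on
        self.patched = patched      # True models a host with MS08-068 applied
        self.issued = {}            # server side: challenge -> expiry time

    # ---- server side ---------------------------------------------------
    def issue_challenge(self, now):
        challenge = os.urandom(8)
        self.issued[challenge] = now + self.CHALLENGE_WINDOW
        return challenge

    def verify_response(self, user, challenge, response, now):
        expiry = self.issued.pop(challenge, None)
        if expiry is None or now > expiry or user not in self.accounts:
            return False
        expected = compute_response(self.accounts[user], challenge)
        return hmac.compare_digest(expected, response)

    # ---- client side ---------------------------------------------------
    def answer_challenge(self, challenge, now):
        if self.logged_on is None:
            return None
        # Modelled MS08-068 behaviour: refuse to answer a challenge that this
        # same machine's server side issued and that is still outstanding,
        # since answering it would complete a reflected logon to ourselves.
        if self.patched:
            expiry = self.issued.get(challenge)
            if expiry is not None and now <= expiry:
                return None
        user, secret = self.logged_on
        return user, compute_response(secret, challenge)


def relay_outcome(victim_client, target, now=0):
    """Model of the relay flow: a challenge obtained from `target` is answered
    by `victim_client`, and the answer is forwarded to `target`. Returns True
    if `target` grants the session."""
    challenge = target.issue_challenge(now)
    answer = victim_client.answer_challenge(challenge, now)
    if answer is None:
        return False
    user, response = answer
    return target.verify_response(user, challenge, response, now)


def demo():
    secret = hashlib.sha256(b"constructed-example-password").digest()
    accounts = {"alice": secret}  # constructed domain account
    results = {}
    # Unpatched victim: reflecting to the victim's own server succeeds.
    victim = Host("victim", accounts, logged_on=("alice", secret), patched=False)
    results["reflection, unpatched"] = relay_outcome(victim, victim)
    # Patched victim: the reflected challenge is recognised and refused.
    victim = Host("victim", accounts, logged_on=("alice", secret), patched=True)
    results["reflection, patched"] = relay_outcome(victim, victim)
    # Relay to a third host alice may also access: the patch does not stop
    # this, because the challenge did not originate on the victim's own server.
    fileserver = Host("fileserver", accounts, patched=True)
    results["relay to third host, patched"] = relay_outcome(victim, fileserver)
    return results


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case:30s} -> {'session granted' if granted else 'refused'}")
```

The third case is why the patch is a mitigation of reflection rather than of relaying in general: a defender still wants SMB signing (or later, Extended Protection for Authentication) between hosts to close the relay-to-another-host variant.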
Why does the bulletin carry only a Moderate rating for Vista and Windows Server 2008? The first reason is that File and Print Sharing is not enabled by default. A user must first enable File and Print Sharing (which also enables an exception in the Windows Firewall) in order to be vulnerable to this attack.
The second reason is that in non-domain environments, the default system shares (admin$, c$) are not accessible remotely by admin users, even if File and Print Sharing is enabled and the Windows Firewall allows inbound connections. In a domain environment, the default system shares (admin$ and c$) are accessible only to a user who is logged on with a domain account that is a member of the local machine's Administrators group.
The Windows Firewall would also help protect against this attack as long as the network profile is "Public"; incoming SMB connections are only allowed by default under the "Private" network profile.
In any case, everyone is recommended to install this patch.

UPDATE (12/11/2008): The Metasploit blog has some more details on the SMB relay attack.

UPDATE 2 (16/11/2008): The Zero Day blog has an excellent write-up of why it took Microsoft years to patch this issue.