April 13, 2015

"Redirect To SMB" Technique Re-Exposes 18-Year-Old Vulnerability

Carl Leonard Principal Security Analyst

The Websense Security Labs™ team is aware of a recent discovery that provides attackers with the potential to intercept sensitive user credentials (username, domain, and hashed password). The attack relies on an end user being directed to, and authenticating against, an attacker-controlled SMB (Server Message Block) server. SMB is most often used to access file shares across networks.


Several new ways have been discovered to induce an 18-year-old vulnerability in the handling of such traffic. The attack type is being called “Redirect To SMB.” Several popular applications are vulnerable to this attack method. Reports indicate that while no attacks have been seen in the wild at the time of this writing, the implications of the vulnerability are suitably severe to warrant a triage of the issue and a description of how your organization could be affected.

Is this is a new discovery?

The discovery of new attack methods has been achieved only recently. Vulnerability Notes Database announced the issue to the public today based on analysis by Cylance: http://www.kb.cert.org/vuls/id/672268.

The issue has been assigned designation VU#672268.

How would the attack work?

The "Redirect To SMB" attack describes any method used to send users to, and authenticate them against, a malicious SMB server. Username, domain, and the (typically) hashed password can be intercepted.

The following scenarios have been illustrated:

  • A website could redirect a user to an SMB server under the attacker's control. This website could be disseminated using the email vector, via malvertising (malicious advertisements) or simply by luring the end user to a website that redirects.
  • A man-in-the-middle (MITM) attack could intercept user traffic and redirect to the appropriate SMB server.
  • The update mechanisms of numerous products are said to to be vulnerable (Adobe® Reader®, Apple® QuickTime®, and others) due to their using HTTP requests to access software updates. A MITM attack could intercept and change the destination of the request to a SMB server under the attacker's control.


Current thinking proposes the following mitigation advice. Not all may be suitable for your organization.

  • SMB traffic operates over TCP 139 and TCP 445. This communication could be blocked using a device such as a firewall, particularly the network gateway firewall, to prevent only SMB communications to destinations outside of your network.
  • Apply any applicable software patches from vendors as they are released.
  • End users should be encouraged to use strong passwords to increase the time required for a simple brute force of any hashing algorithms.
  • Additional mitigation methods are described in the Cylance white paper located here.

Websense Security Labs will continue to monitor any developments related to this issue.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.