Vigil@nce - Microsoft Windows: credentials disclosure via HTTP redirections

June 2015 by Vigil@nce

This bulletin was written by Vigil@nce : http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

An attacker who controls both an HTTP server used by an application program based on urlmon.dll and a CIFS server can use HTTP redirections to get encrypted user credentials.

Impacted products: ProxySG, Windows 7, Windows 8, Windows RT, Windows Search, Windows Vista, Windows XP

Severity: 2/4

Creation date: 15/04/2015

DESCRIPTION OF THE VULNERABILITY

Microsoft Windows offers a library urlmon.dll that provides an HTTP client.

This client follows HTTP redirections. However, it does so even if the URL scheme is changed from "http" to "file". So, when the redirection target is an SMB/CIFS server, the client automatically sends the user credentials (user name and password hash) to the CIFS server.

An attacker who controls both an HTTP server used by an application program based on urlmon.dll and a CIFS server can therefore use HTTP redirections to get encrypted user credentials.
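As an added example (not Vigil@nce's or Microsoft's code), the redirect-following policy that closes the behaviour described above: every Location header is resolved against the current URL and refused unless it stays on http/https, so a hop to "file" (or a bare UNC path) is never fetched. The hostnames and the response chains are constructed for the demonstration.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a redirect may land on. "file" is deliberately absent: Windows resolves it
# to a UNC share and authenticates to that share with the current user's credentials.
ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

class UnsafeRedirect(Exception):
    """Raised when a Location header would take the client off http/https."""

def resolve_redirect(base_url, location):
    """Resolve a Location header against the current URL and enforce the allowlist.
    Backslashes are refused outright: Windows treats them as path separators, so
    a Location like \\\\server\\share is a UNC path even without a "file:" prefix."""
    location = location.strip()
    if "\\" in location:
        raise UnsafeRedirect("backslash in Location (UNC path): %r" % location)
    target = urljoin(base_url, location)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeRedirect("redirect to disallowed scheme %r: %s" % (scheme, target))
    return target

def follow_redirects(start_url, responses, max_hops=5):
    """Walk a chain of responses as a client would, checking each hop before fetching it.
    `responses` maps URL -> (status, headers). Returns ("ok", final_url, "") or
    ("blocked", url_of_offending_response, reason); a blocked target is never fetched."""
    url = start_url
    for _ in range(max_hops):
        status, headers = responses[url]
        if status not in REDIRECT_STATUSES:
            return ("ok", url, "")
        try:
            url = resolve_redirect(url, headers["Location"])
        except UnsafeRedirect as exc:
            return ("blocked", url, str(exc))
    return ("blocked", url, "too many redirects")

# Constructed sample chains; the hostnames are placeholders, not from the advisory.
BENIGN_CHAIN = {
    "http://app.example.test/start": (302, {"Location": "https://app.example.test/login"}),
    "https://app.example.test/login": (200, {}),
}
MALICIOUS_CHAIN = {  # second hop changes the scheme from http to file
    "http://app.example.test/start": (302, {"Location": "http://cdn.example.test/asset"}),
    "http://cdn.example.test/asset": (302, {"Location": "file://fileserver.example.test/share/asset"}),
}

if __name__ == "__main__":
    print(follow_redirects("http://app.example.test/start", BENIGN_CHAIN))
    print(follow_redirects("http://app.example.test/start", MALICIOUS_CHAIN))
```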

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/M...