Microsoft Account Credentials Leak vulnerability
What would you say if I told you that an almost two decade old vulnerability in Windows may leak your Microsoft Account credentials when you visit a website, read an email, or use VPN over IPSec?
A bug that goes all the way back to Windows 95 is causing major issues on Windows 8 and Windows 10.
Basically, what happens is the following: Microsoft Edge, Internet Explorer, Outlook and other Microsoft products allow connections to local network shares. On top of that, the default settings do not prevent connections to remote shares.
An attacker could exploit this by creating a website or email with an embedded image or other content that is loaded from a network share.
Microsoft products like Edge, Outlook or Internet Explorer try to load the network share resource and send the active user's Windows login credentials, username and password, to that network share.
The username is submitted in plaintext, the password as an NTLMv2 hash.
There are two main issues that arise from that. First, the account data is exposed to third parties, which may try to crack the hash to recover the user password.
Second, since account information leaks, it may very well be a privacy issue, especially if Tor or VPN services are used to improve privacy while on the Internet.
The reason why the attack is more promising under Windows 8 and newer is that Microsoft accounts are the default sign-in option on those systems. This means that Microsoft account credentials are leaked to the network share, and not a local username and password.
A proof of concept web page is available which will test the underlying system to find out whether it is vulnerable or not. Please note that a successful attack will submit the Windows username and password to a third-party site. Click here to open the demo site.
Mitigation
The best course of action is to use third-party products instead of Microsoft products for the time being. While this may work in some situations, it won't in others.
The researchers who discovered the issue suggest configuring Windows Firewall to protect against these attacks:
In addition to network perimeter firewalls, we therefore advocate for a host-based hardening thanks to the Windows Firewall present in any Windows machine running at least Windows XP SP2. By enforcing egress filtering on ports 137/138/139/445 and dropping any IP packet leaving the host with a destination matching any of those ports and having a public IP as a target host, we offer a more consistent protection against those attacks.
Also, make sure that the password is strong enough to make brute force attacks less of an issue. (via Hackaday)
Now You: Do you use Microsoft software?
Thank you Oliver L, the only working solution was yours (Thanks for the only working solution, Oliver L)
You are welcome. THX from Dortmund for the feedback :-D
In Germany we use a lot of AVM FRITZ!Box DSL/Cable routers. They block any outgoing SMB WAN traffic by default.
For ease of use you can simply copy this into a “Deny_outgoing_SMB.reg” file. I added some demo PC names so you’ll have to (!) edit the registry after importing. Then export with your own local server names and apply on all Windows clients. One PC name per row. (We see ,00,00 as line break here:)
Windows Registry Editor Version 5.00

; Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
; 2 = Deny all (0 = Allow all, 1 = Audit all)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0]
"RestrictSendingNTLMTraffic"=dword:00000002
; Remote server exceptions as REG_MULTI_SZ in UTF-16LE bytes: every name ends
; with 00,00 and the whole list ends with an extra 00,00.
; Demo names decoded: MyServer1, MyPC, MyDesktop, AndWhatEverDevices
"ClientAllowedNTLMServers"=hex(7):4d,00,79,00,53,00,65,00,72,00,76,00,65,00,72,\
00,31,00,00,00,4d,00,79,00,50,00,43,00,00,00,4d,00,79,00,44,00,65,00,73,00,\
6b,00,74,00,6f,00,70,00,00,00,41,00,6e,00,64,00,57,00,68,00,61,00,74,00,45,\
00,76,00,65,00,72,00,44,00,65,00,76,00,69,00,63,00,65,00,73,00,00,00,00,00
It would be nicer to have some firewall rules that block outgoing SMB except in the local subnet. But I didn't get it running, and it's quite late now. I also disabled all default SMB rules and tested with "telnet ipv4.localserver 445" and "telnet ipv4.mywanserver.de 445" but not (yet) with the desired result.
Do you find my mistake?
REM Remove earlier copies first so the script can be run again
netsh advfirewall firewall delete rule name="Block SMB outgoing TCP"
netsh advfirewall firewall delete rule name="Block SMB outgoing UDP"
netsh advfirewall firewall delete rule name="Allow SMB outgoing LAN TCP"
netsh advfirewall firewall delete rule name="Allow SMB outgoing LAN UDP"
pause
REM Outbound traffic is allowed by default, so these allow rules only document the intent
netsh advfirewall firewall add rule name="Allow SMB outgoing LAN TCP" dir=out action=allow protocol=tcp remoteport=139,445 remoteip=localsubnet
REM alternatively: remoteip=10.0.0.0/8,192.168.0.0/16
netsh advfirewall firewall add rule name="Allow SMB outgoing LAN UDP" dir=out action=allow protocol=udp remoteport=137,138 remoteip=localsubnet
REM alternatively: remoteip=10.0.0.0/8,192.168.0.0/16
REM A block rule always wins over an allow rule in Windows Firewall, so a block rule
REM without remoteip= blocks the local subnet as well. Scope the block rules to the
REM address space outside 10.0.0.0/8, 127.0.0.0/8 and 192.168.0.0/16 instead
REM (172.16.0.0/12 is not exempted here; add a further split if you use it).
netsh advfirewall firewall add rule name="Block SMB outgoing TCP" dir=out action=block protocol=tcp remoteport=139,445 remoteip=1.0.0.0-9.255.255.255,11.0.0.0-126.255.255.255,128.0.0.0-192.167.255.255,192.169.0.0-223.255.255.255
netsh advfirewall firewall add rule name="Block SMB outgoing UDP" dir=out action=block protocol=udp remoteport=137,138 remoteip=1.0.0.0-9.255.255.255,11.0.0.0-126.255.255.255,128.0.0.0-192.167.255.255,192.169.0.0-223.255.255.255
— ok, should use PowerShell:
https://technet.microsoft.com/en-us/library/jj554908(v=wps.630).aspx
(examples at the end)
These are old ports opened for LAN Offices and medium to big companies. So, M$ never closed them. Good. NOW Win 10 is more a tablet toy than a business OS…
Isn't it time to adapt the rules? Scripts and firewall rules can be applied, but that's easy for a medium user of Windows, not my grandma or my nephew. M$ just keeps failing.
So, if I don’t use Edge, Outlook or Internet Explorer, I’m safe, am I not?
Yes.
Thanks! I’m happy and safe with my win7 and Firefox. :)
Avoid AND Boycott. I spent hours on XP to secure it years ago. It worked well.
New laptops and desktops with the newest, allegedly improved Win 7 or Win 8 or Win 10 couldn't be secured AT ALL. Sysinternals tools that could close anything running on XP sometimes fail on these operating systems. It's spyware embedded systems now.
Go to secpol.msc, configure Restrict NTLM: Add remote server exceptions for NTLM authentication. Then set outgoing NTLM traffic to Deny All. No hash will be leaked now. Impractical in a domain though with thousands of computers. This will allow you to keep SMB file shares on your local network working until MS fixes it.
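Oliver L's .reg file earlier in the thread and Henk's secpol.msc steps set the same two values under the MSV1_0 key. As an added example (not from the article or from either commenter), the PowerShell below writes them directly, so the remote server exception list can be given as plain strings instead of hand-edited hex(7) bytes. The server names are placeholders, and the snippet assumes an elevated PowerShell on Windows 7/Server 2008 R2 or later, where the Restrict NTLM policies exist.

```powershell
# Added example, not the article's or the commenters' own code.
# Equivalent of: secpol.msc > Network security: Restrict NTLM:
#   "Outgoing NTLM traffic to remote servers" = Deny all
#   "Add remote server exceptions for NTLM authentication" = the list below
# Run from an elevated PowerShell.

$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Hosts that may still receive NTLM authentication from this client.
# Placeholder names: use the names exactly as they appear in your UNC paths.
$allowedServers = @('MyServer1', 'MyPC', 'MyDesktop')

# RestrictSendingNTLMTraffic: 0 = Allow all (default), 1 = Audit all, 2 = Deny all.
# With 2, outgoing NTLM is refused unless the target is in ClientAllowedNTLMServers,
# so the credential leak described in the article cannot reach an Internet host.
Set-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic' -Value 2 -Type DWord

# REG_MULTI_SZ is written straight from the string array; the registry provider
# produces the UTF-16LE, NUL-separated, double-NUL-terminated layout that the
# .reg file showed as hex(7) bytes.
Set-ItemProperty -Path $lsaPath -Name 'ClientAllowedNTLMServers' -Value $allowedServers -Type MultiString

# Read both values back to confirm what was written.
Get-ItemProperty -Path $lsaPath |
    Select-Object RestrictSendingNTLMTraffic, ClientAllowedNTLMServers

# To undo: drop the exception list and return the policy to 0 (Allow all).
# Remove-ItemProperty -Path $lsaPath -Name 'ClientAllowedNTLMServers'
# Set-ItemProperty -Path $lsaPath -Name 'RestrictSendingNTLMTraffic' -Value 0 -Type DWord
```

Setting the policy to 1 (Audit all) first and checking the Security event log for which servers the machine actually authenticates to is a reasonable way to build the exception list before switching to 2, which is what makes this workable on a home LAN but, as Henk notes, impractical across a large domain.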
Thank you Henk, that was an easy solution.
Thanks for the alert Martin. Great article as always.
Well, one more reason (of many) to link your Windows installation to a local account, not to a Microsoft account.
Fwiw, I just tried out the demo/test link given by Martin, using my local-account Windows 8.1 desktop system, with a default connection (no filtering proxies or VPNs) and the worst possible browser (IE 11 with default settings). The test result: nothing was leaked, not even local account data. But probably this was because on my system, I keep network file sharing turned off anyway.
So perhaps the easiest safety measure others might want to consider, is just disabling this network sharing feature (if you can live without it). Open Network and Sharing Center, then in the left column, click “Change advanced sharing settings”, then in the next window, expand your current profile and tick “Turn off file and printer sharing”.
@ Henk van Setten
Thanks Henk for the easy fix.
To get back to the vulnerability for a moment, ignoring all the posturing and hype … here is a simple Windows firewall rule that will block this vulnerability:
C:\>netsh advfirewall firewall show rule name="Do not use SMB over internet" verbose
Rule Name: Do not use SMB over internet
———————————————————————-
Enabled: Yes
Direction: Out
Profiles: Domain,Private,Public
Grouping:
LocalIP: Any
RemoteIP: Any
Protocol: TCP
LocalPort: Any
RemotePort: 137-139,445
Edge traversal: No
InterfaceTypes: LAN
Security: NotRequired
Rule source: Local Setting
Action: Block
The “InterfaceTypes: LAN” line means this: on the Advanced Tab, go into Interface Types/Customize and set it to only “Local Area network” and/or “Wireless”. This will permit accessing shares over “Remote Access” links, which includes all the corporate VPNs I use for work. (I don’t have any servers actually inside my house that I need to access.)
Almost correct, TCP ports are 139 & 445, but 137 & 138 are UDP.
Thanks d3x. I will update my rule.
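The egress filtering the researchers recommend in the article, Oliver L's netsh script and Ross Presser's rule (with d3x's correction that 137/138 are UDP and 139/445 are TCP) all express one control: no SMB or NetBIOS session to a public address. As an added example, not taken from the article or from any commenter, here is that control written with the NetSecurity cmdlets (Windows 8/Server 2012 and later). The rule names and the exact address ranges are choices made here, not values from the page; the block rules are scoped to public address space so that a private LAN, loopback, link-local and IPv6 ULA destinations keep working without the block-beats-allow problem that a catch-all block rule causes.

```powershell
# Added example, not the article's or the commenters' own code.
# Outbound SMB/NetBIOS egress filtering scoped to public addresses.
# Run from an elevated PowerShell on Windows 8 / Server 2012 or later.

# IPv4 unicast space minus the ranges that should keep working:
$publicV4 = @(
    '1.0.0.0-9.255.255.255',         # 10.0.0.0/8 (RFC 1918) stays allowed
    '11.0.0.0-126.255.255.255',      # 127.0.0.0/8 (loopback) stays allowed
    '128.0.0.0-169.253.255.255',     # 169.254.0.0/16 (link-local) stays allowed
    '169.255.0.0-172.15.255.255',    # 172.16.0.0/12 (RFC 1918) stays allowed
    '172.32.0.0-192.167.255.255',    # 192.168.0.0/16 (RFC 1918) stays allowed
    '192.169.0.0-223.255.255.255'    # 224.0.0.0/4 and up (multicast/broadcast) not covered
)
# IPv6 global unicast only; fe80::/10 (link-local) and fc00::/7 (ULA) stay allowed.
$publicV6 = @('2000::/3')

# Rule names are this example's choice. Ports follow d3x's correction.
$rules = @(
    @{ Name = 'Block SMB to Internet (TCP)';     Protocol = 'TCP'; Port = @('139', '445') }
    @{ Name = 'Block NetBIOS to Internet (UDP)'; Protocol = 'UDP'; Port = @('137', '138') }
)

foreach ($r in $rules) {
    # Remove an earlier copy so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule

    # One block rule per protocol, applied to all profiles, restricted to the
    # public ranges above. Nothing else is needed: outbound traffic to private
    # addresses is still covered by the default outbound allow.
    $null = New-NetFirewallRule -DisplayName $r.Name `
        -Direction Outbound -Action Block -Enabled True -Profile Any `
        -Protocol $r.Protocol -RemotePort $r.Port `
        -RemoteAddress ($publicV4 + $publicV6)
}

function Show-SmbEgressRules {
    # Summarise each rule with its port and address filters, the same fields
    # "netsh advfirewall firewall show rule ... verbose" prints.
    foreach ($r in $rules) {
        $rule = Get-NetFirewallRule -DisplayName $r.Name
        [pscustomobject]@{
            Rule    = $rule.DisplayName
            Enabled = $rule.Enabled
            Action  = $rule.Action
            Ports   = (($rule | Get-NetFirewallPortFilter).RemotePort -join ',')
            Remote  = (($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ' ')
        }
    }
}

Show-SmbEgressRules | Format-Table -AutoSize
```

Because the scope is by destination address rather than by interface type, a corporate VPN that hands out private addresses keeps its file shares reachable, which was Ross Presser's reason for the "InterfaceTypes: LAN" restriction; a VPN that routes shares over public addresses would need those addresses carved out of the ranges above.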
@ Ross Presser
“To get back to the vulnerability for a moment, ignoring all the posturing and hype … here is a simple Windows firewall rule that will block this vulnerability:”
IF it is so easy to fix, why didn’t Microsoft publish the firewall patch when Win 8 was released OR, worst case, when Win 10 was released?
Why does Martin have to blog about it before someone like you posts the fix.
That is why there is “posturing and hype”. Nobody wants to have security holes in an OS which can be exploited by hackers.
Because circumstances are different. People working on an office LAN would be crazy to use the rule as I gave it; it would block all file sharing to local servers. On the other hand, people who don’t use corporate VPNs at all would have no reason to limit the rule to Local. There is no one size fits all. File sharing is a sharp knife; it can be dangerous but it can also be fabulously useful. I could point at dozens of similarly useful but dangerous features in *ANY* OS.
NTLMv2 has been attackable since Vista and even earlier; it never gets patched because it would destroy backward compatibility and it takes too much effort to fix all problems, so that's why it is unpatched. I guess this is well known; the thing is whether someone really can 'easily' abuse this, because it usually requires additional steps like external software to be installed, plus the fact that it requires an internet connection.
I don't use MS products in general and simply don't store my passwords in plain text on the PC.
First we find out that there is still remnants of MS DOS in Win 10. NOW we find out that a Win 95 bug is STILL embedded in Win 8 / Win 10.
So, rather than writing a new OS, MS has piled layer upon layer of new code on top of old. No wonder Windows is so bloated.
WHY did MS not take a clean sheet after Win 7 and write a new OS, instead of rushing 8.1 / 10 to the market.
What a fiasco !!! How can anybody trust MS after this ?
I second Corky’s comments, including the sarcasm.
Tom Hawack is correct. MS is starting to give at the seams and it is really beginning to show.
Mr. Nadella, pull your finger out and fix it before it's too late!
Not only do I not use Microsoft software, but I have moreover added a Microsoft blocking list to my PeerBlock application.
I feel truly sorry for users having to deal with this account credentials flaw. The cloud, the IoT, this general hysteria which considers markets before privacy and security, profit before users. And that’s bad, very bad. Here we avoid (avoid, not boycott) Microsoft products, services, links as a whole, except for the Win7 OS which will be abandoned as well between now and January 2020. Rather than doing more the company could consider doing better, in terms of privacy and security. A pity for what was once a leader, a major actor. We are many to have lost confidence.
“Here we avoid (avoid, not boycott)”
Here we have been putting pressure on the authorities for years; for 2016 it's going to succeed.
http://www.numerama.com/tech/135953-les-logiciels-libres-conseilles-par-letat-pour-2016.html
Here about Microsoft, and particularly considering privacy and security, we will continue in this way by all legal means at our disposal, (not only boycott).
http://o.nouvelobs.com/high-tech/20130417.OBS8191/l-embarrasant-contrat-entre-l-armee-francaise-et-microsoft.html
@ Tom Hawack
Considering your high level in psychology, I’m surprised i can still surprise you… or as an expert you’re just blinded by general French’s attitudes on which you suppose I’m “based”. That said, reading things like “furious”, “excessive ego”, “excessive passion”, “hatred”, “lâchez-moi les baskets”, “insult”, you make me regret not having been married “twenty years” together.
Thank you for your interest in the human being you believe you discern in me, and I look forward to reading you again soon.
@yapadkoi,
“(avoid, not boycott)” was NOT my way to make you understand a second time what I had pointed on a previous post about boycott. I never proceed with allusions. You are mistaking your interpretation most likely based on an excessive ego with an impartial lecture of comments. If I had wished to do so I would have mentioned you, or my past comment, explicitly. I’m surprised, I considered you more aware than that. I appreciate reading and debating with you among us all but please do not include me in your excessive passions.
“(avoid, not boycott)” was your way in this article to make me understand a second time what you already pointed there about boycott :
https://www.ghacks.net/2016/08/01/browserprint-advanced-browser-fingerprinting-test/
So please stop saying it’s me that should give you a break. Thanks.
Give me a break, will you? (“lachez-moi les baskets” in French). To avoid, to boycott the result is the same so don’t get so excited. The result is the same but not the intention. Two words and call Semantics for a choice. I believe there’s no point in getting mad, furious when extreme passions may be reserved for extreme dramas. Hatred towards a company is not my choice, I avoid for the time being without anticipating on the future and in memory of the past. Too much, excessive passion makes some men insult the lady who shared their lives for twenty years the day they divorce. Keep it cool, no point in calling the “Chambardement” who’s occupied in true war territories. This is only the Web, computers and software. It’s not essentially substantial.
Well this just can’t be true, people kept telling me how Windows 10 is more secure. ;)
/Sarcasm
Being serious though, it always seems that people who say Windows 10 is more secure fail to understand one of the main pillars of computer security: the best way to reduce your risk is to reduce the attack surface. It seems each new version of Windows increases the number of attack vectors, and Windows 10 takes that to a new level with Microsoft's approach of enabling everything, when from a security point of view services, features, and other things should only be enabled when needed.
Minimizing the attack surface should be the OS vendor's first thought. Make as many features as possible optional, with the default as disabled. Then let users who want to use a feature enable it.