The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability alert 16611

Microsoft Windows: credentials disclosure via HTTP redirections

Synthesis of the vulnerability

An attacker who controls both an HTTP server used by an application program based on urlmon.dll and a CIFS server can use HTTP redirections to get encrypted user credentials.
Impacted products: Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows RT, Windows Vista, Windows XP.
Severity of this bulletin: 2/4.
Consequences of an intrusion: data reading.
Hacker's origin: intranet client.
Creation date: 15/04/2015.
References of this threat: VIGILANCE-VUL-16611, VU#672268.

Description of the vulnerability

Microsoft Windows offers a library urlmon.dll that provides an HTTP client.

This client follows HTTP redirections. However, it does so even if the URL scheme is changed from "http" to "file". So, when the redirection target is an SMB/CIFS server, the client automatically sends the user credentials (user name and password hash) to the CIFS server.

An attacker who controls both an HTTP server used by an application program based on urlmon.dll and a CIFS server can therefore use HTTP redirections to get encrypted user credentials.
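The missing check, as an added example that is not code from the bulletin or from Microsoft: a redirect-following client should resolve the Location header and refuse any target whose scheme is not http/https (a "file" URL or a UNC path would open an SMB session), and the same rule can be run over proxy logs to spot such redirects. The log lines, host names and addresses below are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Schemes a web client may be redirected to. "file" is deliberately absent:
# on Windows a file://server/share URL opens an SMB/CIFS session to "server",
# and the client authenticates with the logged-on user's credentials.
ALLOWED_SCHEMES = {"http", "https"}


def redirect_verdict(request_url: str, location: str) -> tuple[str, str]:
    """Resolve a Location header against the requested URL, as a client
    would, and decide whether following it is safe.
    Returns ("follow", resolved_url) or ("block", resolved_url)."""
    loc = location.strip()
    # A bare UNC path is an SMB target; reject it before urljoin(), which
    # would otherwise treat "\\server\share" as a relative path.
    if loc.startswith("\\\\"):
        return "block", loc
    target = urljoin(request_url, loc)
    scheme = urlsplit(target).scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return "block", target
    return "follow", target


# Constructed proxy-log lines (not real data): request URL, status, Location.
SAMPLE_LOG = """\
http://intranet.example/report.cgi\t302\thttps://intranet.example/report.html
http://intranet.example/update.cgi\t302\tfile://10.0.0.5/share/update.exe
http://intranet.example/img/\t301\t/img/index.html
http://intranet.example/doc\t302\t\\\\fileserver.example\\pub\\doc.pdf
"""


def scan_redirect_log(log_text: str) -> list[tuple[str, str]]:
    """Return (request_url, resolved_target) for every redirect in the log
    that a hardened client would refuse to follow."""
    flagged = []
    for line in log_text.splitlines():
        request_url, status, location = line.split("\t", 2)
        if not status.startswith("3"):
            continue  # not a redirect
        verdict, target = redirect_verdict(request_url, location)
        if verdict == "block":
            flagged.append((request_url, target))
    return flagged


if __name__ == "__main__":
    for url, target in scan_redirect_log(SAMPLE_LOG):
        print(f"blocked redirect: {url} -> {target}")
```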
