Microsoft Server Message Block Vulnerability
Overview
(CVE-2008-4037, MS08-068)
This remote code execution vulnerability results from the way the Windows file sharing protocol, Microsoft Server Message Block (SMB), handles NTLM credentials when a user connects to an attacker's SMB server. It allows the attacker to turn the user's own authentication back against the user's machine, creating an SMB reflection attack.
Details
This reflection attack is a type of man-in-the-middle attack. In the common form of man-in-the-middle attack, attackers insert themselves into the SMB session between a legitimate client and server, capture the authentication packets and relay them to the server in real time to obtain their own authenticated connection (the server's challenge is fresh for every session, so packets replayed later would not verify). The SMB reflection attack is a special kind of man-in-the-middle attack in which the client being tricked and the server being authenticated to are the same machine: the attacker reflects the victim's own challenge and response back at the victim.
How SMB Sessions Work
Microsoft Windows computers authenticate each other using the NTLM protocol, a challenge-response sequence in which the server generates a random 8-byte challenge and the client returns a response computed from that challenge and a hash of its password. The hash is a one-way function, and the password itself never crosses the wire. The client computes the response, the server computes the same value from the credentials it has stored, and if the two match the client is allowed access. Consider a normal SMB session setup between a client and a server:
- Client connects to Server.
- Server sends a challenge to Client.
- Client computes the response to the challenge and sends it to Server.
- Server performs the same calculation as the Client using the credentials it has stored.
- Server compares the response to its own calculated value. If the two match, the connection is a success.
How the Reflection Attack Works
During a Reflection attack, the session proceeds as follows:
1. The client (victim) initiates a connection to the server (attacker).
2. At this point, the attacker's system is supposed to send a challenge to the victim so the victim can authenticate. Instead, the attacker initiates a new connection to the victim.
3. The victim generates a challenge for the inbound connection from the attacker and sends it to the attacker.
4. The attacker takes the challenge received in Step 3 and sends it to the victim as the challenge for the connection the victim initiated in Step 1.
5. The victim computes the response to the challenge and sends it to the attacker.
6. The attacker takes the response received in Step 5 and returns it to the victim as the response for the connection initiated in Step 2. The victim verifies it against its own challenge and stored credentials, the values match, and the attacker holds an authenticated SMB session to the victim as that user.
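The following Python model is an added example, not part of the original advisory or Check Point's product code. It walks through the normal challenge-response session from the previous section and the six-step reflection above, with a `Gateway` class standing in for the SmartDefense check: it records the direction each challenge travelled and drops a challenge that comes straight back between the same two hosts. The hash and response functions are deliberate simplifications (assumed for this example): real NTLM derives the NT hash with MD4 over the UTF-16LE password and uses DES or HMAC-MD5 constructions for the response; here SHA-256 and HMAC-MD5 keep the one-way property that the attack and the defence both depend on. Host names, passwords and session labels are constructed.

```python
import hashlib
import hmac
import os


def nt_hash(password: str) -> bytes:
    """Stand-in for the NT hash (assumption of this example). Real NTLM uses
    MD4 over the UTF-16LE password; SHA-256 is substituted because MD4 is not
    always available in hashlib. Only the one-way property matters here."""
    return hashlib.sha256(password.encode("utf-16-le")).digest()


def challenge_response(password_hash: bytes, challenge: bytes) -> bytes:
    """Simplified NTLM response: a keyed one-way function of the 8-byte server
    challenge. Only a holder of the hash can produce it, and it is valid for
    this one challenge only, so a response captured earlier cannot be replayed."""
    if len(challenge) != 8:
        raise ValueError("NTLM challenge is 8 bytes")
    return hmac.new(password_hash, challenge, hashlib.md5).digest()


class Gateway:
    """Models the SmartDefense check: every challenge is remembered with the
    direction it travelled; the same challenge crossing in the reverse
    direction between the same two hosts is a reflection."""

    def __init__(self, mode="active"):
        self.mode = mode          # "active" drops, "monitor" only records
        self.seen = set()         # (src, dst, challenge)
        self.detections = []

    def inspect_challenge(self, src, dst, challenge) -> bool:
        """Return True if the challenge packet is forwarded, False if dropped."""
        if (dst, src, challenge) in self.seen:
            self.detections.append((src, dst, challenge.hex()))
            return self.mode != "active"
        self.seen.add((src, dst, challenge))
        return True


class Host:
    """A Windows host: SMB server (accounts, issued challenges) and SMB client
    (its own logon credential) in one box. The reflection works because the
    credential used outbound is also a valid local account inbound."""

    def __init__(self, name, password):
        self.name = name
        self.logon_hash = nt_hash(password)       # used when acting as client
        self.accounts = {name: self.logon_hash}   # checked when acting as server
        self.issued = {}                          # session -> challenge issued

    def new_challenge(self, session) -> bytes:
        self.issued[session] = os.urandom(8)
        return self.issued[session]

    def answer(self, challenge) -> bytes:
        return challenge_response(self.logon_hash, challenge)

    def verify(self, session, user, response) -> bool:
        expected = challenge_response(self.accounts[user], self.issued.pop(session))
        return hmac.compare_digest(expected, response)


def normal_session(gw, client, server) -> bool:
    """Legitimate session: server challenges, client answers, server compares."""
    session = f"{client.name}->{server.name}"
    ch = server.new_challenge(session)
    if not gw.inspect_challenge(server.name, client.name, ch):
        return False
    return server.verify(session, client.name, client.answer(ch))


def reflection_attack(gw, victim, attacker):
    """Steps 1-6 of the advisory. Returns (attacker_authenticated, dropped)."""
    inbound = f"{attacker.name}->{victim.name}"
    # Steps 1-2: victim connects to the attacker, who opens a connection back
    # instead of issuing a challenge of its own.
    # Step 3: victim issues a challenge for the inbound connection.
    ch = victim.new_challenge(inbound)
    gw.inspect_challenge(victim.name, attacker.name, ch)   # fresh, forwarded
    # Step 4: attacker reflects that challenge on the session the victim opened.
    if not gw.inspect_challenge(attacker.name, victim.name, ch):
        return False, True          # same challenge in both directions: dropped
    # Step 5: victim answers what is really its own challenge.
    resp = victim.answer(ch)
    # Step 6: attacker returns the response on the inbound connection.
    return victim.verify(inbound, victim.name, resp), False


if __name__ == "__main__":
    victim, attacker = Host("WS01", "Winter2008!"), Host("EVIL", "irrelevant")
    print("monitor mode:", reflection_attack(Gateway(mode="monitor"), victim, attacker))
    print("active mode: ", reflection_attack(Gateway(), victim, attacker))
```

Run stand-alone, the monitor-mode gateway lets the attack through and the victim accepts its own response, while the active gateway drops the reflected challenge at Step 4 before the victim ever answers. The check never fires on a legitimate session because each server draws a fresh random challenge, so the same value cannot appear on the reverse path by chance.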
Protection
SmartDefense can identify SMB reflection attacks: a challenge that a host issued for an inbound connection should never come back to that same host as the challenge for a connection it initiated. If the client and server exchange the same challenge, SmartDefense drops the connection.
To activate the protection:
- In the SmartDefense tab, click Application Intelligence > Microsoft Networks > Block SMB Reflection Attacks.
- In the configuration pane, under Settings > Mode, check Active.
- Install the policy on all modules.
For more information, see SBP-2008-12.
