Reminder: IE, Edge, Outlook etc still cough up your Windows, VPN credentials to strangers

Microsoft software still leaks usernames and password information to strangers' servers – thanks to an old design flaw in Windows that was never properly addressed. These details can be used to potentially unmask VPN users and commandeer Windows accounts. They can be obtained simply by tricking victims into visiting malicious …

  1. toughluck

    Interesting

    I tried it in IE 8 under Windows 7, I got this unhelpful bit:

    No NTLM hash is leaked. Try to manually copy&paste file://witch.valdikss.org.ru/a to the address bar.

    (Works only on Windows with IE/Edge/Chrome)

    I tried to copy and paste the relevant bit, Internet Explorer says it can't be found.

    What am I doing wrong?

    1. CrashM

      Re: Interesting

      After it says file not found, go back.

      1. toughluck

        Re: Interesting

        Can't go back. It appears in a dialog: "Windows cannot find 'file://witch.valdikss.org.ru/a'. Check the spelling and try again."

        Looking at this, I can't help but think it's just a default configuration issue that should have been disabled for all ordinary users and made available for corporate types that would/should simply block smb protocol on the firewall going out, but hey, nothing like a good rap at Microsoft to brighten the day, wouldn't you agree?

    2. Anonymous Coward

      Re: Interesting

      Several possible reasons:

      1. Your network or computer is blocking NetBIOS ports (139, 445)

      2. You're using some additional software that prevents such requests from leaving your computer

      3. Certain Windows configurations seem to not leak the hash on this test. That doesn't mean that Windows is secure against this; both test sites (Valdik's and Perfect Privacy's) use a python script with rudimentary samba functionality. For some Windows configurations this may not work, but they might still leak the credentials if the resource was a full-blown samba server.

      1. Roland6 Silver badge

        Re: Interesting

        1. Your network or computer is blocking NetBIOS ports (139, 445)

        Arrh, Outpost Firewall v1.0 - back in circa 2002 - blocked the sending of NetBIOS/NetBEUI traffic to end systems not on the local LAN unless you explicitly enabled such communications...

        Also my cheap as chips Huawei 3G router also defaults to blocking NetBIOS/NetBEUI traffic to the internet. So I would suspect this is normal behaviour in today's routers that don't support dynamic configuration over the wire from Windows systems...

      2. CrazyOldCatMan Silver badge

        Re: Interesting

        > 1. Your network or computer is blocking NetBIOS ports (139, 445)

        Which should be the default for every home *DSL router that has a built-in firewall..

  2. ma1010 Silver badge
    FAIL

    Response time?

    So this problem has been known since 1997, although not considered a serious problem, it was something that should have been fixed, even so. And just HOW many versions of Windows have there been since 1997, BTW?

    According to the article, this became a potentially serious problem with the release of Windows 8, a few years ago. And it STILL is a problem. So, MS, just how many more years are your users supposed to wait for a fix, I wonder?

    1. streaky Silver badge

      Re: Response time?

      although not considered a serious problem, it was something that should have been fixed

      Well it's a bigger issue than ever now because of the tie in between your MSFT account and the desktop. Now it splurges the hash of your MSFT account hash over the internet for all to see and that's, y'know, risky.

    2. MrDamage

      Re: Response time?

      > And just HOW many versions of Windows have there been since 1997, BTW?

      Given that each version is supposedly written from the ground up, and yet the same flaws continue to exist in each version, my answer is one.

      1. LDS Silver badge

        Re: Response time?

        This is not a bug. It's a design decision. Windows is designed to try to authenticate automatically to file shares, because users don't like to be prompted for credentials.

        If both machines are in a trusted domain, Kerberos will be used (and no username and password is sent around). If they are not in a trusted domain (or, even in a domain, the IP is used instead of the FQDN), Windows will fall back to NTLM and try to authenticate. That's how, for example, most users access their home NAS.

        Is it an issue today? Yes, especially since now it can leak cloud credentials, and default firewall settings may not be safe enough.

        Anyway, only very naive people can believe any software can be rewritten truly from scratch each time.

        1. Mayhem

          Re: Response time?

          Yeah, if you read The Old New Thing blog at all, you soon learn that almost every unfixed legacy bug in a newer Windows OS is there deliberately, because when they fixed it, it broke something else that was relying on that behaviour to function. They frequently had to emulate specific bad behaviour to remedy institutional complaints. Raymond Chen was scathing about some of them, but since Windows has long prided itself on backwards compatibility between versions, it's a compromise they were forced to accept.

          I think that may be some of the outrage with Win8-10 - they've deliberately given up on a lot of backwards compatibility with DOS at last and that does finally break stuff.

          Apple took the same steps when they changed processor cores, they supported the old stuff for a while then made a clean break and removed the emulation.

        2. paulf Silver badge
          Flame

          Re: Response time?

          @ LDS

          "Anyway, only very naive people can believe any software can be rewritten truly from scratch each time."

          So why do Microsoft keep claiming that to be the case? You're not trying to suggest their marketing department are lying I hope? My faith in Microsoft would be shaken to its very core by such a suggestion.

          1. LDS Silver badge

            Re: Response time?

            Do you believe everything marketing says? Software gets rewritten, just you don't start from a blank screen every time. Large parts of Windows have been rewritten, just not all at once.

            Anyway, as already pointed out, even re-writing from scratch would not have resolved those issues. This is how SMB is designed to work. If you don't change the requirements and design - probably introducing compatibility issues - code will work the same way. This is not a software bug.

            Peer-to-peer authentication implies credentials have to be sent to the peer. Other systems need more actors, and are more complex. Should NTLM die? Probably. The issue is it is too widely used - not only by Windows, think how many systems rely on samba without a Windows domain.

            It's not that NFSv3 security is far better, for example... and it is still widely used instead of v4 for compatibility reasons as well. Even Apple preferred SMB as the default network file protocol over NFS.

            It is true browsers AFAIK don't try to mount an NFS share automatically.

            1. paulf Silver badge
              Facepalm

              Re: Response time?

              "Do you believe everything marketing says?" No - It's more like I believe nothing Sales and Marketing say unless it can be separately verified. Do you take every commentard's scribblings as serious? Perhaps I should have added a </sarcasm> to flag my deadpan delivery. PS I upvoted your original comment.

              1. LDS Silver badge
                Happy

                Re: Response time?

                Ah, OK. Thank you. The fact it was addressed at me explicitly made me think it was less sarcastic <G> Really need some vacations, just two days left!

      2. streaky Silver badge
        Alien

        Re: Response time?

        Given that each version is supposedly written from the ground up, and yet the same flaws continue to exist in each version, my answer is one.

        Because they write these bugs in intentionally to support old things and keep customers - they're worried that if they make their OS actually secure but break people's software that relies on these bugs, those customers might just start fresh. I think that's unreasonable and also have serious concerns about anybody who actually relies on a flaw like this; but I don't work for Microsoft.

        Intel and AMD do the same thing with CPUs - once a bug exists it tends to stay around unless it's completely game breaking. Problem is a lot of Microsoft's are issues in a security context and they still keep them around. Itanium was supposed to be a clean sweep of historical bugs that people rely on but we all know how that went - don't think Microsoft would ever try to emulate that unfortunate failure :)

        Also in my earlier comment I was supposed to write "hash of your MSFT account password".

    3. Anonymous Coward

      Re: Some would say...

      It is intentional.

      [Black Helicopter icon is reserved for those who log in and post unanonymously. However I thought I'd add some fun for those who can hack it in themselves. ;) ]

      1. Anonymous Coward Silver badge
        Black Helicopters

        Re: Some would say...

        Anonymous black helicopter for you.

  3. JassMan Silver badge
    FAIL

    Bollocks to security by obscurity

    This is INSECURITY by design. WTF? Why does SMB pass your credentials in the clear with just a simple hash of your password? Surely the entire authentication process should always be encrypted if passed over a network.

    1. LDS Silver badge

      Re: Bollocks to security by obscurity

      Encryption won't save you in this case. It's the malicious server that receives the username and hashed password, it's not a man-in-the-middle attack.

      SMB was designed to be a LAN protocol, it should be blocked at the firewall both incoming and outgoing. Local firewalls should allow SMB connections only to trusted networks.

      Still, SMB can use stronger settings (see, for example, Computer Configuration -> Windows Settings -> Security Options in any Group Policy editor). But most of them are set by default with settings to ensure interoperability with old versions of Windows. See, for example, "Restrict NTLM: Outgoing NTLM traffic to remote servers".

      The solution should be to treat all remote servers not in your domain(s) - in a domain authentication happens via Kerberos, not NTLM (unless you use an IP address directly) - as untrusted by default - but probably many users will start to complain they can no longer easily access their files on a NAS which probably uses a very simple samba setup...
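The two mitigations named in this thread (block outbound SMB at the firewall, and the "Restrict NTLM: Outgoing NTLM traffic to remote servers" policy) applied to a standalone Windows 10 client, as an added example that is not from the thread or from Microsoft's guidance. It assumes a non-domain machine, that the policy's backing registry value `RestrictSendingNTLMTraffic` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0` is used instead of gpedit, and a placeholder NAS hostname and probe host.

```powershell
# Added example, not from the comment thread. Run from an elevated PowerShell
# on a standalone (non-domain) Windows 10 client.

# 1. Block outbound SMB/NetBIOS session traffic (TCP 445, 139) to addresses
#    outside the local network. 'Internet' is the Windows Firewall dynamic
#    scope keyword for non-local addresses (assumed to match your LAN layout).
New-NetFirewallRule -DisplayName 'Block outbound SMB to Internet' `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 `
    -RemoteAddress Internet -Action Block -Profile Any -Enabled True

# 2. Restrict NTLM: start in audit mode so you can see which servers would be
#    affected before denying. This value backs the Group Policy setting
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
#    0 = allow all, 1 = audit all, 2 = deny all.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-ItemProperty -Path $lsa -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord

# 3. Keep the home-NAS case from the post working once you move to deny (2):
#    servers listed here are exempt. 'mynas.local' is a placeholder hostname.
Set-ItemProperty -Path $lsa -Name ClientAllowedNTLMServers `
    -Value @('mynas.local') -Type MultiString

# 4. Review the audit trail: event 8001 in the NTLM operational log records
#    each outgoing NTLM authentication that would be blocked under deny.
Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8001 } |
    Select-Object TimeCreated, Message

# 5. Verify the firewall rule: a TCP probe to port 445 on a non-local host
#    should now fail. 'public-host.example' is a placeholder (.example is a
#    reserved TLD, so this resolves nowhere and must be replaced to be useful).
$probe = Test-NetConnection -ComputerName 'public-host.example' -Port 445 -WarningAction SilentlyContinue
"Outbound 445 reachable: $($probe.TcpTestSucceeded)"   # expected: False
```

Once the 8001 events show only servers you recognise, change `RestrictSendingNTLMTraffic` to 2; a domain-joined machine should get the same settings through Group Policy rather than direct registry edits.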

  4. kars1997

    Unbelievable

    Just.... unbelievable.

    1. Keef

      Sorry kars1997 but you are so very wrong.

      It is believable, just believable.

  5. Anonymous Coward

    teh internets

    Hey IE, stop being "helpful". If I want to connect to an SMB share with my username and password, prompt me for the info (or at least give me the option to permanently store for that location).

    Oh, and Windows Explorer, while we're at it, if I want to go to a web site, I'll open my browser on my own. If I mistype something in the address bar, don't assume that I want to go to teh internets and I'm just too stooopid to get there on my own.

  6. Anonymous Coward
    Black Helicopters

    Windows for Warships won't work without it

    I really can't come up with any other reason. There must be some big customer behind it, if it has to be on by default.

    A registry setting to disable this behaviour exists!

    1. streaky Silver badge

      Re: Windows for Warships won't work without it

      I'd assume it's purely for backwards compat reasons, possibly even with samba.

      1. LDS Silver badge

        Re: Windows for Warships won't work without it

        I wonder if samba is affected too.

        1. streaky Silver badge

          Re: Windows for Warships won't work without it

          I wonder if samba is affected too

          It's affected by the fact that the protocol itself is shitty on unsecured (see: WAN) networks, the actual issue is a browser specific bug completely unrelated to SMB itself.

    2. ma1010 Silver badge
      Big Brother

      Re: Windows for Warships won't work without it

      I wonder just WHO that "Big" customer might be?

    3. Kane Silver badge
      Black Helicopters

      Re: Windows for Warships won't work without it

      "I really can't come up with any other reason. There must be some big customer TLA behind it, if it has to be on by default."

      You're welcome.

  7. Anonymous Coward

    A Web browser is for Web pages

    Not file shares. There. Design fail fixed.

    1. Anonymous Coward

      Re: A Web browser is for Web pages

      But what if the web page IS a file share and the file share is ALSO a web page? They're NOT mutually exclusive, you know?

      1. Anonymous Coward

        Re: A Web browser is for Web pages

        "But what if the web page IS a file share and the file share is ALSO a web page? They're NOT mutually exclusive, you know?"

        Then use a web browser for the web pages, and File Explorer for files.

        Microsoft browsers should not be taking credentials (used for local/domain authentication or remote VPN), and passing them to untrusted Internet based web pages just because that web page/SMB share on the internet asks for them!

        Microsoft obsession with 'everything on the desktop goes into the cloud' is making this worse not better.

        1. LDS Silver badge

          Re: A Web browser is for Web pages

          I may agree with you, but it's not a MS obsession. It's the obsession born when everything had to become a URL. Most browsers process far more than http(s):// - they may process mailto: ftp: about: and so on. If you look in the registry under HKCR\PROTOCOLS\Handler you will find the protocol handlers IE supports - you can write and register your own, if you need your own specific ones (once for leisure I implemented the rtfm:// handler, beside some needed for an application. It was very useful....!)

          Other browsers may have similar mechanisms. IMHO the problem is in the file protocol handler which is used to open local files (including web pages...) without the need of setting up an http server - it will probably try to access files on shares, and outside a domain it will trigger the default NTLM behaviour. You can even trigger it in a domain just using an IP address instead of an FQDN, probably.

      2. Wensleydale Cheese

        Re: A Web browser is for Web pages

        "But what if the web page IS a file share and the file share is ALSO a web page? They're NOT mutually exclusive, you know?"

        Exactly.

        A lot of products supply documentation as a bunch of html files, and it's extremely convenient to drop them to disk and browse from there, no web server required, and works totally offline.

    2. Ottman001

      Re: A Web browser is for Web pages

      A real fix requires that windows does not give credentials for server A to server B.

  8. jacksawild

    Screw you Redmond

    So the "solution" to this would be to use a password which is unlikely to be in any password dictionary.

    Not much of a solution, really.

    1. streaky Silver badge

      Re: Screw you Redmond

      The solution is to disable msft browsers sending these requests or as somebody else noted blocking smb from leaving the local network at the firewall.

  9. a_yank_lurker Silver badge

    Ouch

    It's been almost 20 years and no fix. And Slurp wants users to trust them with their credentials which are potentially leaked everywhere. From the article it seems as if this would be an easy flaw to exploit and could explain many security failures blamed on the hapless user.

    1. david 12 Bronze badge

      Re: Ouch

      >From the article it seems as if this would be an easy flaw to exploit and could explain many security failures blamed on the hapless user.<

      A feature possible to exploit NOW. Because (1) the hash can be cracked in a couple of hours now, and (2) the information can now be used to subvert your cloud account.

      (I don't see that it could have explained many security failures that were based on a hapless user.) (And neither did anyone else).

      The world has certainly changed in the last 5 years. Where once "single log in" was the aim, that has changed to "leave your devices logged in",

      1. Dead Parrot

        Re: Ouch

        >...the hash can be cracked in a couple of hours now...

        Well, that depends how strong the password is. I think most home users use passwords around the 6-7 letter mark (and re-use it for everything): Even with numbers in the mix that's only ever been a few minutes work with a decent NTLM rainbow table, and they've been around for 15+ years. Hell, just knowing that 8846F7EAEE8FB117AD06BDD830B7586C is the NTLM hash for "password" will open a few doors. This is why we have salt (but not at Redmond).

        1. streaky Silver badge

          Re: Ouch

          Strictly speaking it's why protocols tend to use nonces not salts (though technically speaking they're the same thing in some ways they work differently and are used for different purposes). Salts prevent dictionary attacks and nonces stop the hash being used in different contexts.

  10. Paul 129
    FAIL

    NSFW FACEPALM

    FAIL FAIL NTLANMANAGER FAIL OMG. I KNEW IT WAS DODGY BUT DIDNT LOOK HERE FAIL

    FAIL FAIL FAIL FAIL FAIL FAIL FAIL A BILLION TIMES FAIL!

    1. Paul 129

      Re: NSFW FACEPALM

      Oh hang on blocked by the standard SMB firewall rules....Oh that old thing....

      Yes it would affect a horde of home windows users.... YUK!

      FAIL FAIL FAIL FAIL FAIL FAIL FAIL a billion times (mitigated by most firewall products) fail

  11. Winkypop Silver badge
    Facepalm

    What the actual

    fuck!

  12. J J Carter Silver badge
    Boffin

    I'm calling FUD

    Detected OS = Windows 7 or 8 <<- Bzzt! Wrong, I'm on 10 Anniversary Edition

    No NTLM hash is leaked. Try to manually copy&paste file://witch.valdikss.org.ru/a to the address bar.

    (Works only on Windows with IE/Edge/Chrome)

    Nothing to see here.

    1. monty75

      Re: I'm calling FUD

      Same here. Tried it on Windows 7 and Windows 10. No NTLM hash for either.

  13. Anonymous Coward

    it's only a vulnerability if you use a stupidly simple password though

    "Plaintext password not found in our small dictionary"

    1. disgruntled yank Silver badge

      Re: it's only a vulnerability if you use a stupidly simple password though

      a. "[our] small dictionary."

      b. Then you trust their reassurance? Why?

  14. Pascal Monett Silver badge
    Facepalm

    "Microsoft released guidance to help protect customers and if needed, we’ll take additional steps"

    Microsoft released guidance - yeah, because all 350 million Win 10 users know about your guidance.

    if needed, we’ll take additional steps - hint : it's needed !!

    Foot meets bullet - again. This is karma for having stupidly decided to graft a browser into the OS for no technical reason whatsoever and not paying attention to the impact of internet-related bright ideas on core OS functionality.

    1. toughluck

      Is that limited to Windows?

      A couple of Linux DE file explorers will let you browse the Internet from the same interface as they use for local files.

  15. Oengus Silver badge

    What are these?

    OneDrive cloud storage, Office account, Xbox Live account, Bing search history, any associated Windows Mobile device, Outlook inbox, and Skype account.

    Wow another list of Internet services I don't have accounts with... I did have a Skype account for one project but stopped using it after the project finished.

    Windows 8 encouraged people to use their Microsoft cloud accounts to sign into their PCs, and Windows 10 made it the default.

    When I got a Windows 10 PC it wanted me to create a Microsoft account to log in. I deftly avoided that step.

  16. John Robson Silver badge

    Dirty network...

    Has SMB outbound blocked. To be fair it has most things blocked, I had to explicitly enable some streaming a little while ago.

  17. lvm

    NTML could've been a typo, had it not been used twice.

    1. Anonymous Coward

      I always use ROT13 twice to encrypt my data

  18. ntevanza

    Auth

    Use made-up outlook.com MS accounts on non-domain machines. There is also no need to tie them to Windows user accounts. This is common sense.

    Edit: this is common sense paranoia.

  19. Expat-Cat

    Settings?

    Default setting for IE is to turn this behaviour off for Internet zone connections, and on for Intranet zone.

    May explain why those who have tried the test site did not see anything wrong.

    Could still be an issue if you try on a potentially hostile network e.g. hotel, restaurant etc. if the PC decides the SMB connection is local.

  20. Anonymous Coward

    I'm pretty sure file:// links were blocked by default in the internet security zone previously because I've had to workaround it stopping intranet functionality. So when did that block get taken out of the default behavior?

  21. DaveNullstein

    In other news...

    ...if someone points a gun at your head and tricks you into pulling the trigger, you might die.

    Stop all the presses.

  22. Captain Scarlet Silver badge
    Coat

    we’ll take additional steps

    What you mean like providing a link to this guidance that I can't be bothered to Google?


Biting the hand that feeds IT © 1998–2019