SMBRelay Bible 4: SMB Relay with no action, or attacking security software (Kaspersky AV, Symantec DLP, GFI LanGuard 0-days)
When we talk about SMB Relay attacks, we describe attacker actions that aim to make server “A” initiate an NTLM authentication towards the attacker, which is then relayed to server “B”. In the end the attacker is successfully authenticated to server “B” with the account from server “A”. We have already described actions of this kind that trigger the authentication from server “A” through ERP functions or RDBMS stored procedures. There are many ways to make server “A” open an SMB connection to the attacker.
SMB Relay with no action
In this post I will talk about situations where the attacker does not have to do anything at all. In these cases server “A” opens the SMB connection by itself, without any manipulation by the attacker. How can that be? Very easily: large corporate networks often run a server with software that automatically scans the subnet for some purpose. This scan uses the SMB protocol and, of course, NTLM authentication. If the attacker’s host is in the same subnet, he can perform an SMB Relay. The attacker just needs to wait.
Which systems are affected? Any client-server system can be: a DLP server that talks to agents on workstations via SMB, an antivirus that tries to deploy its remote agent, and so on. Here are some real examples that confirm this.
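From the defender’s side, the useful consequence of the mechanism above is that a relayed logon leaves a trace on server “B”: the target records a network (type 3) NTLM logon of the scanner’s service account, but the source address is the relaying host, not the scanner. The following script is an added example (not code from the original post) that flags exactly that condition over constructed, simplified Windows Security 4624 records; the account name svc-scanner, the addresses and the key=value record format are assumptions for the example.

```python
"""Flag NTLM network logons of a scanning service account that do not
originate from the scanner host.  Added example: the records below are
constructed, simplified Windows Security 4624 events, not any product's
real log format."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    host: str          # computer that recorded the event (the target, "server B")
    event_id: int
    logon_type: int    # 3 = network logon (SMB, etc.)
    auth_package: str  # "NTLM", "Kerberos", "Negotiate"
    account: str       # TargetUserName, lower-cased for comparison
    source_ip: str     # IpAddress: where the authentication arrived from


def parse_event(line):
    """Parse one constructed 'key=value;key=value' record into a LogonEvent."""
    fields = dict(part.split("=", 1) for part in line.strip().split(";"))
    return LogonEvent(
        host=fields["Computer"],
        event_id=int(fields["EventID"]),
        logon_type=int(fields["LogonType"]),
        auth_package=fields["AuthenticationPackageName"],
        account=fields["TargetUserName"].lower(),
        source_ip=fields["IpAddress"],
    )


def find_relay_suspects(events, service_account, scanner_ips):
    """Return 4624 events where the scanner's service account performed an
    NTLM network logon from an address that is not the scanner itself.

    In a relay the target sees the relaying host's address in IpAddress, so
    an NTLM type-3 logon of the scanner account from anywhere else deserves
    an alert.  Kerberos logons are ignored: they cannot be relayed this way."""
    allowed = {ipaddress.ip_address(ip) for ip in scanner_ips}
    suspects = []
    for ev in events:
        if ev.event_id != 4624 or ev.logon_type != 3:
            continue
        if ev.account != service_account.lower():
            continue
        if ev.auth_package.upper() != "NTLM":
            continue
        if ev.source_ip in ("-", ""):  # no usable address to judge
            continue
        if ipaddress.ip_address(ev.source_ip) not in allowed:
            suspects.append(ev)
    return suspects


# Constructed sample records (assumed scanner host 10.0.1.5): it logs on to
# WS01 and WS02 normally; WS03 sees the same account arrive from 10.0.1.77.
SAMPLE_LOG = """\
Computer=WS01;EventID=4624;LogonType=3;AuthenticationPackageName=NTLM;TargetUserName=svc-scanner;IpAddress=10.0.1.5
Computer=WS02;EventID=4624;LogonType=3;AuthenticationPackageName=NTLM;TargetUserName=svc-scanner;IpAddress=10.0.1.5
Computer=WS03;EventID=4624;LogonType=3;AuthenticationPackageName=NTLM;TargetUserName=svc-scanner;IpAddress=10.0.1.77
Computer=WS03;EventID=4624;LogonType=2;AuthenticationPackageName=Negotiate;TargetUserName=jdoe;IpAddress=-
Computer=WS02;EventID=4624;LogonType=3;AuthenticationPackageName=Kerberos;TargetUserName=svc-scanner;IpAddress=10.0.1.5
"""


def analyse(log_text=SAMPLE_LOG, service_account="svc-scanner",
            scanner_ips=("10.0.1.5",)):
    """Parse the log text and return the suspicious events."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    return find_relay_suspects(events, service_account, scanner_ips)


if __name__ == "__main__":
    for ev in analyse():
        print(f"ALERT: {ev.account} NTLM network logon on {ev.host} "
              f"from {ev.source_ip} (expected scanner host only)")
```

The rule is deliberately narrow: one account, one known set of scanner addresses, NTLM only. Such a check is a detective control; the preventive ones are requiring SMB signing on the hosts being scanned and giving the scanning account no more rights than the scan needs.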
1. GFI LanGuard
It is a very useful tool for security administrators. The software collects all the information from a target using a domain account, and it also has a scheduler. If an administrator installs it on some server “A” and configures it to scan the subnet on a schedule (say, once a week) with an account that has local or (worse) domain admin rights, there is a loophole. A malicious user can run a fake SMB server on his PC and relay these credentials to get unfettered access to the network.
2. Kaspersky AV
This well-known antivirus software has a dangerous function, “Scan IP subnets”, which is enabled by default in Kaspersky Administration Kit (6/8). The function performs an ICMP scan and also tries to connect over SMB using the service account, which can be used to run an SMB Relay attack and gain full control over a “secured” network. With Kaspersky Administration Kit 6 it is difficult for an administrator to give the service account exactly the privileges the AV demands; after reading the documentation you end up deciding that this account needs to be in the local Administrators group. By default “Scan IP subnets” scans your subnet every 7 hours, so the attacker just needs to wait. Since the AV agent is everywhere and the server’s account has local administrator rights, this is very dangerous for a company but very useful for penetration testing. We have done some internal penetration tests using only this 0-day vulnerability.
Update, 16 March (just found on a current pentest)
3. Symantec DLP
Symantec DLP is also vulnerable to this attack when it searches workstations for critical data, but exploitability depends on the rights of the account used.
P.S. The Kaspersky vulnerability team has answered the bug report – http://support.kaspersky.com/faq/?qid=208284121
Good Luck!
Alexey Sintsov