web application security lab

SMBEnum

I’m going to do a small series of posts about a bunch of the topics Jabra and I covered in our presentation on Sunday at DefCon, since we had a ton to cover and a lot of it probably deserves a permanent home on the web where people can look at it and talk about it if need be. Slide-deck form alone probably isn’t good enough, either. Anyway, one of the things we discussed was a way to enumerate certain types of files on Windows from within Internet Explorer. This is almost exactly the same issue as Gregory R. Panakkal’s sysimage disclosure from 2004, for those of you who remember your browser history, except that this variant does not use sysimage, but SMB.

If you’ve got Internet Explorer you can check out an example here. Jabra has since ported it into Wade’s BeEF as well. This isn’t extremely good at enumerating the entire system, because it can only find images, CSS, JavaScript and the like. Other types of files don’t leak cross-zone information, or at least there is no well-known way to make them do so. The point is that you can get somewhat granular with SMBEnum, and then use another, more granular method like David Byrne’s res timing attack, or my version without JavaScript, to detect non-image files. You can’t reliably use res timing for much on its own, though, because it’s too slow. But by combining the two an attacker can pretty quickly enumerate the programs on a system. Why is that useful? Well, the attacker can launch highly targeted attacks once they know the user has certain programs installed.

Anyway, it’s my opinion that if sysimage needed to be fixed, SMBEnum needs to be fixed too, since they provide virtually the same insights into a computer using the same basic technique. Either way, it seemed bad enough to me that I thought it was worth writing up a tool to do it. You’ll note that it works differently on different systems, and there may be a way to optimize it, but I didn’t bother. There are also a lot of images associated with lots of programs that I didn’t add in, but you get the basic idea.
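From the defender’s side, the tell-tale shape of an SMBEnum-style page is a batch of subresources (images, stylesheets, scripts) whose URLs point at the local file system or a file share rather than at the web. The following script is an added example, not code from the post or from the SMBEnum tool, that pulls those references out of an HTML document (as a proxy or a page-inspection job might) and flags the page when several of them appear; the sample page, the `127.0.0.1\c$` share paths, the program names and the `threshold` of three local references are all constructed for the illustration. It treats UNC paths, `file:` URLs and IE’s `res:` URLs as local references, which also covers the res timing channel the post mentions.

```python
"""Flag HTML pages whose subresources point at local or UNC paths (SMBEnum-style probes).

Added example; assumptions: the tag/attribute table below, the regular expression
for "local" references, and the sample HTML are all constructed for this illustration.
"""
import re
from html.parser import HTMLParser

# Tag/attribute pairs a browser fetches automatically as subresources: the channels the
# post describes (images, CSS, JavaScript) plus a few that behave the same way.
SUBRESOURCE_ATTRS = {
    ("img", "src"), ("script", "src"), ("link", "href"),
    ("input", "src"), ("embed", "src"), ("object", "data"),
}

# Reference forms that make the browser touch a file share or the local disk instead of
# the web: UNC paths (\\host\share\...), file: URLs and IE's res: URLs.
LOCAL_REF = re.compile(r"^\s*(?:\\\\|file:|res:)", re.IGNORECASE)


class SubresourceCollector(HTMLParser):
    """Collects every subresource reference found in start tags."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names already.
        for name, value in attrs:
            if value and (tag, name) in SUBRESOURCE_ATTRS:
                self.refs.append(value.strip())
    # Self-closing tags (<img .../>) reach handle_starttag via handle_startendtag.


def local_subresources(html):
    """Return the subresource references that point at local/UNC/res: locations."""
    parser = SubresourceCollector()
    parser.feed(html)
    parser.close()
    return [ref for ref in parser.refs if LOCAL_REF.match(ref)]


def probed_target(ref):
    """Best effort: strip the transport prefix so a log line shows what was probed."""
    ref = ref.strip()
    lowered = ref.lower()
    if lowered.startswith("res://"):
        # res://<module path>/<resource name>: the module path is what is being probed.
        return ref[6:].split("/", 1)[0]
    if lowered.startswith("file:"):
        return re.sub(r"^file:/*", "", ref, flags=re.IGNORECASE)
    if ref.startswith("\\\\"):
        parts = ref[2:].split("\\", 2)  # host, share, remainder
        return parts[2] if len(parts) == 3 else ref
    return ref


def classify(html, threshold=3):
    """Summarise a page: which local references it carries and whether it looks like a probe."""
    refs = local_subresources(html)
    return {
        "local_refs": refs,
        "targets": [probed_target(r) for r in refs],
        "count": len(refs),
        "probe": len(refs) >= threshold,
    }


# Constructed sample page: one legitimate image plus four local-resource probes.
SAMPLE_HTML = """<html><body>
<img src="http://example.test/logo.png">
<img src="\\\\127.0.0.1\\c$\\Program Files\\SomeApp\\app.gif" onerror="note('SomeApp')">
<link rel="stylesheet" href="file:///C:/Program Files/OtherApp/skin.css">
<script src="\\\\127.0.0.1\\c$\\Program Files\\ThirdApp\\lib.js"></script>
<img src="res://C:\\Windows\\notepad.exe/ICON">
</body></html>"""

if __name__ == "__main__":
    result = classify(SAMPLE_HTML)
    print("probe" if result["probe"] else "clean", result["count"], "local references")
    for target in result["targets"]:
        print("  probed:", target)
```

Run as a script it reports the sample page as a probe with four local references and lists the four paths being checked, which is the information an analyst wants: not just that a page is fingerprinting the client, but which programs it is looking for. The regular expression is deliberately narrow (it does not flag protocol-relative `//host/path` URLs, which are legitimate on the web), so expect to tune it; and the detection only sees the page, so blocking outbound SMB (TCP 445) at the network edge remains the mitigation that removes the SMB leg regardless of what the page contains.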

One Response to “SMBEnum”

  1. le renard volant Says:

    Some time ago (nearly a year), I found a design flaw in Windows Media Player 11 that has a similar impact. The design flaw allows a remote attacker to determine the presence of local files (programs, documents, etc.). I sent an e-mail to Microsoft but they never responded…

    Windows Media Player permits opening locally stored media files. Opening unsupported files usually provokes an error message. By a simple HTTP redirect, the error message can be circumvented. Local files can be opened. The file-opening procedure can be controlled with the “Player.OpenStateChange Event”. If a file exists, event 8 (“MediaChanging”) is fired. This way, via JavaScript, a malicious web site could determine the presence of local (and remote) files.

    I’ve set up a demo page at: http://lrv.bplaced.net/wmp/wmp.php
    Additional info (in German): http://lrv.bplaced.net/?p=1

    P.S.: Nice blog! The “Vulnerability Lab” is very interesting.