Microsoft Live Account Credentials Leaking from Windows 8 and Above

[takkaria 4]

Hi,

not sure if there's already a thread on this exploit, I couldn't find one, if so please delete.

 

It seems Windows 8 and up is leaking login credentials (windows username/live email and hashed password) and vpn credentials if you are using IPsec, PPTP, L2TP.

For the exploit to work it's necessary to use Internet Explorer, Edge, or any application which use standard Windows API or Internet Explorer as a HTML renderer (Outlook, Explorer) and opening the prepared attack website.

 

Here's a nice write-up on the exploit:

https://medium.com/@ValdikSS/deanonymizing-windows-users-and-capturing-microsoft-and-vpn-accounts-f7e53fe73834#.6gxx24w7x

Included are tips on how to avoid the leak:

 

Another way is to block all SMB traffic to the internet using Windows firewall. 
Just black all traffic to TCP port 137, 139 and 445 except to the destination IP ranges:
192.168.0.0/16
169.254.0.0/16
172.16.0.0/12
10.0.0.0/8
fd00::/8
fe80::/10
 

 

It's also mentioned that "Some VPN providers have been told about this issue and most of them has fixed it by blocking access to SMB ports or by blocking it locally in their client software."

I tested with the newest experimental airvpn client and activated network lock and had credentials leak.

It'd be nice if you guys could look into that until there's patch from MS.

 

edit: the regedit fix seems to work fine, no leaks anymore on the test site

[Staff 9972]

Hello,

 

this is a Windows bug that must be fixed by Microsoft. You can use your firewall in the meantime. Our client software can help but of course we can't be charged with the duty to fix any possible Windows or other systems vulnerability. We will never insert anti-malware functions in an OpenVPN wrapper and for the same reason it would be questionable to insert code to patch extremely specific OS vulnerabilities. Modularity is important.

 

And apparently one should be quite idiot to be effectively exploited with this: you should use weak system password (otherwise the attacker can't rebuild your password from the hash), and use the same weak credentials on a variety of services around. Agreed that the average Windows user is not so smart, but in this case ValdikSS presumption (apparently) is that this user is unrealistically stupid.

 

 

I tested with the newest experimental airvpn client and activated network lock and had credentials leak.

 

 

 

You mean leak of HASH of your Windows system account password, right?

 

Kind regards

[takkaria 4]

Yes the hash of the system password is leaked, not the airvpn credentials! Sorry for the confusion!

[zhang888 1066]

The issue dates back to 1997 when LM and SMB were first introduced, and it is known to Microsoft ever since.

When you try to connect to a remote SMB share, Windows will try to auth using your domain credentials first.

This was done for usability in mind, so Microsoft classifies this behavior as an intended "feature" for years.

 

The only new surface here is that you can now setup a Microsoft account for it, but from Windows 7 and

above the hashing algorithm is NTLM and not LM, which will take much longer to crack.

This is one of the reasons why the hashes are not being cracked anymore when you attack Windows domains.

A technique called "pass the hash" is used in order to enroll the hash for various AD resources.

 

Microsoft accounts have also password complexity requirements when setting up the account. So this makes

the attack even harder to accomplish with 3 steps - phishing, victim use of IE/Edge/Outlook, NTLM cracking.

[OpenSourcerer 1435]

A quick test can be done with Valdik's WITCH

[go558a83nk 362]

crap.  my windows 10 machines don't use a microsoft account, just local user/pass.  at least as far as I know.  but that WITCH was able to tell me my login password in Edge.

 

I edited the registry and that fixed it.

[Guest]

crap.  my windows 10 machines don't use a microsoft account, just local user/pass.  at least as far as I know.  but that WITCH was able to tell me my login password in Edge.

 

I edited the registry and that fixed it.

 

Edited the registry for what?

 

 

Also this is an interesting one however unless you use anything but local user/pass I'd imagine this method is useless unless as Staff said if people use the same password and username for several services. I only have 3 default passwords, one protects my PC, another is for shit I don't care one bit about but still need to remember it, and the last one is the hardest of all my passwords which protect my Password database with over 200 generated passwords with at least 20 characters and digits in length

[go558a83nk 362]

 

crap.  my windows 10 machines don't use a microsoft account, just local user/pass.  at least as far as I know.  but that WITCH was able to tell me my login password in Edge.

 

I edited the registry and that fixed it.

 

Edited the registry for what?

 

 

Also this is an interesting one however unless you use anything but local user/pass I'd imagine this method is useless unless as Staff said if people use the same password and username for several services. I only have 3 default passwords, one protects my PC, another is for shit I don't care one bit about but still need to remember it, and the last one is the hardest of all my passwords which protect my Password database with over 200 generated passwords with at least 20 characters and digits in length

 

The link in the OP has a registry edit that prevents the "leak".