Yang Yu, founder of the Tencent Xuanwu Lab, has collaborated with Microsoft to patch a major security flaw. A bug in the Windows implementation of the NetBIOS protocol affected all versions of the Windows OS.
The vulnerability gave attackers an opportunity to redirect all of a victim's network traffic through a point under their control by posing as a WPAD or ISATAP server. Mr. Yu explained that the flaw affected all traffic: Web HTTP and HTTPS, software upgrades, system updates, Certificate Revocation List updates via Microsoft's Crypto API, and other OS maintenance tasks.
BadTunnel is not stopped by firewalls
In a preview given to Softpedia, Yu elaborated that "It does not require the attacker [to] reside in the same network. The attack can even succeed when there are firewall and NAT devices in between."
The researcher went on to explain the origin of the BadTunnel name: "Firewalls won't stop the attack, because UDP is a connectionless protocol. We are using it to establish a tunnel. That is why it is named 'BadTunnel'."
An unusual aspect of this attack is that it does not exploit a weakness in the protocol itself; the core of the problem lies in the Windows implementation of NetBIOS. To get at a user's system, the attacker only needs the user to access a file URI or a UNC path. Getting the user to click a link or shortcut from an application is enough to open the door. Any program that supports URI or UNC paths is a viable vector; Internet Explorer, Microsoft Edge and the Office package are prime examples. Yang Yu explains that the bug can also be triggered through vectors other than software, USB flash drives and Web servers for example.
Fake NetBIOS requests pose as WPAD and ISATAP servers
NetBIOS is a standard protocol used in many operating systems to enable communication between computers on a local network. WPAD stands for Web Proxy Auto-Discovery, a protocol used to distribute a common proxy configuration across a network. ISATAP stands for Intra-Site Automatic Tunnel Addressing Protocol and is classified as an IPv4-to-IPv6 transition mechanism.
The CVE-2016-3213 vulnerability allows an attacker to embed URI and UNC paths that link back to his device. This cross-network NetBIOS spoofing attack makes it possible to intercept the NetBIOS requests that the victim sends to the attacker's host.
Exploiting that vulnerability, an attacker can pose as a WPAD or ISATAP server and answer the victim's NetBIOS name requests.
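The following is an added example for the behaviour described above; it is not code from the article, from Microsoft or from Tencent Xuanwu Lab. It parses NetBIOS Name Service (NBNS, UDP port 137) positive name responses and applies a defender's detection rule to the symptom BadTunnel relies on: a NetBIOS answer for the WPAD or ISATAP name that arrives from outside the local network segment, where a LAN-only protocol should never be answered from. The packets, IP addresses, the local subnet and the function names are all constructed for this example.

```python
import ipaddress
import struct

# Added example, not code from the article, Microsoft or Tencent Xuanwu Lab.
# Parses NBNS positive name responses and flags answers for WPAD/ISATAP,
# distinguishing same-segment answers from the cross-network BadTunnel pattern.
# Every packet, address and subnet used here is a constructed sample value.

SENSITIVE_NAMES = {"WPAD", "ISATAP"}   # names an attacker would want to answer for
NB_TYPE = 0x0020                        # NBNS resource record type "NB"
IN_CLASS = 0x0001                       # class IN
RESPONSE_FLAGS = 0x8500                 # response, opcode QUERY, AA and RD set


def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: pad the name to 15 bytes, append the suffix byte,
    then emit each nibble as a letter 'A'..'P', wrapped as a 32-byte label."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    encoded = bytearray()
    for byte in raw:
        encoded.append(0x41 + (byte >> 4))
        encoded.append(0x41 + (byte & 0x0F))
    return bytes([32]) + bytes(encoded) + b"\x00"   # length, label, terminator


def decode_netbios_name(label: bytes) -> str:
    """Reverse first-level encoding; drop the suffix byte and space padding."""
    if len(label) != 32 or any(c < 0x41 or c > 0x50 for c in label):
        raise ValueError("malformed NetBIOS label")
    raw = bytes(((label[i] - 0x41) << 4) | (label[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii")


def build_positive_name_response(name: str, answer_ip: str, txid: int = 0x1234) -> bytes:
    """Constructed NBNS positive name query response carrying one NB record."""
    header = struct.pack(">HHHHHH", txid, RESPONSE_FLAGS, 0, 1, 0, 0)
    nb_flags = 0x0000   # B-node, unique name
    rdata = struct.pack(">H4s", nb_flags, ipaddress.IPv4Address(answer_ip).packed)
    record = struct.pack(">HHIH", NB_TYPE, IN_CLASS, 300, len(rdata)) + rdata
    return header + encode_netbios_name(name) + record


def parse_name_response(packet: bytes):
    """Return (name, answer_ip) for an NBNS positive name response, else None.
    Assumes names without a NetBIOS scope ID (a single 32-byte label)."""
    if len(packet) < 12:
        return None
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack(">HHHHHH", packet[:12])
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    rcode = flags & 0xF
    if not is_response or opcode != 0 or rcode != 0 or ancount < 1:
        return None
    pos = 12
    for _ in range(qdcount):           # skip any echoed question entries
        if pos >= len(packet) or packet[pos] != 32:
            return None
        pos += 34 + 4                  # label (1+32+1) + QTYPE + QCLASS
    if len(packet) < pos + 34 + 10 or packet[pos] != 32 or packet[pos + 33] != 0:
        return None
    try:
        name = decode_netbios_name(packet[pos + 1:pos + 33])
    except ValueError:
        return None
    pos += 34
    rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", packet[pos:pos + 10])
    pos += 10
    if rtype != NB_TYPE or rclass != IN_CLASS or rdlen < 6 or len(packet) < pos + 6:
        return None
    _nb_flags, addr = struct.unpack(">H4s", packet[pos:pos + 6])
    return name, str(ipaddress.IPv4Address(addr))


def classify_nbns_answer(src_ip: str, packet: bytes, local_net: str):
    """Detection rule: any positive answer for WPAD/ISATAP deserves a look; one
    sourced from outside local_net is the cross-network BadTunnel pattern.
    Returns (name, "cross-network" | "same-segment") or None."""
    parsed = parse_name_response(packet)
    if parsed is None or parsed[0] not in SENSITIVE_NAMES:
        return None
    origin = ("same-segment"
              if ipaddress.ip_address(src_ip) in ipaddress.ip_network(local_net)
              else "cross-network")
    return parsed[0], origin


if __name__ == "__main__":
    local_net = "192.168.1.0/24"   # assumed local segment of the monitored host
    observations = [               # constructed (source IP, UDP/137 payload) pairs
        ("192.168.1.20", build_positive_name_response("FILESRV", "192.168.1.20")),
        ("192.168.1.50", build_positive_name_response("WPAD", "192.168.1.50")),
        ("203.0.113.7", build_positive_name_response("WPAD", "203.0.113.7")),
        ("198.51.100.9", build_positive_name_response("ISATAP", "198.51.100.9")),
    ]
    for src, payload in observations:
        verdict = classify_nbns_answer(src, payload, local_net)
        if verdict:
            print(f"ALERT {src}: NetBIOS answer for {verdict[0]} ({verdict[1]})")
```

The same-segment case is reported as well because a WPAD or ISATAP answer from a host that is not the organisation's real proxy or tunnel endpoint is the classic local WPAD hijack; the cross-network case is what distinguishes BadTunnel. In a real deployment the payloads would come from a capture of UDP port 137 traffic rather than from the constructed list.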
BadTunnel attacks can persist indefinitely
According to Yang Yu, once the attacker has established himself as a valid WPAD or ISATAP server he can maintain persistence, continuing to have access even after the WPAD or ISATAP cache has expired.
One way for the attacker to keep that access is to redirect the user to a malicious URI or UNC path by controlling the HTTP traffic. Once he controls the HTTP traffic, he can issue periodic redirects that re-trigger the attack, giving him a permanent man-in-the-middle (MitM) position. The user will not notice the redirects.
Microsoft issued a statement explaining the details of the problem. The company said the vulnerability is caused by the way Windows operating systems handle NetBIOS hostname discovery requests. In MS16-077, Microsoft announced that its engineers had changed "how Windows handles proxy discovery."
The patch is available, yet many systems remain at risk
Neither Microsoft nor Mr. Yu was aware of any exploits taking advantage of this flaw. The flaw is nonetheless a concern for end users, and anyone who has been postponing the update is advised to install it now.
Note that no patch has been developed for some Windows versions. While supported versions of Microsoft's operating system have been fixed, unsupported ones remain at risk. If you are running Windows XP, Windows Server 2003 or other early versions, you should have your system administrator disable the NetBIOS protocol.
Yu is scheduled to participate in the upcoming Black Hat USA security conference. In his presentation, “BadTunnel: How Do I Get Big Brother Power?”, Mr. Yu will further discuss this issue.
Yang Yu highlighted that BadTunnel allows cyber criminals anywhere in the world to attack from a remote location. The researcher compared it with earlier WPAD hijacking waves in 1999, 2007 and 2012, the last of them carried out by the Flame worm. In all of those cases the attacker had to be present on the same network segment; the current bug allows the attack to be launched from any location.