BadTunnel Bug, which Hijacks Network Traffic and Affects All Windows Versions, has been patched by Microsoft

Posted by Oksana Zybinskaya on June 21, 2016

Work by Yang Yu, founder of Tencent's Xuanwu Lab, has helped Microsoft patch a significant security issue in its implementation of the NetBIOS protocol that affected all existing Windows versions.

Yu found that an attacker can exploit this vulnerability to pose as a WPAD or ISATAP server and redirect all of the victim's network traffic through a point the attacker controls. Network traffic here means not just Web HTTP and HTTPS, but also OS updates, software upgrades, Certificate Revocation List updates via Microsoft's Crypto API, and other OS maintenance traffic.

Yu writes that the attack can succeed even when there are firewall and NAT devices between the attacker and their target.

Because UDP is a connectionless protocol, firewalls won't stop the attack. UDP is used for establishing tunnels, which is where the name 'BadTunnel' comes from.

The attack doesn't exploit any weakness in the protocol itself, only the way Microsoft implemented NetBIOS in Windows.

To give the attacker access, a user only has to open a file URI or UNC path (for example, a link or shortcut in an application). An attacker can exploit BadTunnel via Internet Explorer, Edge, Office, and other applications that support URI and UNC paths linking back to the attacker's device. The attack can also be launched from a USB flash drive or a Web server.

The CVE-2016-3213 vulnerability is a cross-network NetBIOS spoofing attack that lets the attacker intercept NetBIOS requests sent from the target to the attacker's host. Exploitation lets the attacker answer NetBIOS name requests and pretend to be a WPAD or ISATAP server.

Once the attacker has presented himself as a valid WPAD or ISATAP server, there are several methods of maintaining persistence, even after the WPAD / ISATAP cache entry expires.

As Yang Yu explains, an attacker in control of someone's HTTP traffic can periodically redirect the user, without their knowledge, to tainted URI or UNC paths that lead back to the attacker's host, re-initiating the attack. This is one of the ways an attacker can keep a permanent man-in-the-middle position.

Microsoft stated that it corrected the way Windows handles proxy discovery.

The issue remains open on unsupported Windows operating systems such as XP, Windows Server 2003, and others, for which no patches have been released. On these and on any other unpatched systems, system administrators should disable NetBIOS.
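The following script is an added example, not code from the article or from Microsoft or Tencent, showing one way an administrator can carry out the mitigation above: audit the NetBIOS over TCP/IP setting on each interface, then disable it. It assumes an elevated PowerShell session on a Windows host with WMI available, that `Win32_NetworkAdapterConfiguration.SetTcpipNetbios` accepts 0 (default/DHCP), 1 (enabled) and 2 (disabled), and that the per-interface `NetbiosOptions` value lives under the `NetBT\Parameters\Interfaces` registry key; the function names are the example's own.

```powershell
# Added example (not from the article): audit and disable NetBIOS over TCP/IP on every
# IPv4-enabled interface, the mitigation recommended for hosts that cannot receive the
# CVE-2016-3213 fix. Run from an elevated PowerShell session.
# Assumption: SetTcpipNetbios takes 0 = default (DHCP), 1 = enabled, 2 = disabled.

$NetbiosDisabled = 2
$NetBTInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-NetbiosStatus {
    # Report the current NetBIOS setting per interface from the NetBT registry keys.
    Get-ChildItem $NetBTInterfaces | ForEach-Object {
        $opt = (Get-ItemProperty $_.PSPath).NetbiosOptions
        $state = switch ($opt) {
            0       { 'default (DHCP)' }
            1       { 'enabled' }
            2       { 'disabled' }
            default { 'unknown' }
        }
        [PSCustomObject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            State          = $state
        }
    }
}

function Disable-NetbiosOverTcpip {
    # Disable NetBIOS over TCP/IP through WMI on every adapter that has IP enabled.
    # Supports -WhatIf so the change can be previewed before it is applied.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    foreach ($a in $adapters) {
        if ($a.TcpipNetbiosOptions -eq $NetbiosDisabled) { continue }   # already off
        if ($PSCmdlet.ShouldProcess($a.Description, 'Disable NetBIOS over TCP/IP')) {
            $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                                  -Arguments @{ TcpipNetbiosOptions = $NetbiosDisabled }
            # ReturnValue 0 = success, 1 = success but a reboot is required
            '{0}: return code {1}' -f $a.Description, $r.ReturnValue
        }
    }
}

function Disable-NetbiosInRegistry {
    # Registry fallback for interfaces WMI does not list (e.g. disconnected adapters);
    # the setting takes effect for those interfaces after a reboot.
    Get-ChildItem $NetBTInterfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value $NetbiosDisabled -Type DWord
    }
}

Get-NetbiosStatus | Format-Table -AutoSize
Disable-NetbiosOverTcpip -WhatIf     # drop -WhatIf to apply the change
Get-NetbiosStatus | Format-Table -AutoSize
```

Run `Get-NetbiosStatus` first to see which interfaces still answer NetBIOS name requests, apply `Disable-NetbiosOverTcpip` (without `-WhatIf`) once the output looks right, and use `Disable-NetbiosInRegistry` for any interface the WMI query did not return. Because the setting is per interface, re-run the audit after adding adapters or VPN profiles, which otherwise come up with the default (DHCP-controlled) value.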

More details about the issue can be found in Yu's upcoming presentation "BadTunnel: How Do I Get Big Brother Power?".

This post is a review of an article.


Oksana Zybinskaya
Online Marketing Manager at StarWind. In touch with the virtualization world, and may know stuff you are interested in.