The works of Yang Yu, founder of Tencent’s Xuanwu Lab, have helped Microsoft to patch a significant security issue in its implementation of the NetBIOS protocol that affected all Windows existing versions.

It was found out that the attacker can exploit this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim’s network traffic through a point controlled by the attacker. Network traffic here means not just Web HTTP and HTTPS, but also OS updates, software upgrades, Certificate Revocation List updates via Microsoft’s Crypto API, and other OS maintenance

Yu writes that the attack can succeed even when there are firewall and NAT devices between the attacker and their target.

As UDP is a connectionless protocol, firewalls won’t stop the attack.  UDP is used for establishing tunnels, which is where the ‘BadTunnel’ comes from.

The attack doesn’t exploit any weaknesses in the protocol itself, but only how Microsoft implemented the NetBIOS in Windows.

In order to provide the attacker with an access, a user just has to access a file URI or UNC path (links and shortcuts in applications). An attacker can exploit BadTunnel via Internet Explorer, Edge, Office, and other applications that support URI and UNC paths which link back to the attacker’s device. The attack can also be performed from a USB flash drive or a Web server.

The CVE-2016-3213 vulnerability is a cross-network NetBIOS spoofing attack that allows intercepting NetBIOS requests sent from the target to the attacker. Exploitation allows the attacker to respond to NetBIOS name requests and pretend to be a WPAD or ISATAP server.

Once the attacker has presented himself as a valid WPAD or ISATAP server, there are different methods for maintaining persistence, even after the WPAD / ISATAP cache gets expired.

As Yang Yu says, attackers that are in control of someone’s HTTP traffic can periodically redirect users, without their knowledge, to tainted URI or UNC paths that lead back to the attacker’s host, reinitiating the attack. This is one of the methods through which an attacker can stay in a permanent middle-man position.

Microsoft declared that it corrected they way how Windows handles proxy discovery.

Exploitation points remain open for non-supported Windows operating systems such as XP, Windows Server 2003, and others, for which patches have not been released. For these and other not-updated operating systems NetBIOS should be disabled by system administrators.

More details about the issue can be found in Yu’s coming presentation  “BadTunnel: How Do I Get Big Brother Power?

This is the review of an article.



Back to blog