
Research by Yang Yu, founder of Tencent’s Xuanwu Lab, has helped Microsoft patch a significant security issue in its implementation of the NetBIOS protocol that affected all existing Windows versions.

Yu found that an attacker can exploit this vulnerability to pose as a WPAD or ISATAP server and redirect all of the victim’s network traffic through a point under the attacker’s control. Network traffic here means not just Web HTTP and HTTPS, but also OS updates, software upgrades, Certificate Revocation List updates via Microsoft’s Crypto API, and other OS maintenance operations.

Yu writes that the attack can succeed even when there are firewall and NAT devices between the attacker and their target.

As UDP is a connectionless protocol, firewalls won’t stop the attack. UDP is used for establishing tunnels, which is where the name ‘BadTunnel’ comes from.

The attack doesn’t exploit any weakness in the protocol itself, only the way Microsoft implemented NetBIOS in Windows.

To give the attacker access, a user only has to open a file URI or UNC path (for example, a link or shortcut in an application). An attacker can exploit BadTunnel via Internet Explorer, Edge, Office, and other applications that support URI and UNC paths linking back to the attacker’s device. The attack can also be launched from a USB flash drive or a Web server.

The CVE-2016-3213 vulnerability is a cross-network NetBIOS spoofing attack that allows intercepting NetBIOS requests sent from the target to the attacker. Exploitation allows the attacker to respond to NetBIOS name requests and pretend to be a WPAD or ISATAP server.

Once the attacker has established itself as a valid WPAD or ISATAP server, there are several methods for maintaining persistence, even after the WPAD / ISATAP cache expires.

As Yang Yu says, attackers in control of someone’s HTTP traffic can periodically redirect users, without their knowledge, to tainted URI or UNC paths that lead back to the attacker’s host, reinitiating the attack. This is one of the methods through which an attacker can stay in a permanent man-in-the-middle position.

Microsoft stated that it corrected the way Windows handles proxy discovery.

The vulnerability remains exploitable on unsupported Windows operating systems such as XP, Windows Server 2003, and others, for which patches have not been released. On these and other unpatched systems, system administrators should disable NetBIOS.
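One way to apply the mitigation the article recommends for unpatched systems, as an added PowerShell example that is not part of the original article: it disables NetBIOS over TCP/IP on every interface through the standard NetBT registry keys and the WMI SetTcpipNetbios method, then reports any interface where it is still enabled. It assumes an elevated PowerShell session on the Windows host being hardened.

```powershell
# Added example (not from the article): disable NetBIOS over TCP/IP on every
# interface, then audit the result. Run in an elevated PowerShell session.
# NetbiosOptions values: 0 = take the setting from DHCP, 1 = enabled, 2 = disabled.

$NetBtInterfaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Disable-NetBiosOverTcpip {
    # One key per interface: NetBT\Parameters\Interfaces\Tcpip_{GUID}.
    # Setting the registry value covers adapters that are currently disconnected.
    Get-ChildItem -Path $NetBtInterfaces | ForEach-Object {
        Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
    }
    # Push the same setting to the live adapter configuration via WMI so it takes
    # effect without waiting for a reboot or a DHCP renewal.
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                -Arguments @{ TcpipNetbiosOptions = [uint32]2 } | Out-Null
        }
}

function Get-NetBiosStatus {
    # Returns one object per interface key with its current NetbiosOptions value,
    # suitable for review or for feeding into a compliance report.
    Get-ChildItem -Path $NetBtInterfaces | ForEach-Object {
        $opt = (Get-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' `
                    -ErrorAction SilentlyContinue).NetbiosOptions
        [pscustomobject]@{
            Interface      = $_.PSChildName
            NetbiosOptions = $opt
            Disabled       = ($opt -eq 2)
        }
    }
}

Disable-NetBiosOverTcpip
$status = Get-NetBiosStatus
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Disabled }) {
    Write-Warning 'NetBIOS over TCP/IP is still enabled on at least one interface.'
}
```

Interfaces that hold NetbiosOptions = 0 after the run are still taking the setting from DHCP, so re-run the audit after the next lease renewal if your DHCP scope hands out NetBIOS options.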

More details about the issue can be found in Yu’s upcoming presentation “BadTunnel: How Do I Get Big Brother Power?”

This is the review of an article.

Source: news.softpedia.com

Oksana Zybinskaya
Online Marketing Manager at StarWind. In touch with virtualization world, may know stuff you are interested in.