
BadTunnel Bug, which Hijacks Network Traffic and Affects All Windows Versions, has been patched by Microsoft

  • June 21, 2016
Online Marketing Manager at StarWind. In touch with virtualization world, may know stuff you are interested in.

The works of Yang Yu, founder of Tencent’s Xuanwu Lab, have helped Microsoft to patch a significant security issue in its implementation of the NetBIOS protocol that affected all Windows existing versions.

It was found that an attacker can exploit this vulnerability to pose as a WPAD or ISATAP server and redirect all of the victim’s network traffic through a point controlled by the attacker. Network traffic here means not just Web HTTP and HTTPS, but also OS updates, software upgrades, Certificate Revocation List updates via Microsoft’s Crypto API, and other OS maintenance traffic.

Yu writes that the attack can succeed even when there are firewall and NAT devices between the attacker and their target.

Because UDP is a connectionless protocol, firewalls won’t stop the attack. UDP is used for establishing the tunnel, which is where the name ‘BadTunnel’ comes from.

The attack doesn’t exploit any weakness in the protocol itself, only the way Microsoft implemented NetBIOS in Windows.

To give the attacker access, a user only has to open a file URI or UNC path (links and shortcuts in applications). An attacker can exploit BadTunnel via Internet Explorer, Edge, Office, and other applications that support URI and UNC paths which link back to the attacker’s device. The attack can also be performed from a USB flash drive or a Web server.

The CVE-2016-3213 vulnerability is a cross-network NetBIOS spoofing attack that allows intercepting NetBIOS requests sent from the target to the attacker. Exploitation allows the attacker to respond to NetBIOS name requests and pretend to be a WPAD or ISATAP server.

Once the attacker has established itself as a valid WPAD or ISATAP server, there are different methods for maintaining persistence, even after the WPAD / ISATAP cache expires.

As Yang Yu says, an attacker in control of someone’s HTTP traffic can periodically redirect the user, without their knowledge, to tainted URI or UNC paths that lead back to the attacker’s host, re-initiating the attack. This is one of the methods through which an attacker can stay in a permanent man-in-the-middle position.

Microsoft stated that it corrected the way Windows handles proxy discovery.

Exploitation points remain open for unsupported Windows operating systems such as XP, Windows Server 2003, and others, for which patches have not been released. On these and other unpatched operating systems, system administrators should disable NetBIOS.
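The attack relies on the victim accepting a NetBIOS name-service answer for WPAD or ISATAP that comes from a host outside its own network. As an added example that is not part of the original post or of Yu’s work, the following Python parses an NBNS positive name query response (RFC 1002 wire format) and flags answers for those two names whose source address lies outside the local subnet; the sample packet, the subnet and the source addresses are constructed for illustration.

```python
import ipaddress
import struct

# Names whose spoofed NBNS answers matter for BadTunnel (from the article).
WATCHED_NAMES = {"WPAD", "ISATAP"}

def encode_nb_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encode a NetBIOS name: pad to 15 bytes, append the suffix byte,
    then map each nibble to 'A'..'P' (RFC 1001 section 14.1)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    enc = bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))
    return b"\x20" + enc + b"\x00"          # label length 32, no scope, root label

def decode_nb_name(data: bytes, off: int):
    """Reverse of encode_nb_name; returns (name, suffix, offset after the name)."""
    n = data[off]
    enc = data[off + 1:off + 1 + n]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, n, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15], off + 1 + n + 1

def build_positive_name_response(txid: int, name: str, ip: str) -> bytes:
    """Constructed sample NBNS positive name query response (RFC 1002 section 4.2.13)."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)   # R=1, AA, one answer
    rdata = struct.pack("!H4B", 0x0000, *map(int, ip.split(".")))  # NB_FLAGS, NB_ADDRESS
    rr = encode_nb_name(name) + struct.pack("!HHIH", 0x0020, 0x0001, 300, len(rdata)) + rdata
    return header + rr

def find_spoofed_answers(packet: bytes, src_ip: str, local_net: str):
    """Return (name, answered_ip) pairs for WPAD/ISATAP answers that arrived from a
    source outside local_net, i.e. the cross-network answers BadTunnel depends on."""
    if len(packet) < 12:
        return []
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if not flags & 0x8000 or an == 0:       # only responses that carry answers
        return []
    off_net = ipaddress.ip_address(src_ip) not in ipaddress.ip_network(local_net)
    off, hits = 12, []
    for _ in range(an):
        name, _suffix, off = decode_nb_name(packet, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", packet[off:off + 10])
        off += 10
        rdata, off = packet[off:off + rdlen], off + rdlen
        if rtype != 0x0020:                  # only NB (address) records
            continue
        for i in range(0, rdlen, 6):         # each entry: 2-byte NB_FLAGS + 4-byte address
            nb_ip = ".".join(str(b) for b in rdata[i + 2:i + 6])
            if name in WATCHED_NAMES and off_net:
                hits.append((name, nb_ip))
    return hits
```

Feeding captured UDP/137 payloads and their source addresses through find_spoofed_answers gives a simple host- or sensor-side check; a hit means a proxy or ISATAP answer was accepted from a host that should never be answering for the local segment.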

More details about the issue can be found in Yu’s upcoming presentation “BadTunnel: How Do I Get Big Brother Power?”

This is the review of an article.
