Pierluigi Paganini June 21, 2016

The Chinese researcher Yang Yu, director of Xuanwu Lab of Tencent has discovered a design flaw in Microsoft Windows that affects all versions of the popular operating system. The vulnerability could allow an attacker to hijack a target organization’s network traffic, experts at Microsoft called it BadTunnel.

Microsoft has already patched the BadTunnel that according to Yang Yu has the widest impact in the history of Windows.

Yu told to DarkReading that the flaw affects all the Microsoft Windows versions and it could be silently exploited through many different channels. BadTunnel can be triggered via all versions of Microsoft Office, Edge, Internet Explorer, via IIS and Apache Web servers, via a thumb drive, and also through a number of third-party apps on Windows.

The BadTunnel results from a combination of issues that could allow attackers to launch an exploit.

“This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific issue for an exploit.” Yu explained to DarkReading “This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices,” 

The expert classified the BadTunnel as a technique for NetBIOS-spoofing across networks, this means that the attacker can leverage on it to get access to network traffic without being on the victim’s network. The technique is very insidious and difficult to the attack is difficult to detect because it doesn’t involve malicious code and allows to bypass firewall and Network Address Translation (NAT) devices.

The attack scenario is very simple, the attacker just needs to trick victims into visit a malicious web page via IE or Edge, or to open a specifically crafted Office document. The website used by the attackers will appear as either a file server or a local print server, meantime it will allow the hijacking of the victim’s network traffic.

Then all the victim’s traffic is hijacked, including Windows Updates and Certificated Revocation List updates.

Below the attack scenario described by Yu:

• Alice and Bob can be located anywhere on their network, and have firewall and NAT devices in-between, as long as Bob’s 137/UDP port is reachable by Alice.
• Bob closes 139 and 445 port, but listens on 137/UDP port.port, but listens on 137/UDP port.
• Alice is convinced to access a file URI or UNC path that points to Bob, and another hostname based URI such as “http://WPAD/x.jpg” or “http://FileServer/x.jpg”. Alice will send a NBNS NBSTAT query to Bob, and also send a NBNS NB query to the LAN broadcast address.
• If Bob blocks access to 139 and 445 port using a firewall, Alice will send a NBNS NBSTAT query after approximately 22 seconds. If Bob instead closed 139 and 445 port by disabling Server Windows service or NetBIOS over TCP/IP protocol, Alice donot needdo to wait for connection to time sendout before the query.
• When Bob received NBNS NBSTAT query sent by Alice, Bob forge a NBNS NB response by predicting the transaction id, and send to Alice. If a heartbeat packet is sent every few second, most firewall and NAT devices will keep the 137/UDP<->137/UDP tunnel open.
• Alice will now add the resolved address sent by Bob to the NBT cache. The default TTL for NBT cache entry is 600 seconds.
• Bob then hijacks Alice’s network traffic by posing as a Web Proxy Auto-Discovery Protocol (WPAD) or Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) server. WPAD hijacking is nothing new, Yu notes: HD Moore & Valsmith presented research on this in 2007 at Black Hat USA, and the Flame worm employed a similar attack method.

[adrotate banner=”9″]

Pierluigi Paganini

Security Affairs – (BadTunnel, Microsoft Windows )