BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions

Alkajak (Thread author)
The research of Yang Yu, founder of Tencent's Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.

Yu says the attacker can leverage this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim's network traffic through a point controlled by the attacker.

By network traffic, Yu refers to all traffic, not just Web HTTP and HTTPS. This includes OS updates, software upgrades, Certificate Revocation List updates via Microsoft's Crypto API, and other OS maintenance operations.

Firewalls won't stop BadTunnel
"It does not require the attacker [to] reside in the same network," Yu writes in a technical preview offered to Softpedia. "The attack can even succeed when there are firewall and NAT devices in between."

The reason why firewalls won't stop the attack is because they are intentionally designed to open port 137 used for NetBIOS name discovery requests.

The attack, named BadTunnel, doesn't exploit any weaknesses in the protocol itself, but only how Microsoft implemented the NetBIOS in its OS.

All that's needed is some simple social engineering. The attacker only needs to convince a user to access a file URI or UNC path (links and shortcuts in applications). Yu says an attacker can exploit BadTunnel via Internet Explorer, Edge, Office, and other applications that support URI and UNC paths. Exploitation is not limited to software, and the attack can also be performed from a USB flash drive or a Web server.

Spoofing NetBIOS requests to pass as a WPAD or ISATAP server
The attacker embeds URI and UNC paths that link back to his device. The vulnerability, CVE-2016-3213, is a cross-network NetBIOS spoofing attack that allows an attacker to intercept NetBIOS requests sent from the victim to his host.

Exploitation allows the attacker to respond to NetBIOS name requests and masquerade as a WPAD or ISATAP server.

NetBIOS is a standard protocol found in many operating systems that was developed to allow computers to talk over a local network. WPAD stands for Web Proxy Auto-Discovery and is a protocol used to broadcast common proxy configurations across a network. ISATAP stands for Intra-Site Automatic Tunnel Addressing Protocol, and is an IPv4-IPv6 transition mechanism.

BadTunnel attacks can persist indefinitely
Once the attacker has established himself as a valid WPAD or ISATAP server, Yu says there are different methods through which he can maintain persistence, even after the WPAD / ISATAP cache expires.

Yu says that attackers that are in control of someone's HTTP traffic can periodically redirect users, without their knowledge, to tainted URI or UNC paths that lead back to the attacker's host, reinitiating the attack. This is just one of the methods through which an attacker is left in a permanent MitM position.

As mentioned above, the issues reside in how Windows operating systems deal with NetBIOS hostname discovery requests. Microsoft said in MS16-077 that it corrected "how Windows handles proxy discovery."

Microsoft patches issue, many operating systems remain vulnerable

Neither Yu nor Microsoft were aware of any exploits using this vulnerability. To be on the safe side, users should update as soon as possible.

Full Article: BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions
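The article's central point is that NetBIOS name service traffic (UDP port 137) is routinely allowed through perimeter firewalls and NAT, so a name query answered from outside the local network is exactly what a defender should be looking for. The following is an added example, not code from the article, from Yu's research, or from Microsoft: it parses constructed firewall log lines (the log format and the IP addresses are assumptions made for this example) and flags any UDP/137 flow that crosses between an internal address and an external one, in either direction, noting whether the firewall allowed it.

```python
import ipaddress
import re

NBNS_PORT = 137  # NetBIOS Name Service

# Constructed sample firewall log (not from the article). Assumed format:
# <timestamp> <ALLOW|BLOCK> <UDP|TCP> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2016-06-15T10:00:01 ALLOW UDP 192.168.1.20:137 -> 192.168.1.255:137
2016-06-15T10:00:02 ALLOW UDP 192.168.1.20:137 -> 203.0.113.45:137
2016-06-15T10:00:03 ALLOW UDP 203.0.113.45:137 -> 192.168.1.20:137
2016-06-15T10:00:04 ALLOW TCP 192.168.1.20:52010 -> 93.184.216.34:443
2016-06-15T10:00:05 BLOCK UDP 192.168.1.21:137 -> 198.51.100.7:137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|BLOCK)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Address ranges treated as "internal" for this check. NetBIOS name
# resolution is a LAN protocol, so traffic on UDP/137 should never need
# to leave these ranges. RFC 5737 documentation addresses are deliberately
# NOT listed, so the constructed sample addresses count as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                       # loopback
    "169.254.0.0/16",                                    # link-local
    "224.0.0.0/4", "255.255.255.255/32",                 # multicast / broadcast
)]


def is_external(ip):
    """True if the address lies outside every internal range above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_cross_network_nbns(log_text):
    """Return every UDP/137 flow that crosses the internal/external boundary.

    Each finding records the direction: 'outbound' is an internal host sending
    a NetBIOS name query toward the Internet (what a tainted UNC path triggers);
    'inbound' is an external host sending UDP/137 back, which is where a spoofed
    name response claiming to be WPAD or ISATAP would appear.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        if NBNS_PORT not in (rec["sport"], rec["dport"]):
            continue
        src_ext, dst_ext = is_external(rec["src"]), is_external(rec["dst"])
        if dst_ext and not src_ext:
            direction = "outbound"
        elif src_ext and not dst_ext:
            direction = "inbound"
        else:
            continue  # purely local (e.g. subnet broadcast) or purely external
        findings.append({
            "ts": rec["ts"],
            "direction": direction,
            "src": rec["src"],
            "dst": rec["dst"],
            "allowed": rec["action"] == "ALLOW",
        })
    return findings


if __name__ == "__main__":
    for f in find_cross_network_nbns(SAMPLE_LOG):
        status = "ALLOWED" if f["allowed"] else "blocked"
        print(f"{f['ts']} {f['direction']:8s} {f['src']} -> {f['dst']} [{status}]")
```

The allowed inbound finding is the one to act on: a firewall that permits UDP/137 in from the Internet is the condition the article describes, and the remediation (blocking port 137 at the perimeter, or disabling NetBIOS over TCP/IP on hosts that do not need it, alongside the MS16-077 update) can be verified by re-running the same check over the logs afterwards and expecting only blocked or purely local flows.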