BadTunnel Attack: Hackers can exploit a flawed NetBIOS implementation in all Windows versions to hijack network traffic

Security researchers from Tencent’s Xuanwu Lab have discovered a vulnerability that could let an attacker hijack network traffic on PCs running any version of Windows. The team, led by Yang Yu, founder of Xuanwu Lab, traced the flaw to the way Microsoft implemented the NetBIOS protocol in Windows.

Yu says an attacker can use the flaw to pose as a WPAD or ISATAP server and redirect all of the victim’s network traffic through a point the attacker controls. The issue is critical because the attacker can hijack all traffic, not just HTTP and HTTPS: that includes OS updates, software upgrades, Certificate Revocation List downloads made through Microsoft’s CryptoAPI, and other OS maintenance operations.

In a hypothetical scenario, an attacker who exploits the NetBIOS flaw could redirect all of the victim’s traffic through a malware-laden endpoint and from there take over the PC remotely. The severity of the issue can be judged from the fact that every Windows version, including Windows 10, is affected.

In a technical preview of the flaw that Yu gave to Softpedia, he says, “It does not require the attacker [to] reside in the same network.” He adds, “The attack can even succeed when there are firewall and NAT devices in between.” “Firewalls won’t stop the attack, because UDP is a connectionless protocol. We are using it to establish a tunnel. That is why it is named ‘BadTunnel’,” Yu explains.

The attack doesn’t exploit a weakness in the NetBIOS protocol itself, only in how Microsoft implemented it in Windows.

All that’s needed is some simple social engineering: the attacker only has to convince the user to open a file URI or UNC path (for example a link or shortcut in an application). Yu says BadTunnel can be exploited through Internet Explorer, Edge, Office, and other applications that resolve URIs and UNC paths. Exploitation is not limited to software on the victim’s PC; the attack can also be launched from a USB flash drive or a web server.

Yu said he reported the flaw to Microsoft, which has patched it. PCs running unsupported versions of Windows such as Windows XP and Windows Server 2003, however, remain vulnerable. Yu says he has seen the flaw being exploited in the wild and recommends that administrators of older systems disable NetBIOS in the meantime.

Microsoft has stated that the issue is fixed in security bulletin MS16-077, and that patched PCs correctly handle proxy discovery.
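For hosts that cannot take the MS16-077 update, the workarounds the article mentions (disabling NetBIOS, and the WPAD and ISATAP discovery paths the attacker impersonates) can be applied in one pass. The script below is an added example, not code from the article, Xuanwu Lab or Microsoft; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the NetSecurity cmdlets), and the KB number of the MS16-077 update for your platform is a parameter you look up in the bulletin, not something the script knows.

```powershell
# Added example: harden a Windows host against BadTunnel-style NBNS/WPAD spoofing
# when the MS16-077 update cannot be applied. Run as Administrator.
# Assumes Windows 8 / Server 2012 or later (NetSecurity module).
param(
    # KB identifier of the MS16-077 update for this platform (from the bulletin);
    # used only to report whether the vendor fix is already present.
    [string]$PatchKB = ''
)

# 1. Informational: is the vendor fix installed?
if ($PatchKB) {
    $fix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
    if ($fix) { Write-Host "MS16-077 update $PatchKB is installed" }
    else      { Write-Host "MS16-077 update $PatchKB NOT installed; applying workarounds" }
}

# 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = default (DHCP decides), 1 = enabled, 2 = disabled.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $rc = $_.SetTcpipNetbios(2).ReturnValue   # 0 = success
        Write-Host ("NetBIOS disabled on {0}: rc={1}" -f $_.Description, $rc)
    }

# 3. Block the NetBIOS Name Service port (UDP/137) in both directions at the host
#    firewall, so no remote host can open an NBNS exchange with this machine.
foreach ($dir in 'Inbound', 'Outbound') {
    $name = "Block NBNS UDP 137 $dir"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        $port = if ($dir -eq 'Inbound') { @{ LocalPort = 137 } } else { @{ RemotePort = 137 } }
        New-NetFirewallRule -DisplayName $name -Direction $dir -Protocol UDP `
            -Action Block -Profile Any @port | Out-Null
    }
}

# 4. Turn off ISATAP, the second discovery mechanism the article names.
netsh interface isatap set state disabled | Out-Null

# 5. Stop the WinHTTP auto-proxy service so WPAD is no longer consulted
#    system-wide. Caveat: newer Windows 10 builds refuse to disable this
#    service, and any network that relies on a legitimate WPAD server breaks.
Stop-Service WinHttpAutoProxySvc -Force -ErrorAction SilentlyContinue
Set-Service WinHttpAutoProxySvc -StartupType Disabled -ErrorAction Continue

# 6. Verify the result.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Select-Object Description, TcpipNetbiosOptions
Get-NetFirewallRule -DisplayName 'Block NBNS UDP 137 *' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Steps 2 and 3 are the NetBIOS mitigation the article recommends; steps 4 and 5 remove the two discovery services an attacker impersonates, at the cost of breaking legitimate WPAD proxy discovery and legacy NetBIOS name resolution, so test on a pilot group before rolling out. The SetTcpipNetbios change survives reboots; verify after a restart that TcpipNetbiosOptions still reads 2, since DHCP option 43 vendor settings can re-enable it on some configurations.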

Yu is scheduled to present more details on this bug at this year’s Black Hat USA security conference. The title of his presentation is “BadTunnel: How Do I Get Big Brother Power?”