A vulnerability that security researchers said has “the widest impact in the history of Windows” could affect all versions of the operating system from the past 20 years, from Windows 95 to Windows 10. Chinese security researcher Yang Yu, director of Tencent’s Xuanwu Lab, discovered the flaw, which he named BadTunnel. Yu received a $50,000 bounty for discovering the flaw.
In fact, this all started when Yu simply got bored on an airplane. He said he started to imagine different security problems and suddenly came up with a brand-new attack scenario. “After the trip, I immediately started testing it on different system configurations, and finally discovered this vulnerability in the Windows operating system,” he said.
Yu demonstrated the flaw in Las Vegas at Black Hat USA in August in a presentation entitled “BadTunnel: How do I get Big Brother power?” In the presentation, Yu noted that BadTunnel has a very wide range of attack surfaces. “The attack can be performed on all versions of Internet Explorer, Edge, Microsoft Office, many third-party software, USB flash drives, and even Web servers. When this flaw is triggered, YOU ARE BEING WATCHED.”
In case you’re still not convinced how extensive this security vulnerability is, Yu explains, “It can be exploited silently with a near perfect success rate.” Users can be abused by simple activities, such as clicking a link, opening a Microsoft Office document, or plugging in a USB drive. BadTunnel is especially difficult to detect because even though malware can be applied, it isn’t required to exploit the vulnerability.
In an interview with DARK Reading, Yu explained, “This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usages of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices.” In short, this is more than a simple mistake within the code.
Essentially, Yu has described it as a technique for NetBIOS-spoofing across networks that bypasses firewalls and NAT (Network Address Translation) devices, so that the attacker can get access to network traffic without being on the victim’s network. According to web consultant Mark Stockley, “It can expose you to attackers who aren’t on your network, and your firewalls won’t save you, unless you block UDP on port 137 between your network and the Internet.”
Stockley says that “WPAD is a way for computers to discover web browser configuration files automatically by searching specific addresses on a computer’s local network. An attacker who could find a way to occupy one of those addresses, or to change the addresses being searched, could supply their own configuration files and instruct the victim’s browser to route traffic through a man-in-the-middle attack.”
In his interview, Yu explained the attack in-depth.
“BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses; how IE and Edge browsers support web pages with embedded content; how Windows handles network paths via an IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles queries on the same UDP port (137) — all of which when lumped together make the network vulnerable to a BadTunnel attack.
- Alice and Bob can be located anywhere on their network, and have firewall and NAT devices in-between, as long as Bob’s 137/UDP port is reachable by Alice.
- Bob closes 139 and 445 port, but listens on 137/UDP port.
- Alice is convinced to access a file URI or UNC path that points to Bob, and another hostname based URI such as “http://WPAD/x.jpg” or “http://FileServer/x.jpg”. Alice will send a NBNS NBSTAT query to Bob, and also send a NBNS NB query to the LAN broadcast address.
- If Bob blocks access to 139 and 445 port using a firewall, Alice will send a NBNS NBSTAT query after approximately 22 seconds. If Bob instead closed 139 and 445 port by disabling Server Windows service or NetBIOS over TCP/IP protocol, Alice do not need to wait for connection to time out before send the query.
- When Bob received NBNS NBSTAT query sent by Alice, Bob forge a NBNS NB response by predicting the transaction id, and send to Alice. If a heartbeat packet is sent every few second, most firewall and NAT devices will keep the 137/UDP<->137/UDP tunnel open.
- Alice will now add the resolved address sent by Bob to the NBT cache. The default TTL for NBT cache entry is 600 seconds.
Yu added that Bob can also insert attack vectors in webpages visited by Alice. Because these webpages will be cached by the Web browser, the attacks can be retriggered even if the tunnel between Alice and Bob is disconnected. Also, because Bob can keep the tunnel open by sending a packet every few seconds, “even if Alice never visits Bob’s file URI or UNC path again, Bob can still send forged NBNS NB response to Alice,” Yu says.
With a full understanding of how this chain works, an attacker would only need 20 minutes to pull off an exploit. Luckily, though, all hope is not lost. Although it was reported to Windows in January, a patch for the problem was finally released in June, and just recently updated again in August.
The security update is rated Important; according to Microsoft, “The most severe of the vulnerabilities could allow elevation of privilege if the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process on a target system.”
Download the most recent update. As reported by Microsoft, “The update addresses the vulnerabilities by correcting how Windows handles proxy discovery, and WPAD automatic proxy detection in Windows.”
Yu notes that you should always download the most recent patch, but if this is not available to you, you should disable the NetBIOS over TCP/IP to prevent the BadTunnel attack. Microsoft gives detailed instructions on how to do this.
Photo credit: Pixabay