BadTunnel Bug Big Threat To Microsoft Windows PC

Yang Yu, a researcher from China and founder of Tencent’s Xuanwu Lab, discovered a design flaw in Microsoft Windows that affects all versions of the operating system, including the latest, Windows 10. The flaw lets an attacker hijack a victim organization’s network traffic.

An attacker can hijack the target’s web use, granting the hacker “Big Brother power”, as soon as the victim opens a link or plugs in a USB stick, claimed Yu. He received $50,000 from Microsoft’s bug bounty program for uncovering the weakness, which he has dubbed “BadTunnel”.

Microsoft this week issued a patch for the BadTunnel bug. Yu will detail and demonstrate his findings on the Windows flaw in August at Black Hat USA in Las Vegas in his presentation “BadTunnel: How Do I Get Big Brother Power?”

This vulnerability is caused by the interaction of a transport layer protocol, an application layer protocol, a few specific uses of that application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices. It can be exploited via all versions of Microsoft Office, Edge, Internet Explorer, and via several third-party apps on Windows, he says. Unlike most attacks, it doesn’t even require malware, although an attacker could deploy malware as well, he says. That makes it even more difficult to detect when a BadTunnel attack is under way, he notes. An attacker could also execute the attack via IIS and Apache web servers, as well as via a thumb drive: inserting the thumb drive into one of the ports on the system is enough to complete the exploitation.

Exploitation of the flaw spoofs connections over NetBIOS: the attacker can gain access to network traffic without being on the victim’s network, and can also bypass firewall and Network Address Translation (NAT) devices.

How Does It Work?

The attacker gets a victim to visit a rigged web page via IE or Edge, or to open a rigged Office document (or plug in a malicious flash drive). The attacker’s host appears as either a file server or a local print server, and hijacks the victim’s network traffic: HTTP, Windows Update, and even Certificate Revocation List updates via Microsoft’s CryptoAPI.

The hacker can not only spy on unencrypted traffic, but could also intercept and tamper with Windows Update downloads, and could inject further attacks into web pages visited by the victim. For instance, they could ensure that the “tunnel” between the target and the hacker remains open by inserting code into web pages cached by the browser. Ollie Whitehouse, technical director at cyber security and risk mitigation specialist NCC Group, suggested the weaknesses would be difficult to exploit due to the need to “chain” different vulnerabilities. But Yu claimed that as long as the hacker understood the principles of the attack chain, they could write an exploit in just 20 minutes.

Users running supported Windows versions should update as soon as they can. For those running unsupported versions of Windows, such as XP, the researcher recommended disabling NetBIOS over TCP/IP; Microsoft has step-by-step guidance for exactly that on its TechNet site. Blocking outbound connections to NetBIOS port 137 would have a similar effect.
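The two workarounds above, as an added administration script that is not part of the article or of Microsoft’s guidance: it audits every IP-enabled adapter’s NetBIOS over TCP/IP setting and checks for a host-firewall rule blocking outbound NetBIOS name service traffic (UDP 137), and only changes anything when run with -Apply. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (for the CIM and NetSecurity cmdlets); the firewall rule name is a constructed label.

```powershell
# Added example (not from the article): audit, and optionally apply, the two
# BadTunnel workarounds for hosts that cannot be patched. Run elevated.
# Default is audit-only; pass -Apply to change settings.
param([switch]$Apply)

# 1. NetBIOS over TCP/IP per adapter.
#    TcpipNetbiosOptions: 0 = take setting from DHCP, 1 = enabled, 2 = disabled.
$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
    Where-Object { $_.IPEnabled }

foreach ($a in $adapters) {
    $state = switch ($a.TcpipNetbiosOptions) {
        0 { 'DHCP default' } 1 { 'Enabled' } 2 { 'Disabled' } default { 'Unknown' }
    }
    Write-Host ("{0,-45} NetBIOS over TCP/IP: {1}" -f $a.Description, $state)
    if ($Apply -and $a.TcpipNetbiosOptions -ne 2) {
        # SetTcpipNetbios returns 0 on success, 1 when a reboot is required.
        $r = Invoke-CimMethod -InputObject $a -MethodName SetTcpipNetbios `
                 -Arguments @{ TcpipNetbiosOptions = 2 }
        Write-Host ("  -> SetTcpipNetbios returned {0}" -f $r.ReturnValue)
    }
}

# 2. Host-firewall block for outbound NetBIOS name service (UDP 137).
$ruleName = 'Block outbound NetBIOS name service (UDP 137)'   # constructed label
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Host "Firewall rule present: $ruleName (Enabled=$($rule.Enabled), Action=$($rule.Action))"
} elseif ($Apply) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol UDP `
        -RemotePort 137 -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule: $ruleName"
} else {
    Write-Host "Firewall rule missing: $ruleName (run with -Apply to create it)"
}
```

Disabling NetBIOS over TCP/IP also stops legacy NetBIOS name resolution and browsing, so test on a pilot group before rolling it out to hosts that still depend on those services.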

Yang Yu will present his findings at the Black Hat conference in Las Vegas in August 2016.