‘BadTunnel’ a gateway to hell

PhoneMicrosoft has a bounty program, which pays if you find a bug and explain why it’s a bug (or exploit).  They pay upto $50,000 USD for the information.  Yang Yu, founder of Tencent’s Xuanwu Lab has made previous successful bounty claims as well but this one is a whopper.  It affects every version of Windows back to Windows 95 (no patches coming for those old OS either).

The flaw, which he’s called BadTunnel, exposes local area networks to cross-network NetBIOS Name Service spoofing. An attacker can remotely attack a firewall- or NAT-protected LAN and steal network traffic or spoof a network print or file server.

“In combination with other system mechanisms, it can hijack the network traffic, and even run any program,” Yang said.  The flaw was addressed recently by Microsoft in security bulletin MS16-077 and in CVE-2016-3213.

“To successfully implement a BadTunnel attack, [you] just need the victim to open a URL (with Internet Explorer or Edge), or open a file (an Office document), or plug in a USB memory stick,” Yang said. “[You] even may not need the victim to do anything when the victim is a web server.”

The key is the apparent predictability of a NetBios Name Service transaction ID, which an attacker can abuse by getting the victim to visit a URL hosting an exploit or open an exploited document. The victim’s machine will trust the attacker and they will be able to hijack traffic or force the victim to visit malicious sites.

Windows admins are advised to patch at once, or block UDP port 137.