July 5, 2016 By Bryan Ivey 3 min read

Researcher Yang Yu, director of Xuanwu Lab of Tencent in Beijing, recently discovered that a decades-old means of communication could be tweaked within the parameters of the protocol to hijack the targeted system. The attack relies on the means by which Windows resolves host names within uniform naming convention (UNC) or Uniform Resource Identifier (URI) syntax.

The bug, dubbed BadTunnel, affects all versions of Microsoft Windows. IBM Managed Security Services (MSS) has not observed a notable increase in event count associated with this threat, but we will continue to watch for signs of attempted exploitation in the weeks to come.

A Little Background on BadTunnel

NetBIOS was created in 1983 as a protocol for two computers to communicate over a network. Microsoft later implemented NetBIOS as the basis for its Windows-to-Windows PC communication. In 1987, support for NetBIOS over TCP/IP was developed, which encapsulated the NetBIOS packets inside TCP and UDP packets.

UNC was the initial manner of specifying access to a remote object, such as a Windows share or a file on a remote system. The syntax was of the form \\ComputerName\SharedFolder\SomeFile.ext.

For example, if a user wanted to open a file (SomeFile.ext) on a local file server (LocalServer) in a share called PublicDocuments, it could be opened in an application using the name \\LocalServer\PublicDocuments\SomeFile.ext.

URI syntax became popular in the ’90s with the advent of the World Wide Web. Everyone these days has seen examples of URI syntax, but might not have realized it: For instance, a URI is http://www.securityintelligence.com. The full URI syntax is:

protocol://[UserID:UserPassword@LocalServer[:OptionalPort]]/PathArguments[?QueryString][#SubSection]

To access the above document using URI syntax, the user would open smb://LocalServer/PublicDocuments/SomeFile.ext, where smb stands for Server Message Block, a protocol used to share access for objects such as files, directories and printers between systems on a network.

NetBIOS has its own name resolution service — the NetBIOS Name Service (NBNS) — to identify system names within the NetBIOS arena that might not be entered in a DNS environment. When opening a UNC or URI, the host name (in this case, LocalServer) is sent to the NBNS for resolution.

A Hypothetical — Yet Very Possible — Attack

Let’s look at how an innocent victim named Carol could be attacked by a cybercriminal named Ted.

Ted would need to get Carol to open a malicious UNC or URI. This could be done in a number of ways — via a malicious webpage Carol visited, a specially crafted document, an unsolicited email or even from a USB drive. The UNC or URI has Ted’s system listed in the host name portion. As long as port 137/UDP is open between victim and attacker, Carol is at risk. Ted and Carol could be on the same corporate network or in the same coffee shop using the same wireless network.

Ted’s system has ports 139 (NetBIOS Session Service) and 445 (Microsoft Directory Services) disabled on his system, but has port 137 (NetBIOS Name Service) open. His system is listening on the UDP port. Port 137 is used to query the network for the IP address of a given host name.

If Carol’s system is trying to look up the local Web Proxy Auto-Discovery (WPAD) server to obtain a web proxy configuration file, Carol’s system will send out a NetBIOS name service query over port 137/UDP. The application listening on that port on Ted’s system would then reply back that his IP address is that host in a specially crafted NBNS response. Carol’s system will add the resolved address for Ted’s system to its NBT (NetBIOS over TCP/IP) cache. Ted’s system is now Carol’s web proxy, and all of her web-based traffic will flow through Ted’s system.

Since it is the Windows operating system executing the NetBIOS name resolution, any applications running on Windows that allow file names to be in a UNC or URI format, such as web browsers, Microsoft Office products and some third-party applications, may be used as the attack vector.

Patch, Patch, Patch

Microsoft has patched this issue in its June release. We strongly suggest applying this update as soon as possible. We also encourage contacting your MSS provider to determine available signature coverage.

Yang Yu will be presenting his findings in a talk titled “BadTunnel: How Do I Get Big Brother Power?” at Black Hat USA 2016. If you have an interest in NetBIOS and are attending Black Hat, you may wish to attend his session.

More from X-Force

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today