July 5, 2016 By Bryan Ivey 3 min read

Researcher Yang Yu, director of Xuanwu Lab of Tencent in Beijing, recently discovered that a decades-old means of communication could be tweaked within the parameters of the protocol to hijack the targeted system. The attack relies on the means by which Windows resolves host names within uniform naming convention (UNC) or Uniform Resource Identifier (URI) syntax.

The bug, dubbed BadTunnel, affects all versions of Microsoft Windows. IBM Managed Security Services (MSS) has not observed a notable increase in event count associated with this threat, but we will continue to watch for signs of attempted exploitation in the weeks to come.

A Little Background on BadTunnel

NetBIOS was created in 1983 as a protocol for two computers to communicate over a network. Microsoft later implemented NetBIOS as the basis for its Windows-to-Windows PC communication. In 1987, support for NetBIOS over TCP/IP was developed, which encapsulated the NetBIOS packets inside TCP and UDP packets.

UNC was the initial manner of specifying access to a remote object, such as a Windows share or a file on a remote system. The syntax was of the form \\ComputerName\SharedFolder\SomeFile.ext.

For example, if a user wanted to open a file (SomeFile.ext) on a local file server (LocalServer) in a share called PublicDocuments, it could be opened in an application using the name \\LocalServer\PublicDocuments\SomeFile.ext.

URI syntax became popular in the ’90s with the advent of the World Wide Web. Everyone these days has seen examples of URI syntax, but might not have realized it: For instance, a URI is http://www.securityintelligence.com. The full URI syntax is:


To access the above document using URI syntax, the user would open smb://LocalServer/PublicDocuments/SomeFile.ext, where smb stands for Server Message Block, a protocol used to share access for objects such as files, directories and printers between systems on a network.

NetBIOS has its own name resolution service — the NetBIOS Name Service (NBNS) — to identify system names within the NetBIOS arena that might not be entered in a DNS environment. When opening a UNC or URI, the host name (in this case, LocalServer) is sent to the NBNS for resolution.

A Hypothetical — Yet Very Possible — Attack

Let’s look at how an innocent victim named Carol could be attacked by a cybercriminal named Ted.

Ted would need to get Carol to open a malicious UNC or URI. This could be done in a number of ways — via a malicious webpage Carol visited, a specially crafted document, an unsolicited email or even from a USB drive. The UNC or URI has Ted’s system listed in the host name portion. As long as port 137/UDP is open between victim and attacker, Carol is at risk. Ted and Carol could be on the same corporate network or in the same coffee shop using the same wireless network.

Ted’s system has ports 139 (NetBIOS Session Service) and 445 (Microsoft Directory Services) disabled on his system, but has port 137 (NetBIOS Name Service) open. His system is listening on the UDP port. Port 137 is used to query the network for the IP address of a given host name.

If Carol’s system is trying to look up the local Web Proxy Auto-Discovery (WPAD) server to obtain a web proxy configuration file, Carol’s system will send out a NetBIOS name service query over port 137/UDP. The application listening on that port on Ted’s system would then reply back that his IP address is that host in a specially crafted NBNS response. Carol’s system will add the resolved address for Ted’s system to its NBT (NetBIOS over TCP/IP) cache. Ted’s system is now Carol’s web proxy, and all of her web-based traffic will flow through Ted’s system.

Since it is the Windows operating system executing the NetBIOS name resolution, any applications running on Windows that allow file names to be in a UNC or URI format, such as web browsers, Microsoft Office products and some third-party applications, may be used as the attack vector.

Patch, Patch, Patch

Microsoft has patched this issue in its June release. We strongly suggest applying this update as soon as possible. We also encourage contacting your MSS provider to determine available signature coverage.

Yang Yu will be presenting his findings in a talk titled “BadTunnel: How Do I Get Big Brother Power?” at Black Hat USA 2016. If you have an interest in NetBIOS and are attending Black Hat, you may wish to attend his session.

More from X-Force

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Ongoing ITG05 operations leverage evolving malware arsenal in global campaigns

13 min read - As of March 2024, X-Force is tracking multiple ongoing ITG05 phishing campaigns featuring lure documents crafted to imitate authentic documents of government and non-governmental organizations (NGOs) in Europe, the South Caucasus, Central Asia, and North and South America. The uncovered lures include a mixture of internal and publicly available documents, as well as possible actor-generated documents associated with finance, critical infrastructure, executive engagements, cyber security, maritime security, healthcare, business, and defense industrial production. Beginning in November 2023, X-Force observed ITG05…

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today