BadTunnel: Bad News?

July 5, 2016
| |
3 min read

Researcher Yang Yu, director of Xuanwu Lab of Tencent in Beijing, recently discovered that a decades-old means of communication could be tweaked within the parameters of the protocol to hijack the targeted system. The attack relies on the means by which Windows resolves host names within uniform naming convention (UNC) or Uniform Resource Identifier (URI) syntax.

The bug, dubbed BadTunnel, affects all versions of Microsoft Windows. IBM Managed Security Services (MSS) has not observed a notable increase in event count associated with this threat, but we will continue to watch for signs of attempted exploitation in the weeks to come.

A Little Background on BadTunnel

NetBIOS was created in 1983 as a protocol for two computers to communicate over a network. Microsoft later implemented NetBIOS as the basis for its Windows-to-Windows PC communication. In 1987, support for NetBIOS over TCP/IP was developed, which encapsulated the NetBIOS packets inside TCP and UDP packets.

UNC was the initial manner of specifying access to a remote object, such as a Windows share or a file on a remote system. The syntax was of the form \\ComputerName\SharedFolder\SomeFile.ext.

For example, if a user wanted to open a file (SomeFile.ext) on a local file server (LocalServer) in a share called PublicDocuments, it could be opened in an application using the name \\LocalServer\PublicDocuments\SomeFile.ext.

URI syntax became popular in the ’90s with the advent of the World Wide Web. Everyone these days has seen examples of URI syntax, but might not have realized it: For instance, a URI is http://www.securityintelligence.com. The full URI syntax is:

protocol://[UserID:[email protected][:OptionalPort]]/PathArguments[?QueryString][#SubSection]

To access the above document using URI syntax, the user would open smb://LocalServer/PublicDocuments/SomeFile.ext, where smb stands for Server Message Block, a protocol used to share access for objects such as files, directories and printers between systems on a network.

NetBIOS has its own name resolution service — the NetBIOS Name Service (NBNS) — to identify system names within the NetBIOS arena that might not be entered in a DNS environment. When opening a UNC or URI, the host name (in this case, LocalServer) is sent to the NBNS for resolution.

A Hypothetical — Yet Very Possible — Attack

Let’s look at how an innocent victim named Carol could be attacked by a cybercriminal named Ted.

Ted would need to get Carol to open a malicious UNC or URI. This could be done in a number of ways — via a malicious webpage Carol visited, a specially crafted document, an unsolicited email or even from a USB drive. The UNC or URI has Ted’s system listed in the host name portion. As long as port 137/UDP is open between victim and attacker, Carol is at risk. Ted and Carol could be on the same corporate network or in the same coffee shop using the same wireless network.

Ted’s system has ports 139 (NetBIOS Session Service) and 445 (Microsoft Directory Services) disabled on his system, but has port 137 (NetBIOS Name Service) open. His system is listening on the UDP port. Port 137 is used to query the network for the IP address of a given host name.

If Carol’s system is trying to look up the local Web Proxy Auto-Discovery (WPAD) server to obtain a web proxy configuration file, Carol’s system will send out a NetBIOS name service query over port 137/UDP. The application listening on that port on Ted’s system would then reply back that his IP address is that host in a specially crafted NBNS response. Carol’s system will add the resolved address for Ted’s system to its NBT (NetBIOS over TCP/IP) cache. Ted’s system is now Carol’s web proxy, and all of her web-based traffic will flow through Ted’s system.

Since it is the Windows operating system executing the NetBIOS name resolution, any applications running on Windows that allow file names to be in a UNC or URI format, such as web browsers, Microsoft Office products and some third-party applications, may be used as the attack vector.

Patch, Patch, Patch

Microsoft has patched this issue in its June release. We strongly suggest applying this update as soon as possible. We also encourage contacting your MSS provider to determine available signature coverage.

Yang Yu will be presenting his findings in a talk titled “BadTunnel: How Do I Get Big Brother Power?” at Black Hat USA 2016. If you have an interest in NetBIOS and are attending Black Hat, you may wish to attend his session.

Bryan Ivey
Cyber Threat and Intelligence Analyst, IBM X-Force

Bryan Ivey joined Internet Security Systems as the IT department at the end of 1996. After nearly fourteen years in IT, he joined the X-Force Threat Analysi...
read more