Researcher Yang Yu, director of Xuanwu Lab of Tencent in Beijing, recently discovered that a decades-old means of communication could be manipulated, entirely within the rules of the protocol, to hijack a targeted system. The attack relies on the way Windows resolves host names that appear in Uniform Naming Convention (UNC) or Uniform Resource Identifier (URI) syntax.

The bug, dubbed BadTunnel, affects all versions of Microsoft Windows. IBM Managed Security Services (MSS) has not observed a notable increase in event count associated with this threat, but we will continue to watch for signs of attempted exploitation in the weeks to come.

A Little Background on BadTunnel

NetBIOS was created in 1983 as a protocol for two computers to communicate over a network. Microsoft later implemented NetBIOS as the basis for its Windows-to-Windows PC communication. In 1987, support for NetBIOS over TCP/IP was developed, which encapsulated the NetBIOS packets inside TCP and UDP packets.

UNC was the original way of specifying access to a remote object, such as a Windows share or a file on a remote system. The syntax is of the form \\ComputerName\SharedFolder\SomeFile.ext.

For example, if a user wanted to open a file (SomeFile.ext) on a local file server (LocalServer) in a share called PublicDocuments, it could be opened in an application using the name \\LocalServer\PublicDocuments\SomeFile.ext.

URI syntax became popular in the ’90s with the advent of the World Wide Web. Everyone these days has seen URIs, perhaps without realizing it: http://www.securityintelligence.com is one. The full URI syntax is:

protocol://[UserID:UserPassword@LocalServer[:OptionalPort]]/PathArguments[?QueryString][#SubSection]

To access the above document using URI syntax, the user would open smb://LocalServer/PublicDocuments/SomeFile.ext, where smb stands for Server Message Block, a protocol used to share access for objects such as files, directories and printers between systems on a network.

NetBIOS has its own name resolution service — the NetBIOS Name Service (NBNS) — to identify system names within the NetBIOS arena that might not be entered in a DNS environment. When opening a UNC or URI, the host name (in this case, LocalServer) is sent to the NBNS for resolution.
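The following is an added example, not code from the article: it extracts the host name that a UNC path or URI names, the portion that, as described above, is handed to name resolution, and flags hosts of the form an NBNS query can answer (a bare single-label name of at most 15 characters, since NetBIOS names contain no dots and are padded to 15 bytes). The function and sample references are constructed for illustration.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

def host_of_reference(ref: str) -> Optional[str]:
    r"""Host name portion of a UNC path (\\Host\Share\File) or a URI
    (scheme://[user:pw@]host[:port]/path); None if the reference names no host."""
    if ref.startswith("\\\\"):
        host = ref[2:].split("\\", 1)[0]           # text between the leading \\ and the next \
        return host or None
    return urlsplit(ref).hostname                  # drops userinfo and port, lowercases the host

def nbns_resolvable(host: str) -> bool:
    """True for a bare single-label name of at most 15 characters, the form an
    NBNS query carries (NetBIOS names have no dots and are padded to 15 bytes)."""
    return "." not in host and 0 < len(host) <= 15

def references_needing_review(refs: List[str]) -> List[Tuple[str, str]]:
    """Constructed check: (reference, host) pairs whose host would be looked up
    via NetBIOS name resolution rather than DNS alone."""
    flagged = []
    for ref in refs:
        host = host_of_reference(ref)
        if host and nbns_resolvable(host):
            flagged.append((ref, host))
    return flagged

# Constructed sample references, built from the article's own examples
SAMPLE_REFS = [
    r"\\LocalServer\PublicDocuments\SomeFile.ext",
    "smb://LocalServer/PublicDocuments/SomeFile.ext",
    "http://user:pw@LocalServer:8080/PathArguments?q=1#SubSection",
    "http://www.securityintelligence.com",
    "file:///C:/local.txt",
]
```

Note that a user name, password or port in the URI does not change which host is resolved; only the host portion reaches the name service.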

A Hypothetical — Yet Very Possible — Attack

Let’s look at how an innocent victim named Carol could be attacked by a cybercriminal named Ted.

Ted would need to get Carol to open a malicious UNC or URI. This could be done in a number of ways — via a malicious webpage Carol visited, a specially crafted document, an unsolicited email or even from a USB drive. The UNC or URI has Ted’s system listed in the host name portion. As long as port 137/UDP is open between victim and attacker, Carol is at risk. Ted and Carol could be on the same corporate network or in the same coffee shop using the same wireless network.

Ted’s system has ports 139 (NetBIOS Session Service) and 445 (Microsoft Directory Services) disabled, but port 137 (NetBIOS Name Service) is open and his system is listening on that UDP port. Port 137 is used to query the network for the IP address of a given host name.

If Carol’s system is trying to look up the local Web Proxy Auto-Discovery (WPAD) server to obtain a web proxy configuration file, it will send out a NetBIOS name service query over port 137/UDP. The application listening on that port on Ted’s system then replies, in a specially crafted NBNS response, that his own IP address belongs to that host name. Carol’s system adds the resolved address for Ted’s system to its NBT (NetBIOS over TCP/IP) cache. Ted’s system is now Carol’s web proxy, and all of her web-based traffic will flow through it.
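The exchange above, viewed from the defender's side, as an added example that is not part of the original article: a parser for NBNS packets (RFC 1002 format, first-level encoded names, NB answer records) and a check that flags any NBNS response asserting an address for WPAD, which is exactly what a spoofed reply in the scenario would look like on the wire. The packet sample, the address 192.0.2.10 and the function names are constructed for this illustration.

```python
import struct
from ipaddress import IPv4Address
NB_RR_TYPE = 0x0020       # NB resource record type (RFC 1002)
WATCHED_NAMES = {"WPAD"}  # a response answering these from a peer is the hijack signal

def encode_nbns_name(name, suffix=0):
    """First-level encoding: pad to 15 chars + suffix byte; each byte becomes two nibbles + 'A'."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    enc = b"".join(bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)]) for b in raw)
    return b"\x20" + enc + b"\x00"               # one 32-byte label, then the root terminator

def decode_nbns_name(pkt, off):
    """Decode the encoded name at pkt[off:]; returns (name, suffix, next_offset)."""
    if pkt[off] != 0x20 or pkt[off + 33] != 0x00:
        raise ValueError("unsupported NetBIOS name label (pointers/scopes not handled)")
    enc = pkt[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii", "replace"), raw[15], off + 34

def parse_nbns(pkt):
    """Parse header, questions and NB answer records of one NBNS packet."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, suffix, off = decode_nbns_name(pkt, off)
        questions.append((name, suffix))
        off += 4                                  # QUESTION_TYPE + QUESTION_CLASS
    for _ in range(an):
        name, suffix, off = decode_nbns_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        rdata, off = pkt[off + 10:off + 10 + rdlen], off + 10 + rdlen
        addrs = []
        if rtype == NB_RR_TYPE:                   # RDATA = repeated NB_FLAGS(2) + NB_ADDRESS(4)
            addrs = [str(IPv4Address(rdata[i + 2:i + 6])) for i in range(0, rdlen, 6)]
        answers.append({"name": name, "suffix": suffix, "ttl": ttl, "addrs": addrs})
    return {"txid": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}

def wpad_hijack_indicator(pkt):
    """Addresses an NBNS *response* asserts for a watched name; non-empty means a host
    on the segment is volunteering itself as the proxy-configuration server."""
    p = parse_nbns(pkt)
    if not p["response"]:
        return []
    return [a for ans in p["answers"] if ans["name"] in WATCHED_NAMES for a in ans["addrs"]]

# Constructed sample: a positive name query response for WPAD<00> claiming 192.0.2.10
SAMPLE_RESPONSE = (struct.pack("!6H", 0x1234, 0x8500, 0, 1, 0, 0) + encode_nbns_name("WPAD")
                   + struct.pack("!HHIH", NB_RR_TYPE, 1, 300000, 6)
                   + struct.pack("!H4s", 0, IPv4Address("192.0.2.10").packed))
```

Feeding captured UDP/137 payloads through wpad_hijack_indicator turns the article's scenario into a concrete alert: on a network where no host is supposed to answer for WPAD, any non-empty result is worth investigating.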

Since it is the Windows operating system executing the NetBIOS name resolution, any applications running on Windows that allow file names to be in a UNC or URI format, such as web browsers, Microsoft Office products and some third-party applications, may be used as the attack vector.

Patch, Patch, Patch

Microsoft has patched this issue in its June update release. We strongly suggest applying this update as soon as possible. We also encourage you to contact your MSS provider to determine the available signature coverage.

Yang Yu will be presenting his findings in a talk titled “BadTunnel: How Do I Get Big Brother Power?” at Black Hat USA 2016. If you have an interest in NetBIOS and are attending Black Hat, you may wish to attend his session.
