BadTunnel: a vulnerability all Windows users need to patch


A security researcher has uncovered a serious vulnerability that affects every version of Microsoft’s Windows operating system from Windows 95 to Windows 10.

The vulnerability could give attackers a way to set up man-in-the-middle attacks against victims by getting them to click on a link, open a Microsoft Office document or plug in a USB drive.

In an interview with Dark Reading, Yang Yu, who earned a whopping $50,000 bug bounty for the discovery he’s nicknamed BadTunnel, described the impact in grandiose terms:

This vulnerability has a massive security impact – probably the widest impact in the history of Windows.

Microsoft released a fix for the vulnerability on Tuesday in security bulletin MS16-077. Users of unsupported Windows versions such as Windows XP should disable NetBIOS over TCP/IP.

The nuts and bolts of how the vulnerability works haven’t been revealed but it has been described as a technique for NetBIOS-spoofing across networks that bypasses firewalls and NAT (Network Address Translation) devices.

In other words, it can expose you to attackers who aren’t on your network, and your firewalls won’t save you, unless you block UDP on port 137 between your network and the internet.

According to Yu, it relies on a chain of elements including “a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices.”

Microsoft’s bulletin appears to break the final link in the chain by fixing a vulnerability in WPAD (Web Proxy Autodiscovery Protocol) that was first reported in 2007.

WPAD is a way for computers to discover web browser configuration files automatically by searching specific addresses on a computer’s local network. An attacker who could find a way to occupy one of those addresses, or to change the addresses being searched, could supply their own configuration files and instruct the victim’s browser to route traffic through a man-in-the-middle attack.

Until BadTunnel, the attacker had to gain access to a victim’s network (or rely on opportunistic domain name collisions) which made it a difficult trick to pull off.

Yu plans to reveal the full gory details of BadTunnel in a presentation at the upcoming BlackHat conference:

This presentation will introduce a new threat model. Based on this threat model, we found a flaw in the Windows system. It affects all Windows released in the last two decades, including Windows 10. It also has a very wide range of attacks surface. The attack can be performed on all versions of Internet Explorer, Edge, Microsoft Office, many third-party software, USB flash drives, and even Web server. When this flaw is triggered, YOU ARE BEING WATCHED.