Among the more than three dozen vulnerabilities Microsoft patched on Tuesday was a fix for a bug that the researcher who found it said has “probably the widest impact in the history of Windows.”
“There were also some wide impact vulnerabilities before, but maybe not like this extensive,” Chinese researcher Yang Yu, founder of Tencent’s Xuanwu Lab told Threatpost.
The flaw, which he’s called BadTunnel, exposes local area networks to cross-network NetBIOS Name Service spoofing. An attacker can remotely attack a firewall- or NAT-protected LAN and steal network traffic or spoof a network print or file server.
“In combination with other system mechanisms, it can hijack the network traffic, and even run any program,” Yang said.
The flaw was addressed yesterday by Microsoft in security bulletin MS16-077 and in CVE-2016-3213.
“An elevation of privilege vulnerability exists in Microsoft Windows when the Web Proxy Auto Discovery (WPAD) protocol falls back to a vulnerable proxy discovery process,” Microsoft said in its advisory; it rated the flaw as “Important.” “An attacker who successfully exploited this vulnerability could bypass security and gain elevated privileges on a targeted system.”
The flaw is particularly serious because it affects every version of Windows, including long-unsupported versions of the OS going back to Windows 95.
“To successfully implement a BadTunnel attack, [you] just need the victim to open a URL (with Internet Explorer or Edge), or open a file (an Office document), or plug in a USB memory stick,” Yang said. “[You] even may not need the victim to do anything when the victim is a web server.”
Yang wrote in a technical paper provided to Threatpost that the attack works anywhere a file URI scheme or UNC patch can be embedded, such as in IE or Edge, or an Office document.
“For example, if a file URI or UNC path is embedded into a shortcut link file (Microsoft’s LNK), the BadTunnel attack can be triggered at the moment the user views the file in the Windows Explorer,” Yang wrote. “It therefore can be exploited via webpage, email, flash drive and many other medias. It can even be effective against servers.”
An attacker would need to understand how to chain together exploits to pull off the attack, but with this understanding, it would take someone 20 minutes to write an exploit.
“The exploit is just a simple UDP packing sending tool,” he said.
Yang is no stranger to writing Microsoft exploits. He has twice before won Microsoft’s Mitigation Bypass bounty worth $145,000; for this bug he was awarded $50,000.
In his paper, Yang describes the chain of events needed to attack this bug. The key is the apparent predictability of a NetBios Name Service transaction ID, which an attacker can abuse by getting the victim to visit a URL hosting an exploit, or open a crafted document, for example. The victim’s machine will trust the attacker and they will be able to hijack traffic or force the victim to visit malicious sites and initiate more trouble.
Windows admins are advised to patch at once, or block UDP port 137.
“On a corporate network, to mitigate BadTunnel, it is a good idea to block 137 / UDP communication between the internal network and the Internet on the perimeter firewall,” Yang said. “Individual users can consider disabling the NetBIOS over TCP/IP.”