
BadTunnel: a vulnerability that affects every Windows since 95

jos


 

Quote

A security researcher has uncovered a serious vulnerability that affects every version of Microsoft’s Windows operating system from Windows 95 to Windows 10. This vulnerability has a massive security impact – probably the widest impact in the history of Windows. 

Microsoft released a fix for the vulnerability on Tuesday in security bulletin MS16-077. Users of unsupported Windows versions such as Windows XP should disable NetBIOS over TCP/IP.

The nuts and bolts of how the vulnerability works haven’t been revealed but it has been described as a technique for NetBIOS-spoofing across networks that bypasses firewalls and NAT (Network Address Translation) devices.

In other words, it can expose you to attackers who aren’t on your network, and your firewalls won’t save you, unless you block UDP on port 137 between your network and the internet.

According to Yu, it relies on a chain of elements including “a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices.”

Microsoft’s bulletin appears to break the final link in the chain by fixing a vulnerability in WPAD (Web Proxy Autodiscovery Protocol) that was first reported in 2007.

WPAD is a way for computers to discover web browser configuration files automatically by searching specific addresses on a computer’s local network. An attacker who could find a way to occupy one of those addresses, or to change the addresses being searched, could supply their own configuration files and instruct the victim’s browser to route traffic through a man-in-the-middle attack.

Yu plans to reveal the full gory details of BadTunnel in a presentation at the upcoming BlackHat conference:

NetBIOS stands for Network basic input output system and is used in Windows for its file and printer sharing. It provides services related to the session layer allowing applications on separate computers to communicate. NetBIOS over TCP/IP (NetBT) sends the NetBIOS protocol over the Transmission Control Protocol (TCP) or the User Datagram Protocol (UDP). 

  • UDP port 137 (used for name services)


Source: Link


3 minutes ago, jos said:

 

Paranoia mode engaged.


If it has been out there for years, we would all be infected. I could not care less. :D


What's with the guy's picture lol


Meanwhile at my PC, ten minutes after reading this:



I wonder if this security hole was in anyway related to all the years of ransomware hitting people...


Yeah that whole thing just went straight over my head. Anyone care to explain how this networking stuff works in plain English?


50 minutes ago, EmeraldKiwi said:

Yeah that whole thing just went straight over my head. Anyone care to explain how this networking stuff works in plain English?

I'll give it a go. Although no promises. It's hard to translate technical stuff to English without using technical terms.

 

I'll put all the background info and most of the technical stuff in this box so you can read the TL;DR more easily.


NetBIOS is basically like a DNS (Domain Name System) - only locally on your LAN (Local Area Network) instead. It translates names to IP addresses (eg DNS translates linustechtips.com to its IP address 104.20.0.11). It allows you to more easily find and discover machines on your network (among other things). For example, when you setup Windows (or other Operating Systems) you'll be asked to give your computer a name. That is (at least partially) used to construct a NetBIOS (or other protocol) name, so that your machine is easily found on the network as "EmeraldKiwi-PC" instead of 192.168.1.29.

 

At this point NetBIOS is a legacy protocol (it was developed in 1983) on Windows. Windows has switched to LLMNR (a newer protocol that also supports IPv6, for example) by default since Vista, but NetBIOS is still used as a fallback (when LLMNR fails, it reverts to NetBIOS) because tons of (old) devices don't support LLMNR. Without a name resolution system things would be awful, as you can imagine. You'd have to type IP addresses every time you need to go to a website or to access a device on your network.

 

Apparently there is a vulnerability somewhere. Normally (I think - been a while since I read up on it) you wouldn't be able to use NetBIOS across networks. So the fact that an attacker can bypass not only NAT (NAT usually hides your real IP address, especially on consumer networks; sort of a safety feature for consumers and makes it harder to attack your network) but also your firewall, which usually blocks all traffic except common applications such as http (web browsing) and other necessary traffic. NetBIOS is necessary traffic, so it would be allowed by default.

If I'm understanding this correctly: this exploit tricks your machine into allowing the attacker to (among other things) change settings on your machine allowing him to eventually attack you in multiple different ways including re-directing you to malware sites, phishing sites. Or in short: a man-in-the-middle attack. The info is still very vague. 

 

Man-in-the-middle attacks are very bad. Man-in-the-middle is basically like you sending a letter and putting in the mailbox but instead of the mailman picking it up, it's someone else who takes your letter, reads it, alters it and puts it back for the mailman to pick up or intercepting mail delivered to you and altering it before you receive it. As you can imagine: not good.

 

I know that's still a lot of technical mumbojumbo but it can be difficult to translate without just explaining the concepts instead. I did my best and I'm a bit rusty. I'll gladly explain more if some or nothing made sense.

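The article in the first post says WPAD discovery goes through NetBIOS name resolution on UDP 137, and the post above explains that NetBIOS is a LAN-local DNS. What neither spells out is what a name query actually looks like on the wire and how little a client can check in the reply. Here is an added PowerShell example, not code from the article, from Yu's research, or from anyone in this thread, that builds a NetBIOS Name Service query for the name WPAD exactly as RFC 1001 section 14 and RFC 1002 section 4.2 define it, and validates a reply the only way the protocol allows: by matching the 16-bit transaction ID and the name. The reply bytes and the address 192.0.2.10 are hand-constructed for the example; the script needs Windows PowerShell 5.1 or later and does not touch the network. How BadTunnel gets such a datagram across NAT is not disclosed in the article, so nothing here claims to reproduce it.

```powershell
# Added example (not from the article, Yu's research, or this thread).
# NetBIOS Name Service (NBNS, UDP/137) query builder and reply checker for
# "WPAD", per RFC 1001 sec. 14 and RFC 1002 sec. 4.2. Sample reply is constructed.

function ConvertTo-NetBiosName {
    # RFC 1001 14.1 "first-level encoding": upper-case, space-pad to 15 bytes,
    # append the 1-byte service suffix (0x00 = workstation, what WPAD lookups
    # use), then write each nibble as a letter A..P (nibble + 0x41): 32 chars.
    param([Parameter(Mandatory)][string]$Name, [byte]$Suffix = 0x00)
    if ($Name.Length -gt 15) { throw 'NetBIOS names are at most 15 characters' }
    [byte[]]$raw = [System.Text.Encoding]::ASCII.GetBytes($Name.ToUpperInvariant().PadRight(15)) + $Suffix
    $sb = [System.Text.StringBuilder]::new()
    foreach ($b in $raw) {
        [void]$sb.Append([char](0x41 + ($b -shr 4))).Append([char](0x41 + ($b -band 0x0F)))
    }
    return $sb.ToString()
}

function ConvertFrom-NetBiosName {
    # Inverse of the above: 32 letters back to 16 bytes, padding stripped.
    param([Parameter(Mandatory)][string]$Encoded)
    if ($Encoded.Length -ne 32) { throw 'encoded NetBIOS name must be 32 characters' }
    [byte[]]$raw = 0..15 | ForEach-Object {
        [byte]((([int]$Encoded[2 * $_] - 0x41) -shl 4) -bor ([int]$Encoded[2 * $_ + 1] - 0x41))
    }
    [pscustomobject]@{
        Name   = [System.Text.Encoding]::ASCII.GetString($raw, 0, 15).TrimEnd()
        Suffix = $raw[15]
    }
}

function New-NbnsNameQuery {
    # RFC 1002 4.2.12 NAME QUERY REQUEST: 12-byte header, then one question.
    param([Parameter(Mandatory)][string]$Name, [uint16]$TransactionId = 0x1234, [switch]$Broadcast)
    # FLAGS 0x0100 = query + recursion desired (unicast to a WINS server);
    # 0x0110 also sets the B bit, as a subnet broadcast query does.
    $flags = if ($Broadcast) { 0x0110 } else { 0x0100 }
    $header = @(
        ($TransactionId -shr 8), ($TransactionId -band 0xFF),  # NAME_TRN_ID
        ($flags -shr 8), ($flags -band 0xFF),                  # FLAGS
        0, 1, 0, 0, 0, 0, 0, 0                                 # QDCOUNT=1, AN/NS/ARCOUNT=0
    )
    $label = [System.Text.Encoding]::ASCII.GetBytes((ConvertTo-NetBiosName -Name $Name))
    # Question: one 32-byte label, root label 0x00, QTYPE NB (0x0020), QCLASS IN (0x0001)
    $packet = [byte[]]($header + 32 + $label + 0 + @(0x00, 0x20, 0x00, 0x01))
    return ,$packet
}

function Read-NbnsResponse {
    # Validates a reply the way the protocol lets a client validate it: the 16-bit
    # NAME_TRN_ID and the name must match. Nothing authenticates the sender, so any
    # host that can land a datagram on port 137 can supply the answer.
    param([Parameter(Mandatory)][byte[]]$Bytes,
          [Parameter(Mandatory)][uint16]$ExpectedId,
          [Parameter(Mandatory)][string]$ExpectedName)
    if ($Bytes.Length -lt 62 -or $Bytes[12] -ne 32) { throw 'truncated or malformed NBNS response' }
    $id      = ($Bytes[0] -shl 8) -bor $Bytes[1]
    $flags   = ($Bytes[2] -shl 8) -bor $Bytes[3]
    $ancount = ($Bytes[6] -shl 8) -bor $Bytes[7]
    if ($id -ne $ExpectedId)         { throw "NAME_TRN_ID mismatch: got $id" }
    if (($flags -band 0x8000) -eq 0) { throw 'not a response' }
    if (($flags -band 0x000F) -ne 0) { throw "negative response, RCODE $($flags -band 0xF)" }
    if ($ancount -lt 1)              { throw 'no answer records' }
    # Answer RR (4.2.13): NAME(1+32+1) TYPE(2) CLASS(2) TTL(4) RDLENGTH(2) RDATA
    $decoded = ConvertFrom-NetBiosName -Encoded ([System.Text.Encoding]::ASCII.GetString($Bytes, 13, 32))
    if ($decoded.Name -ne $ExpectedName.ToUpperInvariant()) { throw "answer is for '$($decoded.Name)', not '$ExpectedName'" }
    $p = 46
    $type     = ($Bytes[$p] -shl 8) -bor $Bytes[$p + 1]
    $ttl      = ($Bytes[$p + 4] -shl 24) -bor ($Bytes[$p + 5] -shl 16) -bor ($Bytes[$p + 6] -shl 8) -bor $Bytes[$p + 7]
    $rdlength = ($Bytes[$p + 8] -shl 8) -bor $Bytes[$p + 9]
    if ($type -ne 0x20 -or $rdlength -lt 6) { throw "unexpected RR type $type / RDLENGTH $rdlength" }
    $p += 10
    # RDATA: NB_FLAGS(2) then NB_ADDRESS(4); a group name may carry several, take the first.
    $nbFlags = ($Bytes[$p] -shl 8) -bor $Bytes[$p + 1]
    [pscustomobject]@{
        Name       = $decoded.Name
        Suffix     = ('<{0:X2}>' -f $decoded.Suffix)
        Address    = [System.Net.IPAddress]::new([byte[]]($Bytes[($p + 2)..($p + 5)])).ToString()
        TtlSeconds = $ttl
        GroupName  = (($nbFlags -band 0x8000) -ne 0)
    }
}

# --- demo on constructed data -------------------------------------------------
$query = New-NbnsNameQuery -Name 'WPAD' -TransactionId 0x1234 -Broadcast
'query: {0} bytes, label {1}' -f $query.Length, (ConvertTo-NetBiosName -Name 'WPAD')

# Hand-built positive reply: id 0x1234, FLAGS 0x8580 (response, AA, RD, RA), ANCOUNT 1,
# answer WPAD<00>, TYPE NB, CLASS IN, TTL 300000, RDLENGTH 6, NB_FLAGS 0x0000
# (unique name, B-node), NB_ADDRESS 192.0.2.10 (documentation range, not a real host).
$label = [System.Text.Encoding]::ASCII.GetBytes((ConvertTo-NetBiosName -Name 'WPAD'))
$sampleReply = [byte[]](@(0x12, 0x34, 0x85, 0x80, 0, 0, 0, 1, 0, 0, 0, 0) + 32 + $label + 0 +
               @(0x00, 0x20, 0x00, 0x01, 0x00, 0x04, 0x93, 0xE0, 0x00, 0x06, 0x00, 0x00, 192, 0, 2, 10))
Read-NbnsResponse -Bytes $sampleReply -ExpectedId 0x1234 -ExpectedName 'WPAD' | Format-List

# A reply carrying some other transaction ID is all a client can reject:
try { Read-NbnsResponse -Bytes $sampleReply -ExpectedId 0x4321 -ExpectedName 'WPAD' } catch { "rejected: $_" }
```

The query for WPAD comes out as 50 bytes with the label FHFAEBEECACACACACACACACACACACACAAA, and the sample reply decodes to WPAD<00> at 192.0.2.10 with a 300000-second TTL. To send the query for real, hand `$query` to a `System.Net.Sockets.UdpClient` with `EnableBroadcast` set, target 255.255.255.255 port 137, and feed whatever `Receive` returns to `Read-NbnsResponse` with the same transaction ID. Note what the checker can and cannot do: it rejects a wrong ID or a wrong name, but a reply with the right ID for the right name is accepted no matter where it came from, and a name nobody on the LAN has registered (WPAD, on most home networks) gets no competing legitimate answer at all.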

5 hours ago, EmeraldKiwi said:

Yeah that whole thing just went straight over my head. Anyone care to explain how this networking stuff works in plain English?

I have a networking degree, and I barely understand any of it lol

 

4 hours ago, Trixanity said:

I'll give it a go. Although no promises. It's hard to translate technical stuff to English without using technical terms. [...]

Any way to prevent this, without using a Windows Update? Some of us can't turn Windows Update on because of the Windows 10 crap.


3 hours ago, Trik'Stari said:

I have a networking degree, and I barely understand any of it lol

 

Any way to prevent this, without using a Windows Update? Some of us can't turn Windows Update on because of the Windows 10 crap.

According to the article, just block UDP on port 137 on your router and you should be fine. 


NetBIOS was deprecated back in the XP days; assuming you're running Vista or newer and have a modern router, you're fine. IMO the article is very click-baity as, while Windows Vista and upwards do keep NetBIOS support, they just don't use it anymore, and you cannot attack a system via an unused protocol. 


16 hours ago, exercutor5 said:

What's with the guy's picture lol

It's a Korean/Chinese guy, why the surprised reaction? :P


2 minutes ago, Misunderstood Wookie said:

It's a Korean\Chinese guy why the surprised reaction? :P

Because it's not the first thing you would expect to see in a forum post lol


9 minutes ago, Master Disaster said:

NetBIOS was deprecated back in the XP days; assuming you're running Vista or newer and have a modern router, you're fine. IMO the article is very click-baity as, while Windows Vista and upwards do keep NetBIOS support, they just don't use it anymore, and you cannot attack a system via an unused protocol. 

Actually, TCP/IP NetBIOS Helper runs on Windows 8.1 Pro; it was running by default on a clean install I did yesterday (Automatic Trigger Start), so explain that one. It also runs on Win 10 as well.

2 minutes ago, exercutor5 said:

Because it's not the first thing you would expect to see in a forum post lol

It is if a hacker was involved to exploit or find a security exploit haha


Well It's a good thing I'm always up to date on my PC and I don't download shady stuff or torrent anything.


7 minutes ago, Misunderstood Wookie said:

Actually, TCP/IP NetBIOS Helper runs on Windows 8.1 Pro; it was running by default on a clean install I did yesterday (Automatic Trigger Start), so explain that one. It also runs on Win 10 as well.

NetBIOS helper is a translator service which allows applications that rely on NetBIOS to theoretically still operate on a modern network. That service running proves that your machine is not running NetBIOS.

 

From what I've just read however NetBIOS is still used for networked hardware like printers so there might actually be instances of modern networks using it, that also explains why MS kept support for so long after it was deprecated. 


1 hour ago, Master Disaster said:

NetBIOS helper is a translator service which allows applications that rely on NetBIOS to theoretically still operate on a modern network. That service running proves that your machine is not running NetBIOS.

 

From what I've just read however NetBIOS is still used for networked hardware like printers so there might actually be instances of modern networks using it, that also explains why MS kept support for so long after it was deprecated. 

So, I would be safe to assume that, as I have no plans to ever have my machines talking to anything below Windows 7, I can just outright disable this service and be secured.


6 minutes ago, Misunderstood Wookie said:

So, I would be safe to assume that, as I have no plans to ever have my machines talking to anything below Windows 7, I can just outright disable this service and be secured.

You're secure without disabling that service; that service takes legacy NetBIOS communications and tries to convert them to the new LLMNR protocol. Assuming you're not using any legacy applications on your system, that service will never be in use. 


11 hours ago, Trik'Stari said:

I have a networking degree, and I barely understand any of it lol

 

Any way to prevent this, without using a Windows Update? Some of us can't turn Windows Update on because of the Windows 10 crap.

You are able to download certain updates independently of Windows Update.


2 hours ago, Master Disaster said:

NetBIOS was deprecated back in the XP days; assuming you're running Vista or newer and have a modern router, you're fine. IMO the article is very click-baity as, while Windows Vista and upwards do keep NetBIOS support, they just don't use it anymore, and you cannot attack a system via an unused protocol. 

Hmm, I was under the impression that NetBIOS was enabled but only used as a fallback in case LLMNR fails. That would mean an attacker using NetBIOS could trick the machine into thinking it only supports NetBIOS therefore making the target revert to the older protocol making it vulnerable. Am I in the wrong here? I mean NetBIOS is definitely enabled on my devices. And the Legacy support is often a security issue. Happens often (Well, not often but I mean it's a common technique) for browsers where a man-in-the-middle could make your browser revert to weak encryption protocols allowing him to break it. 

 

However I could probably also disable it too which would definitely fix the problem. And others could too. Including @Trik'Stari

Although beware if one has old devices they might act up. 


19 hours ago, Djole123 said:

Meanwhile at my PC, ten minutes after reading this:

Meanwhile, on my PC:


 

You can never be too safe, can you? 


2 hours ago, Trixanity said:

Hmm, I was under the impression that NetBIOS was enabled but only used as a fallback in case LLMNR fails. [...]

I thought the opposite but recent reading has proved me to be incorrect. While no software should have a need for NetBIOS anymore apparently a lot of networking hardware does still use the protocol which is why MS keep it active on modern operating systems. If they removed it then many networks would lose capabilities. 

 

I'm still unsure if it's running all the time or only when it's required, common sense would dictate the latter but this is Microsoft. 

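The thread above goes back and forth on whether NetBT is actually active on a modern install, whether the "TCP/IP NetBIOS Helper" service tells you anything, and how to protect a box without installing the update (the article's own advice: disable NetBIOS over TCP/IP, or block UDP 137 between your network and the internet). Here is an added PowerShell script, not from the article, from Microsoft, or from anyone in this thread, that reports the state that actually matters and applies those two mitigations only when asked. One fact it relies on: whether UDP/137 is bound is decided by the per-adapter NetBIOS setting that drives netbt.sys, not by the Helper service (service name lmhosts), which only adds LMHOSTS lookup support on top. It assumes Windows 8.1 or 10 with Windows PowerShell 5.1 in an elevated prompt; the list of "private" address ranges is my assumption of what counts as "your network" and should be adjusted if your LAN is numbered differently.

```powershell
# Added example (not from the article, Microsoft, or anyone in this thread).
# Reports whether NetBIOS over TCP/IP (NetBT) is active on this host and, only with
# the switches, applies the two mitigations the article names. Run elevated.
[CmdletBinding()]
param([switch]$DisableNetbt, [switch]$BlockInternet137)

# 1. Per-adapter setting. TcpipNetbiosOptions: 0 = left to DHCP (NetBT stays on unless
#    the DHCP server turns it off), 1 = enabled, 2 = disabled. This, not the lmhosts
#    service, decides whether netbt.sys binds UDP/137 on the adapter.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
$nics | Select-Object Description,
        @{ n = 'IPv4';  e = { ($_.IPAddress | Where-Object { $_ -notmatch ':' }) -join ',' } },
        @{ n = 'NetBT'; e = { @('Default (DHCP, normally on)', 'Enabled', 'Disabled')[$_.TcpipNetbiosOptions] } } |
    Format-Table -AutoSize

# 2. What is bound and registered right now. No 137 endpoint and an empty nbtstat
#    table mean nothing on this host answers NBNS.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue | Select-Object LocalAddress, LocalPort
nbtstat -n

# 3. The two related services, for context only: lmhosts is the "TCP/IP NetBIOS Helper"
#    discussed above, WinHttpAutoProxySvc is the WPAD client used by WinHTTP.
Get-Service lmhosts, WinHttpAutoProxySvc | Select-Object Name, Status, StartType, DisplayName

if ($DisableNetbt) {
    foreach ($nic in $nics) {
        # Same as the WINS tab's "Disable NetBIOS over TCP/IP". ReturnValue 0 = applied, 1 = reboot needed.
        $r = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        '{0}: SetTcpipNetbios -> {1}' -f $nic.Description, $r.ReturnValue
    }
}

if ($BlockInternet137) {
    # Host-side version of "block UDP 137 between your network and the internet": drop NBNS
    # to/from every unicast address outside RFC 1918 and 169.254/16 (assumed to be "your
    # network"). 255.255.255.255 is deliberately excluded so LAN broadcast lookups still work.
    $notPrivate = '1.0.0.0-9.255.255.255', '11.0.0.0-169.253.255.255', '169.255.0.0-172.15.255.255',
                  '172.32.0.0-192.167.255.255', '192.169.0.0-223.255.255.255'
    foreach ($dir in 'Inbound', 'Outbound') {
        $name = "Block NBNS UDP/137 $dir (non-private)"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            $rule = @{ DisplayName = $name; Direction = $dir; Protocol = 'UDP'; RemoteAddress = $notPrivate
                       Action = 'Block'; Profile = 'Any' }
            # NetBT sends from and to port 137, so inbound matches on the local port, outbound on the remote one.
            if ($dir -eq 'Inbound') { $rule.LocalPort = 137 } else { $rule.RemotePort = 137 }
            New-NetFirewallRule @rule | Out-Null
            "created rule: $name"
        }
    }
}
```

Run it with no switches first and read the NetBT column: "Default" or "Enabled" on any adapter means the host is registering names and answering on 137 whether or not the Helper service is running, which is the check the "is it running all the time" question above needs. `-DisableNetbt` turns it off on every adapter (reboot if the method returns 1), with the side effect Trixanity warns about: devices that only speak NetBIOS stop resolving by name. `-BlockInternet137` is the host-level fallback for machines that cannot take the update; it does nothing for attacks that originate inside the LAN, and neither switch replaces installing MS16-077 where that is possible.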
