The research of Yang Yu, founder of Tencent's Xuanwu Lab, has helped Microsoft patch a severe security issue in its implementation of the NetBIOS protocol that affected all Windows versions ever released.

Yu says an attacker could leverage this vulnerability to pass as a WPAD or ISATAP server and redirect all the victim's network traffic through a point controlled by the attacker.

By network traffic, Yu refers to all traffic, not just Web HTTP and HTTPS. This includes OS updates, software upgrades, Certificate Revocation List updates via Microsoft's Crypto API, and other OS maintenance operations.

Firewalls won't stop BadTunnel

"It does not require the attacker [to] reside in the same network," Yu writes in a technical preview offered to Softpedia. "The attack can even succeed when there are firewall and NAT devices in between."

"Firewalls won't stop the attack, because UDP is a connectionless protocol. We are using it to establish a tunnel. That is why it is named 'BadTunnel,'" Yu explains.

The attack doesn't exploit any weakness in the protocol itself, only the way Microsoft implemented NetBIOS in Windows.

All that's required is some simple social engineering. The attacker only needs to convince a user to access a file URI or UNC path (links and shortcuts in applications). Yu says an attacker can exploit BadTunnel via Internet Explorer, Edge, Office, and other applications that support URI and UNC paths. Exploitation is not limited to software; the attack can also be performed from a USB flash drive or a Web server.

Spoofing NetBIOS requests to pass as a WPAD or ISATAP server

The attacker embeds URI and UNC paths that link back to their device. The vulnerability, CVE-2016-3213, is a cross-network NetBIOS spoofing attack that allows an attacker to intercept the NetBIOS requests the victim sends to the attacker's host.

Exploitation allows the attacker to respond to NetBIOS name requests and masquerade as a WPAD or ISATAP server.

NetBIOS is a standard protocol found in many operating systems, and it was developed to allow computers to talk over a local network. WPAD stands for Web Proxy Auto-Discovery and is a protocol used to broadcast common proxy configurations across a network. ISATAP stands for Intra-Site Automatic Tunnel Addressing Protocol and is an IPv4-IPv6 transition mechanism.

BadTunnel attacks can persist indefinitely

Once the attacker has established themselves as a valid WPAD or ISATAP server, Yu says there are different methods through which they can maintain persistence, even after the WPAD / ISATAP cache expires.

Yu adds that attackers who control someone's HTTP traffic can periodically redirect the user, without their knowledge, to tainted URI or UNC paths that lead back to the attacker's host, reinitiating the attack. This is just one of the methods by which an attacker can keep a permanent MitM position.

As mentioned above, the issues reside in how Windows operating systems deal with NetBIOS hostname discovery requests. Microsoft said in MS16-077 that it corrected "how Windows handles proxy discovery."

Microsoft patches issue, many operating systems remain vulnerable

Neither Yu nor Microsoft was aware of any exploits using this vulnerability. To be on the safe side, users should update as soon as possible.

Exploitation points remain open for non-supported Windows operating systems such as XP, Windows Server 2003, and others, for which patches have not been released. For these operating systems, and for those that can't be updated just yet, system administrators should disable NetBIOS.
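For administrators following the article's advice to disable NetBIOS on hosts that cannot receive MS16-077, the following PowerShell script, added here and not part of the article or of Yu's research, audits every IP-enabled adapter and, when run with -Apply, disables NetBIOS over TCP/IP through WMI. The closing check on UDP port 137 is an assumption (the NetBIOS Name Service port), not something the article states.

```powershell
# Added example (not from the article): audit and disable NetBIOS over TCP/IP
# on every IP-enabled adapter. Run from an elevated PowerShell session.
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.

param([switch]$Apply)   # without -Apply the script only reports

$adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration |
            Where-Object { $_.IPEnabled }

foreach ($nic in $adapters) {
    $state = switch ($nic.TcpipNetbiosOptions) {
        0 { 'default (DHCP)' } 1 { 'enabled' } 2 { 'disabled' } default { 'unknown' }
    }
    Write-Output ("{0,-45} NetBIOS over TCP/IP: {1}" -f $nic.Description, $state)

    if ($Apply -and $nic.TcpipNetbiosOptions -ne 2) {
        # SetTcpipNetbios returns 0 on success, 1 when a reboot is required
        $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                                   -Arguments @{ TcpipNetbiosOptions = 2 }
        Write-Output ("  -> SetTcpipNetbios(2) returned {0}" -f $result.ReturnValue)
    }
}

# Assumption: the NetBIOS Name Service listens on UDP 137; after applying,
# this should list no endpoints once the change has taken effect.
Get-NetUDPEndpoint -LocalPort 137 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Re-run without -Apply after a reboot to confirm every adapter reports "disabled".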

Yu is scheduled to present more details on this bug at this year's Black Hat USA security conference. The title of his presentation is "BadTunnel: How Do I Get Big Brother Power?"

Yu highlighted that there were many other WPAD hijacking attacks in the past, in 1999, 2007, and in 2012 with the Flame worm. The difference is that those required the attacker to have a presence on the same network segment, whereas BadTunnel can attack anyone from anywhere.