Newly Discovered Windows BadTunnel Attack Has Been Around For 20 Years

A Chinese researcher has “discovered” a Windows flaw that affects every version of Windows released in the last 20 years. It does not require installing malware on the target, and it can be executed silently with a near-perfect success rate.

While no one seems to be saying this, I wonder if the Chinese have known about this attack for years or decades and just now, for some reason, are making it public.

Yu says BadTunnel is basically a technique for NetBIOS-spoofing across networks: the attacker can get access to network traffic without being on the victim’s network, and also bypass firewall and Network Address Translation (NAT) devices.

It can be exploited via Office, Edge, Internet Explorer and some third-party applications.

Without going into a lot of detail, here is how it works. The researcher will present a paper on the attack at Black Hat.

BadTunnel does not rely on a single bug. It chains a series of security weaknesses: how Windows resolves network names and which responses it accepts; how IE and Edge handle web pages with embedded content; how Windows handles network paths that reference an IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles queries arriving on the same UDP port (137). None of these is a critical flaw on its own, but lumped together they leave the network open to a BadTunnel attack.

Since it affects all versions of Windows released in the last 20 years, desktop and server editions alike, installing the patch ranks as “pretty important”.

If for some reason you cannot install the patch, make sure you block all NetBIOS traffic at your firewall, in particular the NetBIOS Name Service traffic on UDP port 137 that the attack depends on. Treat this as a stopgap, not a substitute for the patch.
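For a Windows host that cannot take the patch yet, the following PowerShell is one way to apply that stopgap on the host itself. This is an added example, not code from the original post, from Dark Reading, or from the researcher's paper. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for the NetSecurity cmdlets), and the firewall rule name is my own choice; the registry path and the value 2 (NetBIOS disabled) are standard Windows settings.

```powershell
# Added mitigation example (not from the original post or the BadTunnel paper).
# Two host-side controls for machines that cannot install the patch:
#   1. disable NetBIOS over TCP/IP on every interface, and
#   2. block outbound NetBIOS Name Service traffic (UDP 137) in Windows Firewall.
# Run from an elevated prompt. Step 1 takes effect after a reboot.
#Requires -RunAsAdministrator

# --- 1. Disable NetBIOS over TCP/IP per interface ---------------------------
# NetbiosOptions: 0 = use DHCP/default, 1 = enabled, 2 = disabled.
$netbtPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $netbtPath | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
}

# --- 2. Block outbound UDP 137 at the Windows Firewall ----------------------
# Rule name is hypothetical; pick whatever fits your naming convention.
$ruleName = 'Block outbound NetBIOS Name Service (UDP 137)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction   Outbound `
                        -Protocol    UDP `
                        -RemotePort  137 `
                        -Action      Block `
                        -Profile     Any | Out-Null
}

# --- 3. Verify -------------------------------------------------------------
# Every interface should now show NetbiosOptions = 2 ...
Get-ItemProperty -Path "$netbtPath\*" -Name 'NetbiosOptions' |
    Select-Object PSChildName, NetbiosOptions

# ... and the block rule should be present and enabled with the right port filter.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action

Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallPortFilter |
    Select-Object Protocol, RemotePort
```

Two caveats a practitioner will want: disabling NetBIOS over TCP/IP breaks legacy name resolution for anything that still depends on it (old shares, printers, WINS-era software), so test before rolling it out fleet-wide; and the host firewall rule only helps for the host it is on, so the perimeter firewall still needs its own rule for UDP 137 leaving the network.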

The interesting thing about this is that the bug has been around for 20 years, which means the affected code paths, including those still shipping in Windows 10, date back 20 years. This goes back to my soapbox conversation about software supply chain security. It is just another example of how the software components you integrate into new code (like the old NetBIOS code carried forward into Windows 10) can come back to haunt you in a serious way.

Information for this post came from Dark Reading.
