BadTunnel Bug Hijacks Network Traffic, Affects All Windows Versions (softpedia.com) 105
An anonymous reader writes: Microsoft has just patched a vulnerability that affects all Windows versions ever released. Called BadTunnel, the security flaw allows attackers to pass as a WPAD or ISATAP server and intercept all network traffic. Exploitation is trivial and firewalls are natively designed to open the port through which the attack is carried out. BadTunnel can be triggered whenever the user clicks URI or UNC links/paths in Office files, IE, Edge, or other applications that support the URI/VNC scheme (and most do). Additionally, an attacker can carry out his attack from the other side of the world, and does not need to have a foothold on the victim's network. While recent Windows OS versions received patches, exploitation points remain open for non-supported Windows operating systems such as XP, Windows Server 2003, and others. For these operating systems, and for those that can't be updated just yet, system administrators should disable NetBIOS.
Re:WinXP Patch? (Score:5, Funny)
just upgrade to Win 10 and everything will be ok.
let go of your old OS and let MS set you free.
for a limited time only.
Re: (Score:3)
Yes, and if you're interested in being approached for interesting jobs, once the LinkedIn acquisition is complete, Microsoft will probably punish anyone not running Windows 10 by burying their names in search results. Get with the program - NOW!
Re: (Score:2)
Yeah, the next zero day to come along affecting XP will be a big deal since it is out of support and therefore the problem will never be patched. I totally agree that you are going to be more secure running Windows 7, 8, or 10 than XP.
Re: (Score:1)
just upgrade to Win 10 and everything will be ok. let go of your old OS and let MS set you free.
for a limited time only.
Why would I want to install Windows 10 when my perfectly good Fedora 23 distro works perfectly?
If I want to install Malware [wikipedia.org] then Microsoft Windows 10 would be the way to go, after all, take a look at what Windows 10 is doing to get people to "upgrade" and what settings are on by default. Sure you can turn most of these settings to "off" but even after hacking the Registry, which most people can't do, are you quite sure you really have turned everything off?
Of course, we all really know that Big Brothe
Re: (Score:1)
it was a joke.
I'm more of a debian guy myself, but fedora is good too.
Re: WinXP Patch? (Score:1)
I wonder if this had been known and maybe even disclosed by Microsoft to the NSA, especially since it's all known Windows versions.
Re: (Score:1)
Yeah. but hey. c'mon now. Net Bios? Anyone still even *using* it? ;-)
Break out my Windows 3.11 box (Score:2)
Re: (Score:2)
Piker. I am going to install my copy of Windows 1.03. As soon as I can find a 5.25" 360K drive.
Re: (Score:2)
Maybe I'm just old and senile, but didn't 3.11, i.e. "Windows for Workgroups", include one?
Re: (Score:2)
However, it appears that WFW gained NetBIOS support via NWNBLink, which provided support for NetBIOS over IPX/SPX, rather than TCP/IP. That is, it would not have been vulnerable to BadTunnel.
Re: Break out my Windows 3.11 box (Score:5, Informative)
Additionally, read up on how the vulnerability functions. I had to read up on it a bit more than I already had in order to write this reply, but here's a summary: The attack involved convincing a Windows machine, via a flaw in NetBIOS over TCP/IP, that the attacking machine is a valid WPAD or ISATAP server. ISATAP is an IPv6 transition mechanism so we can rule that out as a WFW attack vector. WPAD hadn't been created by Netscape yet in 1993 when WFW was released (it was developed in 1996 as part of Netscape Navigator 2.0), so that's ruled out as well.
Looks like WFW was safe.
Re: (Score:2)
WFW used NETBEUI, and IPX, yes.
It did have a TCP/IP implementation though. It just didn't do NetBIOS over it.
Win 3.1 needed Trumpet TCP, or some other 3rd party stack, but WFW had it natively. This was the era where Netscape was really starting to hit the scene, and the web was an emerging phenomenon. IIRC, there was an early version of IE for WFW.
That is why when Win95 rolled out, with IE preinstalled (but not thoroughly baked in), it started MS's ascendancy. When Win98 hit with it permanently baked in, it s
Re: (Score:3)
It did have a TCP/IP implementation though. It just didn't do NetBIOS over it.
This is correct; and BadTunnel is initiated via an exploit in NetBIOS over IPX/SPX and relies on one of two additional services for which WFW had no support.
Re: (Score:2)
BadTunnel is initiated via an exploit in NetBIOS over TCP/IP
Proofread.
Every.
Post.
Re: (Score:2)
Yay! I'll filter everything which is not IPX in the router!
Re: (Score:2)
Microsoft did provide a tcp driver for wfw3.11 as an add on.
I
Re: (Score:1)
Kind of hard when that version doesn't have an IP stack.
All versions of Windows, ever released? (Score:2)
Wow! And to think, Windows 1.0, 2.0 and 3.0 didn't have any networking support! Yet they somehow have bugs that allow diverting network traffic that they don't and can't generate!
Windows 3.11 was the first to include networking, and I'm going to bet it wasn't affected, either.
Re: (Score:3)
Nope.
Re: (Score:2)
Some of us remember installing Trumpet Winsock on Windows 3.1; it certainly was not DOS.
Re: (Score:2)
Some of us remember installing Trumpet Winsock on Windows 3.1; it certainly was not DOS.
If you were very very lucky you had the TCP stack from TGV (Two guys and a vax) instead. They got bought by Cisco at the same time that Windows 95 came out with its own TCP stack, so they abandoned the main product and turned them into a cable modem development facility because Cisco.
Re: (Score:2)
But fortunately, according to the summary, they still patched all versions. Where do I get the patch for XP?
Microsoft please stop this madness (Score:5, Insightful)
For the life of me I can't figure out why all of these tunneling/transition protocols are enabled by default in Windows. Who uses automatic IPv6 transition schemes in 2016? They certainly are not now nor have they ever been sufficiently reliable for production use and TTL for IPv6 amateur hour has long since expired. Why is this worth the massive security headaches these things invite?
Have a script that I run on any new windows boxes. Part of it does the following.
netsh interface teredo set state disabled
netsh interface isatap set state disabled
netsh interface 6to4 set state disabled
I'm honestly perplexed and dumbfounded why Microsoft is (still) doing this.
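A script in the spirit of the one the poster describes, added here as an example and not the poster's own script or Microsoft's guidance: it runs the same three netsh lines, disables NetBIOS over TCP/IP on every adapter as the summary recommends, adds a host-firewall block on the NetBIOS name service port, and lists any adapter where NetBIOS is still on. It assumes an elevated PowerShell 3.0 or later session; the WMI method, the NetBT registry path and UDP port 137 are standard Windows details, not taken from the thread.

```powershell
# Added example (not from the thread or its posters): apply the two
# mitigations discussed above, the netsh tunnel disables from the comment
# and the summary's "disable NetBIOS", then verify the NetBIOS state.
# Assumes an elevated PowerShell 3.0+ session on Windows 7 or later.

# 1. IPv6 transition tunnels (same netsh commands as the comment above).
foreach ($tech in 'teredo', 'isatap', '6to4') {
    netsh interface $tech set state disabled | Out-Null
}

# 2. NetBIOS over TCP/IP on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = take setting from DHCP, 1 = enabled, 2 = disabled.
$nics = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
foreach ($nic in $nics) {
    $result = Invoke-CimMethod -InputObject $nic -MethodName SetTcpipNetbios `
                               -Arguments @{ TcpipNetbiosOptions = 2 }
    # ReturnValue 0 = applied, 1 = applied but a reboot is required.
    '{0}: SetTcpipNetbios returned {1}' -f $nic.Description, $result.ReturnValue
}

# 3. Host firewall: also block inbound NetBIOS name service (UDP 137), so an
#    adapter that later gets NetBIOS re-enabled still cannot be reached.
#    Requires the NetSecurity module (Windows 8 / Server 2012 or later).
if (Get-Command New-NetFirewallRule -ErrorAction SilentlyContinue) {
    New-NetFirewallRule -DisplayName 'Block NetBIOS name service (UDP 137)' `
        -Direction Inbound -Protocol UDP -LocalPort 137 -Action Block | Out-Null
}

# 4. Verify: every NetBT interface key should now carry NetbiosOptions = 2;
#    anything listed here is an adapter that was missed.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem $base | ForEach-Object {
    [pscustomobject]@{
        Interface      = $_.PSChildName
        NetbiosOptions = (Get-ItemProperty -Path $_.PSPath).NetbiosOptions
    }
} | Where-Object { $_.NetbiosOptions -ne 2 }
```

Step 4 printing nothing means every interface is at NetbiosOptions = 2; a reboot is still needed for adapters whose SetTcpipNetbios call returned 1.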
Re: (Score:2)
That... really depends on the distro. There are plenty of unnecessary discovery services distros can be tempted to install because they want their product to satisfy users who expect their OS to "see their printer" and such crap without being told to. All such services offer more potential code surface for network-borne attacks.
Re: (Score:3)
IIRC it all started with Windows 7/Server 2008 and some features that *required* IPv6. You didn't really have to be running IPv6 on your network because MS was enabling tunneling and IPv6 by default so things would work automagically.
https://en.wikipedia.org/wiki/... [wikipedia.org]
https://technet.microsoft.com/... [microsoft.com]
So sorry (Score:3)
Re: (Score:1)
I'm sorry but I'm done with Microsoft patches. If hackers want to watch me play CS:GO or post on slashdot they're welcome to do it, but I won't risk Microsoft's definite installation of spyware.
On my own laptops, I agree completely. Unfortunately, my day job requires Microcrap Windoze.
Even though my wife is not computer savvy and is a little resistant to change, her next laptop will get Windoze wiped from it and replaced with some version of Linux.
I am currently configuring a second-hand laptop for a young family friend who is starting college this fall. It will have Linux on it, not Windoze. I warned him that he has to give Linux a try for two weeks. I will only install Windoze on it if he
Can I patch my Win7 without "upgrading" to Win10? (Score:2)
Agree! I am trying to decide whether to allow Windows Update on my precious Windows 7 laptop which I finally bought for work after having been subject to Windows 8 crap (I'm trying to avoid the freshly-crapped Windows 10 with which one co-worker was saddled). Never thought I'd ever actually type the sequence of characters "precious Windows" in my lifetime, but after a lot of looking, I found a laptop Dell was selling that still had Windows 7 (Dell Vostro); it comes with a "Recovery CD-ROM" that installs W
Re: (Score:3)
Do some Googling for the make and model of your modem, and of the router if it's a separate piece of equipment. There are exploits going around for some CPE, cable modems in particular, that allow a remote attacker to change the configured name servers among other things. If rebooting the modem or router fixed the problem, it's more likely that's what was compromised, not a NetBIOS tunnel in Windows.
Nothing to do with VNC protocol (Score:2)
Natively (Score:1)
firewalls are natively designed to open the port
My firewalls don't open any ports without me saying so.
Researcher doesn't understand firewalls (Score:1)
"Firewalls won't stop the attack, because UDP is a connectionless protocol. We are using it to establish a tunnel. That is why it is named 'BadTunnel'," Yu explains.
My border firewall certainly stops this attack from outside the network since it does not allow IP protocol 41 which is used by ISATAP.
Submitter doesn't understand firewalls either:
firewalls are natively designed to open the port through which the attack is carried out
That may be true of the built-in Windows firewall, but it is not generally true for other ("real") firewalls.
will never be patched (Score:2)
Given how many "stealth Win10 install" patches are lined up in all our "windows updates" notifications, and that plenty of people on /. and elsewhere have stated clearly they've just plain shut down all updates rather than try to weed out the crapware ones, it's pretty clear this vulnerability will remain on plenty of machines for a long time.
NetBIOS should be disabled anyway (Score:2)
Re: (Score:3)
I tend to use a philosophy of "less is more"
That's why you have a multi megabyte host file right?
Also. Bing? Really?
Re: (Score:2)
I tend to use a philosophy of "less is more"
Actually, less is more than more.
Just ask any csh jock.