BadTunnel – Critical vulnerability allows interception of all network traffic of Windows users

Researchers from Tencent's Xuanwu Lab, the company's Internet security research department, have discovered a serious bug in the Windows implementation of the NetBIOS protocol. The critical vulnerability has been named BadTunnel, and it allows attackers to gain complete control of the victim's network traffic.

BadTunnel allows cyber criminals to control not only HTTP and HTTPS requests but the entire network activity of the operating system. For example, with its help attackers can interfere with the loading of system updates and with the process of obtaining the list of certificates. All versions of Windows are vulnerable.

According to Yang Yu, the researcher who discovered the vulnerability, the victim's traffic can be redirected with the help of a fake WPAD file (Web Proxy Auto-Discovery) or a fake ISATAP server.

Experts from Positive Technologies have described a possible attack using the BadTunnel vulnerability. To carry it out, the attacker must convince the victim to open at least one URI or UNC path; this may be the address of a malicious website, a folder or a document. In that case NetBIOS over TCP/IP is used instead of standard sockets. The path must contain the IP address of the attacker's server, for example: <img src=\\\BadTunnel>.

When this address is processed, requests are first sent to port 139 (NetBIOS Session Service) or 445 (Microsoft-DS, used for Active Directory and Windows shares). If these ports are closed, the victim sends a NetBIOS Name Service (NBNS) NBSTAT message to port 137, which opens a UDP tunnel and allows the attackers to send requests directly to the victim, bypassing NAT and the firewall.

If the victim's computer has the standard WPAD configuration, it periodically sends a broadcast request looking for a node named WPAD. Since the attacker has established a tunnel to the victim's computer, it is enough to generate a large number of false answers to the WPAD name request, pointing to the server on which the attackers host their proxy settings.

Some time later, once the vulnerable computer accepts a fake response to the WPAD request, it starts looking for proxy settings at the WPAD address. After it finds them, the connection is established and the attackers gain complete control over the victim's traffic.

How to protect yourself

Tools such as firewalls or NAT cannot prevent attacks using the BadTunnel vulnerability. According to Yang Yu, the reason is that UDP, which is used to create the tunnel, does not establish a connection. Microsoft has released security bulletins MS16-063 and MS16-077, which fix this vulnerability in the latest versions of Windows.
The essence of these updates is that periodic resolution of the WPAD name is now disabled by default, and NBSTAT requests from the home network are also blocked by default. These changes are controlled by registry keys and make it impossible to establish the UDP tunnel used in BadTunnel attacks.

However, the vulnerability remains in outdated and unsupported operating system versions such as Windows XP and Windows Server 2003. To protect themselves, users of these systems need to block UDP port 137. According to Yang Yu, this is not the first vulnerability that enables attacks by hijacking WPAD. Similar cases were recorded in 1999, 2007 and 2012, when there was a surge in activity of the worm called Flame.

Existing proof-of-concept scripts do not take the Transaction ID of the NBSTAT request into account and instead rely on a huge flood of fake responses covering every possible Transaction ID value from 0 to 65535. However, a minimal number of fake packets is enough for a successful attack.

Experts from Positive Technologies have developed a set of signatures for the Suricata IDS that can detect the NetBIOS name spoofing stages and the establishment of the UDP tunnel, block attempts to substitute WPAD and ISATAP addresses, and alert on a possible attack attempt. They are available on the company's official Twitter and GitHub accounts.
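The two detection cues the article describes, a flood of responses with guessed Transaction IDs and answers that substitute the WPAD or ISATAP name, as an added Python illustration that is not the Positive Technologies signatures or any code from the article. It parses NBNS packets per RFC 1002 and flags responses whose Transaction ID matches no query the host sent, plus any answer for a watched name; the sample packets are constructed inline for testing, and `sample_packet`, `NbnsSpoofDetector` and the flag values are this example's own choices.

```python
import struct

WATCHED_NAMES = {"WPAD", "ISATAP"}  # names the article says the Suricata rules watch

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    # RFC 1002 first-level encoding: 15-char space-padded name + suffix, each nibble as 'A'..'P'
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(b for c in raw for b in ((c >> 4) + 65, (c & 15) + 65)) + b"\x00"

def decode_netbios_name(enc: bytes) -> str:
    body = enc[1:33]
    raw = bytes(((body[i] - 65) << 4) | (body[i + 1] - 65) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip()

def parse_nbns(pkt: bytes) -> dict:
    # Header: NAME_TRN_ID, flags, QDCOUNT, ANCOUNT (then NSCOUNT, ARCOUNT), all 16-bit big-endian
    trn_id, flags, qd, an = struct.unpack("!4H", pkt[:8])
    off = 12 + qd * 38                       # each question: 34-byte name + type + class
    answers = []
    for _ in range(an):
        name = decode_netbios_name(pkt[off:off + 34])
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off + 34:off + 44])
        rdata = pkt[off + 44:off + 44 + rdlen]
        if rtype == 0x0020:                  # NB record: (NB_FLAGS, NB_ADDRESS) pairs, 6 bytes each
            answers += [(name, ".".join(map(str, rdata[i + 2:i + 6]))) for i in range(0, rdlen, 6)]
        off += 44 + rdlen
    return {"trn_id": trn_id, "is_response": bool(flags & 0x8000), "answers": answers}

class NbnsSpoofDetector:
    # Flags (a) answers naming WPAD/ISATAP and (b) responses with no matching query (ID-guess flood)
    def __init__(self):
        self.pending = set()
    def observe(self, pkt: bytes) -> list:
        p = parse_nbns(pkt)
        if not p["is_response"]:
            self.pending.add(p["trn_id"])    # remember IDs the host itself asked with
            return []
        alerts = [] if p["trn_id"] in self.pending else [f"unsolicited response trn_id={p['trn_id']}"]
        self.pending.discard(p["trn_id"])
        alerts += [f"answer for {n} -> {ip}" for n, ip in p["answers"] if n in WATCHED_NAMES]
        return alerts

def sample_packet(trn_id: int, name: str, ip: str = None) -> bytes:
    # Constructed test input (not a real capture): a name query if ip is None, else a positive response
    hdr = struct.pack("!6H", trn_id, 0x0110 if ip is None else 0x8500, int(ip is None), int(ip is not None), 0, 0)
    if ip is None:
        return hdr + encode_netbios_name(name) + struct.pack("!HH", 0x20, 1)
    rdata = struct.pack("!H4B", 0, *map(int, ip.split(".")))
    return hdr + encode_netbios_name(name) + struct.pack("!HHIH", 0x20, 1, 300, len(rdata)) + rdata
```

A real deployment would feed `observe` from UDP/137 captures per source host and would also age out pending IDs; a response for a watched name is flagged even when its Transaction ID does match, since the host's own WPAD broadcast is exactly what the fake answers target.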

Information added: 07/07/2016 10:25 PM