The Chinese researcher Yang Yu, director of Xuanwu Lab of Tencent has discovered a design flaw in Microsoft Windows that affects all versions of the popular operating system. The vulnerability could allow an attacker to hijack a target organization’s network traffic, experts at Microsoft called it BadTunnel.
Microsoft has already patched the BadTunnel that according to Yang Yu has the widest impact in the history of Windows.
Yu told to DarkReading that the flaw affects all the Microsoft Windows versions and it could be silently exploited through many different channels. BadTunnel can be triggered via all versions of Microsoft Office, Edge, Internet Explorer, via IIS and Apache Web servers, via a thumb drive, and also through a number of third-party apps on Windows.
The BadTunnel results from a combination of issues that could allow attackers to launch an exploit.
“This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific issue for an exploit.” Yu explained to DarkReading “This vulnerability is caused by a series of seemingly correct implementations, which includes a transport layer protocol, an application layer protocol, a few specific usage of application protocol by the operating system, and several protocol implementations used by firewalls and NAT devices,”
The expert classified the BadTunnel as a technique for NetBIOS-spoofing across networks, this means that the attacker can leverage on it to get access to network traffic without being on the victim’s network. The technique is very insidious and difficult to the attack is difficult to detect because it doesn’t involve malicious code and allows to bypass firewall and Network Address Translation (NAT) devices.
The attack scenario is very simple, the attacker just needs to trick victims into visit a malicious web page via IE or Edge, or to open a specifically crafted Office document. The website used by the attackers will appear as either a file server or a local print server, meantime it will allow the hijacking of the victim’s network traffic.
Then all the victim’s traffic is hijacked, including Windows Updates and Certificated Revocation List updates.
Below the attack scenario described by Yu:
Security Affairs – (BadTunnel, Microsoft Windows )