Electronic news service of the Ministry of Communications and Information Technologies
‘BadTunnel’ social engineering attack hijacks your network traffic
A researcher in China has discovered a design flaw in Microsoft Windows that affects every version of the operating system, including Windows 10. The flaw relies on NetBIOS spoofing and lets an attacker hijack an organization’s network traffic with a simple social engineering attack. It can be exploited silently, with a near-perfect success rate.
The scenario is very simple: the attacker uses social engineering to trick an employee into visiting a malicious web page in IE or Edge, or into opening a specially crafted Office document. The attacker’s site presents itself to the victim machine as either a file server or a local print server, but in the background it hijacks the organization’s network traffic, including things like Windows Update.
“This vulnerability has a massive security impact – probably the widest impact in the history of Windows,” Yu said in an interview with DarkReading conducted via email. “It not only can be exploited through many different channels, but also exists in all Windows versions released during the past 20 years.”
Microsoft this week issued a patch for the so-called “BadTunnel” bug found by Yang Yu, director of Xuanwu Lab of Tencent in Beijing. Yu will detail and demonstrate his findings on the Windows flaw in August at Black Hat USA in Las Vegas in his presentation “BadTunnel: How Do I Get Big Brother Power?”
The expert classifies BadTunnel as a technique for NetBIOS spoofing across networks, meaning that an attacker can use it to gain access to network traffic without being on the victim’s network. The technique is very insidious and difficult to detect because it involves no malicious code and allows the attacker to bypass firewalls and Network Address Translation (NAT) devices.
BadTunnel exploits a series of security weaknesses, including how Windows resolves network names and accepts responses; how IE and Edge browsers support webpages with embedded content; how Windows handles network paths via an IP address; how NetBIOS Name Service NB and NBSTAT queries handle transactions; and how Windows handles queries on the same UDP port (137) -- all of which when lumped together make the network vulnerable to a BadTunnel attack.
The vulnerability has already been eliminated in the latest versions of Windows: early in June, Microsoft issued the corresponding security bulletins MS16-063 and MS16-077. But the vulnerability remains in outdated and unsupported versions of Windows such as Windows XP and Windows Server 2003. Users of these versions can protect themselves from attack by blocking UDP port 137.
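As an added example, not part of the article or of Tencent’s research: since the attack works across networks, a victim machine ends up sending NetBIOS Name Service traffic on UDP port 137 to an address outside the local network, which is something legitimate NetBIOS name resolution does not do (it stays on the LAN as broadcasts or unicasts to internal hosts). The script below scans firewall log lines for exactly that pattern. The log format (comma-separated timestamp, protocol, source, source port, destination, destination port) and all addresses in the sample are constructed for the example; the external peer uses a documentation range (203.0.113.0/24), which is why the internal-network list is explicit rather than relying on a library’s notion of a “global” address.

```python
import ipaddress
import re

# NetBIOS Name Service uses UDP/137, the port the article says to block on
# unsupported Windows versions.
NBNS_PORT = 137

# Address ranges that count as "internal" for this check: RFC 1918 private
# space, link-local, loopback and limited broadcast. (Assumption for the
# example; adjust to the organization's real address plan.)
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in (
        "10.0.0.0/8",
        "172.16.0.0/12",
        "192.168.0.0/16",
        "169.254.0.0/16",
        "127.0.0.0/8",
        "255.255.255.255/32",
    )
]

# Constructed sample firewall log (not from any real capture). Lines 2 and 5
# are unicast NBNS flows to an address outside the internal ranges; line 1 is a
# normal LAN broadcast lookup, line 4 is an internal unicast lookup, line 3 is
# unrelated HTTPS traffic.
SAMPLE_LOG = """\
2016-06-14T10:00:01Z,UDP,192.168.1.20,137,192.168.1.255,137
2016-06-14T10:00:02Z,UDP,192.168.1.20,137,203.0.113.45,137
2016-06-14T10:00:03Z,TCP,192.168.1.20,49152,198.51.100.7,443
2016-06-14T10:00:04Z,UDP,192.168.1.21,137,10.0.0.5,137
2016-06-14T10:00:05Z,UDP,192.168.1.22,137,203.0.113.45,137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+),(?P<proto>[A-Za-z]+),(?P<src>[\d.]+),(?P<sport>\d+),"
    r"(?P<dst>[\d.]+),(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we don't understand."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_internal(addr):
    """True when the address falls inside one of the configured internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def is_cross_network_nbns(rec):
    """Flag a UDP/137 flow whose source or destination is outside the internal ranges."""
    if rec["proto"].upper() != "UDP":
        return False
    if NBNS_PORT not in (rec["sport"], rec["dport"]):
        return False
    return not (is_internal(rec["src"]) and is_internal(rec["dst"]))


def find_cross_network_nbns(log_text):
    """Return (timestamp, src, dst) for every suspicious NBNS flow in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines rather than failing the scan
        if is_cross_network_nbns(rec):
            hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits


def external_peers(log_text):
    """Set of non-internal addresses seen in suspicious NBNS flows (useful for blocking or hunting)."""
    peers = set()
    for _, src, dst in find_cross_network_nbns(log_text):
        for addr in (src, dst):
            if not is_internal(addr):
                peers.add(addr)
    return peers


if __name__ == "__main__":
    for ts, src, dst in find_cross_network_nbns(SAMPLE_LOG):
        print(f"{ts}  NBNS to non-internal peer: {src} -> {dst}")
    print("external NBNS peers:", sorted(external_peers(SAMPLE_LOG)))
```

On the sample data the scan reports the two flows to 203.0.113.45 and nothing else; a single external address appearing as the NBNS peer of several internal hosts is the shape a defender would expect from the cross-network spoofing the article describes, and the same address set is what to feed a block rule for UDP 137 on hosts that cannot be patched.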
08/07/16