myhack58 | 佚名 (Anonymous) | MYHACK58:62201676302
History: Jun 27, 2016 - 12:00 a.m.

BadTunnel Super Vulnerability CVE-2016-3213: Technical Analysis and Protection Solution - vulnerability warning - Black Bar Safety Net (myhack58)

2016-06-27 00:00:00
佚名 (Anonymous)
www.myhack58.com

8.8 High (CVSS3)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High (CVSS2)
  Access Vector: NETWORK
  Access Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.929 High, Percentile 98.8%

On June 15, 2016, Microsoft released its June security update, which fixes a vulnerability affecting every edition of Windows from Windows 95 to Windows 10. It could become the most widely impacting vulnerability in Windows history. Don't panic: NSFOCUS walks you through the technical analysis and the corresponding protective measures.

Reportedly, this vulnerability was discovered by Tencent's Xuanwu Lab, which named it BadTunnel.

The vulnerability is numbered CVE-2016-3213. Its CVSS score is high, and Microsoft rates it Important.

The related CVE disclosure is at the following address:

According to Microsoft's description, BadTunnel arises from WPAD (Web Proxy Auto-Discovery), the Web proxy auto-discovery protocol. When WPAD falls back to a vulnerable proxy discovery process on the target system, the vulnerability could allow elevation of privilege. In essence, however, the vulnerability exploits a defect in the NetBIOS protocol to hijack a broadcast protocol across network boundaries.

Affected version

  • All current versions of Windows.

Non-Affected version

  • None.

Technical analysis

When Windows accesses a file through a UNC path, it sends a NetBIOS Node Status Request to confirm the state of the node being accessed. Windows also enables WPAD by default: when the local LMHOSTS lookup and DNS resolution both fail, it broadcasts a NetBIOS Name Query Request on the LAN to resolve the IP address of WPAD. This is shown in the figure below:

Hijacking NetBIOS within a LAN and then poisoning WPAD for a man-in-the-middle attack is nothing new. The key to BadTunnel is that it crosses the network boundary: it still works behind NAT (Network Address Translation), achieving a cross-segment hijack. Let's look in detail at how this is done.

According to the NetBIOS protocol in RFC 1002, a Node Status Request and a Name Query Request differ only in their query type, as the figure below shows. In Microsoft's implementation, the NAME_TRN_ID is simply incremented from one request to the next.

Although a Name Query Request can be broadcast within the LAN, the gateway will not forward it to the external network. A Node Status Request, however, is not confined to the LAN. So if the Node Status Request is sent first and the Name Query Request afterwards, the NAME_TRN_ID of the Name Query Request can be predicted from the NAME_TRN_ID of the preceding Node Status Request. A forged Name Query Response can then be returned right after the Node Status Response; because both use the same port, the gateway forwards the Name Query Response from the external network back into the internal network, achieving a cross-subnet NetBIOS hijack.

The attack proceeds as follows:

  1. The attacker tricks the user into clicking a link that contains a UNC file path pointing to an address the attacker controls.

  2. The attacker, on the external network, receives the Node Status Request, responds to it, and thereby learns the NetBIOS NAME_TRN_ID.

  3. Because of the user's default WPAD configuration, or because the user is again tricked into accessing a link carrying the WPAD name, NetBIOS broadcasts a query for the WPAD address, as follows:

     This broadcast packet is not forwarded to the external network.

  4. From the NAME_TRN_ID obtained earlier, the attacker can guess that the NAME_TRN_ID of the subsequent WPAD query will be the previous value plus 1, and so forges a WPAD Name Query Response.

  5. Because NetBIOS Node Status and Name Query use the same port, and the preceding Node Status Request and Response have already established connection state at the gateway, the forged Name Query Response sent by the attacker from the external network is forwarded into the internal network. The user accepts the forged WPAD Response without checking whether it came from within the internal network, and its WPAD is thereby poisoned. From then on the user's traffic follows the WPAD proxy settings and is redirected to the attacker.
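As an added illustration of the mechanism above (not code from the original article), the following Python builds RFC 1002 NetBIOS Name Service packets, shows that a Node Status Request and a Name Query differ only in query type while sharing the NAME_TRN_ID counter, and runs a defender-side check over constructed sample datagrams: a response that answers a broadcast query but arrives from outside the local subnet is exactly the check the victim never makes. The addresses, transaction IDs and sample traffic are constructed assumptions.

```python
import ipaddress
import struct

QTYPE_NB, QTYPE_NBSTAT = 0x0020, 0x0021  # RFC 1002 "NB" name query / "NBSTAT" node status

def encode_name(name, suffix=0x00, pad=b" "):
    """RFC 1002 first-level encoding: 16-byte name, each nibble written as 'A' + nibble."""
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    enc = bytes(b for c in raw for b in (0x41 + (c >> 4), 0x41 + (c & 0x0F)))
    return b"\x20" + enc + b"\x00"

def decode_name(buf, off):
    """Return (netbios_name, suffix, offset just past the encoded name)."""
    enc = buf[off + 1:off + 1 + buf[off]]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, len(enc), 2))
    return raw[:15].rstrip(b" \x00").decode("ascii", "replace"), raw[15], off + len(enc) + 2

def build_query(trn_id, name, qtype, broadcast=True):
    # Header: NAME_TRN_ID, flags (R=0, OPCODE=QUERY, NM_FLAGS.B is bit 4), QD=1, AN=NS=AR=0.
    flags = 0x0010 if broadcast else 0x0000
    pad = b"\x00" if name == "*" else b" "  # the Node Status wildcard name is NUL-padded
    return (struct.pack("!HHHHHH", trn_id, flags, 1, 0, 0, 0)
            + encode_name(name, pad=pad) + struct.pack("!HH", qtype, 1))

def build_name_response(trn_id, name, addr):
    # Positive Name Query Response: R=1, AA=1 (0x8400); RDATA = NB_FLAGS + NB_ADDRESS.
    rdata = struct.pack("!H", 0x0000) + ipaddress.IPv4Address(addr).packed
    return (struct.pack("!HHHHHH", trn_id, 0x8400, 0, 1, 0, 0) + encode_name(name)
            + struct.pack("!HHIH", QTYPE_NB, 1, 300000, len(rdata)) + rdata)

def parse_nbns(pkt):
    trn_id, flags = struct.unpack_from("!HH", pkt, 0)
    name, suffix, off = decode_name(pkt, 12)  # question / first RR follows the 12-byte header
    return {"trn_id": trn_id, "is_response": bool(flags & 0x8000), "broadcast": bool(flags & 0x0010),
            "name": name, "suffix": suffix, "qtype": struct.unpack_from("!H", pkt, off)[0]}

def detect_badtunnel(datagrams, local_net):
    """Flag a response whose NAME_TRN_ID answers a *broadcast* query but whose source is off-subnet."""
    net, pending, alerts = ipaddress.ip_network(local_net), {}, []  # pending: trn_id -> was broadcast?
    for src, _dst, payload in datagrams:
        m = parse_nbns(payload)
        if not m["is_response"]:
            pending[m["trn_id"]] = m["broadcast"]
        elif pending.get(m["trn_id"]) and ipaddress.ip_address(src) not in net:
            alerts.append(f"off-subnet response to broadcast query for {m['name']} from {src}, NAME_TRN_ID {m['trn_id']:#06x}")
    return alerts

# Constructed sample traffic (not a real capture; addresses are assumptions): the victim sends a unicast
# Node Status Request (ID 0x1234) to an external host, broadcasts the WPAD query with the next ID
# (0x1235), and a Name Query Response for 0x1235 then arrives from that external host.
SAMPLE = [
    ("192.168.1.10", "203.0.113.5", build_query(0x1234, "*", QTYPE_NBSTAT, broadcast=False)),
    ("192.168.1.10", "192.168.1.255", build_query(0x1235, "WPAD", QTYPE_NB)),
    ("203.0.113.5", "192.168.1.10", build_name_response(0x1235, "WPAD", "203.0.113.5")),
]
```

Running `detect_badtunnel(SAMPLE, "192.168.1.0/24")` yields one alert for the third datagram; the same response sent from an address inside 192.168.1.0/24 produces none.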

Protection scheme

  • Microsoft has pushed a security update to users, but note that both MS16-063 and MS16-077 must be applied to fix the vulnerability completely.

Microsoft security update addresses:

MS16-063:

https://technet.microsoft.com/zh-cn/library/ms16-063.aspx

MS16-077:

https://technet.microsoft.com/zh-cn/library/ms16-077.aspx

  • Disable WINS/NetBT name resolution:
  1. Open Network Connections.

  2. Click the "Local Area Connection" you want to configure statically, then on the "File" menu click "Properties".

  3. In the components list, click "Internet Protocol (TCP/IP)", then click "Properties".

  4. Click "Advanced", click the "WINS" tab, and then click "Disable NetBIOS over TCP/IP". If you use a DHCP server, the NetBIOS configuration can be selectively enabled or disabled through the DHCP option types; you can also select the "use NetBIOS setting from the DHCP server" option.

  • Turn off the WPAD "automatically detect settings" option.

  • Configure a firewall to block external access to port 137 on the host.

  • Use the NSFOCUS Remote Security Assessment System (RSAS) for internal network security assessment.

  • Use NSFOCUS detection products (IDS) for detection.

  • Use NSFOCUS protection products (WAF/IPS/NF/SG) for protection.

  • Customers who have already purchased NSFOCUS products and services can obtain detection and protection through product upgrades.

  • Short-term service: NSFOCUS engineers handle the incident on site, eliminate the network risk points as soon as possible, contain the scope of the event, and provide an incident analysis report.

  • Mid-term service: 3 to 6 months of risk monitoring and inspection services to eradicate the risk and ensure the event does not recur.

  • Long-term service: a business risk solution for the financial industry, combining threat intelligence, attack traceability and professional security services.

Statement

This security bulletin is only intended to describe a security issue that may exist; NSFOCUS provides no guarantee or commitment regarding it. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this bulletin are the responsibility of the user alone; NSFOCUS and the bulletin's author bear no responsibility. NSFOCUS reserves the right to modify and interpret this security bulletin. If you wish to reprint or distribute this bulletin, you must preserve it in its entirety, including the copyright statement and all other content. Without NSFOCUS's permission, the content of this bulletin may not be arbitrarily modified or altered, nor used in any way for commercial purposes.
