At the ShmooCon hacker conference, researchers with security firm IOActive claimed a design bug in the system used by Windows PCs to obtain proxy settings could let attackers hijack traffic. Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol (WPAD), and an attacker can easily register a proxy server on a network using the Windows Internet Naming Service (WINS) and other network services, including the Domain Name System (DNS). "I can put up the equivalent of a detour sign on your network and redirect all the traffic," said Chris Paget, director of research and development at IOActive. If an attack is successful, all traffic on a network will flow through the attacker's proxy, meaning the attacker can access all the data and redirect and manipulate it to his heart's content. Fortunately, an attack is possible only with access to the target network, not from the Internet: "The biggest risk inside a corporation would come from a malicious insider. This is not worthy of mass panic or critical advisories."
Microsoft acknowledged the problem in a support article on its TechNet Web site: "If an entity can surreptitiously register a WPAD entry in DNS or in WINS…clients may be able to route their Internet traffic through a malicious proxy server." In its support article, Microsoft lists steps for network administrators to address the WPAD problem. The steps reserve static WPAD DNS host names and WPAD WINS name records. As a result, an attacker's malicious WPAD name will no longer work, which will foil the malicious proxy trick, Paget said.
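The administrator's side of this check, as an added example that is not from the article or from Microsoft's support article: a Python script that enumerates the wpad.* names a client in the local domain would query, fetches any wpad.dat that answers, and flags proxy endpoints the PAC script hands out that are not on an approved list. The sample PAC body, the approved-proxy set and the devolution rule in wpad_candidates are assumptions; the WINS/NetBIOS lookup path is not covered.

```python
"""Defender-side WPAD audit: list the wpad.* names a client would look up,
fetch any wpad.dat that answers, and flag proxies not on the approved list."""
import re
import socket
import urllib.request

# Constructed sample wpad.dat body; the second PROXY entry plays a rogue proxy.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || shExpMatch(host, "*.corp.example")) return "DIRECT";
    return "PROXY proxy1.corp.example:8080; PROXY 10.9.8.7:3128; DIRECT";
}"""
APPROVED_PROXIES = {"proxy1.corp.example:8080"}  # assumed allow-list, site-specific

# Matches the host:port after PROXY/HTTPS/SOCKS keywords in a PAC return string.
PROXY_RE = re.compile(r"\b(?:PROXY|HTTPS|SOCKS[45]?)\s+([^\s;\"']+)", re.IGNORECASE)

def proxies_in_pac(pac_text):
    """All proxy endpoints the PAC script can return, in order, deduplicated."""
    return list(dict.fromkeys(m.group(1) for m in PROXY_RE.finditer(pac_text)))

def unapproved_proxies(pac_text, approved):
    """Proxy endpoints in the PAC that are not on the approved list."""
    return [p for p in proxies_in_pac(pac_text) if p not in approved]

def wpad_candidates(fqdn):
    """DNS names a WPAD client tries for host.a.b.c: wpad.a.b.c, then wpad.b.c.
    Assumed devolution rule: stop at two labels so wpad.<tld> is never queried."""
    labels = fqdn.split(".")[1:]
    names = []
    while len(labels) >= 2:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names

def check_live(fqdn, approved, timeout=3):
    """Network part: resolve each candidate and fetch /wpad.dat. A name that does
    not resolve is the expected state; one that resolves but was not registered
    by IT is the rogue registration. Returns (name, ip, unapproved) tuples."""
    findings = []
    for name in wpad_candidates(fqdn):
        try:
            ip = socket.gethostbyname(name)
        except socket.gaierror:
            continue
        try:
            with urllib.request.urlopen(f"http://{name}/wpad.dat", timeout=timeout) as r:
                pac = r.read().decode("utf-8", "replace")
        except (OSError, ValueError):
            pac = ""  # resolves but serves nothing: still worth reporting
        findings.append((name, ip, unapproved_proxies(pac, approved)))
    return findings
```

Run check_live(socket.getfqdn(), APPROVED_PROXIES) from a domain-joined host; any tuple returned for a name IT did not register deserves a look.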
News source: News.com
The domain administrator has to publish a proxy config file using DNS or DHCP.
So essentially to create an exploit you have to compromise the DHCP server.
If you can poison a network's DNS server you have essentially taken over the network anyway.
This is not a weakness in the proxy discovery design or implementation.
BTW, all major browsers implement proxy discovery.
More BS from news.com.com (LOL what a crappy URL!!)
What the article is warning about is 'internal threats' from disgruntled employees - of course they must have sufficient knowledge to set up a proxy, write the pac file, implement it on a web server by adjusting the mime types, and add or alter the wpad dns record, be it a host or cname.
With a proxy in place, and an available webserver, it takes all of 5 minutes to get this running successfully - assuming of course the browsers are set to automatically detect via this protocol, or point directly to http://wpad/wpad.dat if the address is hardcoded.
All major browsers support this in one way or another; IE6+ and Firefox 2+ I can confirm as supporting this.
Safari prior to Mac OS X.3 will use a hard coded pac file as long as no authentication is required, as it fails, but Safari on Mac OS X.4 will use a hardcoded pac file. However, under 10.4 Safari/Camino will not use WPAD to find this file; it needs to be hard coded. The upcoming X.5 may support WPAD natively, however. I could be wrong about it not supporting WPAD, although in my experience it will attempt to connect directly (and not use WPAD) without any proxy settings configured.
While the article is certainly not FUD, it is important for Network Administrators to be aware of this possible risk if numerous people have the access to modify DNS records. It is an internal risk - not an external one.
To top this off - if an organisation is using this protocol, then there is another risk that was not mentioned. Why would someone bother editing the DNS records, which would be more obvious in the long run - why not simply edit the wpad.dat file directly? It's only a text file and is generally less secure than the DNS is.