Windows weakness can lead to network traffic hijacks

At the ShmooCon hacker conference, researchers with security firm IOActive claimed that a design bug in the system Windows PCs use to obtain proxy settings could let attackers hijack traffic. Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol (WPAD), and an attacker can easily register a proxy server on a network through the Windows Internet Naming Service (WINS) and other network services, including the Domain Name System (DNS). "I can put up the equivalent of a detour sign on your network and redirect all the traffic," said Chris Paget, director of research and development at IOActive. If an attack succeeds, all traffic on the network flows through the attacker's proxy, so the attacker can read, redirect and manipulate the data at will. Fortunately, an attack is possible only with access to the target network, not from the Internet: "The biggest risk inside a corporation would come from a malicious insider. This is not worthy of mass panic or critical advisories."

Microsoft acknowledged the problem in a support article on its TechNet Web site: "If an entity can surreptitiously register a WPAD entry in DNS or in WINS...clients may be able to route their Internet traffic through a malicious proxy server." In the same article, Microsoft lists steps network administrators can take to address the WPAD problem: reserve static WPAD DNS host names and reserve WPAD WINS name records. As a result, an attacker's malicious WPAD name will no longer work, which foils the malicious proxy trick, Paget said.
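Reserving the WPAD names stops an attacker from registering one, but an administrator also wants to know what the PAC file that clients actually fetch from http://wpad/wpad.dat would steer them to. The following audit script is an added example, not from the article or from Microsoft; the sample wpad.dat and the approved proxy list are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample wpad.dat (a PAC file is JavaScript). The last return line
# stands in for what a tampered file might look like: a proxy that is not the
# one the organisation runs.
SAMPLE_PAC = """function FindProxyForURL(url, host) {
    if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example"))
        return "DIRECT";
    if (shExpMatch(url, "http://*"))
        return "PROXY proxy.corp.example:8080; DIRECT";
    return "PROXY 10.0.0.99:3128; PROXY proxy.corp.example:8080";
}"""

# Assumed allowlist of the proxies the organisation actually operates.
APPROVED_PROXIES = {"proxy.corp.example:8080"}

# PAC return values are ";"-separated entries such as "PROXY host:port",
# "SOCKS host:port" or "DIRECT". Only the keyworded forms name an endpoint.
PROXY_RE = re.compile(r'\b(?:PROXY|HTTP|HTTPS|SOCKS|SOCKS4|SOCKS5)\s+([^\s;"\']+)')


def extract_proxies(pac_text: str) -> List[str]:
    """Return every proxy endpoint the PAC file can direct clients to,
    in order of first appearance, without duplicates."""
    seen: List[str] = []
    for match in PROXY_RE.finditer(pac_text):
        endpoint = match.group(1)
        if endpoint not in seen:
            seen.append(endpoint)
    return seen


def audit_pac(pac_text: str, approved) -> Dict[str, List[str]]:
    """Split the endpoints found in the PAC file into approved ones and
    ones that are not on the allowlist; anything in 'unexpected' means
    clients could be routed through a proxy the organisation does not run."""
    found = extract_proxies(pac_text)
    return {
        "approved": [p for p in found if p in approved],
        "unexpected": [p for p in found if p not in approved],
    }


if __name__ == "__main__":
    result = audit_pac(SAMPLE_PAC, APPROVED_PROXIES)
    for endpoint in result["unexpected"]:
        print(f"wpad.dat points clients at an unapproved proxy: {endpoint}")
```

In practice the PAC text would be fetched from whatever host the "wpad" name resolves to on the network, so a mismatch between that host and the reserved record is itself a finding.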


If you've got enough access to do what is necessary why bother using this circuitous route when you can just set up rerouting through your own proxy through iptables with pretty much one line and not need to arse about with this wpad.dat crap?

Or if the malicious person is the Network Administrator - then you got an even bigger problem. Let's make a new headline with all the stuff malicious Network Administrators can get access to...

The Web Proxy Autodiscovery Protocol (WPAD) is extremely easy to implement by someone who has sufficient access to the system.

What the article is warning about is 'internal threats' from disgruntled employees - of course they must have sufficient knowledge to set up a proxy, write the pac file, implement it on a web server by adjusting the mime types and adding or altering the wpad dns record, be it a host or cname.

With a proxy in place, and an available webserver, it takes all of 5 minutes to get this running successfully - assuming of course the browsers are set to automatically detect via this protocol, or point directly to http://wpad/wpad.dat if the address is hardcoded.

All major browsers support this in one way or another, IE6+ and Firefox 2+ I can confirm as supporting this.
Safari prior to Mac OS X.3 will use a hardcoded pac file as long as no authentication is required, as it fails, but Safari on Mac OS X.4 will use a hardcoded pac file. However under 10.4 Safari/Camino will not use WPAD to find this file, it needs to be hardcoded. The upcoming X.5 may support WPAD natively however. I could be wrong about it not supporting WPAD although in my experience - it will attempt to connect directly (and not use WPAD) without any proxy settings configured.

"Fortunately, an attack is possible only with access to the target network, not from the Internet: 'The biggest risk inside a corporation would come from a malicious insider. This is not worthy of mass panic or critical advisories.'"

While the article is certainly not FUD - it is important for Network Administrators to be aware of this possible risk if numerous people have the access to modify DNS records. It is an internal risk - not an external one.

To top this off - if an organisation is using this protocol, then there is another risk that was not mentioned. Why would someone bother editing the DNS records, which would be more obvious in the long run - why not simply edit the wpad.dat file directly - it's only a text file and is generally less secure than the DNS is.

This is NOT A WINDOWS WEAKNESS. This same protocol is used by all of the major browsers; Safari and Firefox are subject to the same vulnerability.

OH NOES!!11!!!

More BS from (LOL what a crappy URL!!). It reminds me of the website that craptastic movie

I have to agree, this is a very picky, even disputed 'flaw' in Windows. If that's all we have to worry about now, security is fine

It's not that easy. You cannot just set up a proxy and everyone will start using it.

The domain administrator has to publish a proxy config file using DNS or DHCP.
So essentially to create an exploit you have to compromise the DHCP server.

If you can poison a network's DNS server you have essentially taken over the network anyways.
This is not a weakness in the proxy discovery design or implementation.

BTW, all major browsers implement proxy discovery.