WPAD trouble

Hacker conferences are more often than not a source of work for security people. When Microsoft issued MS99-054 (fixing CVE-1999-0858) one would have assumed they had looked into the auto-configuration of MSIE's proxy settings deep enough to not have to fix it again. Unfortunately no such luck was with us.

wpad names in DNS or WINS that are inserted by malicious locals are enough to divert browsers to an unauthorized proxy. Apparently the issue is bad enough for Microsoft to release KB 934864 about it.

To summarize to use WPAD yourself in your DHCP:

  • dhcpd:
    add this to your config:
option option-252 "http://example.com/path/to/proxyconfig.pac";
option wpad code 252 = text
option wpad "http://example.com/path/to/proxyconfig.pac";
See more in the recently expired IETF draft.

If you can't do that, create a DNS TXT record with the name WPAD in every domainname you run to avoid MSIE finding a host with that name and do the same in WINS. (see the above mentioned KB for how to do it in Microsoft's implementations)

We've added this vulnerability in our overview table.

Swa Frantzen -- NET2S


760 Posts
Mar 26th 2007

Sign Up for Free or Log In to start participating in the conversation!