Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: WPAD trouble SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
WPAD trouble

Hacker conferences are more often than not a source of work for security people. When Microsoft issued MS99-054 (fixing CVE-1999-0858) one would have assumed they had looked into the auto-configuration of MSIE's proxy settings deep enough to not have to fix it again. Unfortunately no such luck was with us.

wpad names in DNS or WINS that are inserted by malicious locals are enough to divert browsers to an unauthorized proxy. Apparently the issue is bad enough for Microsoft to release KB 934864 about it.

To summarize to use WPAD yourself in your DHCP:

  • dhcpd:
    add this to your config:
option option-252 "http://example.com/path/to/proxyconfig.pac";
or
option wpad code 252 = text
option wpad "http://example.com/path/to/proxyconfig.pac";
See more in the recently expired IETF draft.

If you can't do that, create a DNS TXT record with the name WPAD in every domainname you run to avoid MSIE finding a host with that name and do the same in WINS. (see the above mentioned KB for how to do it in Microsoft's implementations)

We've added this vulnerability in our overview table.

--
Swa Frantzen -- NET2S

Swa

760 Posts

Sign Up for Free or Log In to start participating in the conversation!