WPAD Name Collision Flaw Allows MitM Attacks

A vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol can be exploited by malicious actors to launch man-in-the-middle (MitM) attacks against enterprise users, researchers warned.

WPAD is used by organizations to ensure that all their systems have the same web proxy configuration. When a device is connected to the network, it uses WPAD to find the proxy configuration file via DHCP or DNS, and applies it automatically.

The protocol is enabled by default in the Microsoft Windows operating system and the Internet Explorer web browser. WPAD is not enabled by default, but it is supported on OS X and Linux operating systems, and the Chrome, Safari and Firefox browsers.

WPAD has been known to be vulnerable, but researchers from Verisign and University of Michigan have now identified a new attack vector that can pose a serious risk to enterprises.

The problem, according to experts, is related to the fact that many enterprises create internal namespaces such as .corp, .dev and .network for their corporate Active Directory and Lightweight Directory Access Protocol (LDAP) deployments. This should normally not be an issue because these internal TLDs (iTLDs) are meant to be served only from internal name servers.

However, with the introduction of many new generic TLDs (gTLDs), it’s possible that domains created for internal use also exist on the public Internet, which leads to a name collision.

WPAD DNS queries that should be resolved by enterprise DNS servers are known to reach public DNS servers and with the introduction of new gTLDs, malicious actors can take advantage of the name collision to launch MitM attacks.

For example, if an organization’s employee connects a corporate laptop to an external network (e.g. at a coffee shop or their home), the system attempts to discover the corporate WPAD server. However, instead of the organization’s internal DNS server, the request goes to public DNS servers, resulting in internal namespace WPAD query leakage.

If a malicious actor registers a domain used by an organization and configures an external proxy for network traffic, they can launch MitM attacks over the Internet and intercept credentials and other sensitive information.

“We observed that roughly 20 million vulnerable queries are seen every day that could be leveraged to exploit MitM attacks, using a combination of the WPAD protocol and name collisions,” researchers said. “What makes this vector so dangerous is that attackers need not be on path, or waiting to spoof responses to DNS queries at just the right time. Attackers can remain off-path and always on, and just wait for willing victims to query them. This effectively enables a large-scale high success probability Watering Hole attack, where an attacker knows with high confidence that victims will visit persistently and be vulnerable and easily exploited.”

The report published by researchers includes a series of recommendations that should thwart attacks. US-CERT has also released an advisory, advising organizations to consider disabling automatic proxy discovery, consider using a fully qualified domain name for the internal namespace, configure internal name servers to respond authoritatively to iTLD queries, and use firewalls and proxies to log and block outbound requests for WPAD files.