Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

WPAD Name Collision Flaw Allows MitM Attacks

A vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol can be exploited by malicious actors to launch man-in-the-middle (MitM) attacks against enterprise users, researchers warned.

A vulnerability in the Web Proxy Auto-Discovery (WPAD) protocol can be exploited by malicious actors to launch man-in-the-middle (MitM) attacks against enterprise users, researchers warned.

WPAD is used by organizations to ensure that all their systems have the same web proxy configuration. When a device is connected to the network, it uses WPAD to find the proxy configuration file via DHCP or DNS, and applies it automatically.

The protocol is enabled by default in the Microsoft Windows operating system and the Internet Explorer web browser. WPAD is not enabled by default, but it is supported on OS X and Linux operating systems, and the Chrome, Safari and Firefox browsers.

WPAD has been known to be vulnerable, but researchers from Verisign and University of Michigan have now identified a new attack vector that can pose a serious risk to enterprises.

The problem, according to experts, is related to the fact that many enterprises create internal namespaces such as .corp, .dev and .network for their corporate Active Directory and Lightweight Directory Access Protocol (LDAP) deployments. This should normally not be an issue because these internal TLDs (iTLDs) are meant to be served only from internal name servers.

However, with the introduction of many new generic TLDs (gTLDs), it’s possible that domains created for internal use also exist on the public Internet, which leads to a name collision.

WPAD DNS queries that should be resolved by enterprise DNS servers are known to reach public DNS servers and with the introduction of new gTLDs, malicious actors can take advantage of the name collision to launch MitM attacks.

For example, if an organization’s employee connects a corporate laptop to an external network (e.g. at a coffee shop or their home), the system attempts to discover the corporate WPAD server. However, instead of the organization’s internal DNS server, the request goes to public DNS servers, resulting in internal namespace WPAD query leakage.

If a malicious actor registers a domain used by an organization and configures an external proxy for network traffic, they can launch MitM attacks over the Internet and intercept credentials and other sensitive information.

“We observed that roughly 20 million vulnerable queries are seen every day that could be leveraged to exploit MitM attacks, using a combination of the WPAD protocol and name collisions,” researchers said. “What makes this vector so dangerous is that attackers need not be on path, or waiting to spoof responses to DNS queries at just the right time. Attackers can remain off-path and always on, and just wait for willing victims to query them. This effectively enables a large-scale high success probability Watering Hole attack, where an attacker knows with high confidence that victims will visit persistently and be vulnerable and easily exploited.”

The report published by researchers includes a series of recommendations that should thwart attacks. US-CERT has also released an advisory, advising organizations to consider disabling automatic proxy discovery, consider using a fully qualified domain name for the internal namespace, configure internal name servers to respond authoritatively to iTLD queries, and use firewalls and proxies to log and block outbound requests for WPAD files.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Cybersecurity Funding

Los Gatos, Calif-based data protection and privacy firm Titaniam has raised $6 million seed funding from Refinery Ventures, with participation from Fusion Fund, Shasta...

Application Security

Software maker Adobe on Tuesday released security patches for 29 documented vulnerabilities across multiple enterprise-facing products and warned that hackers could exploit these bugs...

Cybercrime

A database containing over 235 million unique records of Twitter users is now available for free on the web, cybercrime intelligence firm Hudson Rock...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Application Security

Password management firm LastPass says the hackers behind an August data breach stole a massive stash of customer data, including password vault data that...