WPAD Protocol Bug Puts Windows Users at Risk


WPAD name collision issue can lead to MitM attacks. US-CERT has issued a public alert after researchers from the University of Michigan and Verisign Labs discovered a method of leveraging the WPAD protocol to launch MitM (Man-in-the-Middle) attacks against corporate networks.

WPAD stands for Web Proxy Auto-Discovery and is a protocol used to distribute a common proxy configuration to the clients on a network. The WPAD client is active only when the user connects to a network: it searches for a WPAD server via DHCP or DNS, requests a proxy configuration file from that server if one is available, and applies the file to the local computer.

New gTLD domains are the root of the problem

The Michigan and Verisign researchers discovered that the introduction of the new custom top-level domains has created an unwanted name collision bug in how WPAD operates.

The researchers explain that companies tend to use custom domains for their internal networks and rely on internal name servers to resolve those names. For example, instead of an IP address, system administrators often give crucial servers names such as authentication.network or apiserver.dev.

These servers are only reachable inside the local network, because a user has to be connected to the internal name server to resolve the domain.

Traveling employees can have their computers compromised via WPAD

The research team explains that many of these custom names are actually quite common and end in many of the new generic top-level domains (gTLDs) introduced in the past year.

Researchers claim that when the user is outside the company network, on a public network, the DNS requests for these internal names are automatically forwarded to public Internet DNS servers.

[Figure: WPAD name collision issue visually explained]

Verisign explains that, during tests, it saw over 20 million queries sent out to unregistered custom top-level domains, which looked like internal corporate addresses.

An attacker could register some of these domains and host a WPAD server that serves a malicious proxy configuration, sending all of the victim’s traffic through one of the attacker’s servers. Using this method, attackers could intercept the victim’s private and public traffic and sniff for sensitive corporate credentials.
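As an added, defender-side illustration (not code from the article or from the Michigan/Verisign researchers), the following Python check scans resolver log lines for the two signs of the collision described above: a WPAD lookup whose suffix is outside the organisation's own namespace (so it leaks to public DNS and could be registered by a third party), or a WPAD name that resolved to a public address. The log line format, the sample lines, and the list of internal suffixes are assumptions constructed for the example.

```python
import ipaddress
import re

# Constructed sample resolver log lines (not from the article), one query per line:
# <timestamp> <client-ip> <queried-name> A <answer-or-NXDOMAIN>
SAMPLE_LOG = """\
2016-05-23T09:01:02Z 10.0.0.12 wpad.corp.example A 10.0.0.5
2016-05-23T09:01:07Z 10.0.0.12 wpad.apiserver.dev A 203.0.113.44
2016-05-23T09:01:09Z 10.0.0.19 wpad.authentication.network A NXDOMAIN
2016-05-23T09:01:15Z 10.0.0.19 www.example.com A 93.184.216.34
2016-05-23T09:01:20Z 10.0.0.21 wpad.intranet.local A NXDOMAIN
"""

# Assumed: the suffixes the organisation actually serves from its internal name servers.
INTERNAL_SUFFIXES = {"corp.example", "intranet.local"}
# Address space a legitimate internal WPAD host is expected to live in.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) A (\S+)$")

def is_internal(addr):
    """True when the answer is an RFC 1918, loopback or link-local address; NXDOMAIN gives False."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)

def wpad_collision_candidates(log_text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return WPAD lookups worth reviewing: the name's suffix is not one the organisation
    controls (the query leaks to public DNS and a third party could register the name),
    or the answer is a public address (a WPAD host outside the network answered)."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, answer = m.groups()
        labels = qname.lower().rstrip(".").split(".")
        if labels[0] != "wpad":
            continue
        suffix = ".".join(labels[1:])
        if answer != "NXDOMAIN" and not is_internal(answer):
            findings.append({"client": client, "qname": qname,
                             "reason": "wpad name resolved to public address " + answer})
        elif suffix not in internal_suffixes:
            findings.append({"client": client, "qname": qname,
                             "reason": "wpad lookup outside internal namespace: " + suffix})
    return findings
```

Run against the sample, the check flags the apiserver.dev lookup (answered from a public address) and the authentication.network lookup (a suffix the organisation does not control), while the two in-namespace queries pass.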

Windows computers at risk, by default

The attack affects Windows computers the most, because the protocol is enabled there by default. WPAD is installed on OS X and Linux as well, but users need to turn it on manually.

Even worse, because the protocol is turned on by default in Windows, the user’s company wouldn’t even have to use WPAD inside its network for the user to be vulnerable, because the OS checks for it automatically. Conversely, if a company does use WPAD on its network, its OS X and Linux machines would need to have it turned on as well, exposing that class of users too.

Previously, in 2007, 2009, and 2012, security researchers highlighted other flaws in the WPAD protocol that also allowed for MitM attacks.

To counter some of the problems caused by this latest WPAD issue, Verisign has published a series of mitigation techniques.