Abstract
The Web Proxy Auto-Discovery protocol (wpad) is widely used despite being flawed. Its purpose is to enable a client machine to autonomously identify an appropriate proxy, if any, to connect to. This can be useful in corporate networks, for example. Its vulnerabilities range from enabling an attacker to execute code remotely on client machines, to carrying out SSL MITM attacks, subverting Windows NTLM authentication, or even stealing Google authentication tokens. Several publications, talks, and blog posts have tried to raise awareness about some of these security issues. Twenty-three distinct CVEs have been published. Nevertheless, wpad runs by default on Windows machines, and most users are unaware of its existence. Our goal is to offer within a single publication a survey of all the known vulnerabilities surrounding wpad, a presentation of some novel threats related to this protocol, as well as a description of mitigation and detection techniques to prevent the exploitation of its vulnerabilities. We hope that this publication will be an eye-opener for all those concerned with the security of their networks and that the offered mitigation techniques will help them to deal with the numerous threats that wpad brings to their environments.
WPAD: Waiting Patiently for an Announced Disaster