Comments on: WPAD: Internet Explorer’s Worst Feature

By: Grant Bugher

Grant Bugher — Tue, 26 Jan 2010 21:10:51 +0000

I’m not quite sure what sort of attacks against IE “over SSL” you mean. There have, in the past, been attacks against browsers by embedding faulty strings designed to cause buffer overruns directly into the X.509 certificate — the only defenses against these are running a fully-patched browsers (to my knowledge, there are no known attacks of this type that still work on current versions of any major browser) and being cautious as to what you browse to. If you mean simply being attacked by an SSL site (e.g. embedded malware), it’s once again the same mitigations — avoid sites that are often malicious (e.g. warez) and use a current browser. The only thing SSL affects is that network-based IDS systems will not protect you in the case of an SSL site, since they can’t read the encrypted traffic — you’re reliant on host-based protection like anti-virus or anti-spyware software on your own computer. Of course, most people aren’t browsing behind a NIDS anyway, so this is no change unless you’re in a corporate environment.

On the other hand, if you mean attacks not against IE but against SSL itself, such as Moxie’s SSLSniff, they’re hard to detect. One thing that helps is actually opening and verifying the certificate — just because the padlock icon is there doesn’t mean you’re communicating with what you think you’re communicating with. Most of the time attackers don’t forge an entire certificate, just the domain name, so everything else may look wrong (or the certificate may be for * rather than a specific domain.) Once again, use a current, fully-patched browser, as this protects you from null-byte certificates (which actually may look perfect if you inspect them.) And most importantly of all, don’t use insecure wireless networks. Attacks like SSLSniff rely on being a man-in-the-middle — that is, an attacker must be able not just to read your communication but also to modify it. This means either he has to control a router between you and the website you’re talking to, or he has to be on a wireless network with you. The only safe thing to do on an insecure (open or WEP) wireless network is to VPN to a secure network. Anything else is vulnerable.

By: Tom

Tom — Tue, 26 Jan 2010 20:45:47 +0000

I understand the countermeasures for IE attacks, but how can you detect an attack against Internet Explorer over SSL?

By: Melvin Guaganik

Melvin Guaganik — Fri, 01 May 2009 19:20:18 +0000

I have a small update. I have successfully disabled the Vista service “WinHTTP Web Proxy Auto-Discovery Service” and I believe I have finally stopped the implementation of the Web Proxy Auto-Discovery (WPAD) protocol.

As of now, I’m not sure what side effects I’ll encounter. Disabling this service may also impact COM Automation and the Win32 API components for sending and receiving HTTP requests from applications. Actually, I might like this since I really don’t like apps accessing the web without my control. My browser still works … that’s good! Well see.

By the way, with Wireshark I now see a lot of different activity on initialization of my internet connection. I need to look into this….

By: Melvin Guaganik

Melvin Guaganik — Sun, 19 Apr 2009 16:49:54 +0000

In my investigation, I found that Vista does attempt to download the WPAD file regardless of the browser setting. I have both Firefox and IE 7 with autodiscovery disabled, but still Vista is looking for WPAD on initial startup of my network connection (verified with wireshark).

I have investigated a large number of articles and comments to try to find a solution, and unfortunately, none that I’ve found fully stop the problem. The best solution I found was to set my computer’s name to WPAD, and thus limit the number of DNS queries that are attempting to locate the WPAD server. Now, it’ll only query the following:

WPAD.XXXX.YYYYY.COM

and then

XXXX.YYYYY.COM

(where XXXX.YYYYY is my ISP’s domain name).

Before this change, I have a lot of queries for various forms of WPAD addresses, which didn’t exist. I tried to disable devolution as mentioned in …

http://www.microsoft.com/technet/security/advisory/945713.mspx

… but it DID NOT WORK. According to the advisory, I should be able to disable devolution by setting the following registry entry to 0 (FALSE):

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\UseDomainNameDevolution

It didn’t work. Using ProcessMonitor, I also tracked down two different registry entries for devolution that my system was accessing prior to devolution, and neither stopped devolution. It must be hardcoded.

By: Grant Bugher

Grant Bugher — Fri, 02 Jan 2009 06:41:21 +0000

I’m not aware of any changes; in IE8 there’s still the usual “Automatically Detect Settings” box in Internet Options, which should still toggle WPAD usage on and off. It’s possible that IE still looks for the PAC file even if it doesn’t intend to use it, though I admit that would be somewhat bizarre behavior. I’ll have to look into it.

By: Bootsy

Bootsy — Fri, 02 Jan 2009 03:33:42 +0000

Hello, has something changed in IE recently, I first discovered wpad because I was playing around with wireshark and wanted to know what wpad is. I’ve gone into connections, Lan Connections and everything is unchecked, yet it is always showing up in wireshark. Is there any other way to shut it down?

By: Uno

Uno — Thu, 13 Nov 2008 19:18:45 +0000

Hi Grant,
interesting post, but have you ever managed to make this work? I haven’t seen any article describing how it work. I’m a pentester but for some reason the attack in not working in my test environment.

By: Grant Bugher

Grant Bugher — Mon, 06 Oct 2008 05:40:04 +0000

If you specify the location of WPAD using the DHCP auto-proxy-config option, your network is relatively secure against this sort of attack (i.e. secure enough that an attacker is likely to use another avenue altogether rather than doing the sort of thing it would require to get past this, such as spoofing DHCP or playing games with ARPs.)

The problem isn’t so much with corporate networks. The problem is more that these laptops from corporate networks are all set up to rely on WPAD for proxy information, and then people carry them off to other networks, like open wireless, with those same configuration settings intact. Suddenly, they’re asking for WPAD on networks that are potentially hostile.

By: Jack S.

Jack S. — Wed, 24 Sep 2008 17:28:58 +0000

So am I correct in saying that the exploits you are reffering to are for all intents and purposes, elliminated if you DO use wpad in your enterprise network? (entries being in DHCP and DNS).

- JS

By: Coova.org » Blog Archive » DHCP Discovery

Coova.org » Blog Archive » DHCP Discovery — Fri, 25 Jan 2008 13:14:52 +0000

[...] from a network. The Web Proxy Auto Discovery (WPAD) protocol provides browsers (primarily Windows Internet Explorer, and maybe others) with a proxy configuration file. This Proxy Auto-Config (PAC) file can configure [...]