WASHINGTON--A problem in the way Windows PCs obtain network settings could let attackers hijack traffic, security researchers said Saturday.
The problem occurs because of a design bug in the system used by Windows PCs to obtain proxy settings, researchers with security firm IOActive said at the ShmooCon hacker conference here. As a result, an attacker with access to a network at a corporation, for example, could insert a malicious proxy and see all the traffic, the researchers said.
"The upshot of it is that I can become your proxy server without you knowing about it," Chris Paget, director of research and development at IOActive, said in an interview after his presentation on the problem. "I can put up the equivalent of a detour sign on your network and redirect all the traffic."
Credit: Joris Evers/CNET News.com
Chris Paget, director of research and development at IOActive, during his ShmooCon presentation.
An attacker can set up that "detour sign" because Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol, or WPAD, Paget said. It turns out that an attacker can easily register a proxy server on a network using the Windows Internet Naming Service, or WINS, and other network services including the Domain Name System, or DNS, he said.
"When IE starts up, it will ask the network where its proxy server is," Paget said. "It is really easy to put up your hand and say: 'Here I am.'"
Microsoft acknowledged the problem in a support article published Saturday on its TechNet Web site. "If an entity can surreptitiously register a WPAD entry in DNS or in WINS, clients may be able to route their Internet traffic through a malicious proxy server," Microsoft said in its support article.
If an attack is successful, all traffic on a network will flow through the attacker's proxy. This means the attacker can access all the data, redirect and manipulate it and carry out all kinds of other nefarious acts, Paget said.
Still, the proxy problem isn't a critical security issue, Paget and fellow IOActive security expert Dan Kaminsky said. An attack is possible only with access to the target network, not from the Internet, they noted. "The biggest risk inside a corporation would come from a malicious insider," Paget said. "This is not worthy of mass panic or critical advisories."
That doesn't remove the need to fix the problem. Insider threats are real. Also, the proxy problem may be appealing to attackers who find it increasingly hard to exploit other vulnerabilities, Kaminsky said.
"Buffer overflows and other bugs have gotten a lot harder to do, so design issues like this have gotten a lot more interesting for attackers," he said.
Problems with WPAD aren't new. Seven years ago Microsoft patched IE 5 because the browser would search for a proxy server on the Internet if it failed to find one on its local network. That let a malicious hacker give settings to the browser that would facilitate a broader attack.
Such a problem was exploited by somebody who registered the domain name "wpad.org.uk" and served a "wpad.dat" file with proxy information to Windows PCs looking for it. As a result the people using those PCs ended up on an online auction Web site regardless of the address they typed into their browser.
In its support article, Microsoft lists steps for network administrators to address the WPAD problem. The steps are to reserve static WPAD DNS host names and to reserve WPAD WINS name records. As a result, an attacker's malicious WPAD name will no longer work, which will foil the malicious proxy trick, Paget said.
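The article leaves the administrator with a name-reservation task, so here is an added audit script (not from the article, IOActive or Microsoft) that lists every WPAD host name a client in a given DNS suffix would try during suffix devolution and flags the ones that are either unreserved or resolve to something other than the sanctioned address. The devolution model, the two-label cut-off and the status labels are this script's own assumptions.

```python
import socket
from typing import Callable, Dict, List, Optional

# A resolver returns an IPv4 string or None when the name does not resolve.
Resolver = Callable[[str], Optional[str]]


def wpad_candidates(dns_suffix: str, min_labels: int = 2) -> List[str]:
    # Walk the client's DNS suffix upward (suffix devolution), emitting the
    # "wpad." name an auto-detecting client would query at each step.
    # min_labels is an assumed cut-off so we stop at e.g. example.com and
    # never query a bare top-level domain.
    labels = [l for l in dns_suffix.lower().strip(".").split(".") if l]
    names = []
    while len(labels) >= min_labels:
        names.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return names


def default_resolver(name: str) -> Optional[str]:
    # Live DNS lookup; swap in a constructed table for offline testing.
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def audit_wpad(dns_suffix: str, sanctioned: Dict[str, str],
               resolve: Resolver = default_resolver) -> Dict[str, str]:
    """Classify every WPAD name the client would try.
    sanctioned maps the names the admin deliberately reserved to the address
    they should point at (a loopback or unrouted address is fine).
    Statuses: ok, unreserved, missing-reservation, hijack-candidate."""
    report = {}
    for name in wpad_candidates(dns_suffix):
        addr = resolve(name)
        if addr is None:
            # Nobody owns the name, so a dynamic registration could claim it.
            report[name] = "missing-reservation" if name in sanctioned else "unreserved"
        elif sanctioned.get(name) == addr:
            report[name] = "ok"
        else:
            # The name resolves to something the admin did not put there.
            report[name] = "hijack-candidate"
    return report


if __name__ == "__main__":
    import sys
    suffix = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn().split(".", 1)[-1]
    for name, status in audit_wpad(suffix, {}).items():
        print(f"{name:40s} {status}")
```

Run it with the primary DNS suffix of a workstation and pass the reserved names in `sanctioned`; anything reported as unreserved or hijack-candidate is a name the KB 271361 reservation step has not yet covered.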
c'mon... this would be drop-easy to set up in a place w/ free Wifi access (or in any place w/ Wifi anyway, such as companies or apartment complexes), sometimes even if the network has an existing proxy (mostly because even if there were a proxy, you can set one up anyway and still have a 50-50 shot at it, depending on setup).
Because it's so hard to UNCHECK THE BOX that says "Automatically detect settings." Please, if your company is vulnerable to this "vulnerability", you need to get a better pc deployment group - you know, one that's smart enough to specify a proxy or pac on your standard image.
They have to know there is a problem and remember to hit that box, along with dozens of other minor tasks in the middle of a busy shift. Better and safer that the auto detect default to "no".
It seems to me that a hacker from outside a company who was able to infiltrate a corporate PC and take it over could then install a proxy server on that PC and thereby gain access to network traffic on uncompromised PCs. This would really magnify the effect. Is there any reason this would not work?
DNS and WINS services in general accept updates dynamically from DNS/WINS clients. If the service is not secured, then anything can happen, including bad proxy server updates.
Are you people really that stupid? Now we have a reputable IT company, CNET, blowing up a story as a major weakness in Windows. Holy crap... This is a major weakness in ANY network. But let's jump on the MS-bashing bandwagon... Jeeze, I was just starting to like the updates from CNET; now it appears I will have to trash it along with my Mac mags....
Pull your heads out of the sand, discuss the problem like it really is in today's market and let's address it. I can't believe someone is writing about OS/2--I have the install floppies keeping my storage table level... jeeze!
YES 70% of ALL TYPES OF corporate attacks are from the INSIDE, have been for the last 20 years!
Come on people, get a life, turn on the lights and open your eyes!
Or--wait...Maybe it is easier for everyone to live in your own make-believe-lands.
For me I am going to work in the real world on Monday and Yes believe it or not OS/2 is NOT AN OPTION!
... God help you if OS/2 becomes one of the "Eclipse Stack" options (as LINUX is) for old times sake and if this be the case then--your lunches and dinners may be gone ("work in the real world" disrupted) because of your apparent Windows Only Ways! Ha! Ha! Ha!
Those who have not known about this issue or dealt with it should be fired.
It is not only MS; it's Mac, it's Linux, all are vulnerable.
Lots of companies are dealing with inside users who set up their own proxies and tunnel out through the firewall. It's always fun catching them and letting HR deal with them.
Now how much of a threat is this? Well, it depends on what the heck you're allowing out on the Internet from the inside, what data is available, how it's accessed and how it's viewed.
There are so many questions on this.
I still am boggled at how elaborate some internal users get when they just need to be able to get their home email or IM from within the company network. That they risk their job and criminal charges just to do it.
I feel very sorry for some of these people when I sit in on their exit interview as HR fires them.
And every once in a while, I laugh, when someone says it's their right to be able to do what they want with the internet.
Per C2 Security, ALL unnecessary protocols and programs should be Disabled including WPAD.
But per Microsoft, they've kindly enabled WPAD along with a bunch of other security-weak protocols. But sadly, the only way to remove it is via editing the registry. Microsoft can be thanked for that one too... (* GRIN *)
For those who want to disable it, Microsoft's recommendation is here: http://support.microsoft.com/kb/271361
Editing the registry is like water off a duck's back for me, but for the "not so PC guru" types... make sure you backup your registry before you use the scalpel to modify the registry!
... as in STAR FLEET... there has to be "HMS ARCH ROYAL" Sailing The Atlantic To Be Near You--To Be Free--Do they have a Real-Time (OS/2 WARP) Secure Network too!
they have just switched the concept around on something else.
interesting, but nothing new to see here.
Right, this isn't a big concern at all.
Little do they know that the router is handing out new IP addresses, which is another way to sniff the network.
Anyhow, again, not a really worthy article.
So yeah, no one needs to worry about this possible hijack vector. <sticks head back into the sand>.
Walt
TO BOLDLY GO!!
BEAM US DOWN SCOTTY!