Windows weakness can lead to network traffic hijacks

WASHINGTON--A problem in the way Windows PCs obtain network settings could let attackers hijack traffic, security researchers said Saturday.

The problem occurs because of a design bug in the system used by Windows PCs to obtain proxy settings, researchers with security firm IOActive said at the ShmooCon hacker conference here. As a result, an attacker with access to a network at a corporation, for example, could insert a malicious proxy and see all the traffic, the researchers said.

"The upshot of it is that I can become your proxy server without you knowing about it," Chris Paget, director of research and development at IOActive, said in an interview after his presentation on the problem. "I can put up the equivalent of a detour sign on your network and redirect all the traffic."

Credit: Joris Evers/CNET News.com

Chris Paget, director of research and
development at IOActive, during his
ShmooCon presentation.

An attacker can set up that "detour sign" because Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol, or WPAD, Paget said. It turns out that an attacker can easily register a proxy server on a network using the Windows Internet Naming Service, or WINS, and other network services including the Domain Name System, or DNS, he said.

"When IE starts up, it will ask the network where its proxy server is," Paget said. "It is really easy to put up your hand and say: 'Here I am.'"

Microsoft acknowledged the problem in a support article published Saturday on its TechNet Web site. "If an entity can surreptitiously register a WPAD entry in DNS or in WINS clients may be able to route their Internet traffic through a malicious proxy server," Microsoft said in its support article.

If an attack is successful, all traffic on a network will flow through the attacker's proxy. This means the attacker can access all the data, redirect and manipulate it and carry out all kinds of other nefarious acts, Paget said.

Still, the proxy problem isn't a critical security issue, Paget and fellow IOActive security expert Dan Kaminsky said. An attack is possible only with access to the target network, not from the Internet, they noted. "The biggest risk inside a corporation would come from a malicious insider," Paget said. "This is not worthy of mass panic or critical advisories."

That doesn't remove the need to fix the problem. Insider threats are real. Also, the proxy problem may be appealing to attackers who find it increasingly hard to exploit other vulnerabilities, Kaminsky said.

"Buffer overflows and other bugs have gotten a lot harder to do, so design issues like this have gotten a lot more interesting for attackers," he said.

Problems with WPAD aren't new. Seven years ago Microsoft patched IE 5 because the browser would search for a proxy server on the Internet if it failed to find one on its local network. That let a malicious hacker give settings to the browser that would facilitate a broader attack.

Such a problem was exploited by somebody who registered the domain name "wpad.org.uk" and served a "wpad.dat" file with proxy information to Windows PCs looking for it. As a result the people using those PCs ended up on an online auction Web site regardless of the address they typed into their browser.

In its support article, Microsoft lists steps for network administrators to address the WPAD problem. The steps reserve static WPAD DNS host names and to reserve WPAD WINS name records. As a result, an attacker's malicious WPAD name will no longer work, which will foil the malicious proxy trick, Paget said.

[n3td3v]

not new

the same concept is used when trying to intercept data on a wireless connection.

they have just switched the concept around on something else.

interesting, but nothing new to see here.

[rcrusoe]

"The biggest risk ... would come from a malicious insider"

and the FBI reports that only about 70% of all attacks come from insiders.

Right, this isn't a big concern at all.

[McAdmin77]

OMG! BE AFRAID! BE VERY AFRAID!

Because it's so hard to UNCHECK THE BOX that says "Automatically detect settings." Please, if your company is vulnerable to this "vulnerability", you need to get a better pc deployment group - you know, one that's smart enough to specify a proxy or pac on your standard image.

[Stating]

Insiders From The Outside

It seems to me that a hacker from outside a company who was able to infiltrate a corporate PC and take it over could then install a proxy server on that PC and thereby gain access to network traffic on uncompromised PCs. This would really magnify the effect. Is there any reason this would not work?

[EnvisionOne]

This has more to do with...

DNS and WINS services in general accepting updates dynamically from DNS/WINS clients. If the service is not secured, then anything can happen, including bad proxy server updates.

[esblake]

What is going on.

Are you people really that stupid. Now we have a reputable IT company CNET blowing up a story as a major weakness in windows. Holy Crap...This is a major weakness in ANY network. But, lets jump on the bashing MS band wagon....Jeeze, I was just starting to like the updates from CNET now it appears I will have to trash it along with my Mac Mags....

Pull your heads out of the sand, discuss the problem like it really is in todays market and lets address it. I can't believe someone is writing about OS2--I have the install floppies keeping my storage table level...jeeze!

YES 70% of ALL TYPES OF corporate attacks are from the INSIDE, have been for the last 20 years!

Come on people get life, turn on the lights and open your eyes!

Or--wait...Maybe it is easier for everyone to live in your own make-believe-lands.

For me I am going to work in the real world on Monday and Yes believe it or not OS/2 is NOT AN OPTION!

[inachu]

This makes matters even worse.

Many times on a lan people from work bring in routers from home so they can use more than one pc at a time.

Little do they know that router is handing out new ip addresses which is another way to sniff the network.

[wolivere]

Any IT group in a company large enough to fear

This that has not known about this issue or dealt with it should be fired.

It is not only MS, its Mac, its Linux, all are vulnerable.

Lots of company's are dealing with inside users who set up there own proxy's and tunnel out through the firewall. Its always fun catching them and letting HR deal with them.

Now how much of a threat is this? Well depends, on what the heck your allowing out on the Internet from the inside, what data is avalible, how its accessed how its viewed.

There are so many questions on this.

I still am boggled at how elaborate some internal users get when they just need to be able to get there home email, IM from within the company network. That they risk there job and criminal charges just to do it.

I feel very sorry for some of these people when I sit in on there exit interview as HR fires them.

And every once in a while, I laugh, when someone says its there right to be able to do what they want with the internet.

Any how again, not a real worthy article.

[ZenOfJazz]

Of course No one has WIRELESS - DUH!

Especially not wireless configured by a PHB, so it's not secured, and has a foot print that reaches to the coffee shop across the street...

So yeah, no one needs to worry about this possible hijack vector. <sticks head back into the sand>.

[wbenton]

Per C2 Security

Per C2 Security, ALL unnecessary protocols and programs should be Disabled including WPAD.

But per Microsoft, they've kindly enabled WPAD as with a bunch of other security weak protocols. But sadly,the only way to remove it is via editing the registry. Microsoft can be thanked for that one too... (* GRIN *)

For those who want to disable it, Microsoft recommendation is here: http://support.microsoft.com/kb/271361

Editing the registry is like water off a duck's back for me, but for the "not so PC guru" types... make sure you backup your registry before you use the scalpel to modify the registry!

Walt

[Commander_Spock]

Lest We Forget....

... as in STAR FLEET... there has to be "HMS ARCH ROYAL" Sailing The Atlantic To Be Near You--To Be Free--Do the have a Real-Time (OS/2 WARP) Secure Network too!

TO BOLDLY GO!!

BEAM US DOWN SCOTTY!