March 25, 2007 8:55 AM PDT

Windows weakness can lead to network traffic hijacks

WASHINGTON--A problem in the way Windows PCs obtain network settings could let attackers hijack traffic, security researchers said Saturday.

The problem occurs because of a design bug in the system used by Windows PCs to obtain proxy settings, researchers with security firm IOActive said at the ShmooCon hacker conference here. As a result, an attacker with access to a network at a corporation, for example, could insert a malicious proxy and see all the traffic, the researchers said.

"The upshot of it is that I can become your proxy server without you knowing about it," Chris Paget, director of research and development at IOActive, said in an interview after his presentation on the problem. "I can put up the equivalent of a detour sign on your network and redirect all the traffic."

Chris Paget
Credit: Joris Evers/CNET News.com
Chris Paget, director of research and
development at IOActive, during his
ShmooCon presentation.

An attacker can set up that "detour sign" because Internet Explorer on Windows PCs by default searches for a proxy server using the Web Proxy Autodiscovery Protocol, or WPAD, Paget said. It turns out that an attacker can easily register a proxy server on a network using the Windows Internet Naming Service, or WINS, and other network services including the Domain Name System, or DNS, he said.

"When IE starts up, it will ask the network where its proxy server is," Paget said. "It is really easy to put up your hand and say: 'Here I am.'"

Microsoft acknowledged the problem in a support article published Saturday on its TechNet Web site. "If an entity can surreptitiously register a WPAD entry in DNS or in WINS clients may be able to route their Internet traffic through a malicious proxy server," Microsoft said in its support article.

If an attack is successful, all traffic on a network will flow through the attacker's proxy. This means the attacker can access all the data, redirect and manipulate it and carry out all kinds of other nefarious acts, Paget said.

Still, the proxy problem isn't a critical security issue, Paget and fellow IOActive security expert Dan Kaminsky said. An attack is possible only with access to the target network, not from the Internet, they noted. "The biggest risk inside a corporation would come from a malicious insider," Paget said. "This is not worthy of mass panic or critical advisories."

That doesn't remove the need to fix the problem. Insider threats are real. Also, the proxy problem may be appealing to attackers who find it increasingly hard to exploit other vulnerabilities, Kaminsky said.

"Buffer overflows and other bugs have gotten a lot harder to do, so design issues like this have gotten a lot more interesting for attackers," he said.

Problems with WPAD aren't new. Seven years ago Microsoft patched IE 5 because the browser would search for a proxy server on the Internet if it failed to find one on its local network. That let a malicious hacker give settings to the browser that would facilitate a broader attack.

Such a problem was exploited by somebody who registered the domain name "wpad.org.uk" and served a "wpad.dat" file with proxy information to Windows PCs looking for it. As a result the people using those PCs ended up on an online auction Web site regardless of the address they typed into their browser.

In its support article, Microsoft lists steps for network administrators to address the WPAD problem. The steps reserve static WPAD DNS host names and to reserve WPAD WINS name records. As a result, an attacker's malicious WPAD name will no longer work, which will foil the malicious proxy trick, Paget said.

See more CNET content tagged:
attacker, WINS, researcher, traffic, DNS

39 comments

Join the conversation!
Add your comment
"The biggest risk ... would come from a malicious insider"
and the FBI reports that only about 70% of all attacks come from insiders.

Right, this isn't a big concern at all.
Posted by rcrusoe (1305 comments )
Reply Link Flag
Heh - and WiFi networks...?
c'mon... this would be drop-easy to set up in a place w/ free Wifi access (or in any place w/ Wifi anyway, such as companies or apartment complexes), sometimes even if the network has an existing proxy (mostly because even if there were a proxy, you can set one up anyway and still have a 50-50 shot at it, depending on setup).

/P
Posted by Penguinisto (5042 comments )
Link Flag
OMG! BE AFRAID! BE VERY AFRAID!
Because it's so hard to UNCHECK THE BOX that says "Automatically detect settings." Please, if your company is vulnerable to this "vulnerability", you need to get a better pc deployment group - you know, one that's smart enough to specify a proxy or pac on your standard image.
Posted by McAdmin77 (1 comment )
Reply Link Flag
Or
buy Mac OS 6.6.00.
Posted by paulsecic (298 comments )
Link Flag
Knowledge
They have to know there is a problem and remember to hit that box, along with dozens of other minor tasks in the middle of a busy shift. Better and safer that the auto detect default to "no".
Posted by Phillep_H (497 comments )
Link Flag
Insiders From The Outside
It seems to me that a hacker from outside a company who was able to infiltrate a corporate PC and take it over could then install a proxy server on that PC and thereby gain access to network traffic on uncompromised PCs. This would really magnify the effect. Is there any reason this would not work?
Posted by Stating (869 comments )
Reply Link Flag
This has more to do with...
DNS and WINS services in general accepting updates dynamically from DNS/WINS clients. If the service is not secured, then anything can happen, including bad proxy server updates.
Posted by EnvisionOne (2 comments )
Reply Link Flag
What is going on.
Are you people really that stupid. Now we have a reputable IT company CNET blowing up a story as a major weakness in windows. Holy Crap...This is a major weakness in ANY network. But, lets jump on the bashing MS band wagon....Jeeze, I was just starting to like the updates from CNET now it appears I will have to trash it along with my Mac Mags....

Pull your heads out of the sand, discuss the problem like it really is in todays market and lets address it. I can't believe someone is writing about OS2--I have the install floppies keeping my storage table level...jeeze!

YES 70% of ALL TYPES OF corporate attacks are from the INSIDE, have been for the last 20 years!

Come on people get life, turn on the lights and open your eyes!

Or--wait...Maybe it is easier for everyone to live in your own make-believe-lands.

For me I am going to work in the real world on Monday and Yes believe it or not OS/2 is NOT AN OPTION!
Posted by esblake (3 comments )
Reply Link Flag
Lotus Notes 8.0 Is About To Be Launched; And....
... God help you if OS/2 becomes one of the "Eclipse Stack" options (as LINUX is) for old times sake and if this be the case then--your lunches and dinners may be gone ("work in the real world" disrupted) because of your apparent Windows Only Ways! Ha! Ha! Ha!
Posted by Commander_Spock (3123 comments )
Link Flag
This makes matters even worse.
Many times on a lan people from work bring in routers from home so they can use more than one pc at a time.

Little do they know that router is handing out new ip addresses which is another way to sniff the network.
Posted by inachu (963 comments )
Reply Link Flag
Any IT group in a company large enough to fear
This that has not known about this issue or dealt with it should be fired.

It is not only MS, its Mac, its Linux, all are vulnerable.

Lots of company's are dealing with inside users who set up there own proxy's and tunnel out through the firewall. Its always fun catching them and letting HR deal with them.

Now how much of a threat is this? Well depends, on what the heck your allowing out on the Internet from the inside, what data is avalible, how its accessed how its viewed.

There are so many questions on this.

I still am boggled at how elaborate some internal users get when they just need to be able to get there home email, IM from within the company network. That they risk there job and criminal charges just to do it.

I feel very sorry for some of these people when I sit in on there exit interview as HR fires them.

And every once in a while, I laugh, when someone says its there right to be able to do what they want with the internet.

Any how again, not a real worthy article.
Posted by wolivere (780 comments )
Reply Link Flag
Of course No one has WIRELESS - DUH!
Especially not wireless configured by a PHB, so it's not secured, and has a foot print that reaches to the coffee shop across the street...

So yeah, no one needs to worry about this possible hijack vector. <sticks head back into the sand>.
Posted by ZenOfJazz (3 comments )
Reply Link Flag
Per C2 Security
Per C2 Security, ALL unnecessary protocols and programs should be Disabled including WPAD.

But per Microsoft, they've kindly enabled WPAD as with a bunch of other security weak protocols. But sadly,the only way to remove it is via editing the registry. Microsoft can be thanked for that one too... (* GRIN *)

For those who want to disable it, Microsoft recommendation is here: <a class="jive-link-external" href="http://support.microsoft.com/kb/271361" target="_newWindow">http://support.microsoft.com/kb/271361</a>

Editing the registry is like water off a duck's back for me, but for the "not so PC guru" types... make sure you backup your registry before you use the scalpel to modify the registry!

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Lest We Forget....
... as in STAR FLEET... there has to be "HMS ARCH ROYAL" Sailing The Atlantic To Be Near You--To Be Free--Do the have a Real-Time (OS/2 WARP) Secure Network too!

TO BOLDLY GO!!

BEAM US DOWN SCOTTY!
Posted by Commander_Spock (3123 comments )
Reply Link Flag
Commander_Spock is a talkbot
Not human.
Posted by lesfilip (496 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.