Dailydave mailing list archives
Re: How is this WPAD redirect even a "hack"?
From: "James (njan) Eaton-Lee" <james.mailing () gmail com>
Date: Tue, 27 Mar 2007 15:00:36 +0100
George Ou wrote:
I'm waiting for MS clarification if said surreptitious activity is a new vulnerability or purely hypothetical.
It's definitely exploitable; it just relies upon the environment being configured in a particular way.
In a well set up Windows infrastructure, DNS will be configured to require Secure Dynamic Updates, i.e. authenticated updates a la RFC2845.
This means you shouldn't be able to just craft a DNS update using scapy (or whatever else you'd normally use) to create a WPAD record in the forward lookup zone from $randomclient. If you're able to authenticate to the DNS Server, however, you can create whatever records you like, and ANY domain client can do this.
Case in point; in a best-practice Win2003 AD environment, I've just done the following:
+ Renamed a Vista client to "WPAD" (this requires local admin on the box)
+ Joined it to the domain (in most domains, any domain user can do this up to 10 times)
At this point, the machine's registered itself via Secure Dynamic Updates in DNS, and lo and behold...
C:\Users\james>nslookup wpad.mydomain.com
Server:  DNSSERVER.mydomain.com
Address:  10.1.1.1:53

Name:    wpad.mydomain.com
Address:  10.1.1.118

Now, if I enable automatic proxy detection in IE on a domain client, and close/reopen IE, I get the following, dumped via ethereal:
GET /wpad.dat HTTP/1.1
Accept: */*
User-Agent: System.Net.AutoWebProxyScriptEngine/2.0.50727.312
Host: 10.0.1.118
Connection: Close

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
Date: Tue, 27 Mar 2007 13:48:47 GMT
Connection: close
Content-Length: 1203

(rest of the IIS7 404 page snipped)

I didn't bother configuring a wpad.dat on the Vista system. (Hey, I'm lazy.)

As soon as I enabled DHCP Option 252 (the WPAD option), this stopped happening. (Actually, I forgot to do this first, and it wouldn't work; I had to disable the scope option temporarily and re-acquire my DHCP lease.)
So yes, it definitely works, and it's not hypothetical. Vulnerability, or mis-configuration? Up to you.
- James.

-- 
James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org
"The universe is run by the complex interweaving of three elements: Energy, matter, and enlightened self-interest." - G'Kar
https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
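The discovery order James describes (DHCP option 252 is honoured first; without it the client falls back to a DNS lookup for wpad.<domain>, which is what his renamed Vista box hijacked) can be modelled and audited offline. The following is an added example, not code from the original post or from anyone in the thread. It assumes the documented IE/WinHTTP behaviour of walking wpad.<domain> up through parent domains and stopping before the top-level domain; the client name, approved proxy list and DHCP URL below are constructed, and the DNS record is the one from the nslookup output above.

```python
"""Model of Windows WPAD discovery plus a small audit over the result.

Added illustration, not code from the Dailydave post. Assumptions
(labelled, not from the thread): DHCP option 252 takes precedence over
any DNS lookup, as the post's observation suggests; the DNS fallback
tries wpad.<domain> for the client's domain and each parent domain,
stopping before the bare TLD (IE/WinHTTP "devolution").
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass
class Discovery:
    source: str            # "dhcp", "dns" or "none"
    url: Optional[str]     # proxy script URL the client would fetch
    target: Optional[str]  # where the HTTP request actually goes


def wpad_candidates(client_fqdn: str) -> List[str]:
    """Names queried, in order, when no DHCP option 252 is offered.

    pc.sub.mydomain.com -> wpad.sub.mydomain.com, wpad.mydomain.com
    (wpad.com is never tried: devolution stops at the second-level domain).
    """
    labels = client_fqdn.lower().rstrip(".").split(".")
    parents = labels[1:]              # drop the host's own label
    names = []
    while len(parents) >= 2:          # keep at least "<second-level>.<tld>"
        names.append("wpad." + ".".join(parents))
        parents = parents[1:]
    return names


def discover_wpad(client_fqdn: str,
                  dhcp_option_252: Optional[str],
                  dns_a_records: Dict[str, str]) -> Discovery:
    """Return what the client would fetch and from where.

    dns_a_records maps an FQDN to its A record, standing in for the
    forward lookup zone; any domain member may have registered an entry
    there via Secure Dynamic Updates.
    """
    if dhcp_option_252:
        # Option 252 carries a full URL; the request goes to its host part.
        host = dhcp_option_252.split("//", 1)[1].split("/", 1)[0]
        return Discovery("dhcp", dhcp_option_252, host)
    for name in wpad_candidates(client_fqdn):
        if name in dns_a_records:
            # Client connects to whatever the A record says and asks for /wpad.dat.
            return Discovery("dns", f"http://{name}/wpad.dat", dns_a_records[name])
    return Discovery("none", None, None)


def audit(found: Discovery, approved_targets: Iterable[str]) -> List[str]:
    """Findings a reviewer of the proxy configuration would want raised."""
    findings = []
    if found.source == "dns":
        findings.append("WPAD located via DNS, not DHCP option 252: any domain "
                        "member able to register a host named WPAD controls it")
    if found.target and found.target not in set(approved_targets):
        findings.append(f"WPAD target {found.target} is not an approved proxy host")
    return findings


# Constructed environment: the A record James observed, an approved proxy
# (hypothetical name/address) and a hypothetical DHCP option 252 value.
ZONE = {"wpad.mydomain.com": "10.1.1.118"}
APPROVED = {"proxy.mydomain.com", "10.1.1.5"}
OPTION_252 = "http://proxy.mydomain.com/wpad.dat"


def scenario(with_dhcp_option: bool) -> Discovery:
    """Run discovery for a domain client with or without option 252 in scope."""
    return discover_wpad("pc.mydomain.com", OPTION_252 if with_dhcp_option else None, ZONE)


if __name__ == "__main__":
    for with_dhcp in (False, True):
        d = scenario(with_dhcp)
        print(f"option 252 present={with_dhcp}: source={d.source} url={d.url} target={d.target}")
        for f in audit(d, APPROVED):
            print("  finding:", f)
```

Without option 252 the model reproduces the post: the client resolves wpad.mydomain.com, lands on 10.1.1.118 and requests /wpad.dat; with the option in scope the DNS record is never consulted, which is the same change in behaviour James saw after enabling the scope option and renewing his lease.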
Current thread:
- How is this WPAD redirect even a "hack"? George Ou (Mar 27)
- Re: How is this WPAD redirect even a "hack"? James (njan) Eaton-Lee (Mar 27)
- Re: How is this WPAD redirect even a "hack"? Ronald L. Rosson Jr. (Mar 27)
- Re: How is this WPAD redirect even a "hack"? James (njan) Eaton-Lee (Mar 28)
- Re: How is this WPAD redirect even a "hack"? James (njan) Eaton-Lee (Mar 27)
- Re: How is this WPAD redirect even a "hack"? McGean, Joseph (Mar 27)
- Re: How is this WPAD redirect even a "hack"? george_ou (Mar 28)
- Re: How is this WPAD redirect even a "hack"? Steve Shockley (Mar 31)