[Dailydave] How is this WPAD redirect even a "hack"?

James (njan) Eaton-Lee james.mailing at gmail.com
Tue Mar 27 10:00:36 EDT 2007


George Ou wrote:
> I'm waiting for MS clarification if said surreptitious activity is a new
> vulnerability or purely hypothetical.

It's definitely exploitable; it just relies upon the environment being 
configured in a particular way.

In a well set up Windows infrastructure, DNS will be configured to 
require Secure Dynamic Updates, i.e. authenticated updates a la RFC 2845.

This means you shouldn't be able to just craft a DNS update using scapy 
(or whatever else you'd normally use) to create a WPAD record in the 
forward lookup zone from $randomclient. If you're able to authenticate 
to the DNS Server, however, you can create whatever records you like, 
and ANY domain client can do this.

Case in point: in a best-practice Win2003 AD environment, I've just done 
the following:

+ Renamed a Vista client to "WPAD" (this requires local admin on the box)
+ Joined it to the domain (in most domains, any domain user can do this 
up to 10 times)

At this point, the machine's registered itself via Secure Dynamic 
Updates in DNS, and lo and behold...

C:\Users\james>nslookup wpad.mydomain.com
Server:  DNSSERVER.mydomain.com
Address:  10.1.1.1:53

Name:    wpad.mydomain.com
Address:  10.1.1.118

Now, if I enable automatic proxy detection in IE on a domain client, and 
close/reopen IE, I get the following, dumped via ethereal:

GET /wpad.dat HTTP/1.1
Accept: */*
User-Agent: System.Net.AutoWebProxyScriptEngine/2.0.50727.312
Host: 10.0.1.118
Connection: Close

HTTP/1.1 404 Not Found
Content-Type: text/html
Server: Microsoft-IIS/7.0
Date: Tue, 27 Mar 2007 13:48:47 GMT
Connection: close
Content-Length: 1203

(rest of the IIS7 404 page snipped).

I didn't bother configuring a wpad.dat on the Vista System. (Hey, I'm lazy.)

As soon as I enabled DHCP Option 252 (the WPAD option), this stopped 
happening. (Actually, I forgot to do this first, and it wouldn't work; I 
had to disable the scope option temporarily and re-acquire my DHCP lease).

So yes, it definitely works, and it's not hypothetical. Vulnerability, 
or mis-configuration? Up to you.

  - James.

-- 
   James (njan) Eaton-Lee | UIN: 10807960 | http://www.jeremiad.org

   "The universe is run by the complex interweaving of three
   elements: Energy, matter, and enlightened self-interest." - G'Kar

  https://www.bsrf.org.uk | ca: https://www.cacert.org/index.php?id=3
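The discovery order James relies on (DHCP option 252 first, then DNS lookups for wpad.<domain>), plus the kind of zone check a defender would run to catch a rogue "WPAD" host, modelled as an added example. This is not code from the original post or from Microsoft; the zone contents, the approved proxy address and the option 252 URL are constructed for illustration, and the resolver is a stub dictionary so the script runs offline.

```python
"""Added example, not from the original post: model the WPAD discovery order
(DHCP option 252, then DNS devolution of the client's domain) and audit a DNS
zone for 'wpad' A records that point somewhere other than the approved proxy.
All zone data and addresses below are constructed for illustration."""

from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed forward zone, mirroring the post: a Vista box renamed "WPAD" has
# registered itself via Secure Dynamic Update at 10.1.1.118.
CONSTRUCTED_ZONE: Dict[str, str] = {
    "dnsserver.mydomain.com": "10.1.1.1",
    "wpad.mydomain.com": "10.1.1.118",      # the rogue registration
    "proxy.mydomain.com": "10.1.1.5",       # assumed legitimate proxy (hypothetical)
}

# Assumed DHCP scope option 252 value (hypothetical URL).
DHCP_OPTION_252 = "http://proxy.mydomain.com/proxy.pac"


def dns_devolution_candidates(client_domain: str, min_labels: int = 2) -> List[str]:
    """Names a client tries when no DHCP hint exists: wpad.<domain>, then
    wpad.<parent>, ... stopping before the top-level domain.
    'corp.mydomain.com' -> ['wpad.corp.mydomain.com', 'wpad.mydomain.com']"""
    labels = [l for l in client_domain.strip(".").split(".") if l]
    candidates = []
    while len(labels) >= min_labels:
        candidates.append("wpad." + ".".join(labels))
        labels = labels[1:]
    return candidates


def discover_wpad_url(dhcp_option_252: Optional[str],
                      client_domain: str,
                      resolve: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return the URL an auto-detecting client would fetch its PAC file from.
    DHCP option 252 wins outright, which is why enabling the scope option in
    the post made the DNS-driven requests stop; only without it does the client
    fall through to the wpad.<domain> lookups."""
    if dhcp_option_252:
        return dhcp_option_252
    for name in dns_devolution_candidates(client_domain):
        if resolve(name):
            return f"http://{name}/wpad.dat"
    return None


def audit_wpad_records(zone: Dict[str, str],
                       approved: Set[str]) -> List[Tuple[str, str]]:
    """Defender's check: every A record whose leftmost label is 'wpad' must
    point at an approved proxy address; anything else is reported."""
    rogue = []
    for name, addr in zone.items():
        if name.split(".")[0].lower() == "wpad" and addr not in approved:
            rogue.append((name, addr))
    return rogue


def resolve_constructed(name: str) -> Optional[str]:
    """Stub resolver over the constructed zone (no real DNS traffic)."""
    return CONSTRUCTED_ZONE.get(name.lower())


if __name__ == "__main__":
    # Without option 252 the client walks DNS and lands on the rogue host.
    print("no DHCP hint :", discover_wpad_url(None, "mydomain.com", resolve_constructed))
    # With option 252 set, DNS is never consulted for WPAD.
    print("option 252   :", discover_wpad_url(DHCP_OPTION_252, "mydomain.com", resolve_constructed))
    # Zone audit flags the 10.1.1.118 registration.
    print("rogue records:", audit_wpad_records(CONSTRUCTED_ZONE, approved={"10.1.1.5"}))
```

The audit only looks at the zone a domain member can update; it does not cover a WPAD host injected via other name services, so it complements rather than replaces the DHCP option. The devolution stop at two labels is an assumption about the client for this model, not a statement about any particular Windows build.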