By that I'm guessing you mean local networks ala coffeeshop/public wifi. What about networks that NSA/[insert three letter agency here] controls? Can PAC be affected by those?
Wait, what... malicious dhcp can "force" browsers to execute essentially arbitrary code for every request? And this is by design? Is there some flag to nuke that feature from eg Firefox?
Yes, WPAD (web proxy auto discover) is for locating a piece of javascript code specified by Proxy auto-config [1], which consists of a single javascript function that is given the url & the host, and returns a proxy to use.
Edit: note that in addition to SOCKS proxies, this also allows one to provide HTTP proxies. I'm not familiar with the interaction of https traffic with HTTP proxies, but I'd hope browsers avoid using them? Anyone familiar with this care to comment? (specs are sparse in this area)
It's not arbitrary code, it is a DHCP option to push a proxy setting. It is DHCP option 252, and isn't really any different than any other DHCP option, like router or default domain.
Setting network settings is exactly what DHCP was for.
1: proxy manually configured in Firefox preferences, no PAC file.
2: Use the PAC file found at the URL given by the value of the "network.proxy.autoconfig_url" preference.
4: Use WPAD to get the PAC file.
5: Do whatever the OS says to do in terms of proxy settings (including what PAC file to use, if any).
The default value is 5. I believe setting the preference to 0 will ensure that you always use a direct, not proxied, connection to the target site, and in particular that no PAC file is used.
Edit: Ah, just noticed that kuschku points to UI for all this stuff below too.
This is a well known attack and has been for a while. There are established domain suffixes which block registration for 'wpad' (as well as a few other domains) for exactly this reason. Which is only a partial mitigation in a world where MITM is a potential attack vector.
I have domains which receive a steady stream of 'wpad.$domain' queries from machines which have nothing to do with me. I don't know who owns the machines. I also don't think anyone would notice if I decided to actually provide them with the proxy service they keep requesting from my infrastructure.
On OS X, it is set in the system network preference pane. Click a connection, then Advanced..., then Proxies, and there's a service listed called "Automatic Proxy Discovery" that you can enable if you want it (it is disabled by default.)
There are a number of API calls that leak DNS queries, such as isInNet. If you have optimized a PAC for performance, you absolutely would avoid this from happening, but if you're evil and you want to leak dns queries... then whatever. I would add a filter to include only the required transactions (i.e., url contains samltoken or something).
On the flip side the article isn't correct about IE truncating hosts, what it does is cache the PAC results on a per-host basis, so only the first URL a client accesses to a host will get processed.
The other main threat of the WPAD is that it affects Zones. In a corporate environment, things that go through the proxy server are assumed to be on the internet and in the Internet zone. Things that go direct are assumed to be Intranet Zone, which has reduced security posture. An evil WPAD that just returns "DIRECT" all the time will lower IE's posture for all sites to Intranet Zone, enabling IWA (making credential harvesting possible), reducing warnings on active content, etc.
"We show that HTTPS cannot provide security when WPAD is enabled."
That's effectively a lie. The HTTPS connection itself is definitely still secure. The only difference is the browser is telling an attacker what URL it wants to go to. You can also watch what virtual hosts someone is visiting by sniffing DNS requests, statistical packet analysis can show exactly what you're looking at, and there are plenty of attacks on browsers and the client OS to get more data that don't require wpad.
If you want to browse securely, you have to tunnel everything. You should not assume a browser will ever be able to hide all possible traceable data about your connection & request.
The full URL contains much more than just the host.
Open fiddler, log in to a Google account, see how much sensitive data is sent inside URL params.
All of this data is disclosed in this attack.
I'm confused. Is this a real problem under default OS X settings? Is the OS X GUI misleading me?
In my settings in Network -> Advanced -> Proxies, all the little boxes are unchecked. There is an "Automatic Proxy Configuration" line but only when I check it do I see a method to enter the URL to a .pac file.
So, as a naive user, when I see everything unchecked I assume that everything is disabled. But perhaps the checkbox only provides a method to supply information that a DHCP server omits?
So if the DHCP server does return an URL to a .pac file, will OS X will accept it regardless of the check box?
The "Automatic Proxy Configuration" setting allows you to manually set the URL of the PAC file for automatic configuration. Maybe setting a custom PAC file can override the one sent by the DHCP server. Anyway, unchecking that one will not protect you.
However, in the same list, you should see a checkbox labeled "Auto Proxy Discovery". This is the one you want to uncheck so that OS X does not accept the URL sent by the DHCP server.
This is why I don't trust public wifi, anywhere. I use my phone as a hot spot everywhere I go unless there's no other option. And I still don't trust my phone that much either so I don't do any online banking unless I VPN back to my house first.
Even ISPs will do all sorts of obnoxious things like this, although some public wifi is horrible. I got a $15/year ramnode VPS about a year and a half ago and removed all services except ssh on port 80 with chacha/poly1305 and public key encryption. I mostly use SOCKS with sshuttle to catch anything not configured for SOCKS (sshuttle in theory is a better method, but in practice it leaks DNS requests somehow). Quite simple and I highly recommend it. Traffic accounting seems to undercount substantially with this usage so I didn't get anywhere near my limit (I don't have the highest bandwidth usage, but not the smallest either). One public wifi I would like to use more often somehow manages to break this setup (and half the internet even without a VPN so no idea what they are doing), but I haven't had trouble anywhere else. I started doing this after getting SSL downgrade errors using public wifi.
the chance that a mobile network provider will use DHCP for phone connections over Edge, 3G, LTE, etc... is extremly high.
And I would guess Android and iPhone will actually honor WPAD
I am dubious that any of my Debian machines would fall for this.
BUT... I was unaware of this DHCP attack surface for WPAD. Does anybody know if Debian has some scripts for receiving a URL via that mechanism and then visiting it? I guess this would be achieved by libproxy or something?
I'm also going to be talking a bit about WPAD in my Blackhat talk this year.
To over simplify: attacker stays at AirBnb/rental, attacker pwns local router and adds their dns server, attacker listens for wpad request and respond with malicious PAC to gain MitM. Oh, the dangers of AirBnB/rental networks.
From the briefing:
We will demonstrate that, by forcing your browser/system to use
a malicious PAC (Proxy AutoConfiguration) resource, it is
possible to leak HTTPS URLs.
Would be interesting to see the exploit in action. However, malicious PAC redirection has existed for a while [0].
What isn't quite clear is whether this would work even with HSTS sites.
The takeaway seems to be that never trust any unknown network.
[0] https://blogs.technet.microsoft.com/mmpc/2014/02/28/maliciou....
[+] [-] 0xmohit|9 years ago|reply
What isn't quite clear is whether this would work even with HSTS sites.
The takeaway seems to be that never trust any unknown network.
[0] https://blogs.technet.microsoft.com/mmpc/2014/02/28/maliciou...
[+] [-] valievkarim|9 years ago|reply
[+] [-] dmix|9 years ago|reply
By that I'm guessing you mean local networks ala coffeeshop/public wifi. What about networks that NSA/[insert three letter agency here] controls? Can PAC be affected by those?
[+] [-] zokier|9 years ago|reply
[+] [-] codys|9 years ago|reply
1: https://en.wikipedia.org/wiki/Proxy_auto-config
Edit: note that in addition to SOCKS proxies, this also allows one to provide HTTP proxies. I'm not familiar with the interaction of https traffic with HTTP proxies, but I'd hope browsers avoid using them? Anyone familiar with this care to comment? (specs are sparse in this area)
[+] [-] kuschku|9 years ago|reply
Menu > Preferences > Advanced > Network > Settings… > No Proxy.
Very simple and easily discoverable setting.
Google Chrome uses your OS's settings for proxy, though, so you can't easily turn it off in most cases, but you can go toSettings (scroll down a page) > Advanced Settings > Network > Configure System Proxy Settings
(that redirects you to the system settings for proxies, usually).
[+] [-] mhurron|9 years ago|reply
Setting network settings is exactly what DHCP was for.
[+] [-] bzbarsky|9 years ago|reply
Yes. In Firefox, the "network.proxy.type" preference is an integer that can take on the values 0, 1, 2, 3, 4, 5 with the following meanings:
0,3: no proxy (see https://bugzilla.mozilla.org/show_bug.cgi?id=115720 for the history on why 3 is the same as 0)
1: proxy manually configured in Firefox preferences, no PAC file.
2: Use the PAC file found at the URL given by the value of the "network.proxy.autoconfig_url" preference.
4: Use WPAD to get the PAC file.
5: Do whatever the OS says to do in terms of proxy settings (including what PAC file to use, if any).
The default value is 5. I believe setting the preference to 0 will ensure that you always use a direct, not proxied, connection to the target site, and in particular that no PAC file is used.
Edit: Ah, just noticed that kuschku points to UI for all this stuff below too.
[+] [-] DanielDent|9 years ago|reply
I have domains which receive a steady stream of 'wpad.$domain' queries from machines which have nothing to do with me. I don't know who owns the machines. I also don't think anyone would notice if I decided to actually provide them with the proxy service they keep requesting from my infrastructure.
[+] [-] johncolanduoni|9 years ago|reply
If you did so, it would make for a really interesting CFAA (or your country's equivalent) case. Unless there is precedent for this kind of thing?
[+] [-] newman314|9 years ago|reply
I tried searching for an OS X disable to no avail.
PS. I did find this which came out in May: https://www.us-cert.gov/ncas/alerts/TA16-144A
[+] [-] gergles|9 years ago|reply
[+] [-] zhuzhuor|9 years ago|reply
[+] [-] th0rning|9 years ago|reply
On the flip side the article isn't correct about IE truncating hosts, what it does is cache the PAC results on a per-host basis, so only the first URL a client accesses to a host will get processed.
The other main threat of the WPAD is that it affects Zones. In a corporate environment, things that go through the proxy server are assumed to be on the internet and in the Internet zone. Things that go direct are assumed to be Intranet Zone, which has reduced security posture. An evil WPAD that just returns "DIRECT" all the time will lower IE's posture for all sites to Intranet Zone, enabling IWA (making credential harvesting possible), reducing warnings on active content, etc.
[+] [-] caf|9 years ago|reply
[+] [-] jodrellblank|9 years ago|reply
https://en.wikipedia.org/wiki/Server_Name_Indication
[+] [-] peterwwillis|9 years ago|reply
That's effectively a lie. The HTTPS connection itself is definitely still secure. The only difference is the browser is telling an attacker what URL it wants to go to. You can also watch what virtual hosts someone is visiting by sniffing DNS requests, statistical packet analysis can show exactly what you're looking at, and there are plenty of attacks on browsers and the client OS to get more data that don't require wpad.
If you want to browse securely, you have to tunnel everything. You should not assume a browser will ever be able to hide all possible traceable data about your connection & request.
[+] [-] cpitman|9 years ago|reply
[+] [-] keyme|9 years ago|reply
[+] [-] Chlorus|9 years ago|reply
[+] [-] valievkarim|9 years ago|reply
[+] [-] PhantomGremlin|9 years ago|reply
In my settings in Network -> Advanced -> Proxies, all the little boxes are unchecked. There is an "Automatic Proxy Configuration" line but only when I check it do I see a method to enter the URL to a .pac file.
So, as a naive user, when I see everything unchecked I assume that everything is disabled. But perhaps the checkbox only provides a method to supply information that a DHCP server omits?
So if the DHCP server does return an URL to a .pac file, will OS X will accept it regardless of the check box?
[+] [-] nmc|9 years ago|reply
However, in the same list, you should see a checkbox labeled "Auto Proxy Discovery". This is the one you want to uncheck so that OS X does not accept the URL sent by the DHCP server.
[+] [-] AndyMcConachie|9 years ago|reply
Here's another recent one. https://ripe72.ripe.net/wp-content/uploads/presentations/49-...
[+] [-] double051|9 years ago|reply
[+] [-] blazespin|9 years ago|reply
[+] [-] TenOhms|9 years ago|reply
[+] [-] joveian|9 years ago|reply
[+] [-] Godel_unicode|9 years ago|reply
2) this only leaks URLs, your banking creds are safe.
[+] [-] merb|9 years ago|reply
[+] [-] amluto|9 years ago|reply
https://bugzilla.mozilla.org/show_bug.cgi?id=1289626
[+] [-] daveloyall|9 years ago|reply
BUT... I was unaware of this DHCP attack surface for WPAD. Does anybody know if Debian has some scripts for receiving a URL via that mechanism and then visiting it? I guess this would be achieved by libproxy or something?
Do the browsers do some WPAD stuff independently?
[+] [-] kuschku|9 years ago|reply
If you're using KDE, you can disable it under
System Settings > Network > Settings > Proxy > No Proxy.
If you want to disable it for the browsers, see https://news.ycombinator.com/item?id=12167767
[+] [-] cypherg|9 years ago|reply
To over simplify: attacker stays at AirBnb/rental, attacker pwns local router and adds their dns server, attacker listens for wpad request and respond with malicious PAC to gain MitM. Oh, the dangers of AirBnB/rental networks.
https://www.blackhat.com/us-16/briefings.html#airbnbeware-sh...
[+] [-] djsumdog|9 years ago|reply
Wait, don't they mean Defcon?
[+] [-] 0xmohit|9 years ago|reply
https://twitter.com/BlackHatEvents/status/748215791779217409
[+] [-] peterwwillis|9 years ago|reply
[+] [-] colechristensen|9 years ago|reply
[+] [-] a2tech|9 years ago|reply
[+] [-] Galinakot|9 years ago|reply
[+] [-] unknown|9 years ago|reply
[deleted]
[+] [-] williesleg|9 years ago|reply
[deleted]