Posted on

VU#598349: Automatic DNS registration and proxy autodiscovery allow spoofing of network services

The Web Proxy Automatic Discovery(WPAD)protocol is used to automatically provide proxy configuration information to devices on a network. Clients issue a special DHCP request to obtain the information for the proxy configuration,but will fall back on a DNS request to one of several standardized URLs making use of the subdomain name of“wpad” if a DHCP response is unavailable. An attacker with local area network(LAN)access may be able to add a device with the name“wpad” to the network,which may produce a collision with a standardized WPAD DNS name. Many customer premise home/office routers(including,but not limited to,Google Wifi and Ubiquiti UniFi)automatically register device names as DNS A records on the LAN,which may allow an attacker to utilize a specially named and configured device to act as a WPAD proxy configuration server. The attacker-served proxy configuration can result in the loss of confidentiality and integrity of any network activity by any device that utilizes WPAD. Other autodiscovery names such as ISATAP may also be exploitable.

Leave a Reply

Your email address will not be published. Required fields are marked *