

It's not every day we get to talk about a ten year old vulnerability like it's new, but this week, Microsoft has given me just this opportunity with MS09-008, aka, "Vulnerabilities in DNS and WINS Server Could Allow Spoofing." A lot of people may not know about the role of WPAD in their desktop environment, so hopefully, this post will clear the air about what WPAD is and isn't, its sketchy security history, what MS09-008 proposes, and a quickie demo.
Amidst the global Y2k freakout in December of 1999, Microsoft released MS99-054, which purports to patch WPAD spoofing....
"Wait, what's WPAD?" you ask? Well, WPAD is a browser control protocol that lets network administrators have your browser figure out what proxy it ought to use to talk to the rest of the world. For IE, this functionality is on by default, and IE asks about WPAD with a DHCP request when it's first enabled. If it doesn't find one there, then it asks DNS.
Oh, and there's no cryptographic security at all built into WPAD. DNS (or, more rarely, DHCP) tells your browser where to fetch the wpad.dat file... which is really just a series of JavaScript directives to configure your browser for you... silently... without any real guarantee about where it came from aside from a DNS name.
Well, this is a bit of a problem, thanks to some built-in recursive searching. See, if your browser -- which is determined to reconfigure itself based on some unauthenticated guy's say-so -- couldn't find a machine called "wpad.site.yourcompany.com," it would ask about "wpad.yourcompany.com." Lucky for users of the time, it wouldn't automatically try to hit wpad.com, who could be anybody (but is in reality a nice guy named Duane Wessels). Unlucky for the fine people at haggisunlimited.co.uk, Internet Explorer thought that "co.uk" was still one step away from the world at large. Legend has it, Microsoft fixed that up in December of 1999. Also according to rumor and hearsay, Microsoft fixed it again in 2005 (after some people got phished by wpad.org.uk), and later published a frank and useful KB article about the vagaries of DNS and WPAD around 2007.
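To make the "one step away from the world at large" problem concrete, here is an added example (not code from the original post) that models the DNS search devolution described above: given a client's DNS suffix, it lists every wpad.* name a devolving browser would ask for and flags the ones whose parent domain is a public suffix, meaning anyone on the Internet could register and answer for it. The tiny PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, and the exact devolution rules of any particular IE version are assumed, not reproduced from Microsoft's code.

```python
# Added example: model WPAD hostname devolution and flag candidates that
# escape the organisation's own domain. Not from the original post.
from typing import List

# Constructed, deliberately tiny stand-in for the Public Suffix List
# (publicsuffix.org); a real check would load the full list.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "org.uk"}


def wpad_candidates(dns_suffix: str) -> List[str]:
    """Return the wpad.<...> names a devolving client would query,
    most specific first, walking up one label at a time."""
    labels = [l for l in dns_suffix.lower().strip(".").split(".") if l]
    return ["wpad." + ".".join(labels[i:]) for i in range(len(labels))]


def is_public_suffix(domain: str) -> bool:
    """True if the domain is one that anyone can register a name under."""
    return domain.lower() in PUBLIC_SUFFIXES


def unsafe_candidates(dns_suffix: str) -> List[str]:
    """Candidates a naive client would try whose parent domain is a public
    suffix, i.e. a wpad host there could be run by a total stranger."""
    return [n for n in wpad_candidates(dns_suffix)
            if is_public_suffix(n[len("wpad."):])]


def safe_candidates(dns_suffix: str) -> List[str]:
    """Candidates a fixed client should limit itself to: stop devolving
    before the parent domain becomes a public suffix."""
    return [n for n in wpad_candidates(dns_suffix)
            if not is_public_suffix(n[len("wpad."):])]


if __name__ == "__main__":
    for suffix in ("site.yourcompany.com", "haggisunlimited.co.uk"):
        print(suffix)
        print("  would try :", wpad_candidates(suffix))
        print("  unsafe    :", unsafe_candidates(suffix))
        print("  should try:", safe_candidates(suffix))
```

For "haggisunlimited.co.uk" the naive walk ends at wpad.co.uk and wpad.uk, which is exactly the pre-1999 failure mode; the safe list stops at wpad.haggisunlimited.co.uk.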
So this week, the whole matter is finally behind us, right? Surely, the MS09-008 patch is going to be the end of this heady, devil-may-care decade of trusting DNS with auto-configuring proxy settings, right?
Sadly, not quite. MS09-008 does make it harder for a local attacker to sneak a new A record into your local DNS via a WINS registration, so that's good. But we're still relying on DNS to give us a trustworthy source for proxy configuration -- and that trust is really based on nothing. DNS spoofing and cache poisoning have been all the rage lately -- heck, MS09-008 also lumps in a couple more fixes to Windows DNS precisely for a couple of spoofing attacks (CVE-2009-0223 and CVE-2009-0224). Color me jaded, but I somehow doubt these are the last tricks we're going to pull out of DNS's hat.
Don't get me wrong; automatically configuring a proxy is not, in and of itself, a Bad Idea. It's plenty clever. It's just more clever when it's part of a DHCP request (which is baked into Internet Explorer). At least that's somewhat more limited to a local(ish) network -- after all, if the adversary can compromise your local DHCP service, he can just hand you an evil gateway and monkey with all your traffic, not just web traffic. It would be more clever if the wpad.dat config file could be cryptographically signed in the same way that other critical paths are, like VPN connections. But for my money, it would be the cleverest of all if there were a way to force your browser to trust WPAD information if and only if it's signed by some specific entity. At least, then, if something goes horribly, horribly wrong with DNS (ahem), users will still get a red button to ignore when they get an evil wpad.dat.
"Hey, where's my demo?" I hear you ask. Never fear, I didn't forget. So here we go, the magic of untrustable proxy configuration, just in case you're curious and haven't seen it in action. For this, you'll have to trust me... and some anonymous person in China who I've never met, since we're going to use his open proxy that he's advertising to the world. Hey, you can't back out now, you were the one rhetorically complaining in the first place. But, to make it fair, I won't give you screenshots of each button click -- honestly, performing the below without knowing what you're getting into is a Very Bad Idea. Oh, and since this whole problem isn't just Microsoft's bag, we'll do this thing with Firefox running on Windows XP.
First, you'll want to pretend to join my domain. Go to your Network Connections control panel, then navigate to TCP/IP Properties: Advanced, and add the domain "example.classself.com" to your DNS search order and as your DNS suffix. Hit OK, and close that out. Mind the spelling -- three esses in a row.
Next, open up Firefox, and navigate to Edit: Preferences: Settings: Advanced: Network: Settings, and select the "Auto-detect proxy settings" option. Hit OK, and close that out.
Fire up Firefox again, and go to http://www.ipv6.org -- it should proudly tell you that you're visiting from "121.22.29.185," which is exactly the proxy that I just set for you. (I knew IPv6 was good for something!) If you don't believe me, you can go to http://wpad.example.classself.com/wpad.dat and see for yourself. It's text/plain javascript, so it shouldn't run in your browser.
Now, go log in to your PayPal account and ignore the warning about the invalid certificate... oh, I kid. That's the end of the demo. Please now, right away, uncheck your auto-proxy option, and forget that example.classself.com domain that you've pretended to join. This is a remarkably unwise networking state to be in.
Come to think of it, that last bit is good advice even if you were using WPAD legitimately before the demo. Seriously. You have no business asking strangers to proxy your web traffic for you, unless a) it's absolutely required by your local network, and b) you have a promise from your network administrator that you'll get the WPAD goods only by DHCP, or c) that he'll at least be very careful about how he implements DNS recursive queries, and he'll mind the wpad server like a hawk.