badWPAD

Presented at Black Hat USA 2016, Aug. 4, 2016, 12:10 p.m. (25 minutes).

WPAD (Web Proxy Auto Discovery) is a protocol that allows computers to automatically discover Web proxy configurations. It is primarily used in networks where clients are only allowed to communicate to the outside through a proxy. The WPAD protocol has been around for almost 20 years (RFC draft 1999-07-28), but has well-known risks to it that have been largely ignored by the security community. This session will present the results of several experiments highlighting the flaws inherent to this badly designed protocol (WPAD), and bring attention to the many ways in which they can be easily exploited. Our research expands on these known flaws and proves a surprisingly broad applicability of "badWPAD" for possible malicious use today by testing it in different environments. The speaker will share how his team initially deployed a WPAD experiment to test whether WPAD was still problematic or had been fixed by most software and OS vendors. This experiment included attacks in 1) Intranets and open-access networks (e.g. Free-WIFI spots and corporate networks) and 2) DNS attacks on clients leaking HTTP requests to the internet.

Attendees will hear the rather surprising results that this experiment yielded: The DNS portion of the experiment revealed more than 38 million requests to the WPAD honeypot domain names from oblivious customers - while the intranet Free-WIFI experiment proved that almost every second Wifi spot can be utilized as attack surface. This test included Wifi at airport lounges, conferences, hotel and on board of aircrafts, and were amazed that apparently nobody realized what their laptop was secretly requesting. It seems that this neglected WPAD flaw is growing, while it's commonly assumed to be fixed. The paper will be backed up by statistics and reveal why badWPAD remains to be a major security concern and what should be done to protect against this serious risk.


Presenters:

  • Maxim Goncharov - Trend Micro Inc.
    Maxim Goncharov is a Threat Analyst with 15 years working experience in the field of computer security. He is equipped with knowledge in research and development of threat analytics systems, producing white papers based on research work and presenting these research results at security conferences. Maxim participates as speaker at various security conferences and training seminars regarding the topic of cybercrime and related issues (e.g.cyberterrorism, cybersecurity, underground economy, etc.), like PacSec,Power of Community, DeepSec, VB, APWG. He performs underground research and the development of secure analytics tools are some of the most important parts of his day- to-day work.

Links:

Similar Presentations: