Friday, December 28, 2007

[security] Microsoft Security Advisory (945713) can open arbitrary pages.

Microsoft Security Advisory (945713), "Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure", names "man-in-the-middle attacks" as the threat. But is this vulnerability really only a man-in-the-middle issue?

What causes this threat?
A malicious user could host a WPAD server, potentially establishing it as a proxy server to conduct man-in-the-middle attacks against customers whose domains are registered as a subdomain to a second-level domain (SLD). For customers with a primary DNS suffix configured, the DNS resolver in Windows will attempt to resolve an unqualified "wpad" hostname using each sub-domain in the DNS suffix until a second-level domain is reached. For example, if the DNS suffix is corp.contoso.co.us and an attempt is made to resolve an unqualified hostname of wpad, the DNS resolver will try wpad.corp.contoso.co.us. If that is not found, it will try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not found, it will try to resolve wpad.co.us, which is outside of the contoso.co.us domain.
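The devolution sequence the advisory describes can be checked for your own DNS suffix. The following is an added example (not part of the original post or the advisory): it lists the hostnames Windows would try for an unqualified "wpad" and flags those that fall outside the zone your organization actually controls. It assumes, as the advisory's example does, that devolution stops once a second-level domain is reached; the real stopping level is a Windows setting, so the default of two labels is an assumption.

```python
"""Which hostnames does Windows DNS devolution try for an unqualified "wpad",
and which of them could be registered by someone outside the organization?
Added example; the stop-at-two-labels default is an assumption taken from the
advisory's own example, not a guaranteed Windows default."""


def devolution_candidates(name: str, dns_suffix: str, stop_at_labels: int = 2) -> list[str]:
    """Return the fully qualified names tried, in order, for `name` under
    `dns_suffix`, dropping the leftmost label each time until fewer than
    `stop_at_labels` labels remain (i.e. the second-level domain was tried)."""
    labels = dns_suffix.strip(".").split(".")
    candidates = []
    while len(labels) >= stop_at_labels:
        candidates.append(f"{name}.{'.'.join(labels)}")
        labels = labels[1:]  # devolve one level toward the TLD
    return candidates


def outside_organization(candidates: list[str], org_zone: str) -> list[str]:
    """Return the candidates that are not inside the zone the organization
    controls; anyone able to register a host there could answer for 'wpad'."""
    zone = org_zone.strip(".").lower()
    return [
        c for c in candidates
        if not (c.lower() == zone or c.lower().endswith("." + zone))
    ]


def wpad_exposure(dns_suffix: str, org_zone: str) -> list[str]:
    """Convenience wrapper: names outside `org_zone` that a client with the
    given primary DNS suffix would query for 'wpad' if earlier lookups fail."""
    return outside_organization(devolution_candidates("wpad", dns_suffix), org_zone)


if __name__ == "__main__":
    # Constructed input matching the advisory's example.
    suffix, zone = "corp.contoso.co.us", "contoso.co.us"
    for host in devolution_candidates("wpad", suffix):
        status = "OUTSIDE" if host in wpad_exposure(suffix, zone) else "inside"
        print(f"{host:28s} {status} {zone}")
```

An empty result from wpad_exposure() means every name in the chain is under your own zone; the usual mitigation is to register a wpad record (or a deliberately unresolvable one) inside your zone so that devolution never reaches a name you do not control, and to monitor DNS logs for queries to the outside candidates.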
I verified, using a malicious proxy.pac (wpad.dat), that it can open arbitrary malicious pages as if they were the real pages.

For example, put the following in proxy.pac:
function FindProxyForURL(url, host)
{
    // Every request, whatever its URL or host, is routed through this proxy.
    return "PROXY www.yahoo.co.jp:80";
}

Configure this in Internet Explorer 6 (the screenshot shows the Japanese version of IE).
The setting file is placed on the local disk for convenience,
but it makes no difference if it is placed at wpad.contoso.co.us instead.


Then browse to "http://www.microsoft.com/":
"http://www.yahoo.co.jp/" is shown instead.
(Look at the URL in the browser's address bar.)


Next, how about Firefox 2?

(The screenshot shows the Japanese version of Firefox.)
The setting file is placed on the local disk for convenience,
but it makes no difference if it is placed at wpad.contoso.co.us instead.


Then browse to "http://www.microsoft.com/":
again, "http://www.yahoo.co.jp/" is shown instead.
(Look at the URL in the browser's address bar.)



This is "by design" for proxy.pac: the browser sends every request to whatever proxy the script returns and still displays the original URL. So hijacking WPAD (or proxy.pac) can open arbitrary malicious pages under a trusted URL, not only enable man-in-the-middle attacks.

Take care of yourself! :-)
