-8-
Why are you still using my server for your internet access - Thomas Boejstrup Johansen
Ah, WPAD — now that's a name I haven't heard in a long time.
Short for "Web Proxy Auto-Discovery", WPAD is a protocol for machines on local networks to get their proxy configuration. Invented by Netscape in 1996, this protocol has been deprecated for a LONG time — in 1999, today marking its 25th anniversary.
WPAD is pretty simple — it uses the network name of the user's machine to search for a wpad.dat file, going from more specific to broad. For example, if the network name is pc.team.dep.org.com, a WPAD implementation will try to fetch wpad.team.dep.org.com/wpad.dat, wpad.dep.org.com/wpad.dat and wpad.org.com/wpad.dat in order as long as the last one wasn't found.
wpad.dat is a Proxy Auto-Config (PAC) file - a JavaScript file running in a limited environment. It implements a function that takes a URL and decides on the proxy server for the request (or DIRECT, for no proxy).
So why is this interesting? It happens that many implementations do an additional step, stripping the domain all the way to wpad.com/wpad.dat.
This is on the public internet! Thus this implementation takes a PAC file from a stranger and uses it as the device's proxy configuration.
Luckily, notable WPAD TLDs — com, org, and net — are protected and cannot be registered. However, others are fair game!
In his excellent talk, Thomas reveals that he was able to register wpad.dk (the TLD for Denmark) alongside a few more.
He set up a simple PAC file directing all traffic back to p.wpad.dk, with interesting information like the domain, private and public IP addresses of the client. The proxy always responds with an error message, while Thomas was able to record details about the access.
Here's the stats: 90K requests a day, totaling a whopping 1.1 billion (!!) requests in a year. They span the entire world but mostly from Europe.
The HTTP GET requests were made to many file extensions, like thousands of credentials and over half a million executables. About 200k URLs also included credentials in parameters! Interestingly, the server has received POST requests too, with their entire body!
The clients' User-Agents show how the WPAD issue is not solely a Microsoft problem but spans almost every possible client in existence — Linux, Apple, and many distinct applications are affected.
During his research, Thomas also looked at wpad.dat files on other TLDs, finding some suspiciously malicious — one redirecting unencrypted requests through their proxy, and another one stealing ad requests, possibly for revenue theft!
The talk is great, containing hilarious tidbits about the research and the feedback form on the proxy. These vulnerabilities display both the ingenuity of researchers and the difficulty of fully deprecating a problematic service once it's deeply ingrained in systems.
#DEFCON #wpad #vulnerability #proxy
https://www.youtube.com/watch?v=uwsykPWa5Lc
RightToPrivacy & Tech Tips 
