jueves, 13 de octubre de 2011

Browser Security: Man in the Middle with WPAD

(For a demonstration of the issue discussed in this article, please go here: http://auditcasts.com/screencasts/17-man-in-the-middle-web-attacks-using-wpad )

In today's networked world, the vast majority of "work" that we do is done in a web browser. As it turns out, there's a very common configuration setting that creates enormous potential for serious information leakage or compromise in those very web browsers that we trust.
Using thin clients and leveraging web applications isn't any more dangerous than any other networked activity that we engage in, but there is a very serious vulnerability that you should be aware of if you're an IT auditor or are in a security function within your business. What is it? WPAD!

WPAD, Web Proxy Auto-Discovery, is handy service to allow you to let your browser discover local network proxy settings without having to call the help desk. Unfortunately, it can be used to compromise our information. The real root of the problem comes back to the typical "On by Default" problem that so many products suffer from. Of course, we can understand why it's enabled by default; it allows a user to discover proxy requirements and automatically reconfigure to use them without the user having to know what's going on.

While the attack that is described in the demonstrationis viable in most environments, Windows systems are particularly susceptible. The reason is that when the system tries to see if there's a system offering proxy configuration, it will begin by trying to perform a NetBIOS resolution for a host named WPAD. In an Apple or Linux environment the system will default to a DNS lookup rather than NetBIOS, making an attacker's job slightly more difficult. Please take note that I said slightly more difficult, not impossible. In a future episode we'll examine how to perform this same attack in an Apple or UNIX environment.


Fuente: Blog it-audit.sans.org - David Hoelzer

No hay comentarios: