HOME > ADVISORIES


   ADVISORIES

CERT-In Advisory CIAD-2007-16
Configuration Error in Microsoft Web Proxy Automatic Discovery (WPAD) Protocol

Original issue date: March 28, 2007

Severity Rating: High

Systems Affected

  • Microsoft Windows Server 2003 R2 Standard, Enterprise & Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003 R2 Standard, Enterprise & Datacenter x64 Edition
  • Microsoft Windows Server 2003, Standard, Enterprise & Datacenter x64 Edition
  • Microsoft Windows Server 2003 Service Pack 1, when used with:
    - Microsoft Windows Server 2003, Standard Edition (32-bit x86)
    - Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
    - Microsoft Windows Server 2003, Web Edition
    - Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
    - Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems
  • Microsoft Windows Server 2003, Standard, Enterprise & Datacenter Edition (32-bit x86)
  • Microsoft Windows Server 2003, Web Edition
  • Microsoft Windows Server 2003, Datacenter & Enterprise Edition for Itanium-Based Systems
  • Microsoft Windows Small Business Server 2003 Standard Edition
  • Microsoft Windows 2000 Datacenter Server, Advanced Server & Server with Service pack 4
  • Microsoft Windows 2000 Professional Edition
  • Microsoft Small Business Server 2000 Standard Edition

Overview

Microsoft Windows, by default, uses the Web Proxy Autodiscovery Protocol (WPAD) without static WPAD entries, which might allow remote attackers to intercept web traffic by registering a proxy server using WINS or DNS, then responding to WPAD requests.

Description

Web Proxy Automatic Discovery (WPAD) protocol allows automatic discovery of Web Proxy servers. ISA Server uses WPAD to provide a mechanism for clients to locate a WPAD entry containing a URL that points to a server on which the Wpad.dat and Wspad.dat files are generated. The Wpad.dat file is a Java script file containing a default URL template, constructed by Internet Explorer. The Wpad.dat file is used by Web Proxy clients for automatic discovery information.

A WPAD-configured client can use several methods to locate a host that contains a Wpad.dat file. Two of these methods require a WPAD entry to be registered in Domain Name System (DNS) or in Windows Internet Naming Service (WINS). Registering a WPAD entry in DNS or in WINS enables clients to resolve names of hosts that contain proxy automatic configuration files.

If an entity can furtively register a WPAD entry in DNS or in WINS, and this entry resolves to a host with a malicious Wpad.dat file, the internet traffic of WPAD clients will be routed through a malicious proxy server.

Solution

Reserve static WPAD DNS host names and WPAD WINS name records as suggested in Microsoft Security Advisory KB934864


Vendor Information:
http://support.microsoft.com/kb/934864

References

http://archives.neohapsis.com/archives/isn/2007-q1/0418.html
http://news.com.com/Windows+weakness+can+lead+to+network+
traffic+hijacks/2100-1002_3-6170229.html?tag=cd.top

CVE Name
CVE-2007-1692

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003