WPAD trouble - CVE-2007-1692
Hacker conferences are more often than not a source of work for security people. When Microsoft issued MS99-054 (fixing CVE-1999-0858) one would have assumed they had looked into the auto-configuration of MSIE's proxy settings deep enough to not have to fix it again. Unfortunately no such luck was with us.
wpad names in DNS or WINS that are inserted by malicious locals are enough to divert browsers to an unauthorized proxy. Apparently the issue is bad enough for Microsoft to release KB 934864 about it.
To summarize to use WPAD yourself in your DHCP:
- dhcpd:
add this to your config:
option option-252 "http://example.com/path/to/proxyconfig.pac";
or
option wpad code 252 = text
option wpad "http://example.com/path/to/proxyconfig.pac";
See more in the recently expired IETF draft.
- Microsoft's DHCP:
http://www.microsoft.com/technet/isa/2004/help/SRSP1_H_Create252.mspx
If you can't do that, create a DNS TXT record with the name WPAD in every domainname you run to avoid MSIE finding a host with that name and do the same in WINS. (see the above mentioned KB for how to do it in Microsoft's implementations)
We've added this vulnerability in our overview table, Mitre assigned it CVE-2007-1692 as name.
--
Swa Frantzen -- NET2S
Comments