What's going on with Proxy Autodiscovery and "aPAColypse now"?
Proxy Autodiscovery has been a feature of Windows for nearly 20 years. First drafted in 1999, the idea was that a web browser client could automatically discover the proxy that it should use to connect to the internet. Autodiscovery has always included security challenges: if you discover a service without any form of authentication, then it can advertise a malicious service. For example, if you use an HTTP proxy advertised by a bad guy, that bad guy can inject any content they wish into your browsing session.
This is obviously a problem, and some administrators disable Proxy Autodiscovery right away, but many either don't know about the feature or don't consider the risk severe. It's been this way for quite a long time—so what changed?
This blog post from a few days ago outlined "aPAColypse now," a clever exploit of the Windows 10 implementation of WPAD. The post shows exactly how to remotely compromise a system that fetches a proxy configuration file.
What should I do?
The safest thing to do is to disable WPAD on Windows machines and autoupdate everything. If you can't do that, you want extra assurance, or you want to do some threat hunting, ExtraHop can help you to detect WPAD problems.
Our Threat ID bundle, released earlier this year, has a WPAD detector built into the DNS section. If you want greater visibility, our own Sam Richman just wrote up a nifty WPAD detector that detects all three of the DHCP, DNS and HTTP forms of the attack. This bundle is easy to install and gives you immediate eyes on all relevant transactions.
The bundle addresses the three primary WPAD attack methods: DHCP, DNS, and HTTP. It surfaces requests and responses to/from unauthorized servers and also validates that the Proxy Auto-configuration (PAC) file URI matches a whitelisted domain:
- A DNS request for a PAC file located on server 10.1.1.1 at www.haxx0r.bad/proxy.pac will be detected if the IP address range and haxx0r.bad domains are not whitelisted
- Similarly, a DHCP response from a DHCP server with IP 188.8.131.52 containing a PAC file URI of www.haxx0r.bad/proxy.pac will be detected.
This permits visibility into which clients are making unauthorized requests for WPAD information via any of the three attack methods, and also reveals which unauthorized servers are actually responding with potentially malicious data.
Grab the bundle here, and let us know in the comments if you have any questions!
This is a companion discussion topic for the original entry at https://www.extrahop.com/company/blog/2017/detect-wpad-exploit/