Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security Bug Encryption Privacy The Internet Windows

Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn (csoonline.com) 75

It's enabled by default on Windows (and supported by other operating systems) -- but now security researchers are warning that "Man-in-the-middle attackers can abuse the WPAD protocol to hijack people's online accounts and steal their sensitive information even when they access websites over encrypted HTTPS or VPN connections," according to CSO. Slashdot reader itwbennett writes: Their advice: disable WPAD now. "No seriously, turn off WPAD!" one of their presentation slides said. "If you still need to use PAC files, turn off WPAD and configure an explicit URL for your PAC script; and serve it over HTTPS or from a local file"... A few days before their presentation, two other researchers named Itzik Kotler and Amit Klein independently showed the same HTTPS URL leak via malicious PACs in a presentation at the Black Hat security conference. A third researcher, Maxim Goncharov, held a separate Black Hat talk about WPAD security risks, entitled BadWPAD.
This discussion has been archived. No new comments can be posted.

Disable WPAD Now or Have Your Accounts Compromised, Researchers Warn

Comments Filter:
  • No How To?? (Score:5, Informative)

    by zenlessyank ( 748553 ) on Saturday August 13, 2016 @09:42AM (#52696059)

    To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:

            Click the Start button, and in the search field, type in "regedit", then select "regedit.exe" from the list of results
            Navigate through the tree to "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad"
            Once you have the "Wpad" folder selected, right click in the right pane, and click on "New -> DWORD (32-Bit Value)"
            Name this new value "WpadOverride"
            Double click the new "WpadOverride" value to edit it
            In the "Value data" field, replace the "0" with a "1", then click "OK"
            Reboot the computer

    • Re:No How To?? (Score:5, Informative)

      by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Saturday August 13, 2016 @09:45AM (#52696075) Homepage Journal

      Windows Registry Editor Version 5.00

      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
      "WpadOverride"=dword:00000001

      • Re: No How To?? (Score:4, Informative)

        by Anonymous Coward on Saturday August 13, 2016 @10:33AM (#52696207)

        You don't need to mess around in the registry and reboot.

        All you have to do is go into Internet Options (control panel) > Connections > LAN Settings

        Uncheck the top box labeled Automatically detect settings.

        There are GPOs for this as well. And this is not anything close to news. Most companies already disable this in Group Policy because it barely works and is obviously horrifically insecure to anyone that even starts to look into how it works.

    • by wwphx ( 225607 )
      Thank you. I was a little stunned that there was no info in the TFA to disable it.
      • Yeah, seriously. Telling people that you are at risk of account compromise unless you do "X" and then giving zero instructions on how to do "X" is pretty terrible.

        I did Google for instructions on how to disable Wpad and found the registry setting mentioned above, but it didn't seem clear whether that was sufficient. The instructions below saying "This should work for most users" just add to the confusion.

      • Umm, when I went to the article there was a little box that showed the screen where you can disable it without going into the registry. Seriously, if you don't know how to disable it, I really hope you don't do ANYTHING to the registry.
        • by hparker ( 41819 )

          When I tried to go to the illustrated panel, it looked totally different on my Windows 7 PC. Does it look the same on your PC? What version of Windows does that illustration apply to?

    • by Anonymous Coward

      Also from what I can tell this is a local network attack.

      So if you never take your computer of your home network dont panic too much.

      If you plug your computer into remote networks (your local bistro, etc) this could be an issue.

      This sort of attack has been known for awhile with pac files. I was considering setting up this very thing on my home network. But I quickly figured out it was an easy way for someone to inject javascript into every web page I am on. Pac files have pretty much full control of ever

    • To prevent Windows from tracking which network support WPAD, you need to make a simple registry change:

      That's the method that Grandma uses.

    • If you want to do this in a single command, or batch file, I believe this will do the same:
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad" /f /v "WpadOverride" /t REG_DWORD /d 1

      Caveat: I'm more of a Linux guy, but with stack overflow and some trial and error, this worked on my Win10 system.

  • Unless I have Windows Server 2008 RC2. Any clues as to how to turn it off on Windows 10? I do not use proxy so I should turn it off regardless.
  • WPAD? (Score:5, Informative)

    by TechyImmigrant ( 175943 ) on Saturday August 13, 2016 @09:43AM (#52696067) Homepage Journal

    If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

    • by Anonymous Coward

      If you were finding the summary to be less than clear on WTF it was referring to.. WPAD = Web Proxy Autodiscovery Protocol.

      I've done well over the past 20 years by just looking for marketingspeak and deactivating pre-emptively.

      Insert a CD or device and then manually run SETUP.EXE? Fine. Insert a CD and let Autorun do it? Presume insecure. Disable.

      DHCP is "Dynamic Host Configuration Protocol." No marketing name, but it works just fine and automagically gets me an IP. Something like Web Proxy Auto Disco

  • Is there any such setting to disable on OS X/macOS?

  • How to turn off WPAD (Score:4, Informative)

    by JustAnotherOldGuy ( 4145623 ) on Saturday August 13, 2016 @10:23AM (#52696191) Journal

    This should work for most users:

    1. Uncheck “Automatically detect settings” of Local Area Network (LAN) Settings in Internet Options.

    2. Disable the service “WinHTTP Web Proxy Auto-Discovery Service” in Services.

    3. Disable devolution by setting UseDomainNameDevolution value under the following registry entry to 0 (FALSE):

                  HKLM\System\CurrentControlSet\Services\Tcpip\Parameters

    • by EvilSS ( 557649 )
      Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled (which should be all of them if you like your sanity).
      • Disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled.

        Thank you for pointing that out. (I'm not using a domain-joined PC myself but I'm sure lots of other people here are.)

    • How is this better or different from the single-step option of setting the WpadOverride registry key to "1"? And since you say this "should work for most users", what users will it not work for?

      It is unfortunate that the original article didn't explain this carefully (or at all, actually).

      • How is this better or different from the single-step option of setting the WpadOverride registry key to "1"?

        I don't know. Perhaps someone more savvy with WPAD than I can comment.

        -

        And since you say this "should work for most users", what users will it not work for?

        As EvilSS mentioned, "disabling domain devolution is not necessary and will break short-name resolution on domain joined machines where NetBIOS and WINS are disabled". So I would guess it won't work for users with that environment.

  • If anyone made a program to disable this, you'd probably make some money. I don't want to try remotely editing the Registry on my mother's computer :-)
  • by Anonymous Coward

    Article links to 2 PDF's hosted by Blackhat. Can't wait to read em!

  • Sounds a bit overhyped to me, "You won't believe what happened when they connected to an untrusted network!"
    • by Anonymous Coward

      Because you might at first read this as an attack on HTTPS, I can understand why you're skeptical.
      This is however not an attack on HTTPS. Instead, what happens is that if WPAD is enabled, your browser tries (when it connects to a new network) to locate a computer named WPAD, through various ways ultimately falling back on the NetBIOS name, which users are on most networks free to specify themselves.
      From this WPAD computer it downloads a bit of JavaScript, which must provide the browser with a function calle

  • by random_ID ( 1822712 ) on Saturday August 13, 2016 @01:59PM (#52696853)
    I found an 8 year-old article (http://perimetergrid.com/wp/2008/01/11/wpad-internet-explorers-worst-feature/) about this and how to disable it with a simple Google search. I'm still glad Slashdot posted about it today because I would never have realized it was a problem. How has this vulnerability existed for almost a decade without being rectified?
    • by allo ( 1728082 )

      I think the guy is mixing up two different invulnerabilities. The one is about intercepting connections by sending a lot of ack packets, the other one is about faulty resolution of the dns-name for the wpad server.

  • by QuietLagoon ( 813062 ) on Saturday August 13, 2016 @04:24PM (#52697275)
    ... "Stop using Windows NOW. No, seriously, stop using it NOW!" ?
  • Can someone in the know make a definitive statement about whether this affects OS X users and if it does what to do?
    • It does not affect Mac OS X.

      WPAD is used to lookup the server that then supplies the proxy auto config file (proxy.pac).

      On Mac OS X, under System Preferences, Network, Advanced, Auto Proxy Configuration.
      You would have to type in the location manually, rather than the system using WPAD to attempt to locate it by itself.

      So, Mac OS X is not vulnerable to this.

  • PAC Javascript isn't evaluated every time. IE uses APRC to cache results per host (not URL), so this significantly diminishes the capabilities of this exploit. To make this exploit work to the degree claimed, requires APRC to be disabled, which I suspect might have been done here.

    You can disable this via the registry DWORD (0) at HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\EnableAutoproxyResultCache.

    https://support.microsoft.com/... [microsoft.com]

Trap full -- please empty.

Working...