Michigan and Verisign researchers demonstrate new man-in-the-middle WPAD query attack

New security ramifications exist when laptops and smartphones configured for enterprise systems are used outside the enterprise in the realm of the wider web.

Prof. Z. Morley Mao

Security researchers Prof. Z. Morley Mao and CSE graduate student Qi Alfred Chen of the University of Michigan, together with Principal Scientist Eric Osterweil and Senior Data Architect Matthew Thomas of Verisign Labs, have shown that laptops and smartphones configured for an enterprise network carry new security risks when they are used outside that network, on the wider Internet.

Many enterprises have configured their internal networks under top-level names such as .school or .network that, when they were chosen, did not exist in the public DNS, as a way of making it easier for employees to reach and manage internal systems. Meanwhile, the Internet Corporation for Assigned Names and Numbers (ICANN) has approved over 900 new generic top-level domains (gTLDs) for public use as part of a namespace expansion effort. Where a newly delegated gTLD matches a name an enterprise has been using privately, the same domain name can now exist both inside the enterprise and on the public Internet, setting the stage for what is known as “name collision.”

In particular, many systems use the Web Proxy Auto-Discovery (WPAD) protocol to find the web proxy settings they should use: the device looks up a DNS name of the form wpad.<its DNS suffix> and, if that name resolves, fetches a proxy configuration file from the host it points to. Inside the enterprise, the internal resolver answers the query with the intended settings. Outside it, the same query reaches the public DNS, and once the matching gTLD has been delegated an attacker can register the colliding domain name, answer the wpad lookup, and host a rogue proxy configuration file. The user’s web traffic is then routed through a server the attacker controls, a man-in-the-middle (MitM) attack, and the system is at risk.
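The lookup sequence described above, modelled as an added example (this is not code from the paper or from Verisign): given a device's DNS search suffixes, it lists the wpad.* names the device will query and the URL it will fetch a proxy configuration from, and classifies each name by whether its top-level label has been delegated publicly and whether the second-level domain is already registered. The suffix-devolution rule (try the suffix, then each parent down to the second-level domain) is a simplified model of Windows behaviour, and the sets of delegated gTLDs and registered domains are constructed sample data, not real registry state.

```python
"""Model how a WPAD client turns its DNS search list into wpad.* queries,
and where a new-gTLD delegation turns a harmless leak into a MitM foothold.

Added illustration. The devolution rule and both data sets below are
simplified assumptions, not the paper's measurements.
"""
from dataclasses import dataclass

# Constructed sample: top-level labels treated as delegated in the public root.
DELEGATED_NEW_GTLDS = {"school", "network", "office", "global"}

# Constructed sample: second-level names that someone (not necessarily the
# enterprise that uses them internally) has already registered publicly.
PUBLICLY_REGISTERED = {"acme.school", "contoso.network"}


@dataclass(frozen=True)
class WpadCandidate:
    qname: str    # DNS name the client will look up
    pac_url: str  # where it fetches the proxy configuration if the name resolves
    status: str   # "legacy-tld" | "collidable" | "exploitable"


def devolve(suffix: str, min_labels: int = 2) -> list[str]:
    """Return the suffix and each parent down to `min_labels` labels.

    Simplified model of DNS suffix devolution (assumption): a client configured
    with eng.acme.school also tries acme.school, but never the bare TLD.
    """
    labels = suffix.strip(".").lower().split(".")
    out = []
    while len(labels) >= min_labels:
        out.append(".".join(labels))
        labels = labels[1:]
    return out


def classify(domain: str, delegated: set[str], registered: set[str]) -> str:
    """Classify a leaked name by what an attacker could do with it.

    legacy-tld  : the TLD is not in the public root, the query just fails
    collidable  : the TLD exists publicly; whoever registers the SLD can answer
    exploitable : the SLD is already registered, so the answer can be rogue today
    """
    labels = domain.split(".")
    tld = labels[-1]
    sld = ".".join(labels[-2:])
    if tld not in delegated:
        return "legacy-tld"
    if sld in registered:
        return "exploitable"
    return "collidable"


def wpad_candidates(search_suffixes: list[str],
                    delegated: set[str] = DELEGATED_NEW_GTLDS,
                    registered: set[str] = PUBLICLY_REGISTERED) -> list[WpadCandidate]:
    """Enumerate the wpad.* lookups a device with this search list will emit.

    Inside the enterprise the internal resolver answers these; on a home or
    public network the same queries go to the public DNS, which is the leak.
    """
    seen: set[str] = set()
    result: list[WpadCandidate] = []
    for suffix in search_suffixes:
        for domain in devolve(suffix):
            qname = f"wpad.{domain}"
            if qname in seen:
                continue
            seen.add(qname)
            result.append(WpadCandidate(
                qname=qname,
                pac_url=f"http://{qname}/wpad.dat",
                status=classify(domain, delegated, registered),
            ))
    return result


if __name__ == "__main__":
    # Constructed search list for a laptop that has left the office.
    for cand in wpad_candidates(["eng.acme.school", "it.corp", "ops.contoso.office"]):
        print(f"{cand.status:<11} {cand.qname:<26} -> {cand.pac_url}")
```

The useful output is the `exploitable` row: a laptop configured for eng.acme.school will, at home, ask the public DNS for wpad.acme.school and fetch whatever http://wpad.acme.school/wpad.dat returns, so the party holding the acme.school registration decides the device's proxy.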

The researchers have studied name collision in the new gTLD era and WPAD query leakage from internal networks. Their findings have been published in the paper, “MitM Attack by Name Collision: Cause Analysis and Vulnerability Assessment in the New gTLD Era,” which was presented at the 2016 IEEE Symposium on Security and Privacy.

Their study shows that millions of WPAD queries leak into the public DNS namespace every day. Before the gTLD expansion these leaks were hard to exploit, because the top-level names being queried did not exist in the public DNS. The name collision problem of the new gTLD era changes that: attackers now have the opportunity to exploit the leaks and set up MitM proxies with nothing more than a domain name registration.

To show the severity of the problem, the researchers characterized the leaked WPAD query traffic and found that a likely cause of the leakage is end-user devices that keep generating internal queries when used outside the internal network (for example, at home). They also identified “highly-vulnerable domains,” domains that routinely expose many potential victims. As of September 2015, 10% of these highly-vulnerable domains had already been registered publicly, so the corresponding users could be attacked at any time. This demonstrates a real threat to Internet users in the wild and makes a strong and urgent case for deploying proactive protection. Finally, the researchers discuss promising directions for remediation and use empirical data analysis to estimate and compare their effectiveness and deployment difficulties.

A US-CERT alert based on this work, TA16-144A, was issued on May 23, 2016. It applies to all computers using WPAD, including Windows, OS X, and Linux systems, and to web browsers with WPAD enabled. For an enterprise, the immediate checks that follow from the study are whether its internal namespace sits under a top-level name that has been or could be delegated as a public gTLD, whether that name is already registered publicly by someone else, and whether WPAD is enabled on devices that leave the network. Verisign has published suggested remediations for enterprises in its white paper, Enterprise Remediation for WPAD Name Collision Vulnerability.