List: bleeding-sigs
Subject: Re: [Bleeding-sigs] New Rules: WPAD / Web Proxy Autodiscovery Protocol
From: CunningPike <cunningpike () gmail ! com>
Date: 2007-12-13 5:55:23
Message-ID: 4760C94B.1050800 () gmail ! com
Awesome - many Canadian domains are second level, e.g. bc.ca, on.ca and
so on.
CP
Blake Hartstein wrote:
> This is an interesting contribution. The wpad vulnerability only affects
> second level domains, such as .com.au, .com.sg .co.in .co.uk. Many US
> clients are not affected, but there are workarounds available for those
> that are vulnerable.
> Adam also sent us this description:
>
> As the Microsoft advisory notes (this isn't patched yet), Internet
> Explorer (and other applications that use Internet Explorer settings,
> such as Winamp and system updating utilities) use WPAD (Web Proxy
> AutoDiscovery Protocol) to search out automatically to find a suitable
> proxy server to use.
>
> The risk is that client systems will automatically search out (if you
> don't have a DNS entry on your local domain for wpad.company.com.au)
> wpad.co.in and get its proxy server definition from that remote server,
> which is not controlled by your organization.
>
> Therefore, an owner of wpad.com.au etc, can define a proxy to use, which
> can therefore mean a MITM scenario is built.
> More information:
> http://en.wikipedia.org/wiki/Web_Proxy_Autodiscovery_Protocol
> http://www.microsoft.com/technet/security/advisory/945713.mspx
>
> #by Adam Pointon at sentinelsecurity.com.au
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.com"; content:"|04|wpad|03|com|02|";
> nocase; reference:url,support.microsoft.com/kb/247333;
> classtype:attempted-user; sid:2007707; rev:1;)
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.co"; content:"|04|wpad|02|co|02|"; nocase;
> reference:url,support.microsoft.com/kb/247333; classtype:attempted-user;
> sid:2007708; rev:1;)
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.net"; content:"|04|wpad|03|net|02|";
> nocase; reference:url,support.microsoft.com/kb/247333;
> classtype:attempted-user; sid:2007709; rev:1;)
> alert udp $HOME_NET any -> $DNS_SERVERS 53 (msg:"BLEEDING-EDGE DNS
> Possible MITM lookup for WPAD.org"; content:"|04|wpad|03|org|02|";
> nocase; reference:url,support.microsoft.com/kb/247333;
> classtype:attempted-user; sid:2007710; rev:1;)
>
> Enjoy, comments welcome.
> -Blake
> _______________________________________________
> Bleeding-sigs mailing list
> Bleeding-sigs@bleedingthreats.net
> http://lists.bleedingthreats.net/cgi-bin/mailman/listinfo/bleeding-sigs
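As an added illustration of the quoted rules (this is example code written for this page, not Adam's or Blake's, and not a Snort component): the four `content:` patterns are DNS wire-format label sequences, so a constructed A query for a name like wpad.com.au carries exactly the bytes `|04|wpad|03|com|02|`, while a lookup that stays inside the organization (wpad.company.com.au) does not. The second helper walks a hostname up one label at a time to list which WPAD names a devolving client would try and which of those leave the organization's zone; the stopping point (two labels left, e.g. `com.au`) is an assumption for this example, as is the sample hostname.

```python
"""Added example: DNS wire-format encoding, the byte-match logic of the
quoted WPAD signatures, and a view of which devolved WPAD lookups escape
the organization's own zone. Not code from the original post."""
import struct

# Byte patterns taken from the quoted rules (sid -> content).
WPAD_PATTERNS = {
    2007707: b"\x04wpad\x03com\x02",
    2007708: b"\x04wpad\x02co\x02",
    2007709: b"\x04wpad\x03net\x02",
    2007710: b"\x04wpad\x03org\x02",
}


def encode_name(name: str) -> bytes:
    """Encode a dotted DNS name as length-prefixed labels, NUL terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A/IN query: 12-byte header plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def parse_qname(packet: bytes) -> str:
    """Return the first question name (question names are never compressed)."""
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def matching_sids(packet: bytes) -> list:
    """Sids of the quoted rules whose content would match this packet.

    The rules use 'nocase'; bytes.lower() only touches ASCII A-Z, and a
    label length byte is at most 63 (0x3f), so length bytes are unaffected."""
    lowered = packet.lower()
    return sorted(sid for sid, pat in WPAD_PATTERNS.items() if pat in lowered)


def wpad_candidates(hostname: str, org_domain: str) -> list:
    """Names a devolving WPAD lookup would try for a host, with a flag telling
    whether each stays inside org_domain. Assumption for this example: the
    walk stops once two labels remain (so wpad.com.au is tried, wpad.au is not)."""
    parts = hostname.lower().split(".")[1:]  # drop the host label itself
    out = []
    while len(parts) >= 2:
        name = "wpad." + ".".join(parts)
        out.append((name, name.endswith("." + org_domain.lower())))
        parts = parts[1:]
    return out


if __name__ == "__main__":
    # Constructed sample: a workstation in a .com.au organization.
    for name, inside in wpad_candidates("pc1.company.com.au", "company.com.au"):
        pkt = build_query(name)
        print(f"{name:24} inside_org={inside!s:5} sids={matching_sids(pkt)}")
```

Running it shows the rule with sid 2007707 firing only on the escaped lookup (wpad.com.au) and not on wpad.company.com.au, which is the name an organization should define locally so the client never walks further up.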