- Jul 22, 2014
Google’s Project Zero released details of a local proof-of-concept attack against a fully patched Windows 10 PC that allows an adversary to execute untrusted JavaScript outside a sandboxed environment on targeted systems.
The attack is a variation of a WPAD/PAC attack. In Project Zero’s case, the WPAD/PAC attack chains several vulnerabilities, relating to PAC handling and Microsoft’s JScript.dll, in order to gain remote command execution on a victim’s machine.
“We identified 7 security vulnerabilities in (JScript.dll) and successfully demonstrated reliable code execution from local network (and beyond) against a fully patched (at the time of writing) Windows 10 64-bit with Fall Creators Update installed,” wrote Project Zero researchers on the team’s website Monday.
The vulnerabilities have since been patched.
Web Proxy AutoDiscovery (WPAD) protocol attacks are tied to how browsers use PAC (Proxy Auto-Configuration) to route HTTP and HTTPS requests. A PAC file contains JavaScript that tells the browser which proxy to use for a given URL. If a malicious PAC is introduced to the browser, the attacker can monitor the URL of every request the browser makes.
....
...
Despite the fact Microsoft has patched against this type of attack, Project Zero researchers agree with Klein’s assessment.
“Since the bugs are now fixed, does this mean we are done and can go home? Unlikely.
...
Researchers recommend Microsoft users disable WPAD by default and sandbox the JScript interpreter inside the WPAD service.