- Oct 23, 2012
- 12,527
US-CERT has issued a public alert after researchers from the University of Michigan, and Verisign Labs have discovered a method of leveraging the WAPD protocol to launch MitM (Man in the Middle) attacks against corporate networks.
WAPD stands for Web Proxy Auto-Discovery and is a protocol used to broadcast common proxy configurations across a network. The protocol's client is active only when the user connects to a network, searching for a WPAD server via DHCP or DNS, from where it requests a proxy configuration file, if one is available, and applies it to the local computer.
New gTLD domains are the root of the problem
The Michigan and Verisign researchers discovered that the introduction of the new custom top-level domains has created an unwanted name collision bug in how WPAD operates.
The researchers explain that companies have a tendency of using custom domains for their internal network, for which they use internal name servers to resolve the names. For example, instead of an IP, system administrators often rename crucial servers with authentication.network or apiserver.dev URLs.
These servers are only reachable inside the local network because the user needs to be connected to the internal name server to resolve the domain.
Traveling employees can have their computers compromised via WAPD
The research team explains that many of these custom URLs are actually quite common and use many of the new global top-level domains introduced in the past year.
Researchers claim that when the user is outside the company network, on a public network, the DNS requests for these internal name servers get automatically forwarded to public Internet DNS servers.
WAPD stands for Web Proxy Auto-Discovery and is a protocol used to broadcast common proxy configurations across a network. The protocol's client is active only when the user connects to a network, searching for a WPAD server via DHCP or DNS, from where it requests a proxy configuration file, if one is available, and applies it to the local computer.
New gTLD domains are the root of the problem
The Michigan and Verisign researchers discovered that the introduction of the new custom top-level domains has created an unwanted name collision bug in how WPAD operates.
The researchers explain that companies have a tendency of using custom domains for their internal network, for which they use internal name servers to resolve the names. For example, instead of an IP, system administrators often rename crucial servers with authentication.network or apiserver.dev URLs.
These servers are only reachable inside the local network because the user needs to be connected to the internal name server to resolve the domain.
Traveling employees can have their computers compromised via WAPD
The research team explains that many of these custom URLs are actually quite common and use many of the new global top-level domains introduced in the past year.
Researchers claim that when the user is outside the company network, on a public network, the DNS requests for these internal name servers get automatically forwarded to public Internet DNS servers.
