
Exploiting Windows 10 in a Local Network with WPAD/PAC and JScript - runesoerensen
https://googleprojectzero.blogspot.com/2017/12/apacolypse-now-exploiting-windows-10-in_18.html
======
finchisko
Just checked wpad.sk. According to who.is, the domain has been updated recently.
One of the listed organizations is ptstrustee.com, which specializes in hiding
the real identity of domain owners.

As expected they're serving
[http://wpad.sk/wpad.dat](http://wpad.sk/wpad.dat). In that file there is a
reference to the WPADblock.com project. But not sure if it's legit. Also in
wpad.dat there are some regexps. If the conditions are met, it sets the proxy
server to their server.

For me it's strange. Does anybody have experience from other TLDs?

~~~
wpadownerlol
I just purchased a wpad.$TLD to see how much traffic it will get, I'll post
back when DNS updates.

~~~
wpadownerlol
6092 requests in 3 hours. 73 unique IP addresses. Unique UserAgents:
"WinHttp-Autoproxy-Service/5.1".
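The count the commenter reports can be reproduced from an ordinary web server access log. The script below is an added example, not part of the thread or of the Project Zero article: it parses constructed sample lines in Apache "combined" format (IP addresses from the documentation ranges, timestamps and byte counts made up), keeps only fetches of `/wpad.dat`, and reports request count, unique client IPs and the User-Agent strings seen. The same filter run over an organization's own proxy or web logs shows which clients are still issuing WPAD lookups.

```javascript
// Added example (not from the thread): count WPAD probes in a web server's
// access log. SAMPLE_LOG is constructed test data in Apache "combined" format;
// the IPs are documentation-range placeholders.
var SAMPLE_LOG = [
  '192.0.2.10 - - [18/Dec/2017:10:00:01 +0000] "GET /wpad.dat HTTP/1.1" 200 312 "-" "WinHttp-Autoproxy-Service/5.1"',
  '192.0.2.10 - - [18/Dec/2017:10:05:17 +0000] "GET /wpad.dat HTTP/1.1" 200 312 "-" "WinHttp-Autoproxy-Service/5.1"',
  '198.51.100.7 - - [18/Dec/2017:10:06:02 +0000] "GET /wpad.dat HTTP/1.1" 200 312 "-" "WinHttp-Autoproxy-Service/5.1"',
  '203.0.113.44 - - [18/Dec/2017:10:07:45 +0000] "GET /WPAD.DAT?x=1 HTTP/1.1" 200 312 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/57.0"',
  '198.51.100.7 - - [18/Dec/2017:10:09:30 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.55.1"',
  'garbage line that does not match the format'
];

// Apache combined format:
// ip ident user [time] "method path proto" status bytes "referer" "user-agent"
var COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

// Parse one line into a record, or return null if it is not combined format.
function parseLine(line) {
  var m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: m[5], userAgent: m[6] };
}

// Summarize every request for /wpad.dat: total, distinct client IPs,
// and a count per User-Agent string. Unparsable lines are counted, not dropped silently.
function summarizeWpadProbes(lines) {
  var requests = 0;
  var ips = {};
  var agents = {};
  var unparsed = 0;
  lines.forEach(function (line) {
    var rec = parseLine(line);
    if (!rec) { unparsed += 1; return; }
    // WPAD clients fetch /wpad.dat; compare case-insensitively and ignore any query string.
    if (rec.path.split("?")[0].toLowerCase() !== "/wpad.dat") return;
    requests += 1;
    ips[rec.ip] = true;
    agents[rec.userAgent] = (agents[rec.userAgent] || 0) + 1;
  });
  return {
    requests: requests,
    uniqueIps: Object.keys(ips).length,
    userAgents: agents,
    unparsed: unparsed
  };
}

console.log(JSON.stringify(summarizeWpadProbes(SAMPLE_LOG), null, 2));
```

On the sample data this yields 4 WPAD requests from 3 distinct addresses, three of them from the `WinHttp-Autoproxy-Service/5.1` agent the commenter saw and one from a browser; the malformed line is reported under `unparsed`.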

------
patcheudor
We've known for quite a while that WPAD/PAC is a problem and supporting it by
default is even worse. Exploiting browsers via JavaScript:

[https://www.youtube.com/watch?v=3vegxj5a1Rw](https://www.youtube.com/watch?v=3vegxj5a1Rw)

Rendering JavaScript and other bad things that are apparently still embargoed
in the context of an HTTP 407 with WPAD/PAC being one vector to get in the
middle:

[http://www.falseconnect.com/](http://www.falseconnect.com/)

------
Arnavion
Heh, WPAD from a local network webserver was how I used to ad-block ~10 years
ago. It was easy to make and set up, helped with ad-blocking in both browsers
and hosted web views like game launchers, and allowed always proxying some
sites through a SOCKS5 proxy.

IE never sent the full URL to FindProxyForURL, and around 2017-02 Chrome
followed suit, so I had to migrate it to a Chrome extension. I still have the
wpad.dat configured on the network in case something still reads it.

~~~
Shoothe
Yep, WPAD is extremely useful and it's just JavaScript with some extra
functions [0]!

I've also used it to send *.company.com requests via a local proxy to their
servers and the rest via direct connections, basically emulating split DNS
without sending all traffic through their VPN.

[0]: [http://findproxyforurl.com/example-pac-file/](http://findproxyforurl.com/example-pac-file/)
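The split-routing PAC file this comment and Arnavion's describe looks like the following. This is an added example, not the posters' own wpad.dat or anything from the Project Zero article: a PAC engine (WinHTTP, a browser) loads the file and calls `FindProxyForURL(url, host)` for every request; `company.com` and `proxy.company.com:3128` are constructed placeholders, and `hostInDomain` is a small stand-in for the engine's built-in `dnsDomainIs` so that the file also runs stand-alone under Node. Because the engine applies whatever this function returns to every request, the file matters exactly as much as the thread says: whoever serves it picks the proxy.

```javascript
// Added example (not from the thread): a minimal split-routing PAC file.
// "var" rather than "let"/"const" because PAC engines such as JScript predate ES6.
var INTERNAL_DOMAIN = "company.com";                   // constructed placeholder
var INTERNAL_PROXY = "PROXY proxy.company.com:3128";   // constructed placeholder

// Stand-in for the PAC built-in dnsDomainIs: true when host is the domain
// itself or a subdomain of it (suffix match on a dot boundary, so
// "notcompany.com" does not match "company.com").
function hostInDomain(host, domain) {
  if (host === domain) return true;
  var suffix = "." + domain;
  return host.length > suffix.length &&
    host.slice(host.length - suffix.length) === suffix;
}

// Entry point every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  // IE never passed the path of https:// URLs, and Chrome stopped doing so in
  // 2017 (see the comments above), so decide on host only, never on url.
  host = host.toLowerCase();

  // Plain host names (no dot) and loopback never go through a proxy.
  if (host.indexOf(".") === -1 || host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }

  // *.company.com via the local proxy that can reach their servers; everything
  // else goes direct, which emulates split DNS without a full-tunnel VPN.
  if (hostInDomain(host, INTERNAL_DOMAIN)) {
    return INTERNAL_PROXY;
  }
  return "DIRECT";
}
```

Saved as `wpad.dat` and served with the `application/x-ns-proxy-autoconfig` MIME type, this is the whole file; the path-stripping behaviour mentioned above is why the example never inspects `url`.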

------
youdontknowtho
My reaction when the same thing keeps being a security problem...seriously,
wasn't there a major WPAD/PAC issue earlier this year?

~~~
Spooky23
WPAD is a shitshow and has been for years.

It’s impossible to troubleshoot and doesn’t work well, but at the same time,
it’s the “best worst” solution for many LANs.

I think the right answer to this type of issue is autoconf, but that isn’t
widely adopted.

~~~
snuxoll
I'd love for there to be a better solution, because as you say it's the "best
worst" solution in many cases.

~~~
Spooky23
There are better solutions, but they won’t work everywhere. Transparent
proxies come to mind.

~~~
snuxoll
Transparent proxies break horribly when you need to deal with HTTPS, and I’m
not talking about “oh, you need to install the CA” because that’s necessary
for a configured proxy as well.

Chrome in particular breaks on any Google domain because they pin keys as a
security measure; when using WPAD or manual system proxy settings it will
happily connect.

And before someone says “don’t intercept SSL”, I’ve got Sophos XG deployed on
my home network to do content filtering to keep my five year old from
accidentally pulling up things she shouldn’t online - she’s not at an age
where she gets unsupervised access to the computer, she can’t type (or spell
sometimes) properly, etc. but it lets me pull open Leapfrog Academy for her
and know that if she somehow managed to go elsewhere by accident the chance of
her running into age-inappropriate content is minimal.

------
chx
This begs the question:
[https://superuser.com/q/1278277/41259](https://superuser.com/q/1278277/41259)
how the heck do we disable this in the network stack?

~~~
anonymfus
Ctrl+F "In case you want to take action on your own" in the article.

~~~
chx
I missed that! I didn't read the whole thing, it was too long and the article
ends with things that do not work and somehow I presumed there's nothing that
works, then.

