[dns-operations] Web Proxy Auto-Discovery (WPAD) Information Disclosure
Gadi Evron
ge at linuxbox.org
Mon Dec 3 23:43:07 UTC 2007
http://www.microsoft.com/technet/security/advisory/945713.mspx
A malicious user could host a WPAD server, potentially establishing it as
a proxy server to conduct man-in-the-middle attacks against customers
whose domains are registered as a subdomain to a second-level domain
(SLD). For customers with a primary DNS suffix configured, the DNS
resolver in Windows will attempt to resolve an unqualified "wpad" hostname
using each sub-domain in the DNS suffix until a second-level domain is
reached. For example, if the DNS suffix is corp.contoso.co.us and an
attempt is made to resolve an unqualified hostname of wpad, the DNS
resolver will try wpad.corp.contoso.co.us. If that is not found, it will
try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not
found, it will try to resolve wpad.co.us, which is outside of the
contoso.co.us domain.
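
The devolution walk quoted above can be reproduced offline to audit a primary DNS suffix. This is an added example, not part of the original post or of Microsoft's resolver code; the function names and the `org_domain` parameter (the domain the organization actually controls, supplied by the operator) are assumptions.

```python
def devolution_candidates(host, primary_suffix):
    """Names tried for an unqualified host, per the advisory text:
    drop the leftmost suffix label each time until only a
    second-level domain (two labels) is left."""
    if "." in host:
        raise ValueError("devolution applies to unqualified hostnames only")
    labels = primary_suffix.strip(".").lower().split(".")
    names = []
    while len(labels) >= 2:
        names.append(host.lower() + "." + ".".join(labels))
        labels = labels[1:]
    return names


def audit(host, primary_suffix, org_domain):
    """Return (name, inside_org) pairs; inside_org is False when the
    candidate's parent zone is not org_domain or a subdomain of it."""
    org = org_domain.strip(".").lower()
    results = []
    for name in devolution_candidates(host, primary_suffix):
        parent = name.split(".", 1)[1]
        inside = parent == org or parent.endswith("." + org)
        results.append((name, inside))
    return results


def escaping_names(host, primary_suffix, org_domain):
    """Candidates that would be answered by a zone outside the organization."""
    return [n for n, inside in audit(host, primary_suffix, org_domain) if not inside]


if __name__ == "__main__":
    # Constructed inputs: the advisory's own suffix, plus a .com suffix for contrast.
    for suffix, org in [("corp.contoso.co.us", "contoso.co.us"),
                        ("corp.contoso.com", "contoso.com")]:
        print(suffix)
        for name, inside in audit("wpad", suffix, org):
            print("  %-28s %s" % (name, "ok" if inside else "OUTSIDE " + org))
```

Any name reported as outside the organization is one to check in resolver or proxy logs, since whoever controls that parent zone answers the WPAD lookup.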