[dns-operations] Web Proxy Auto-Discovery (WPAD) Information Disclosure
Rickard Dahlstrand
rickard.dahlstrand at iis.se
Tue Dec 4 06:23:01 UTC 2007
Gadi Evron wrote:
> http://www.microsoft.com/technet/security/advisory/945713.mspx
>
> A malicious user could host a WPAD server, potentially establishing it as
> a proxy server to conduct man-in-the-middle attacks against customers
> whose domains are registered as a subdomain to a second-level domain
> (SLD). For customers with a primary DNS suffix configured, the DNS
> resolver in Windows will attempt to resolve an unqualified "wpad" hostname
> using each sub-domain in the DNS suffix until a second-level domain is
> reached. For example, if the DNS suffix is corp.contoso.co.us and an
> attempt is made to resolve an unqualified hostname of wpad, the DNS
> resolver will try wpad.corp.contoso.co.us. If that is not found, it will
> try, via DNS devolution, to resolve wpad.contoso.co.us. If that is not
> found, it will try to resolve wpad.co.us, which is outside of the
> contoso.co.us domain.
>
Most of the wpad.tld domains are already reserved, like this one:
http://wpad.com/. It's amazing that when they fixed it for .com etc. a
while back they missed that there were two-level tld-domains.
Rickard.
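
The devolution walk described in the quoted advisory text, as an added example that is not part of the original post or of any Microsoft code: it lists the names tried for a given primary DNS suffix and flags those that fall outside the organization's own domain. The function names and the small `REGISTRY_SUFFIXES` set are assumptions constructed for illustration, not a complete public suffix list.

```python
# Added illustration: models DNS devolution as the quoted advisory describes it.
# REGISTRY_SUFFIXES is a small constructed sample, not a complete suffix list.
REGISTRY_SUFFIXES = {"com", "se", "us", "co.us", "co.uk"}


def devolution_candidates(primary_suffix, host="wpad"):
    """Names tried for an unqualified host: one label is dropped per step
    until the remaining suffix is a second-level domain (two labels)."""
    labels = primary_suffix.lower().strip(".").split(".")
    names = []
    while len(labels) >= 2:
        names.append(host + "." + ".".join(labels))
        labels = labels[1:]
    return names


def registrable_domain(fqdn):
    """Longest matching registry suffix plus one label to its left,
    i.e. the domain the organization actually registered."""
    labels = fqdn.lower().strip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in REGISTRY_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def audit_suffix(primary_suffix, host="wpad"):
    """Return (name, inside_org) for every devolution candidate.
    inside_org is False when the name lies outside the organization's
    registrable domain and could be answered by a third party."""
    org = registrable_domain(primary_suffix)
    report = []
    for name in devolution_candidates(primary_suffix, host):
        inside = org is not None and (name == org or name.endswith("." + org))
        report.append((name, inside))
    return report


if __name__ == "__main__":
    # Constructed sample suffixes: the advisory's example and a .com equivalent.
    for suffix in ("corp.contoso.co.us", "corp.contoso.com"):
        for name, inside in audit_suffix(suffix):
            print(f"{suffix:22} {name:28} {'ok' if inside else 'OUTSIDE ORG'}")
```

Run against the primary DNS suffixes in use on a network, any name reported as outside the organization is one to check for existing registration and to block or resolve locally.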