How does a WPAD attack work and how can it be prevented?

Google's Project Zero detailed a proof-of-concept attack against Windows 10 that is a variation of a Web Proxy Auto-Discovery protocol attack. How does this WPAD attack work, and what can be done to bolster WPAD security?

The Web Proxy Auto-Discovery Protocol (WPAD) was developed in 1999 to simplify the configuration of an organization's web browsers and applications. It enables computers to discover which web proxy they should use for different URLs without administrators having to manually configure them.

WPAD enables a computer to query the local network via the Dynamic Host Configuration Protocol, domain name system or Windows Internet Naming Service to determine the server from which to load a JavaScript file called a proxy auto-config (PAC) file. This file contains a JavaScript function called FindProxyForURL that determines whether HTTP, HTTPS and FTP requests can go directly to the destination or should be forwarded to a specific proxy server and port.

WPAD is enabled by default on all Microsoft Windows operating systems and Internet Explorer browsers. While it is supported on macOS and Linux-based operating systems, as well as the Safari, Chrome and Firefox browsers, it is not enabled by default.

As the PAC file controls where a browser or client is directed, its security is of the upmost importance. If an attacker installs or points browsers to a malicious PAC file -- for example, via a rogue access point or WPAD injection -- they could instruct every browser on that network to use a proxy server under their control, enabling them to redirect, sniff or inject traffic as it passes through the proxy.

Concerns about the security of WPAD have existed for a while, and attacks like the unholy PAC attack described by SafeBreach and the man-in-the-middle attack identified by Context Information Security show that vulnerabilities in how WPAD and PAC work can be used to capture the entire URL of every site a user visits, even when the traffic is protected with HTTPS encryption.

However, Google's Project Zero researchers have produced a proof-of-concept WPAD attack that results in the complete compromise of the targeted machine.

The team identified seven new vulnerabilities in the Windows JScript engine, jscript.dll, which interprets the JavaScript PAC file. By chaining these vulnerabilities together and using other techniques, such as return-oriented programming to bypass various Windows security mitigations, the Project Zero team managed to execute untrusted JavaScript outside a sandboxed environment against a fully patched Windows 10 PC. By using a built-in feature to escalate from the Local Service to the SYSTEM account, they gained administrator rights, and from there, they could completely compromise the system.

Although all the vulnerabilities used in the WPAD attack have been patched, the research team still recommends that Microsoft users disable WPAD by default to prevent attacks that would take exploit the identified vulnerabilities. Hopefully, Microsoft will sandbox the JScript interpreter inside the WPAD service as another prevention technique, but, until then, the registry setting to disable WPAD can be changed in Group Policy via the Services setting under ComputerConfiguration > Policies > Windows Settings > Security Settings > System Services and by disabling the WinHTTP WebProxy Auto-Discover Service.

Administrators also need to ensure their users' devices are up to date.

Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)