WPAD Exploits

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A recent set of vulnerabilities related to the Web Proxy Auto Discovery Protocol (WPAD) and Proxy Auto-Config (PAC) has been discovered. WPAD and PAC are tied to how web browsers handle HTTPS and HTTP requests.

Affected platforms

The following platforms are known to be affected:

Threat details

PAC files contain JavaScript instructions that tell a browser which proxy to use in order to reach a given website. If an attacker were to successfully inject their own malicious PAC file, they would be able to monitor the victim’s traffic whenever a browser request is made. The vulnerabilities allow an attacker to execute untrusted JavaScript files on a system. This, in turn, allows an attacker to gain remote command execution.
It links together several vulnerabilities and can affect a fully patched Windows 10 system. It focuses on attacking the engine that interprets the JavaScript PAC files used by the WPAD service. Seven vulnerabilities that allowed malicious code execution were found and are as follows:

A PAC file is a configuration file. To determine the correct proxy configuration, the browser connects to a pre-configured server, downloads the PAC file and executes its JavaScript functions. The WPAD protocol, however, makes a pre-configured server unnecessary and allows a system to determine the server the PAC file is downloaded from. It should be noted that programs other than Internet Explorer also use WPAD, but in most cases support for WPAD isn’t enabled by default.
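The following is an added example, not part of the original alert: a small review script that evaluates a PAC file's FindProxyForURL function against test URLs and reports any proxy that is not on an approved list. The PAC text, host names, addresses and the names loadPac, proxiesIn and auditPac are constructed for illustration.

```javascript
// Constructed sample PAC text (not from the original page). A PAC file defines
// FindProxyForURL(url, host) and returns a routing string for every request.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (url.substring(0, 6) === "https:") return "PROXY proxy.corp.example:8080; DIRECT";
  return "PROXY 203.0.113.7:3128"; // entry the audit below should flag
}`;

// Minimal stand-ins for two of the standard PAC helper functions.
const pacHelpers = {
  isPlainHostName: (host) => !host.includes("."),
  dnsDomainIs: (host, domain) => host.endsWith(domain),
};

// Compile PAC source and return its FindProxyForURL function.
// new Function is not a sandbox: review fetched PAC files only on an isolated analysis host.
function loadPac(source) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, source + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Split a result such as "PROXY a:8080; DIRECT" into its proxy host:port entries.
function proxiesIn(result) {
  return result.split(";")
    .map((part) => part.trim().split(/\s+/))
    .filter(([kind]) => kind && kind.toUpperCase() !== "DIRECT")
    .map(([, target]) => target);
}

// Evaluate the PAC for each test URL and collect proxies that are not approved.
function auditPac(source, urls, approvedProxies) {
  const findProxy = loadPac(source);
  const findings = [];
  for (const url of urls) {
    const result = findProxy(url, new URL(url).hostname);
    for (const proxy of proxiesIn(result)) {
      if (!approvedProxies.includes(proxy)) findings.push({ url, result, unapproved: proxy });
    }
  }
  return findings;
}

console.log(auditPac(SAMPLE_PAC,
  ["http://intranet/", "https://www.example.org/", "http://www.example.org/"],
  ["proxy.corp.example:8080"]));
```
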


Remediation steps

  • Disable the WPAD service in Internet Explorer or use an alternative browser.
  • Disable the WinHttpAutoProxySvc service (not recommended unless an alternative is in place).


Last edited: 17 February 2020 11:41 am