Microsoft DNS Server WPAD Registration Spoofing Vulnerability
A Web Proxy Auto-Discovery (WPAD) registration spoofing vulnerability has been reported in Microsoft DNS servers. This vulnerability could allow a remote attacker to spoof a web proxy, thereby redirecting Internet traffic away from its legitimate destinations.
The WPAD feature enables web clients to detect proxy settings automatically, without user intervention. The browser resolves the name WPAD through DNS and retrieves its proxy configuration file from the host to which that name points. The vulnerability allows an attacker to create a DNS WPAD entry that points to a malicious website.
The vulnerability is due to an error in the Windows DNS server, which does not correctly validate who may register WPAD entries on the DNS server. By default, a DNS server allows any user to create a registration in the DNS database for WPAD if a registration with that name does not already exist. A remote attacker may exploit this by registering "WPAD" as a name in the DNS database and pointing it to a malicious website. This allows the attacker to conduct a man-in-the-middle attack against any browser configured to use WPAD to discover proxy server settings.
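As an added audit check (not part of this advisory, and not Check Point's or Microsoft's code), the following PowerShell reports whether a Windows DNS server's Global Query Block List covers the WPAD name and lists any WPAD records already registered in its primary zones. It assumes the DnsServer PowerShell module (Windows Server 2012 or later) and administrative rights on the DNS server; the names checked are WPAD and ISATAP, the two names Windows blocks by default.

```powershell
# Added audit example (not from the advisory). Run on a Windows DNS server with the
# DnsServer module. A WPAD record that no administrator created is a candidate
# spoofed registration of the kind described above.

$blockedNames = @('wpad', 'isatap')   # names the block list is expected to cover

# 1. Check the Global Query Block List, which stops the server from answering
#    queries for the listed names even if such a record has been registered.
$gqbl = Get-DnsServerGlobalQueryBlockList
if (-not $gqbl.Enable) {
    Write-Warning "Global Query Block List is DISABLED on this server."
}
foreach ($name in $blockedNames) {
    if ($gqbl.List -notcontains $name) {
        Write-Warning "Global Query Block List does not contain '$name'."
    }
}

# 2. Look for WPAD/ISATAP registrations in every forward primary zone hosted here.
$zones = Get-DnsServerZone | Where-Object {
    $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated
}
foreach ($zone in $zones) {
    foreach ($name in $blockedNames) {
        $records = Get-DnsServerResourceRecord -ZoneName $zone.ZoneName -Name $name `
                                               -ErrorAction SilentlyContinue
        foreach ($r in $records) {
            $target = switch ($r.RecordType) {
                'A'     { $r.RecordData.IPv4Address }
                'AAAA'  { $r.RecordData.IPv6Address }
                'CNAME' { $r.RecordData.HostNameAlias }
                default { $r.RecordData }
            }
            [pscustomobject]@{
                Zone      = $zone.ZoneName
                Name      = $r.HostName
                Type      = $r.RecordType
                Target    = $target
                # Timestamp is set for dynamically registered records (aging enabled)
                # and empty for static records an administrator created by hand.
                Timestamp = $r.Timestamp
            }
        }
    }
}
```

Any record the script lists should be verified against the proxy your organization actually operates; the default protection can be restored with `Set-DnsServerGlobalQueryBlockList -Enable $true -List wpad,isatap`, which makes the server refuse to answer for those names regardless of who registered them.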
Check Point IPS products provide a protection that detects and blocks the registration of vulnerable names in the DNS database. For more information, see CPAI-2009-032.
