Closed Bug 421490 Opened 16 years ago Closed 16 years ago

wpad may be dangerous, and it is on by default

Categories: (Core :: Security, defect, P2), x86, Linux

Tracking: RESOLVED FIXED, mozilla1.9beta5

People: (Reporter: guninski, Assigned: ventnor.bugzilla)

Details: (Keywords: regression, Whiteboard: [sg:moderate])

Attachments: (1 file)

a sniffer on localhost observed that seamonkey tries to resolve |wpad.localdomain| on each page access.

so i put wpad.localdomain in /etc/hosts (emulating malicious dns server) to resolve to A.

on A port 80 i put a web server serving wpad.dat containing:

function FindProxyForURL(url, host) { return "PROXY 127.0.0.1:81"; }

all network activity goes to the specified proxy 127.0.0.1:81

malicious dns server or a *single* dns spoof leads to overriding proxy and injecting some javascript.

so i suggest turning wpad off by default.

or at least *easy* option to disable wpad.

this is exactly the opposite of Bug 310331

Looks like a very recent linux-only change:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/modules/libpref/src/init/all.js&rev=3.733#766

The new value of "5" is supposed to pick up your system proxy settings and use those, back-end added in bug 66057 and UI (and pref flip) added in bug 416274. Do distros ship with WPAD as the default even if admins haven't explicitly opted in to that? That's totally not safe each time someone takes their laptop to the local wifi cafe.
Assignee: dveditz → reed
Product: Mozilla Application Suite → Core
Just because I land a patch for somebody doesn't put me in charge of fixing regressions from that patch. I'll back a patch out if need be, but I have nothing to do with the fixing of the actual problem.
Assignee: reed → ventnor.bugzilla
Keywords: regression
QA Contact: seamonkey → toolkit
Summary: wpad may be dangerous and it is on by default → wpad may be dangerous, and it is on by default
Ventnor, the all.js change should probably be reverted if a fix for this can't be found in a reasonable period of time.
Flags: blocking1.9?
(In reply to comment #1)

> Do distros ship with WPAD as the default even if admins haven't explicitly
> opted in to that? That's totally not safe each time someone takes their laptop
> to the local wifi cafe.
> 

hm, i haven't turned on any proxies at all, including system wide.
i doubt there is global proxy autodiscovery on most linux distros.
will try to investigate.
i see this on both mandriva and kubuntu without any proxies that i am aware of
Whiteboard: [sg:moderate sg:investigate]
Can someone please add regression dependencies here, to keep track of what caused this? Blocking, P2, to either get what caused this backed out, or a fix for this issue.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Attached patch: Possible patch
Can you test to see if this works? This will only use WPAD if explicitly set in the prefs.
Blocks: 66057, 416274
You're using KDE distros, which means you don't have GConf, and since you don't have a proxy configured, there shouldn't be any proxy settings in the environment variables either.

What SHOULD happen is that we fall back to DIRECT. Not sure why that isn't happening. Can anyone else running a KDE distro confirm this?
Comment on attachment 308048: Possible patch

I think this is how it should work. This fixes a real regression.
Attachment #308048 - Flags: superreview+
Attachment #308048 - Flags: review+
Keywords: checkin-needed
i tested this on icewm having gconf, the kde was just auxiliary test
Checking in netwerk/base/src/nsProtocolProxyService.cpp;
/cvsroot/mozilla/netwerk/base/src/nsProtocolProxyService.cpp,v  <--  nsProtocolProxyService.cpp
new revision: 1.75; previous revision: 1.74
done
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [sg:moderate sg:investigate] → [sg:moderate][sg:investigate]
Target Milestone: --- → mozilla1.9beta5
Flags: wanted1.8.1.x-
Whiteboard: [sg:moderate][sg:investigate] → [sg:moderate]
(In reply to comment #1)
> That's totally not safe each time someone takes their laptop
> to the local wifi cafe.
> 

on second thought, if you have enabled wpad on purpose and go to a cafe with a laptop, your exploit scenario works by design?
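
An audit check for the condition discussed in this bug, added here as an example and not taken from the bug or from Mozilla's code. It reads the effective `network.proxy.type` from a defaults file such as all.js plus a profile's prefs, and lists the `wpad.<domain>` names worth watching in DNS logs. It assumes the browser asks for the bare host `wpad` and the resolver appends its search domains, which matches the `wpad.localdomain` lookup in the report; all sample inputs are constructed.

```python
import re

# Values of network.proxy.type as used by Mozilla's proxy service.
PROXY_TYPES = {0: "direct", 1: "manual", 2: "PAC URL", 4: "WPAD", 5: "system settings"}
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"network\.proxy\.type"\s*,\s*(\d+)\s*\)\s*;')

def proxy_type(*pref_texts):
    """Effective network.proxy.type; later texts (user prefs) override earlier ones."""
    value = None
    for text in pref_texts:
        for line in text.splitlines():
            m = PREF_RE.match(line)
            if m:
                value = int(m.group(1))
    return value

def wpad_names(resolv_conf):
    """Names the resolver would try for the bare host 'wpad' (assumption, see lead-in)."""
    names = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts and parts[0] in ("search", "domain"):
            # search and domain are mutually exclusive; the last one listed wins
            names = ["wpad." + d.rstrip(".") for d in parts[1:]]
    return names

def audit(defaults, user_prefs, resolv_conf):
    t = proxy_type(defaults, user_prefs)
    # 4 = WPAD explicitly enabled; 5 = the "system settings" default this bug is about
    exposed = t in (4, 5)
    return {
        "type": t,
        "mode": PROXY_TYPES.get(t, "unknown"),
        "lookups": wpad_names(resolv_conf) if exposed else [],
        "review": exposed,
    }

# Constructed sample inputs (not copied from any real system).
SAMPLE_ALL_JS = 'pref("network.proxy.type", 5);\n'
SAMPLE_USER_PREFS = 'user_pref("browser.startup.page", 1);\n'
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 192.0.2.53\nsearch localdomain\n"

if __name__ == "__main__":
    print(audit(SAMPLE_ALL_JS, SAMPLE_USER_PREFS, SAMPLE_RESOLV_CONF))
```

A profile that sets the pref to 0 overrides the default and the check reports nothing to review.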
