Google Project Zero Releases Details on WPAD/PAC Variation Attack on Windows 10

Last week, Google’s Project Zero published a post releasing details of a WPAD/PAC variation attack on Windows 10 PCs. The local proof-of-concept attack allows a threat actor to execute untrusted JavaScript outside of a sandboxed environment on the targeted system.

In order to carry out remote command execution on a targeted machine, the WPAD/PAC attack chains together several vulnerabilities that relate to the Microsoft JScript.dll file and PAC.

Project Zero researchers uncovered 7 vulnerabilities in total, which have all since been patched.

The authors of the post noted that WPAD (“Web Proxy Auto Discovery Protocol”), and in particular PAC (“Proxy-Auto-Config”), are “oddities”… “engineering decisions… made with imperfect information and under time pressure”.

Back in 1986, engineers at Netscape decided to write config files in JavaScript, which led to PAC, and PAC works in the following way. The browser connects to a pre-configured server, downloads the PAC file, and executes a JavaScript function to determine the proper proxy configuration for connecting to a specific URL. If an attacker can get a malicious PAC file into the browser, that attacker can see the URL of every request the browser makes.

PAC was coupled with WPAD – a protocol that means the browser does not need to connect to a pre-configured server. Security researchers have warned about the dangers of WPAD in relation to potential threats before, particularly with regards to Windows (as it enables WPAD by default).

Holes of various sizes have been found in WPAD from an “UNHOLY PAC” (which was used by a hacker to intercept private and one-time-use URLs that contain security tokens used for shared access to services) to a man-in-the-middle style attack (that allowed attackers to monitor the full HTTPS URLs of every web request a browser makes).

However, Google’s Project Zero researchers say this latest variant has gone a step further, commenting, “as far as we know, this is the first time that an attack against WPAD is demonstrated that results in the complete compromise of the WPAD user’s machine”. They uncovered a new attack vector that targets the Windows JScript engine that interprets the JavaScript PAC files directly. Paul Stone, security consultant at Context Information Security, said, “This is a much more powerful and technically complex attack”.

Researchers recommend that WPAD, which Windows enables by default, be disabled, and that the JScript interpreter be sandboxed inside the WPAD service.