Proxy PAC hack allows for intercept of HTTPS URLS

Israeli security firm, Safebreach, have discovered a vulnerability within the JavaScript that proxy PAC files uses for auto-configuration, which could allow URLs to be extrapolated and manipulated.

Proxy Auto Config or PAC files work by specifying how web browsers and other agents handle HTTP, HTTPS and FTP requests. PAC files use the JavaScript function FindProxyForURL to determine whether the page is to be accessed directly or via a pre-configured proxy address.

PAC files are generally distributed automatically at logon with the location dictated via DHCP or DNS using the Web Proxy Auto-Discovery or WPAD Protocol.

WPAD is auto-enabled by default on Microsoft Windows systems and within Internet Explorer. It’s also supported on Linux, OSX, Mozilla’s Firefox, Google Chrome and Apple’s Safari. The technology is commonly used by many organisations in order to manage users web browsing traffic and access.

The research revealed that by manipulating the logic inside the FindProxyForURL function a threat actor could access the users URLs and extract them for their own purposes.

Amit Klein, VP of security research at Safebreach, and Itzik Kotler, the CEO, will share more details of the vulnerability at next week’s Black Hat conference in Las Vegas, Nevada. It’s also understood that the company will also release a proof-of concept piece of malware to accompany the discovery.

In an interview with SecurityWeek, Kotler claims that there are 2 attack methods for this particular vulnerability. The first involves using malware to attack the affected system and drop the proxy.pac file, the second employs a man-in-the-middle (MitM) attack to hijack WPAD communications, allowing the attacker to direct the victims traffic to their own proxy, stealing data such as HTTP URLs which could then be used for stealing access into the users sessions, bypassing authentication mechanisms.

Klein stated, “The fact that a (low trust) piece of code (i.e. JavaScript) can be downloaded and executed in such context (HTTPS traffic - high trust), without any certification, digital signature, or protection of any kind – is the root cause of this problem,”

The researchers also reported that although data exfiltration may be the primary motive for attackers using this hack, the vulnerability could also be used to launch denial of service (DoS) attacks.

If a number of devices were infected with such malware their Internet settings could be reconfigured to target addresses and ports in order to overwhelm a particular server’s resources. This method could also be employed on a local level in order to manipulate URLs of the infected machine, possibly redirecting the users web surfing to avoid update by antivirus or to another compromised or malicious resource which could be used to drive by download additional malicious content or malware.

The danger with this manner of exploit is that it has the potential to affect a wide range of operating systems and browsers, as well as any other application that uses a proxy configuration file.