Mitigate A New CERT Vulnerability (#598349) With An Entry In /etc/hosts


#1

Originally published at: https://pi-hole.net/2018/09/10/mitigate-a-new-cert-vulnerability-598349-with-an-entry-in-etc-hosts/

There is a new CERT vulnerability that can leave you vulnerable to a Man-in-the-Middle attack. You can mitigate this vulnerability today by adding these two lines to your /etc/hosts file:

0.0.0.0 wpad wpad.example.com
:: wpad wpad.example.com

example.com is a stand-in for your local domain. So replace example.com with whatever your local domain is.

The essence of this vulnerability is that an attacker can add a device to the network named wpad and get a DHCP lease, thus inserting the name wpad.example.com in the local DNS pointing to the attacker’s machine. The presence of that A record allows control of the proxy settings of any browser in the network.

You can learn more about the technology behind this attack at Google’s Project Zero page–it’s an older article, but gives some insight into the inner workings of the attack.

The next release of dnsmasq includes an option (dhcp-ignore-names) that can be used to mitigate the attack at the source, but we haven’t heard how Simon will act on this new vulnerability.

Since FTLDNS is just our fork of dnsmasq, we can easily merge in any upstream changes from him, but we wanted to let you know of the /etc/hosts fix that you can immediately implement.
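A small check for the mitigation described above, as an added example that is not part of the original post or of Pi-hole itself: it parses an /etc/hosts file (comments, blank lines and alias lists), and reports which of the four required mappings (wpad and wpad.<local domain>, each to 0.0.0.0 and ::) are missing. The sample hosts file is constructed here and is deliberately missing the IPv6 line; the function and file names are my own.

```python
"""Verify that an /etc/hosts file carries the WPAD sinkhole entries from the
post: ``wpad`` and ``wpad.<local domain>`` must each map to 0.0.0.0 (IPv4)
and :: (IPv6).  Added example; not Pi-hole project code."""


def mitigation_lines(local_domain: str) -> list[str]:
    """The two lines the post recommends, parameterised on the local domain.
    With no local domain (``domainname`` prints ``(none)``) only the bare
    name is listed."""
    names = f"wpad wpad.{local_domain}" if local_domain else "wpad"
    return [f"0.0.0.0 {names}", f":: {names}"]


def parse_hosts(text: str) -> dict[str, set[str]]:
    """Map each hostname to the set of addresses the file assigns to it.

    Handles ``#`` comments, blank lines and several aliases per line, which is
    all the /etc/hosts format allows.  Names are lower-cased because hosts
    lookups are case-insensitive."""
    table: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), set()).add(addr)
    return table


def missing_wpad_entries(hosts_text: str, local_domain: str) -> list[tuple[str, str]]:
    """Return the (address, name) pairs the mitigation needs but the file lacks.
    An empty list means both lines are in place."""
    table = parse_hosts(hosts_text)
    required_names = ["wpad"]
    if local_domain:
        required_names.append(f"wpad.{local_domain.lower()}")
    missing = []
    for name in required_names:
        for addr in ("0.0.0.0", "::"):
            if addr not in table.get(name, set()):
                missing.append((addr, name))
    return missing


# Constructed sample, modelled on a stock Raspberry Pi hosts file plus only the
# IPv4 mitigation line, so the check below should flag the missing :: entries.
SAMPLE_HOSTS = """\
127.0.0.1\traspberrypi localhost
::1\tlocalhost ip6-localhost ip6-loopback raspberrypi
ff02::1\tip6-allnodes
ff02::2\tip6-allrouters

# CERT vulnerability 598349
0.0.0.0 wpad wpad.example.com
"""

if __name__ == "__main__":
    print("missing:", missing_wpad_entries(SAMPLE_HOSTS, "example.com"))
    fixed = SAMPLE_HOSTS + "\n".join(mitigation_lines("example.com")) + "\n"
    print("after adding both lines:", missing_wpad_entries(fixed, "example.com"))
```

Run it against a real file with `missing_wpad_entries(open("/etc/hosts").read(), "yourdomain")`; anything it returns is a line that still needs adding on the machine that answers DNS for the network.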


#2

What would be the correct settings for a domain with no name?

domainname
(none)


#3

My pihole is not inside my LAN.

Must I set this on my local PC or on the pihole server?


#4

I don’t have pihole serve my DHCP… my router does it but I am unsure what my domain is…

  1. How can one tell what the local domain is?
  2. Should I add those lines to my router’s /etc/hosts?

#5

Run this command on the terminal on your Pi: domainname

Put on the /etc/hosts file for the device which is providing DNS resolution - in this case your Pi-Hole.


#6

Thank you for the reply @jfb. I don’t have domainname it seems. The distro is Arch ARM. I am not sure any package supplies that program :confused:


#7

Probably wpad would be sufficient.


#8

Someone on Reddit mentioned that when domainname displays (none) and you check the webinterface the domain name is “lan”. Does this mean we should use

0.0.0.0 wpad wpad.lan
:: wpad wpad.lan

Or should we just use

0.0.0.0 wpad wpad
:: wpad wpad

Or

0.0.0.0 wpad
:: wpad

Sorry if this is a basic question, but I’m new to this. :slight_smile:


#9

It’s already included; the first wpad takes care of that in each line.


#10

You’re defining the redirect, no need to double it. Likely, your router is appending .lan to your hostname. Try to ping it, i.e.

ping foo.lan

If that returns bytes, you can use both: 0.0.0.0 wpad wpad.lan


#11

@jacob.salmela
A long time ago, I responded to a topic, regarding excessive wpad queries and provided a solution to have lighttpd respond.
Does this imply that the solution is no longer a good solution?

I’m aware the solution doesn’t have an entry for IPv6, but this can be easily fixed, NOT sure if lighttpd will also provide the response…

edit
The solution was further discussed in this topic, section Q/A (Q: Why so many local requests?)
/edit

edit2
checked to see if IPv6 requests are responded to by lighttpd -> YES

IPv4 request (http://192.168.xxx.xxx/wpad.dat), entry in the lighttpd log

1536659104|192.168.xxx.xxx|GET /wpad.dat HTTP/1.1|200|56

IPv6 request (http://[2a02:1810:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]/wpad.dat), entry in the lighttpd log

1536659116|[2a02:1810:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]|GET /wpad.dat HTTP/1.1|200|56

/edit2


#12

What about using the Pi-Hole blacklist instead editing the hosts file?

Seems to work fine for me, by just adding

^wpad*

as a Regex to the blacklist.


#13

^wpad would be better.


#14

You’re right, thanks msatter. Thought it needs to have a * to match wpad.custom_tld (i.e. wpad.box) but it will interpret ^wpad as the beginning of a domain string anyway, matching wpad and wpad.box.

Using ^wpad* would also match wpadddd, which is overkill.

Anyway, is there any drawback in using the blacklist instead of the hosts?


#15

My version will also match wpadabcdefg, and if you want to limit it to the subdomain, then you need to use:

^wpad\.


#16

This is a good question…


#17

Never stop learning :slight_smile:

When using

^wpad($|\.)

it will block wpad and wpad.box but not wpadabcd or wpadabcd.box.
Think this is even better.
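To make the trade-offs between the four regex candidates in this thread concrete, here is an added example (my own code, not Pi-hole's) that runs each pattern over a constructed list of query names: the legitimate lookups a client makes (wpad, wpad.box, wpad.lan and the parent-domain form wpad.co.uk), plus lookalikes a blacklist should leave alone. Python's `re` stands in for Pi-hole's regex engine; the constructs used here (^, $, \., * and alternation) behave identically in both. It also goes one step beyond the thread: because `*` binds only to the preceding `d`, `^wpad*` matches any name starting with "wpa", not just wpadddd.

```python
"""Compare the regex blacklist candidates proposed in this thread.
Added example, not Pi-hole project code."""
import re

# The four patterns from the thread, in the order they were proposed.
PATTERNS = [r"^wpad*", r"^wpad", r"^wpad\.", r"^wpad($|\.)"]

# Constructed sample query names.  The first four are the names a WPAD-
# enabled client actually looks up (bare name, local domains, parent domain);
# the rest merely resemble them and should not be caught.
SAMPLE_NAMES = [
    "wpad",
    "wpad.box",
    "wpad.lan",
    "wpad.co.uk",
    "wpadabcd",
    "wpadabcd.box",
    "wpa.box",
    "mywpad.box",
]


def would_block(pattern: str, name: str) -> bool:
    """True if the blacklist regex matches the queried name.

    ``re.search`` is used rather than ``re.match`` so that the ``^`` written in
    the pattern is what anchors it to the start of the name, as in Pi-hole."""
    return re.search(pattern, name) is not None


def evaluate(patterns, names):
    """Return {pattern: [names it would block]} for a side-by-side view."""
    return {p: [n for n in names if would_block(p, n)] for p in patterns}


if __name__ == "__main__":
    for pattern, blocked in evaluate(PATTERNS, SAMPLE_NAMES).items():
        print(f"{pattern:14} blocks {blocked}")
```

The table it prints shows why `^wpad($|\.)` is the narrowest pattern that still covers every name a client will try: `^wpad*` and `^wpad` over-block (wpadabcd, and for `^wpad*` even wpa.box), while `^wpad\.` misses the bare name wpad.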


#18

You don’t need to add “$” because Pi-hole won’t accept any local names… that is why you have to use pi.hole and not pi or hole to reach the admin panel. You need that dot and a TLD.

Oops, the default config from Pi-hole/dnsmasq allows this by having:

It loads the contents of /etc/hosts so that local hostnames which do not appear in the global DNS can be resolved and also answers DNS queries for DHCP configured hosts. It can also act as the authoritative DNS server for one or more domains, allowing local names to appear in the global DNS.

My /etc/hosts file looks like this:

127.0.0.1	raspberrypi localhost raspberrypi
::1		localhost ip6-localhost ip6-loopback raspberrypi
ff02::1		ip6-allnodes
ff02::2		ip6-allrouters

# Cert vulnerability 598349
0.0.0.0 wpad
:: wpad

And I could use the no-hosts setup line but that would break pi-hole so they have to work around this default setup of pi-hole.


#19

This is weird, I demonstrated this exploit back in the early noughties.
You also want to aim for registering wpad.[tld]: if a Windows machine can’t find wpad in its local domain name, it will go up until it does, for example:
wpad.yourdomain.co.uk
when wpad does not exist, Windows tries:
wpad.co.uk
if that exists, bingo, machine hijacked.


#20

I am using

^wpad\.

in the blacklist of Pi-hole now for some days with a good experience. It will block every request that is of the character wpad.* (where * is any domain like yourdomain.co.uk or co.uk). I prefer this variant over the hosts file because it is part of the Pi-hole mechanism and I get statistics as usual.