Mitigate A New CERT Vulnerability (#598349) With An Entry In /etc/hosts

Run this command on the terminal on your Pi: domainname

Put it in the /etc/hosts file of the device that is providing DNS resolution, in this case your Pi-Hole.

Thank you for the reply @jfb. I don't have domainname it seems. The distro is Arch ARM. I am not sure any package supplies that program :confused:

Probably wpad would be sufficient.

Someone on Reddit mentioned that when domainname displays (none) and you check the web interface, the domain name is "lan". Does this mean we should use

0.0.0.0 wpad wpad.lan
:: wpad wpad.lan

Or should we just use

0.0.0.0 wpad wpad
:: wpad wpad

Or

0.0.0.0 wpad
:: wpad

Sorry if this is a basic question, but I'm new to this. :slight_smile:

You're defining the redirect, no need to double it. Likely, your router is appending .lan to your hostname. Try to ping it, i.e.

ping foo.lan

If that returns bytes, you can use both: 0.0.0.0 wpad wpad.lan

@jacob.salmela
A long time ago, I responded to a topic, regarding excessive wpad queries and provided a solution to have lighttpd respond.
Does this imply that the solution is no longer a good solution?

I'm aware the solution doesn't have an entry for IPv6, but this can be easily fixed, NOT sure if lighttpd will also provide the response...

edit
The solution was further discussed in this topic, section Q/A (Q: Why so many local requests?)
/edit

edit2
checked to see if IPv6 requests are responded to by lighttpd -> YES

IPv4 request (http://192.168.xxx.xxx/wpad.dat), entry in the lighttpd log

1536659104|192.168.xxx.xxx|GET /wpad.dat HTTP/1.1|200|56

IPv6 request (http://[2a02:1810:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]/wpad.dat), entry in the lighttpd log

1536659116|[2a02:1810:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]|GET /wpad.dat HTTP/1.1|200|56

/edit2

What about using the Pi-Hole blacklist instead of editing the hosts file?

Seems to work fine for me, by just adding

^wpad*

as a Regex to the blacklist.

You're right, thanks msatter. I thought it needed to have a * to match wpad.custom_tld (i.e. wpad.box), but it will interpret ^wpad as the beginning of a domain string anyway, matching wpad and wpad.box.

Using ^wpad* would also match wpadddd, which is overkill.

Anyway is there any drawback in using the blacklist instead of the hosts?

This is a good question...

Never stop learning :slight_smile:

When using

^wpad($|\.)

it will block wpad and wpad.box but not wpadabcd or wpadabcd.box.
I think this is even better.

This is weird, I demonstrated this exploit back in the early noughties.
You also want to aim for registering wpad.[tld]: if a Windows machine can't find wpad in its local domain name, it will go up until it does, for example:
wpad.yourdomain.co.uk
when wpad does not exist, Windows tries:
wpad.co.uk
if that exists, bingo, machine hijacked.

I am using

^wpad\.

in the blacklist of pihole now for some days with a good experience. It will block every request that is of the form wpad.* (where * is any domain like yourdomain.co.uk or co.uk). I prefer this variant over the hosts file because it is part of the pihole mechanism and I get statistics as usual.
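To make the difference between the three blacklist patterns discussed above concrete, here is a small added checker (not Pi-hole code and not from any poster) that runs each pattern against a constructed set of queries. Pi-hole evaluates these entries as POSIX extended regexes, which Python's re handles identically for such simple patterns; the sample also shows a case the thread does not mention, namely that ^wpad* blocks a bare "wpa" because the trailing d is optional.

```python
import re

# Regex blacklist entries from the thread, loosest to tightest.
PATTERNS = {
    r"^wpad*": "matches any name starting with 'wpa' (the trailing d* is optional)",
    r"^wpad\.": "matches wpad.<anything> but NOT a bare 'wpad' query",
    r"^wpad($|\.)": "matches bare 'wpad' and wpad.<anything>, nothing else",
}

# Constructed sample queries: names a WPAD-probing client would ask for,
# plus look-alike hostnames that a too-loose pattern blocks by mistake.
SAMPLE_QUERIES = [
    "wpad",                  # bare name
    "wpad.lan",              # router-appended local suffix
    "wpad.yourdomain.co.uk",
    "wpad.co.uk",            # the domain-devolution step described above
    "wpadabcd",              # look-alike host, should stay reachable
    "wpadddd.box",
    "wpa",                   # only ^wpad* catches this (overblocking)
    "notwpad.example.com",   # patterns are anchored at the start, never blocked
]


def blocked_by(pattern, domain):
    """True if a Pi-hole regex blacklist entry `pattern` would block `domain`."""
    return re.search(pattern, domain) is not None


def evaluate(patterns=PATTERNS, queries=SAMPLE_QUERIES):
    """Map each pattern to the list of sample queries it blocks, in query order."""
    return {p: [q for q in queries if blocked_by(p, q)] for p in patterns}


if __name__ == "__main__":
    for pattern, blocked in evaluate().items():
        print(f"{pattern:14} {PATTERNS[pattern]}")
        print(f"{'':14} blocks: {blocked}")
```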

I guess this is the reason why I always disable any proxy-related settings in all my browsers and also check if any unneeded services are running via services.msc :smiley:

Thanks @Pi-Hole team for this notification though! :+1:

Bit late to the party here, but is this still valid?
Is it advised to modify /etc/hosts or use regex?
domainname returns (none) for me.


Both are possible and it doesn't really matter regarding security.

But I still prefer the blacklist method. Using this one can see which device is querying wpad in the statistics of Pi-hole. Having this information you can reach out to the vulnerable device and deactivate the "auto proxy" setting directly.

Hi team,

If you are tempted to create a "fix" for this wpad thingy...
Please make sure it is configurable, as I use wpad.
If pihole starts blocking this as a security feature, there will be issues with users like me.

Many use the wpad DNS entry to let clients know where to find wpad.dat or proxy.pac.
The DNS wpad entry is picked up by clients, as clients send the wpad question to DHCP when getting their IP configuration.
The wpad entry in DNS is based on IP or hostname. And the wpad must be served from a webserver on port 80.

A solution could be adding a wpad thingy in the GUI. For users without wpad, just enter 0.0.0.0.
For me: I would use 192.168.1.4 or an FQDN.

DNSmasq can also be used to NOT serve a DHCP IP to a hostname:
Perhaps this works? Have not tested it:
dhcp-host=id:wpad,ignore

Thanks in advance,


I don't believe there is any intent to do so. The post was for awareness of the issue.

Pointless for now, you might want to bookmark this for later...

dnsmasq 2.80 will have protection for the wpad vulnerability

from the changelog:

Include in the example config file a formulation which
stops DHCP clients from claiming the DNS name "wpad".
This is a fix for the CERT Vulnerability VU#598349.

from the sample config file:

# Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
#dhcp-option=252,"\n"

and

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
#dhcp-name-match=set:wpad-ignore,wpad
#dhcp-ignore-names=tag:wpad-ignore

Unfortunately, this will require pihole-FTL to adopt the changes from dnsmasq 2.80, which hasn't been released yet (test releases available).


That works with Dnsmasq version 2.80test3, thanks for the hint!
Just added that string to /etc/dnsmasq.conf (that was OpenWRT, not Pi-hole).

After noticing wpad turn up near the top of my 'Permitted Domains' yesterday, I followed the suggestion:

You can mitigate this vulnerability today by adding these two lines to your /etc/hosts file:

0.0.0.0 wpad wpad.example.com
:: wpad wpad.example.com

Now I have wpad.myLocal.isp.... at the top of my 'Blocked Domains' list, but it has gone from reporting something like 130 queries Permitted, to 3200 Blocked. AND the summary at the top now shows near 50% of my requests are blocked.

This seems like a loop got introduced into the system.

I have commented out the additions to the /etc/hosts file AND, following advice below, I have added a regex for ^wpad(\.|$) in the blacklist. I also noticed there was an explicit block for wpad.myLocal.IsP... in that list (I guess I clicked on the Blacklist button in the Query Log).

So my current config is now: standard /etc/hosts file and 2 entries in the blacklist. Should I remove the explicit link, and rely only on the regex?

This is Pi-hole Version v4.2.1 Web Interface Version v4.2 FTL Version v4.2.2

Thanks for any ideas/comments/help ;-)