Rapid7 Vulnerability & Exploit Database

FreeBSD: VID-F714D8AB-028E-11E7-8042-50E549EBAB6C: kio: Information Leak when accessing https when using a malicious PAC file

Severity: 4
CVSS: (AV:L/AC:M/Au:N/C:P/I:P/A:P)
Published: 02/28/2017
Created: 07/25/2018
Added: 03/12/2017
Modified: 09/19/2017

Description

Albert Astals Cid reports:

Using a malicious PAC file, and then using exfiltration methods in the PAC function FindProxyForURL() enables the attacker to expose full https URLs.

This is a security issue since https URLs may contain sensitive information in the URL authentication part (user:password@host), and in the path and the query (e.g. access tokens).

This attack can be carried out remotely (over the LAN) since proxy settings allow "Detect Proxy Configuration Automatically".

This setting uses WPAD to retrieve the PAC file, and an attacker who has access to the victim's LAN can interfere with the WPAD protocols (DHCP/DNS+HTTP) and inject his/her own malicious PAC instead of the legitimate one.
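The mitigation for this class of leak is to give the PAC script only what it needs to choose a proxy. The following is an added example, not code from the advisory, from kio or from the reporter: a resolver that reduces every https URL to scheme://host[:port]/ before calling FindProxyForURL(), so credentials, path and query never reach the script. It assumes a Node.js runtime with the WHATWG URL class; the recording PAC function is a constructed stand-in for any script whose behaviour depends on the URL it receives.

```javascript
// Added example (not from the advisory or from kio). Assumes Node.js with the
// WHATWG URL class. Shows the defensive side of the kio PAC issue: strip the
// sensitive parts of an https URL before a PAC script ever sees it.

// Reduce an https URL to "https://host[:port]/". Userinfo (user:password@),
// path, query and fragment are dropped. Non-https URLs pass through unchanged.
function sanitizeForPac(rawUrl) {
  const u = new URL(rawUrl);
  if (u.protocol !== "https:") return rawUrl;
  const port = u.port ? ":" + u.port : "";
  return "https://" + u.hostname + port + "/";
}

// Minimal PAC resolver: sanitize first, then call the script's
// FindProxyForURL(url, host) with the reduced URL and the bare host.
function resolveProxy(findProxyForURL, rawUrl) {
  const safeUrl = sanitizeForPac(rawUrl);
  const host = new URL(safeUrl).hostname;
  return findProxyForURL(safeUrl, host);
}

// Constructed PAC function (hypothetical) that only records what it was given,
// so the test can show which parts of the URL reached the script.
function recordingPac() {
  const seen = [];
  return {
    seen,
    findProxyForURL(url, host) {
      seen.push(url);
      return "DIRECT";
    },
  };
}

// Stand-alone run: a constructed URL carrying a credential and an access token.
const demo = recordingPac();
resolveProxy(demo.findProxyForURL,
  "https://user:secret@example.com:8443/api/v1?token=abc#frag");
console.log("PAC script received:", demo.seen[0]);

module.exports = { sanitizeForPac, resolveProxy, recordingPac };
```

The script receives "https://example.com:8443/" and nothing else; an http URL is left intact because its path already travels in cleartext and PAC scripts commonly route on it.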

Solution(s)

  • freebsd-upgrade-package-kdelibs
  • freebsd-upgrade-package-kf5-kio