CVE-2016-3236
published 2016-06-16


Priority: P275
Severity: critical (CVSS 3.0 base score 9.8)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit known
EPSS: 77.66% (99.5th percentile)
The Web Proxy Auto Discovery (WPAD) protocol implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 mishandles proxy discovery, which allows remote attackers to redirect network traffic via unspecified vectors, aka "Windows WPAD Proxy Discovery Elevation of Privilege Vulnerability."

Affected (14 ranges)

Vendor      Product                                      Version range   Fixed in
microsoft   windows_10                                   (not listed)    (not listed)
microsoft   windows_server_2008                          (not listed)    (not listed)
microsoft   windows_server_2012                          (not listed)    (not listed)
msrc        windows_10                                   (not listed)    (not listed)
msrc        windows_10_version_1511                      (not listed)    (not listed)
msrc        windows_7                                    (not listed)    (not listed)
msrc        windows_8.1                                  (not listed)    (not listed)
msrc        windows_rt_8.1                               (not listed)    (not listed)
msrc        windows_server_2008                          (not listed)    (not listed)
msrc        windows_server_2008_r2                       (not listed)    (not listed)
msrc        windows_server_2012                          (not listed)    (not listed)
msrc        windows_server_2012_r2                       (not listed)    (not listed)
msrc        windows_vista_service_pack_2                 (not listed)    (not listed)
msrc        windows_vista_x64_edition_service_pack_2     (not listed)    (not listed)

Detection & IOCs (extracted from sources)

command: 255.255.255.255 wpad
path: %systemdrive%\Windows\System32\Drivers\etc\hosts
  • Monitor for NetBIOS name response flooding (brute-force spoof) targeting the 'WPAD' hostname, particularly high-rate UDP NetBIOS traffic (~30,000 PPS) which is characteristic of the BadTunnel exploitation technique.
  • Detect exploitation attempts by monitoring for unsolicited or repeated NetBIOS responses to a target host for the WPAD hostname, especially when originating from an external/NAT-traversing source — a hallmark of the BadTunnel NAT-piercing attack.
  • Investigate UNC link delivery vectors (HTML pages, Office attachments) pointing to attacker-controlled IPs as the initial trigger mechanism to elicit a NetBIOS WPAD request from the victim.
  • Alert on anomalous WPAD proxy auto-detection traffic or unexpected changes to NetBIOS name cache entries for 'WPAD', which may indicate successful cache poisoning via BadTunnel.
  • The Microsoft patches MS16-063/MS16-077 change how the WPAD proxy host is identified and affect the predictability of NetBIOS requests, but do not fully eliminate the underlying NetBIOS spoofing primitive.
  • The workaround of adding '255.255.255.255 wpad' to the hosts file will break autoproxy discovery and may prevent applications such as Internet Explorer from loading websites properly.
  • The attack is effective even when the target is behind a NAT gateway, as the continuous stream of NetBIOS responses keeps the NAT mapping alive after initial setup.

CVSS provenance

Source        Version   Score   Severity   Vector
nvd           v3.0      9.8     CRITICAL   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_msrc   (n/a)     9.8     HIGH       (not listed)