The attack is a variation of a WPAD/PAC attack. In Project Zero’s case, the WPAD/PAC attack focuses on chaining several vulnerabilities together relating to the PAC and a Microsoft JScript.dll file in order to gain remote command execution on a victim’s machine.
“We identified 7 security vulnerabilities in (JScript.dll) and successfully demonstrated reliable code execution from local network (and beyond) against a fully patched (at the time of writing) Windows 10 64-bit with Fall Creators Update installed,” wrote Project Zero researchers on the team’s website Monday.
The vulnerabilities have since been patched.
Previous researchers have found holes in WPAD ranging from an “UNHOLY PAC” attack identified by SafeBreach to a man-in-the-middle attack technique identified by Context Information Security. The technique allowed an attacker to see the entire URL of every site visited even if the traffic is protected with HTTPS encryption.
Google’s Project Zero team took WPAD/PAC attacks a step further.
“As far as we know, this is the first time that an attack against WPAD is demonstrated that results in the complete compromise of the WPAD user’s machine,” researchers said.