Message-ID: <BAY19-DAV114E26DA3B920C2273599FD9D40@phx.gbl>
Date: Tue, 19 Jul 2005 10:02:15 -0700
From: "Morning Wood" <se_cur_ity@...mail.com>
To: "Petko Petkov" <ppetkov@...citizen.org>,
<bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Anonymous Web Attacks via Dedicated Mobile Services
Google's language translation also does this.
http://ipchicken.com
http://translate.google.com/translate?u=http://ipchicken.com
m.w
----- Original Message -----
From: "Petko Petkov" <ppetkov@...citizen.org>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Tuesday, July 19, 2005 4:05 AM
Subject: [Full-disclosure] Anonymous Web Attacks via Dedicated Mobile Services
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
> Security Risk: UNKNOWN
> Publish Date: 2005 July 16
>
> Security Researcher: Petko Petkov
> Contact Information: ppetkov@...citizen.org
> PGP Key: http://pdp.gnucitizen.org/ppetkov.asc
>
> Synopsis
> - --------
>
> Various Mobile Services provide malicious users with an intermediate
> point to anonymously browse Web Resources and execute attacks against
> them.
>
> Affected Applications
> - ---------------------
>
> * Google's WMLProxy
> * IYHY
>
> Background
> - ----------
>
> WAP stands for Wireless Application Protocol, a communication standard
> primarily designed for Information Exchange on various Wireless Terminals
> such as mobile telephones. WAP devices work with WML (Wireless Markup Language),
> a markup language similar to HTML but more strict because of its XML nature. WML
> and HTML are totally different in semantics. As such, there are applications
> located on The Internet that are able to transcode from HTML/XHTML to WML.
>
> Description
> - -----------
>
> An attacker can take advantage of Google's WMLProxy Service by sending an
> HTTP GET request with a carefully modified URL of a malicious nature. Such a
> request hides the attacker's IP address and may slow down future investigations
> of a successful break-in, since Google's Services are often over-trusted.
>
> The following URL should reveal the current IP address:
> http://ipchicken.com
>
> However, a similar request proxied through WMLProxy:
> http://wmlproxy.google.com/wmltrans/u=ipchicken.com
> results in:
> 64.233.166.136 which belongs to Google Inc.
>
> Like Google's WMLProxy, IYHY.com is an HTML/XHTML transcoder, although it is
> primarily designed for PDAs and Smart Phones. Still, IYHY can be used as an
> intermediate point for launching anonymous attacks. For example, the following
> URL reveals IYHY's IP address:
> http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com
>
> Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their
> IP address further. For example, the following URL goes through WMLProxy and
> IYHY before getting to http://ipchicken.com:
> http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o
>
> Impact
> - ------
>
> Misuse of Services like Google's WMLProxy and IYHY must be considered a high
> risk in situations where they are over-trusted. Google's entries are often
> filtered out from the logs, making all possible attacks undetectable. Moreover,
> attackers can make use of mobile devices to request dangerous URLs in order to
> compromise vulnerable Web Applications. If such requests are not monitored by
> the particular mobile network, there is no way to detect where the attack is
> launched from.
>
> Workaround
> - ----------
>
> Mobile Services can offer clever parameter filtering features to prevent the
> execution of dangerous requests. However, it is important to understand that
> simple input validation techniques can be easily circumvented. The tinyurl
> service can be used to obscure the dangerous URLs, bypassing the input
> validation checks that an application may have.
>
> It is also worth mentioning that modifying the requests, in order to stop
> certain XSS and SQL Injection attacks, may completely break the logic of the
> proxied Web Site, leaving the users with unsatisfactory results.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (MingW32)
>
> iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G
> SDmdYsnJsSRSMlgCEl6cMX4=
> =J9z1
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
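Defender-side counterpart to the Impact section of the quoted advisory, added here as an example and not part of the thread or of either poster's work: an access-log triage that keeps requests arriving from transcoding proxies instead of filtering them out, and tags them so the analyst knows the source IP is the proxy, not the client. The Google address comes from the advisory; the other addresses, the log lines and the User-Agent/Referer marker strings are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log sample. Line 1 uses the Google IP quoted
# in the advisory (64.233.166.136); the other IPs are documentation ranges.
# The proxy User-Agent strings are assumptions, not what those services sent.
SAMPLE_LOG = """\
64.233.166.136 - - [19/Jul/2005:10:02:15 -0700] "GET /search.php?q=%3Cscript%3E HTTP/1.1" 200 512 "-" "Google WMLProxy (assumed UA)"
203.0.113.7 - - [19/Jul/2005:10:03:01 -0700] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [19/Jul/2005:10:04:44 -0700] "GET /profile?name=%3Cscript%3E HTTP/1.1" 200 300 "http://www.iyhy.com/" "IYHY transcoder (assumed UA)"
"""

# Addresses and UA/Referer markers meaning "this request came through a
# transcoding proxy, so the source IP identifies the proxy, not the client".
TRANSCODER_IPS = {"64.233.166.136"}          # from the advisory
TRANSCODER_MARKERS = ("wmlproxy", "iyhy")    # assumed markers

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode the request path so an encoded payload is readable in review.
    rec["decoded_path"] = unquote(rec["path"])
    haystack = (rec["ua"] + " " + rec["referer"]).lower()
    rec["via_transcoder"] = (rec["ip"] in TRANSCODER_IPS
                             or any(k in haystack for k in TRANSCODER_MARKERS))
    return rec

def triage(text):
    """Return (all records, records that arrived via a transcoder).
    Nothing is dropped: discarding the proxy's entries is exactly what the
    advisory says makes these attacks invisible in the logs."""
    recs = [r for r in (parse_line(l) for l in text.splitlines()) if r]
    return recs, [r for r in recs if r["via_transcoder"]]

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG)[1]:
        print(r["ip"], r["ts"], r["decoded_path"], "(via transcoder)")
```

Proxied requests are kept with a flag for review rather than attributed to the proxy's address, so the investigation can move to the proxy operator's or the mobile network's own records as the advisory suggests.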