[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050719120512.w3qucmvyflogcwos@www.gnucitizen.org>
Date: Tue, 19 Jul 2005 12:05:12 +0100
From: Petko Petkov <ppetkov@...citizen.org>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Anonymous Web Attacks via Dedicated Mobile
Services
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
Security Risk: UNKNOWN
Publish Data: 2005 July 16
Security Researcher: Petko Petkov
Contact Information: ppetkov@...citizen.org
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc
Synopsis
- --------
Various Mobile Services provide malicious users with an intermediate
point to anonymously browse Web Resources and execute attacks against
them.
Affected Applications
- ---------------------
* Google's WMLProxy
* IYHY
Background
- ----------
WAP stands for Wireless Application Protocol, a communication standard
primarily designed for Information Exchange on various Wireless Terminals
such as mobile telephones. WAP devices work with WML (Wireless Markup Language),
a markup language similar to HTML but more strict because of its XML nature. WML
and HTML are totally different in semantics. As such, there are applications
located on The Internet that are able to transcode from HTML/XHTML to WML.
Description
- -----------
An attacker can take advantage of the Google's WMLProxy Service by sending a
HTTP GET
request with carefully modified URL of a malicious nature. Such request hides
the
attacker's IP address and may slow down future investigations on a successful
breakin
since Google's Services are often over-trusted.
The following URL should reveal the current IP address:
http://ipchicken.com
However, a similar request proxied through WMLProxy:
http://wmlproxy.google.com/wmltrans/u=ipchicken.com
results to:
64.233.166.136 which belongs to Google Inc.
Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it is
primarily
designed for PDAs and Smart Phones. Still, IYHY can be used as an intermediate
point for
launching anonymous attacks. For example the following URL reveals IYHY IP
address:
http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com
Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their
IP address
further. For example, the following URL goes through WMLProxy and IYHY before
getting to
http://ipchiken.com:
http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o
Impact
- ------
Misuse of Services like Google's WMLProxy and IYHY must be considered as a hight
risk in
situations where they are over-trusted. Google's entries are often filtered out
from the
logs making all possible attacks undetectable. Moreover, attackers can make use
of mobile
devices to request dangerous URLs in order to compromise vulnerable Web
Applications.
If such requests are not monitored by the particular mobile network, there is no
way to
detect where the attack is launched from.
Workaround
- ----------
Mobile Services can offer cleaver parameter filtering features to prevent the
execution of
dangerous requests. However, it is important to understand that simple input
validation
technique can be easily circumvented. The tinyurl service can be used to obscure
the dangerous
URLs, bypassing the input validation checks that an application may have.
It is also worth to mention that modifying the requests, in order to stop
certain XSS and
SQL Injection attacks, may completely brake the logic of the proxided Web Site
leaving the users
with unsatisfactory results.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G
SDmdYsnJsSRSMlgCEl6cMX4=
=J9z1
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists