Message-ID: <BAY19-DAV114E26DA3B920C2273599FD9D40@phx.gbl>
Date: Tue Jul 19 18:01:57 2005
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: Anonymous Web Attacks via Dedicated MobileServices

google's language translation also does this..

http://ipchicken.com
http://translate.google.com/translate?u=http://ipchicken.com

m.w

----- Original Message -----
From: "Petko Petkov" <ppetkov@...citizen.org>
To: <bugtraq@...urityfocus.com>
Cc: <full-disclosure@...ts.grok.org.uk>
Sent: Tuesday, July 19, 2005 4:05 AM
Subject: [Full-disclosure] Anonymous Web Attacks via Dedicated MobileServices

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
> Security Risk: UNKNOWN
> Publish Date: 2005 July 16
>
> Security Researcher: Petko Petkov
> Contact Information: ppetkov@...citizen.org
> PGP Key: http://pdp.gnucitizen.org/ppetkov.asc
>
> Synopsis
> - --------
>
> Various Mobile Services provide malicious users with an intermediate
> point to anonymously browse Web Resources and execute attacks against
> them.
>
> Affected Applications
> - ---------------------
>
> * Google's WMLProxy
> * IYHY
>
> Background
> - ----------
>
> WAP stands for Wireless Application Protocol, a communication standard
> primarily designed for Information Exchange on various Wireless Terminals
> such as mobile telephones. WAP devices work with WML (Wireless Markup
> Language), a markup language similar to HTML but more strict because of
> its XML nature. WML and HTML are totally different in semantics. As such,
> there are applications located on The Internet that are able to transcode
> from HTML/XHTML to WML.
>
> Description
> - -----------
>
> An attacker can take advantage of Google's WMLProxy Service by sending
> an HTTP GET request with a carefully modified URL of a malicious nature.
> Such a request hides the attacker's IP address and may slow down future
> investigations of a successful break-in, since Google's Services are
> often over-trusted.
>
> The following URL should reveal the current IP address:
> http://ipchicken.com
>
> However, a similar request proxied through WMLProxy:
> http://wmlproxy.google.com/wmltrans/u=ipchicken.com
> results in:
> 64.233.166.136 which belongs to Google Inc.
>
> Like Google's WMLProxy, IYHY.com is an HTML/XHTML transcoder, although
> it is primarily designed for PDAs and Smart Phones. Still, IYHY can be
> used as an intermediate point for launching anonymous attacks. For
> example, the following URL reveals the IYHY IP address:
> http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com
>
> Attackers are able to chain Google's WMLProxy and IYHY in order to
> obscure their IP address further. For example, the following URL goes
> through WMLProxy and IYHY before getting to http://ipchiken.com:
> http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o
>
> Impact
> - ------
>
> Misuse of Services like Google's WMLProxy and IYHY must be considered
> a high risk in situations where they are over-trusted. Google's entries
> are often filtered out from the logs, making all possible attacks
> undetectable. Moreover, attackers can make use of mobile devices to
> request dangerous URLs in order to compromise vulnerable Web
> Applications. If such requests are not monitored by the particular
> mobile network, there is no way to detect where the attack is launched
> from.
>
> Workaround
> - ----------
>
> Mobile Services can offer clever parameter filtering features to prevent
> the execution of dangerous requests. However, it is important to
> understand that a simple input validation technique can be easily
> circumvented. The tinyurl service can be used to obscure the dangerous
> URLs, bypassing the input validation checks that an application may have.
>
> It is also worth mentioning that modifying the requests, in order to
> stop certain XSS and SQL Injection attacks, may completely break the
> logic of the proxied Web Site, leaving the users with unsatisfactory
> results.
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.0 (MingW32)
>
> iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G
> SDmdYsnJsSRSMlgCEl6cMX4=
> =J9z1
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
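
The log-review gap described under "Impact" in the quoted advisory, as an added example that is not part of either post: a review that drops "trusted" sources before inspection is compared with one that inspects every entry and tags hits relayed through an intermediary. The allowlist, signatures, function names and log lines are all constructed assumptions; only the address 64.233.166.136 comes from the advisory.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: a hypothetical allowlist of sources a site excludes from log
# review. The single address is the one quoted in the advisory.
TRUSTED_NETS = [ipaddress.ip_network("64.233.166.136/32")]

# Illustrative signatures only; a real deployment needs a maintained rule set.
SUSPICIOUS = re.compile(r"<script|union\s+select|'\s*or\s+'?1|\.\./", re.I)

# Common Log Format prefix: client, identd, user, [time], "METHOD target PROTO"
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [19/Jul/2005:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512
64.233.166.136 - - [19/Jul/2005:10:00:05 +0000] "GET /news.php?id=1 HTTP/1.1" 200 734
64.233.166.136 - - [19/Jul/2005:10:00:09 +0000] "GET /news.php?id=1%20UNION%20SELECT%20name%2Cpass%20FROM%20users HTTP/1.1" 200 9120
198.51.100.7 - - [19/Jul/2005:10:00:12 +0000] "GET /search.php?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640
""".splitlines()

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def naive_review(lines):
    """Weak practice: trusted-source entries are skipped before inspection."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and not is_trusted(m.group(1)) and SUSPICIOUS.search(unquote_plus(m.group(3))):
            hits.append((m.group(1), "direct"))
    return hits

def full_review(lines):
    """Inspect every entry; tag hits that arrived through a trusted relay."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and SUSPICIOUS.search(unquote_plus(m.group(3))):
            hits.append((m.group(1), "via-proxy" if is_trusted(m.group(1)) else "direct"))
    return hits
```

A "via-proxy" hit identifies only the intermediary, so tracing the original client depends on records held by the proxy operator.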