lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20050719120512.w3qucmvyflogcwos@www.gnucitizen.org>
Date: Tue Jul 19 12:05:25 2005
From: ppetkov at gnucitizen.org (Petko Petkov)
Subject: Anonymous Web Attacks via Dedicated Mobile
	Services

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
Security Risk: UNKNOWN
Publish Data: 2005 July 16

Security Researcher: Petko Petkov
Contact Information: ppetkov@...citizen.org
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc

Synopsis
- --------

Various Mobile Services provide malicious users with an intermediate
point to anonymously browse Web Resources and execute attacks against
them.

Affected Applications
- ---------------------

 * Google's WMLProxy
 * IYHY

Background
- ----------

WAP stands for Wireless Application Protocol, a communication standard
primarily designed for Information Exchange on various Wireless Terminals
such as mobile telephones. WAP devices work with WML (Wireless Markup Language),
a markup language similar to HTML but more strict because of its XML nature. WML
and HTML are totally different in semantics. As such, there are applications
located on The Internet that are able to transcode from HTML/XHTML to WML.

Description
- -----------

An attacker can take advantage of the Google's WMLProxy Service by sending a
HTTP GET
request with carefully modified URL of a malicious nature. Such request hides
the
attacker's IP address and may slow down future investigations on a successful
breakin
since Google's Services are often over-trusted.

The following URL should reveal the current IP address:
http://ipchicken.com

However, a similar request proxied through WMLProxy:
http://wmlproxy.google.com/wmltrans/u=ipchicken.com
results to:
64.233.166.136 which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it is
primarily
designed for PDAs and Smart Phones. Still, IYHY can be used as an intermediate
point for
launching anonymous attacks. For example the following URL reveals IYHY IP
address:
http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their
IP address
further. For example, the following URL goes through WMLProxy and IYHY before
getting to
http://ipchiken.com:
http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o

Impact
- ------

Misuse of Services like Google's WMLProxy and IYHY must be considered as a hight
risk in
situations where they are over-trusted. Google's entries are often filtered out
from the
logs making all possible attacks undetectable. Moreover, attackers can make use
of mobile
devices to request dangerous URLs in order to compromise vulnerable Web
Applications.
If such requests are not monitored by the particular mobile network, there is no
way to
detect where the attack is launched from.

Workaround
- ----------

Mobile Services can offer cleaver parameter filtering features to prevent the
execution of
dangerous requests. However, it is important to understand that simple input
validation
technique can be easily circumvented. The tinyurl service can be used to obscure
the dangerous
URLs, bypassing the input validation checks that an application may have.

It is also worth to mention that modifying the requests, in order to stop
certain XSS and
SQL Injection attacks, may completely brake the logic of the proxided Web Site
leaving the users
with unsatisfactory results.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G
SDmdYsnJsSRSMlgCEl6cMX4=
=J9z1
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists