Full Disclosure mailing list archives
Re: Anonymous Web Attacks via Dedicated MobileServices
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Tue, 19 Jul 2005 10:02:15 -0700
google's language translation also does this..

http://ipchicken.com
http://translate.google.com/translate?u=http://ipchicken.com

m.w

----- Original Message -----
From: "Petko Petkov" <ppetkov () gnucitizen org>
To: <bugtraq () securityfocus com>
Cc: <full-disclosure () lists grok org uk>
Sent: Tuesday, July 19, 2005 4:05 AM
Subject: [Full-disclosure] Anonymous Web Attacks via Dedicated MobileServices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
Security Risk: UNKNOWN
Publish Date: 2005 July 16
Security Researcher: Petko Petkov
Contact Information: ppetkov () gnucitizen org
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc

Synopsis
- --------
Various Mobile Services provide malicious users with an intermediate point to anonymously browse Web Resources and execute attacks against them.

Affected Applications
- ---------------------
* Google's WMLProxy
* IYHY

Background
- ----------
WAP stands for Wireless Application Protocol, a communication standard primarily designed for Information Exchange on various Wireless Terminals such as mobile telephones. WAP devices work with WML (Wireless Markup Language), a markup language similar to HTML but more strict because of its XML nature. WML and HTML are totally different in semantics. As such, there are applications located on The Internet that are able to transcode from HTML/XHTML to WML.

Description
- -----------
An attacker can take advantage of Google's WMLProxy Service by sending an HTTP GET request with a carefully modified URL of a malicious nature. Such a request hides the attacker's IP address and may slow down future investigations of a successful break-in, since Google's Services are often over-trusted. The following URL should reveal the current IP address:

http://ipchicken.com

However, a similar request proxied through WMLProxy:

http://wmlproxy.google.com/wmltrans/u=ipchicken.com

results in:

64.233.166.136

which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is an HTML/XHTML transcoder, although it is primarily designed for PDAs and Smart Phones. Still, IYHY can be used as an intermediate point for launching anonymous attacks. For example, the following URL reveals the IYHY IP address:

http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their IP address further. For example, the following URL goes through WMLProxy and IYHY before getting to http://ipchiken.com:

http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o

Impact
- ------
Misuse of Services like Google's WMLProxy and IYHY must be considered as a high risk in situations where they are over-trusted. Google's entries are often filtered out from the logs, making all possible attacks undetectable. Moreover, attackers can make use of mobile devices to request dangerous URLs in order to compromise vulnerable Web Applications. If such requests are not monitored by the particular mobile network, there is no way to detect where the attack is launched from.

Workaround
- ----------
Mobile Services can offer clever parameter filtering features to prevent the execution of dangerous requests. However, it is important to understand that simple input validation techniques can be easily circumvented. The tinyurl service can be used to obscure the dangerous URLs, bypassing the input validation checks that an application may have. It is also worth mentioning that modifying the requests, in order to stop certain XSS and SQL Injection attacks, may completely break the logic of the proxied Web Site, leaving the users with unsatisfactory results.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G
SDmdYsnJsSRSMlgCEl6cMX4=
=J9z1
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
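Added example, not part of the original posts: the Impact section's point about Google entries being filtered out of logs, turned into a log-triage check that tags allowlisted sources instead of skipping them. The allowlist range, the marker patterns and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Assumption: a source range the operator habitually excludes from log review.
# 64.233.166.136 is the WMLProxy address quoted in the advisory; the /24
# around it is a constructed allowlist entry, not a statement about Google.
TRUSTED_NETS = [ipaddress.ip_network("64.233.166.0/24")]

# Coarse markers for the attack classes the advisory names (XSS, SQL
# injection); a real deployment would reuse its own IDS/WAF rules here.
SUSPICIOUS = re.compile(r"<script|union\s+select|\.\./", re.I)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3}')

def is_trusted(host):
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # log field holds a hostname, not an address
        return False
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines):
    """Return (source, request_target, via_trusted) for suspicious requests.

    Trusted sources are tagged, never skipped: a transcoding proxy relays
    whatever URL its user supplied, so its address says nothing about intent.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        source, target = m.groups()
        decoded = unquote_plus(unquote_plus(target))  # also catches double encoding
        if SUSPICIOUS.search(decoded):
            findings.append((source, target, is_trusted(source)))
    return findings

# Constructed sample lines in common log format, not taken from real logs.
SAMPLE = [
    '64.233.166.136 - - [19/Jul/2005:10:00:01 -0700] "GET /index.php?id=1 HTTP/1.1" 200 512',
    '64.233.166.136 - - [19/Jul/2005:10:00:05 -0700] "GET /item.php?id=1%20UNION%20SELECT%20name%20FROM%20users HTTP/1.1" 200 734',
    '203.0.113.7 - - [19/Jul/2005:10:01:12 -0700] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300',
    '203.0.113.9 - - [19/Jul/2005:10:02:40 -0700] "GET /about.html HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for source, target, via_trusted in triage(SAMPLE):
        print("REVIEW", source, "(allowlisted source)" if via_trusted else "", target)
```

Entries tagged as coming from an allowlisted source are the ones a blanket log filter would have dropped; the proxy operator's own logs are then the only place the originating client can be found.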
Current thread:
- Anonymous Web Attacks via Dedicated Mobile Services Petko Petkov (Jul 19)
- Re: Anonymous Web Attacks via Dedicated MobileServices Morning Wood (Jul 19)
- RE: Anonymous Web Attacks via DedicatedMobileServices Bojan Zdrnja (Jul 23)
- Re: Anonymous Web Attacks via DedicatedMobileServices Petko Petkov (Jul 25)