[NEWS] Dedicated Mobile Services Carry Out Anonymous Web Attacks

From: SecuriTeam (support_at_securiteam.com)
Date: 07/20/05

    To: list@securiteam.com
    Date: 20 Jul 2005 14:28:23 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Dedicated Mobile Services Carry Out Anonymous Web Attacks
    ------------------------------------------------------------------------

    SUMMARY

    WAP (Wireless Application Protocol) is a communication standard designed
    primarily for information exchange on wireless terminals such as mobile
    telephones. WAP devices work with WML (Wireless Markup Language), a markup
    language similar to HTML but stricter because of its XML nature. WML and
    HTML differ completely in semantics, so there are applications on the
    Internet that transcode HTML/XHTML into WML.

    Various Mobile Services provide malicious users with an intermediate point
    to anonymously browse web resources and execute attacks against them.

    DETAILS

    Vulnerable Systems:
     * Google's WMLProxy
     * IYHY

    An attacker can take advantage of Google's WMLProxy service by sending it
    an HTTP GET request whose URL parameter has been carefully modified to
    carry a malicious request. Such a request hides the attacker's IP address
    and may slow down the investigation of a successful break-in, since
    Google's services are often over-trusted.

    The following URL should reveal the current IP address:
    http://ipchicken.com

    However, the same request proxied through WMLProxy:
    http://wmlproxy.google.com/wmltrans/u=ipchicken.com
    results in:
    64.233.166.136, which belongs to Google Inc.

    Like Google's WMLProxy, IYHY.com is an HTML/XHTML transcoder, although it
    is primarily designed for PDAs and smart phones. Still, IYHY can be used
    as an intermediate point for launching anonymous attacks. For example, the
    following URL reveals IYHY's IP address:
    http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

    Attackers are able to chain Google's WMLProxy and IYHY in order to obscure
    their IP address further. For example, the following URL passes through
    WMLProxy and IYHY before reaching http://ipchicken.com:
    http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o

    Misuse of services like Google's WMLProxy and IYHY must be considered a
    high risk in situations where they are over-trusted. Google's entries are
    often filtered out of the logs, making any attack carried through them
    undetectable. Moreover, attackers can use mobile devices to request
    dangerous URLs in order to compromise vulnerable web applications. If such
    requests are not monitored by the particular mobile network, there is no
    way to determine where the attack was launched from.
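The advisory's warning is that discarding "trusted" proxy addresses from log review hides the attack itself. The following log triage script is an added example for this page, not code from the advisory or from SecuriTeam: it parses constructed combined-format access log lines, flags requests that match a few generic attack-shape heuristics, and keeps entries arriving from a transcoding proxy rather than dropping them, tagging each with the proxy it came through so the analyst knows the logged address is the proxy's and that the proxy operator's records are the next place to look. The Google address is the one the advisory observed; the IYHY address, the log lines and the heuristic patterns are constructed for the example.

```python
import re
from ipaddress import ip_address
from urllib.parse import unquote

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Source addresses of transcoding proxies. 64.233.166.136 is the address the
# advisory reports for Google's WMLProxy; the second entry is a constructed
# placeholder for IYHY (the advisory does not give its address).
TRANSCODER_IPS = {
    ip_address("64.233.166.136"): "wmlproxy.google.com",
    ip_address("198.51.100.7"): "iyhy.com (placeholder address)",
}

# Coarse request-shape heuristics, constructed for the example. A real
# deployment would use its WAF/IDS signature set instead.
SUSPICIOUS = [
    ("path traversal", re.compile(r"\.\./")),
    ("script tag", re.compile(r"<script", re.I)),
    ("sql keyword", re.compile(r"(?:union\s+select|'\s*or\s+1=1)", re.I)),
]


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the names of the heuristics the decoded request path matches."""
    path = unquote(entry["path"])
    return [name for name, rx in SUSPICIOUS if rx.search(path)]


def triage(lines):
    """Flag suspicious requests without dropping those that arrive via a transcoder.

    Each record carries 'via_transcoder' naming the proxy (or None), so a hit
    from a proxy address is investigated, not dismissed as "just Google".
    """
    flagged = []
    for line in lines:
        e = parse_line(line)
        if not e:
            continue
        hits = classify(e)
        if not hits:
            continue
        try:
            src = ip_address(e["ip"])
        except ValueError:
            src = None
        flagged.append({
            "ts": e["ts"],
            "ip": e["ip"],
            "path": e["path"],
            "indicators": hits,
            "via_transcoder": TRANSCODER_IPS.get(src),
        })
    return flagged


def filter_out_trusted(lines):
    """The practice the advisory warns about: drop proxy entries before review."""
    prefixes = tuple(str(ip) + " " for ip in TRANSCODER_IPS)
    return [line for line in lines if not line.startswith(prefixes)]


# Constructed sample log for the example; not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Jul/2005:14:01:02 +0200] "GET /index.html HTTP/1.1" 200 512 "-" "ConstructedUA/1.0"',
    '64.233.166.136 - - [20/Jul/2005:14:01:09 +0200] "GET /view.php?id=1%27%20OR%201=1 HTTP/1.0" 200 2048 "-" "ConstructedUA/1.0"',
    '64.233.166.136 - - [20/Jul/2005:14:01:15 +0200] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 200 1024 "-" "ConstructedUA/1.0"',
    '203.0.113.9 - - [20/Jul/2005:14:02:30 +0200] "GET /download?file=../../etc/passwd HTTP/1.1" 404 300 "-" "ConstructedUA/1.0"',
]

if __name__ == "__main__":
    for rec in triage(SAMPLE_LOG):
        print(rec)
    # Reviewing only the "filtered" log loses two of the three hits.
    print("hits after filtering out proxies:", len(triage(filter_out_trusted(SAMPLE_LOG))))
```

Running the block shows three flagged requests, two of them tagged as coming through wmlproxy.google.com; reviewing the log after `filter_out_trusted` leaves only one, which is exactly the blind spot the advisory describes.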

    Workaround:
    Mobile services can offer clever parameter-filtering features to prevent
    the execution of dangerous requests. However, it is important to
    understand that simple input validation techniques can be easily
    circumvented: the tinyurl service can be used to obscure a dangerous URL,
    bypassing whatever input validation checks the application performs.

    It is also worth mentioning that modifying requests in order to stop
    certain XSS and SQL injection attacks may completely break the logic of
    the proxied web site, leaving users with unsatisfactory results.
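The two workaround paragraphs make a design point for anyone operating a transcoding proxy: a filter applied only to the URL the user submitted is defeated by a shortener redirect, and rewriting requests breaks the target site. The following is an added example, not code from the advisory or from any of the services it names: it follows the redirect chain hop by hop (through an injected `head` callable so the example runs offline; a deployment would issue HTTP HEAD requests with automatic redirects disabled), applies the same filter to every hop, and rejects rather than rewrites. The shortener table, the `short.example` and `target.example` hostnames and the blocked-pattern regex are constructed for the example.

```python
import re
from urllib.parse import unquote, urljoin

# Generic request-shape patterns the proxy refuses to fetch; constructed for
# the example, a real service would carry a maintained signature set.
BLOCKED = re.compile(r"(?:<script|\.\./|union\s+select|'\s*or\s+1=1)", re.I)

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


class RedirectError(Exception):
    pass


def naive_allow(url):
    """The weak setting: checks only the URL the user submitted."""
    return not BLOCKED.search(unquote(url))


def resolve_chain(url, head, max_hops=5):
    """Return every URL in the redirect chain, the final target last.

    `head` is a callable (url) -> (status, location_or_None). Relative
    Location headers are resolved against the URL that issued them.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = head(chain[-1])
        if status not in REDIRECT_STATUSES or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise RedirectError("redirect chain longer than %d hops" % max_hops)


def hardened_allow(url, head):
    """Apply the filter to every hop, and refuse rather than rewrite.

    Returns (allowed, reason). Bounding the chain length also stops a
    shortener loop from tying up the proxy.
    """
    try:
        chain = resolve_chain(url, head)
    except RedirectError:
        return False, "too many redirects"
    for hop in chain:
        if BLOCKED.search(unquote(hop)):
            return False, "blocked pattern at %s" % hop
    return True, "ok"


# Constructed redirect table standing in for a URL shortener; not a real service.
SHORTENER = {
    "http://short.example/abc": (301, "http://target.example/view.php?id=1%27%20OR%201=1"),
    "http://short.example/loop": (302, "http://short.example/loop"),
    "http://short.example/rel": (302, "/news?id=2"),
}


def fake_head(url):
    """Offline stand-in for an HTTP HEAD request with redirects disabled."""
    return SHORTENER.get(url, (200, None))


if __name__ == "__main__":
    for u in ("http://short.example/abc", "http://short.example/loop", "http://short.example/rel"):
        print(u, "naive:", naive_allow(u), "hardened:", hardened_allow(u, fake_head))
```

The shortened URL passes `naive_allow` because nothing in `http://short.example/abc` looks dangerous; `hardened_allow` follows the 301 and rejects the chain at its destination, while the harmless relative redirect is still allowed unchanged.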

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:ppetkov@gnucitizen.org>
    Petko Petkov.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

