-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Security Notice: Anonymous Web Attacks via Dedicated Mobile Services Security Risk: UNKNOWN Publish Data: 2005 July 16 Security Researcher: Petko Petkov Contact Information: ppetkov@gnucitizen.org PGP Key: http://pdp.gnucitizen.org/ppetkov.asc Synopsis - -------- Various Mobile Services provide malicious users with an intermediate point to anonymously browse Web Resources and execute attacks against them. Affected Applications - --------------------- * Google's WMLProxy * IYHY Background - ---------- WAP stands for Wireless Application Protocol, a communication standard primarily designed for Information Exchange on various Wireless Terminals such as mobile telephones. WAP devices work with WML (Wireless Markup Language), a markup language similar to HTML but more strict because of its XML nature. WML and HTML are totally different in semantics. As such, there are applications located on The Internet that are able to transcode from HTML/XHTML to WML. Description - ----------- An attacker can take advantage of the Google's WMLProxy Service by sending a HTTP GET request with carefully modified URL of a malicious nature. Such request hides the attacker's IP address and may slow down future investigations on a successful breakin since Google's Services are often over-trusted. The following URL should reveal the current IP address: http://ipchicken.com However, a similar request proxied through WMLProxy: http://wmlproxy.google.com/wmltrans/u=ipchicken.com results to: 64.233.166.136 which belongs to Google Inc. Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it is primarily designed for PDAs and Smart Phones. Still, IYHY can be used as an intermediate point for launching anonymous attacks. For example the following URL reveals IYHY IP address: http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com Attackers are able to chain Google's WMLProxy and IYHY in order to obscure their IP address further. For example, the following URL goes through WMLProxy and IYHY before getting to http://ipchiken.com: http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o Impact - ------ Misuse of Services like Google's WMLProxy and IYHY must be considered as a hight risk in situations where they are over-trusted. Google's entries are often filtered out from the logs making all possible attacks undetectable. Moreover, attackers can make use of mobile devices to request dangerous URLs in order to compromise vulnerable Web Applications. If such requests are not monitored by the particular mobile network, there is no way to detect where the attack is launched from. Workaround - ---------- Mobile Services can offer cleaver parameter filtering features to prevent the execution of dangerous requests. However, it is important to understand that simple input validation technique can be easily circumvented. The tinyurl service can be used to obscure the dangerous URLs, bypassing the input validation checks that an application may have. It is also worth to mention that modifying the requests, in order to stop certain XSS and SQL Injection attacks, may completely brake the logic of the proxided Web Site leaving the users with unsatisfactory results. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G SDmdYsnJsSRSMlgCEl6cMX4= =J9z1 -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/