Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Anonymous Web Attacks via Dedicated MobileServices

from [Morning Wood] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Anonymous Web Attacks via Dedicated MobileServices
Date: Tue, 19 Jul 2005 10:02:15 -0700 
google's language translation also does this..
http://ipchicken.com
http://translate.google.com/translate?u=http://ipchicken.com

m.w

----- Original Message ----- 
From: "Petko Petkov" <ppetkov@gnucitizen.org>
To: <bugtraq@securityfocus.com>
Cc: <full-disclosure@lists.grok.org.uk>
Sent: Tuesday, July 19, 2005 4:05 AM
Subject: [Full-disclosure] Anonymous Web Attacks via Dedicated
MobileServices



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
Security Risk: UNKNOWN
Publish Data: 2005 July 16

Security Researcher: Petko Petkov
Contact Information: ppetkov@gnucitizen.org
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc

Synopsis
- --------

Various Mobile Services provide malicious users with an intermediate
point to anonymously browse Web Resources and execute attacks against
them.

Affected Applications
- ---------------------

 * Google's WMLProxy
 * IYHY

Background
- ----------

WAP stands for Wireless Application Protocol, a communication standard
primarily designed for Information Exchange on various Wireless Terminals
such as mobile telephones. WAP devices work with WML (Wireless Markup

Language),

a markup language similar to HTML but more strict because of its XML

nature. WML

and HTML are totally different in semantics. As such, there are

applications

located on The Internet that are able to transcode from HTML/XHTML to WML.

Description
- -----------

An attacker can take advantage of the Google's WMLProxy Service by sending

a

HTTP GET
request with carefully modified URL of a malicious nature. Such request

hides

the
attacker's IP address and may slow down future investigations on a

successful

breakin
since Google's Services are often over-trusted.

The following URL should reveal the current IP address:
http://ipchicken.com

However, a similar request proxied through WMLProxy:
http://wmlproxy.google.com/wmltrans/u=ipchicken.com
results to:
64.233.166.136 which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it is
primarily
designed for PDAs and Smart Phones. Still, IYHY can be used as an

intermediate

point for
launching anonymous attacks. For example the following URL reveals IYHY IP
address:
http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to obscure

their

IP address
further. For example, the following URL goes through WMLProxy and IYHY

before

getting to
http://ipchiken.com:
http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o

Impact
- ------

Misuse of Services like Google's WMLProxy and IYHY must be considered as a

hight

risk in
situations where they are over-trusted. Google's entries are often

filtered out

from the
logs making all possible attacks undetectable. Moreover, attackers can

make use

of mobile
devices to request dangerous URLs in order to compromise vulnerable Web
Applications.
If such requests are not monitored by the particular mobile network, there

is no

way to
detect where the attack is launched from.

Workaround
- ----------

Mobile Services can offer cleaver parameter filtering features to prevent

the

execution of
dangerous requests. However, it is important to understand that simple

input

validation
technique can be easily circumvented. The tinyurl service can be used to

obscure

the dangerous
URLs, bypassing the input validation checks that an application may have.

It is also worth to mention that modifying the requests, in order to stop
certain XSS and
SQL Injection attacks, may completely brake the logic of the proxided Web

Site

leaving the users
with unsatisfactory results.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)

iD8DBQFC3NPjFf/6vxAyUpgRAjIdAKC2YLXNSlWPLOTF9rMAS+hERte8IQCfR18G
SDmdYsnJsSRSMlgCEl6cMX4=
=J9z1
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Anonymous Anonymity - Request For Comments, Craig Skelton
Next by Date:  Re: Internet Explorer / MSN ICC Profiles Crash PoC Exploit, mark . handy
Previous by Thread:  [Full-disclosure] Anonymous Web Attacks via Dedicated Mobile Services, Petko Petkov
Next by Thread:  RE: [Full-disclosure] Anonymous Web Attacks via DedicatedMobileServices, Bojan Zdrnja
Indexes:  [Date] [Thread] [Top] [All Lists]