
[NEWS] Dedicated Mobile Services Carry Out Anonymous Web Attacks

Subject: [NEWS] Dedicated Mobile Services Carry Out Anonymous Web Attacks
Date: 20 Jul 2005 14:28:23 +0200
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com



  Dedicated Mobile Services Carry Out Anonymous Web Attacks
------------------------------------------------------------------------


SUMMARY

WAP stands for Wireless Application Protocol, a communication standard 
primarily designed for Information Exchange on various Wireless Terminals 
such as mobile telephones. WAP devices work with WML (Wireless Markup 
Language), a markup language similar to HTML but more strict because of 
its XML nature. WML and HTML are totally different in semantics. As such, 
there are applications located on the Internet that are able to transcode 
from HTML/XHTML to WML.

Various Mobile Services provide malicious users with an intermediate point 
to anonymously browse web resources and execute attacks against them.

DETAILS

Vulnerable Systems:
 * Google's WMLProxy
 * IYHY

An attacker can take advantage of Google's WMLProxy service by sending 
an HTTP GET request with a carefully modified URL of a malicious nature. 
Such a request hides the attacker's IP address and may slow down future 
investigations of a successful break-in, since Google's services are often 
over-trusted.

The following URL should reveal the current IP address:
http://ipchicken.com

However, a similar request proxied through WMLProxy:
http://wmlproxy.google.com/wmltrans/u=ipchicken.com
results in:
64.233.166.136, which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is an HTML/XHTML transcoder, although it 
is primarily designed for PDAs and Smart Phones. Still, IYHY can be used as 
an intermediate point for launching anonymous attacks. For example, the 
following URL reveals IYHY's IP address:
http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to obscure 
their IP address further. For example, the following URL goes through 
WMLProxy and IYHY before getting to http://ipchicken.com:
http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o

Misuse of services like Google's WMLProxy and IYHY must be considered a 
high risk in situations where they are over-trusted. Google's entries are 
often filtered out from the logs, making all possible attacks undetectable. 
Moreover, attackers can make use of mobile devices to request dangerous 
URLs in order to compromise vulnerable Web Applications. If such requests 
are not monitored by the particular mobile network, there is no way to 
detect where the attack is launched from.
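
Added example (not part of the original advisory): a log review that drops "trusted" proxy entries before inspection, next to one that inspects every entry and tags proxied hits so the analyst knows the logged IP is not the origin. The log lines, the allowlisted network and the patterns are constructed assumptions; only 64.233.166.136 comes from the advisory.

```python
import ipaddress
import re
from urllib.parse import unquote

# Hypothetical allowlist entry covering the proxy address quoted in the advisory.
TRANSCODER_NETS = [ipaddress.ip_network("64.233.166.0/24")]

# Constructed Common Log Format lines; client addresses other than
# 64.233.166.136 are documentation addresses, paths are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jul/2005:14:01:10 +0200] "GET /index.php?id=4 HTTP/1.1" 200 5120
64.233.166.136 - - [20/Jul/2005:14:02:31 +0200] "GET /news.php?page=2 HTTP/1.1" 200 2290
64.233.166.136 - - [20/Jul/2005:14:03:02 +0200] "GET /item.php?id=1%27%20OR%20%271%27=%271 HTTP/1.1" 200 8841
198.51.100.23 - - [20/Jul/2005:14:04:45 +0200] "GET /search.php?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1033
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')
# Illustrative patterns only; a real deployment would use its own rule set.
SUSPICIOUS_RE = re.compile(r"<script|'\s*or\s+'|union\s+select", re.IGNORECASE)


def from_transcoder(ip):
    """True when the client address belongs to a known transcoding proxy."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRANSCODER_NETS)


def is_suspicious(target):
    """Match the patterns against the URL-decoded request target."""
    return bool(SUSPICIOUS_RE.search(unquote(target)))


def findings(log_text, skip_trusted):
    """Return (ip, timestamp, target, proxied) for each suspicious request.

    skip_trusted=True reproduces the habit the advisory warns about:
    entries from trusted networks are discarded before inspection.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, when, _method, target, _status = m.groups()
        proxied = from_transcoder(ip)
        if skip_trusted and proxied:
            continue
        if is_suspicious(target):
            hits.append((ip, when, target, proxied))
    return hits


if __name__ == "__main__":
    print("trusted entries dropped:", findings(SAMPLE_LOG, skip_trusted=True))
    print("all entries inspected:  ", findings(SAMPLE_LOG, skip_trusted=False))
```

A hit with proxied set to True means the timestamp and target, not the IP, are what to hand to the proxy operator when asking for the originating client.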

Workaround:
Mobile Services can offer clever parameter filtering features to prevent 
the execution of dangerous requests. However, it is important to 
understand that simple input validation techniques can be easily 
circumvented. The tinyurl service can be used to obscure the dangerous 
URLs, bypassing the input validation checks that an application may have.

It is also worth mentioning that modifying the requests in order to stop 
certain XSS and SQL Injection attacks may completely break the logic of 
the proxied Web Site, leaving the users with unsatisfactory results.


ADDITIONAL INFORMATION

The information has been provided by Petko Petkov 
<ppetkov@gnucitizen.org>.


