[NEWS] Dedicated Mobile Services Carry Out Anonymous Web Attacks

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Dedicated Mobile Services Carry Out Anonymous Web Attacks
------------------------------------------------------------------------


SUMMARY

WAP stands for Wireless Application Protocol, a communication standard 
primarily designed for Information Exchange on various Wireless Terminals 
such as mobile telephones. WAP devices work with WML (Wireless Markup 
Language), a markup language similar to HTML but more strict because of 
its XML nature. WML and HTML are totally different in semantics. As such, 
there are applications located on the Internet that are able to transcode 
from HTML/XHTML to WML.

Various Mobile Services provide malicious users with an intermediate point 
to anonymously browse web resources and execute attacks against them.

DETAILS

Vulnerable Systems:
 * Google's WMLProxy
 * IYHY

An attacker can take advantage of the Google's WMLProxy Service by sending 
a HTTP GET request with carefully modified URL of a malicious nature. Such 
request hides the attacker's IP address and may slow down future 
investigations on a successful break-in since Google's Services are often 
over-trusted.

The following URL should reveal the current IP address:
http://ipchicken.com

However, a similar request proxied through WMLProxy:
http://wmlproxy.google.com/wmltrans/u=ipchicken.com
results to:
64.233.166.136 which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it is 
primarily designed for PDAs and Smart Phones. Still, IYHY can be used as 
an intermediate point for launching anonymous attacks. For example the 
following URL reveals IYHY IP address:
http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to obscure 
their IP address further. For example, the following URL goes through 
WMLProxy and IYHY before getting to
http://ipchiken.com:
http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o

Misuse of Services like Google's WMLProxy and IYHY must be considered as a 
hight risk in situations where they are over-trusted. Google's entries are 
often filtered out from the logs making all possible attacks undetectable. 
Moreover, attackers can make use of mobile devices to request dangerous 
URLs in order to compromise vulnerable Web Applications. If such requests 
are not monitored by the particular mobile network, there is no way to 
detect where the attack is launched from.

Workaround:
Mobile Services can offer cleaver parameter filtering features to prevent 
the execution of dangerous requests. However, it is important to 
understand that simple input validation technique can be easily 
circumvented. The tinyurl service can be used to obscure the dangerous 
URLs, bypassing the input validation checks that an application may have.

It is also worth to mention that modifying the requests, in order to stop 
certain XSS and SQL Injection attacks, may completely brake the logic of 
the proxided Web Site leaving the users with unsatisfactory results.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:ppetkov@xxxxxxxxxxxxxx> 
Petko Petkov.



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.