-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Security Notice: Anonymous Web Attacks via Dedicated Mobile Services
Security Risk: UNKNOWN
Publish Data: 2005 July 16

Security Researcher: Petko Petkov
Contact Information: ppetkov@gnucitizen.org
PGP Key: http://pdp.gnucitizen.org/ppetkov.asc

Synopsis
- ---------

Various Mobile Services provide malicious users with an intermediate
point to anonymously browse Web Resources and execute attacks against
them.

Affected Applications
- ----------------------

 * Google's WMLProxy
 * IYHY

Background
- ------------

WAP stands for Wireless Application Protocol, a communication standard
primarily designed for Information Exchange on various Wireless
Terminals such as mobile telephones. WAP devices work with WML
(Wireless Markup Language), a markup language similar to HTML but more
strict because of its XML nature. WML and HTML are totally different
in semantics. As such, there are applications located on The Internet
that are able to transcode from HTML/XHTML to WML.

Description
- ------------

An attacker can take advantage of the Google's WMLProxy Service by
sending a HTTP GET request with carefully modified URL of a malicious
nature. Such request hides the attacker's IP address and may slow down
future investigations on a successful breakin since Google's Services
are often over-trusted.

The following URL should reveal the current IP address:
http://ipchicken.com

However, a similar request proxied through WMLProxy:
http://wmlproxy.google.com/wmltrans/u=ipchicken.com
results to:
64.233.166.136 which belongs to Google Inc.

Like Google's WMLProxy, IYHY.com is HTML/XHTML transcoder, although it
is primarily designed for PDAs and Smart Phones. Still, IYHY can be
used as an intermediate point for launching anonymous attacks. For
example the following URL reveals IYHY IP address:
http://www.iyhy.com/?a=http%3A%2F%2Fipchicken.com

Attackers are able to chain Google's WMLProxy and IYHY in order to
obscure their IP address further. For example, the following URL goes
through WMLProxy and IYHY before getting to http://ipchiken.com:
http://wmlproxy.google.com/wmltrans/u=tinyurl.com@2f9g65o

Impact
- -------

Misuse of Services like Google's WMLProxy and IYHY must be considered
as a hight risk in situations where they are over-trusted. Google's
entries are often filtered out from the logs making all possible
attacks undetectable. Moreover, attackers can make use of mobile
devices to request dangerous URLs in order to compromise vulnerable
Web Applications. If such requests are not monitored by the particular
mobile network, there is no way to detect where the attack is launched
from.

Workaround
- -------------

Mobile Services can offer cleaver parameter filtering features to
prevent the execution of dangerous requests. However, it is important
to understand that simple input validation technique can be easily
circumvented. The tinyurl service can be used to obscure the dangerous
URLs, bypassing the input validation checks that an application may have.
It is also worth to mention that modifying the requests, in order to
stop certain XSS and SQL Injection attacks, may completely brake the
logic of the proxided Web Site leaving the users with unsatisfactory
results.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
 
iD8DBQFC3heXFf/6vxAyUpgRAj7FAKCHCZZPFdd/UdL018MOwPRC5ShROACcDuSR
/1zd7B7ax6+Zf5hVjSwR0Pk=
=TeEv
-----END PGP SIGNATURE-----