MMS Spoofing

Information about MMS Spoofing

Published on August 30, 2007

Author: Clown

Source: authorstream.com

Content

A case study of a Web Application vulnerability

Matteo Meucci, OWASP-Italy Chair, ICT Security Consultant – CISSP, Business-e
[email protected]
http://www.owasp.org/local/italy.html

Agenda:
Web application analysis
Authentication and billing of the MMS service
Application vulnerability
Analysis of the attack

MMS spoofing & billing

We describe a case study of a public MMS service provided by a TELCO. This vulnerability would allow an attacker to send a spoofed MMS while charging the credit of an unaware user. This paradigmatic scenario shows how poor session management in a web application can be used to break the authentication scheme. We want to show how two-factor authentication can be broken when developers write bad code (a trivial session-management error).

Scenario

Actors: Attacker; Spoofed sender (victim); Receiver (gets an MMS from the spoofed sender); Web application; MMS Platform; TELCO Network.

The company has developed a web application allowing a mobile subscriber to compose and send an MMS to another user. The sender is authenticated using an OTP received via SMS. In this presentation we describe how it is possible to send a spoofed MMS to a user while charging another, unaware user (-0.7 euro of credit!!!).

How Authentication & Billing work

[1] Sender composes an MMS, inserts the Receiver's MSISDN and begins the authentication process
[2] Server sends a form asking for [MSISDN Sender]
[3] POST MSISDN Sender
[4] Network sends a Short Message Service (SMS) message with the OTP via GSM; server sends a form asking for [OTP]
[5] POST the OTP received on the mobile phone; two-factor authentication (OTP) OK
[6] Server sets the cookies OTP and MSISDN on the browser
[7] Call the servlet to charge the user: charge Sender, send MMS to Receiver
[8] Send MMS to Receiver via GPRS: sent MMS ok!

How to charge another subscriber

[7] Call the servlet to bill the user with the cookie received. If the attacker changes the HTTP GET, altering MSISDN Sender with the spoofed MSISDN (victim), the spoofed MSISDN is billed and the MMS is sent to the Receiver.

Let's show the vulnerability in the authentication scheme

Target: send an MMS to a user (MSISDN = 3xxxxxxx20) by charging another, spoofed user (MSISDN = 3xxxxxxx99).

---Network Message-- Your credit is: 38.7000 Euro (initial credit of the spoofed user 3xxxxxx99)

Preparing the lesson. Tools for the attacker (MSISDN = 3xxxxxxx59): mobile phone, web browser, Internet connection, proxy to intercept HTTP requests/responses (e.g. WebScarab).

Walkthrough (Attacker = 59, Receiver = 20, Spoofed user = 99, Web Server):

[1] Sender composes an MMS, inserts the Receiver's MSISDN and begins the authentication process
[2-3] OTP request: server sends a form [MSISDN Sender]; POST MSISDN Sender
[4] OTP arrives on the sender's mobile phone: network sends the SMS with the OTP via GSM; server sends the form [OTP received on mobile phone]
[5] POST the OTP received on the mobile phone via web
[6] Authentication and Set-Cookie. Authentication with OTP ok!
Set-Cookie: codeOneShot=51566
Set-Cookie: msisdnOneShot=3xxxxxxx59
Set-Cookie: sessionID=B46G0HyPA1u2YQZW8en5TfcllGH1o3d44q4Y48….
Two-factor authentication (OTP) OK; server sets the cookies OTP and MSISDN on the browser
[7] Hacking the billing: call the servlet to bill the user. Charge Sender 3xxxxxxx99 !!
[8] Sent MMS ok! Send MMS to Receiver via GPRS. -0.7 euro

Conclusion

It was possible to send an MMS to a mobile destination modifying the sender Mobile Subscriber. It was possible to send an MMS and bill another mobile user without his approval. It was possible to decrease the credit of a mobile subscriber. MMS spoofing & billing! How secure was session management??? The vulnerability is now fixed.
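The session-management error the slides describe, as an added illustration that is not the TELCO's code nor part of the original presentation: a simulated billing step that trusts the client-supplied sender MSISDN (step [7] as described) next to a fixed version that bills only the MSISDN bound server-side to the session. Parameter name msisdnSender, the credit values and the accounts are constructed assumptions; the cookie names come from the slides.

```python
import secrets
from dataclasses import dataclass

# Constructed sample accounts in euro: attacker 59, spoofed victim 99, receiver 20
CREDIT = {"3xxxxxxx59": 10.0, "3xxxxxxx99": 38.7, "3xxxxxxx20": 5.0}
MMS_PRICE = 0.7

@dataclass
class Request:
    cookies: dict   # what the browser sends back (sessionID, msisdnOneShot, ...)
    params: dict    # query parameters of the billing GET (assumed name msisdnSender)

SESSIONS = {}       # server-side store: sessionID -> MSISDN verified by the OTP

def authenticate(msisdn, otp_sent, otp_posted):
    """Steps [3]-[6]: on a correct OTP, bind the verified MSISDN to a new session."""
    if not secrets.compare_digest(otp_sent, otp_posted):
        return None
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = msisdn
    return sid

def charge_vulnerable(req, credit):
    """Step [7] as on the slides: authenticated, but bills whatever MSISDN the client sends."""
    if req.cookies.get("sessionID") not in SESSIONS:
        raise PermissionError("not authenticated")
    msisdn = req.params.get("msisdnSender") or req.cookies.get("msisdnOneShot")
    credit[msisdn] -= MMS_PRICE
    return msisdn

def charge_fixed(req, credit):
    """Bills only the MSISDN tied to the session; client-side copies are ignored."""
    msisdn = SESSIONS.get(req.cookies.get("sessionID"))
    if msisdn is None:
        raise PermissionError("not authenticated")
    if credit[msisdn] < MMS_PRICE:
        raise ValueError("insufficient credit")
    credit[msisdn] -= MMS_PRICE
    return msisdn

def demo():
    """Authenticated user 59 submits a billing request naming 99 as sender."""
    credit = dict(CREDIT)
    sid = authenticate("3xxxxxxx59", "51566", "51566")
    req = Request(cookies={"sessionID": sid, "msisdnOneShot": "3xxxxxxx59"},
                  params={"msisdnSender": "3xxxxxxx99"})
    billed_vuln = charge_vulnerable(req, credit)   # 99 pays: the slides' bug
    billed_fixed = charge_fixed(req, credit)       # 59 pays: session-bound billing
    return billed_vuln, billed_fixed, credit
```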
