advertisement

MMS Spoofing

60 %
40 %
advertisement
Information about MMS Spoofing
Product-Training-Manuals

Published on August 30, 2007

Author: Clown

Source: authorstream.com

advertisement

A case study of a Web Application vulnerability:  A case study of a Web Application vulnerability Matteo Meucci OWASP-Italy Chair ICT Security Consultant – CISSP Business-e matteo.meucci@business-e.it http://www.owasp.org/local/italy.html A case-study of a Web Application vulnerability:  A case-study of a Web Application vulnerability Web application’s analisys Autentication and Billing of the MMS service Application Vulnerability Attacks’s Analisys Slide3:  MMS spoofing andamp; billing We describe a case-study of a public MMS service provided by a TELCO. This vulnerability would allow an attacker to send a spoofed MMS charging the credit of an unaware user. This paradigmatic scenario shows how a poor session management of a web application can be used to break the authentication scheme. We want to show how a two factor authentication can be broken if developers make bad code (a trivial error of session management) Scenario:  Scenario Receiver: MMS from spoofed sender Attacker Spoofed sender (victim) MMS Platform Web application TELCO Network The company has developed a web application allowing a mobile subscriber to compose and send an MMS to another user. The sender is authenticated using an OTP received via SMS. In this presentation we describe how it is possible to send an MMS spoofed to a user by charging another unaware user. -0.7 euro credit !!! How Authentication & Billing work:  How Authentication andamp; Billing work [1] Sender compose a MMS – insert MSISDN Receiver– begin authc. process [2] Server send a form asking for [MSISDN Sender] [3] POST MSISDN Sender [4] Network send Short Message Service (SMS) with OTP via GSM [4] Server send a form asking [OTP] [5] POST OTP received on mobile phone Two factor authentication (OTP) OK [6] Server set cookie OTP, MSISDN on browser [7] Call the servlet to charge the user Charge Sender Send MMS to Receiver [8] Send MMS to Receiver via GPRS Sender Receiver Web App [8] Sent MMS ok! TELCO Network How to charge another subscriber:  How to charge another subscriber [7] Call the servlet to bill the user with cookie received Billing spoofed MSISDN! Send MMS to Receiver If the attacker change the HTTP GET, altering MSISDN Sender with the spoofed MSISDN (victim)… Attacker Receiver Web App TELCO Network Spoofed user Slide7:  Let’s show the vulnerabilty in the Authentication scheme Slide8:  Target: Send an MMS to a user (MSISDN = 3xxxxxxx20) by charging another spoofed user (MSISDN = 3xxxxxxx99) ---Network Message-- Your credit is: 38.7000 Euro; initial credit of spoofed user of 3xxxxxx99 Preparing the lesson Tools for the attacker (MSISDN = 3xxxxxxx59): Mobile phone Web browser Internet connection Proxy to intercept HTTP request/response (e.g. WebScarab) [1] Sender compose an MMS – insert MSISDN Receiver– begin authc. process :  [1] Sender compose an MMS – insert MSISDN Receiver– begin authc. process [1] Sender compose a MMS – insert MSISDN Receiver– begin authentication process Attacker (59) Rec.(20) Web Server Spoof.(99) [2-3] OTP Request:  [2-3] OTP Request [1] Sender compose a MMS – insert MSISDN Receiver– begin authc. process [2] Server send a form [MSISDN Sender] Attacker (59) Rec.(20) Web Server [3] POST MSISDN Sender Spoof.(99) Slide11:  [4] OTP arrives on sender’s mobile phone [1] Sender compose an MMS – insert MSISDN Receiver– begin authc. process [2] Server send a form [MSISDN Sender] [3] POST MSISDN Sender [4] Network send Short Message Service (SMS) with OTP via GSM [4] Server send form [OTP received on mobile phone] Attacker (59) Rec.(20) Web Server Spoof.(99) Slide12:  [1] Sender compose a MMS – insert MSISDN Receiver– begin authc. process [2] Server send a form [MSISDN Sender] [3] POST MSISDN Sender [4] Network send Short Message Service (SMS) with OTP via GSM [4] Server send form [OTP received on mobile phone] [5] POST OTP received on mobile phone [5] POST OTP via web Attacker (59) Rec.(20) Web Server Spoof.(99) Slide13:  [1] Sender compose a MMS – insert MSISDN Receiver– begin authc. process [2] Server send a form [MSISDN Sender] [3] POST MSISDN Sender [4] Network send Short Message Service (SMS) with OTP via GSM [4] Server send form [OTP received on mobile phone] [5] POST OTP received on mobile phone [6] Authentication and Set Cookie Attacker (59) Rec.(20) Web Server Authentication with OTP ok! Set-Cookie: codeOneShot=51566 Set-Cookie: msisdnOneShot=3xxxxxxx59 Set-Cookie: sessionID=B46G0HyPA1u2YQZW8en5TfcllGH1o3d44q4Y48…. Spoof.(99) Two factor authentication (OTP) OK [6] Server set cookie OTP, MSISDN on browser [7] Hacking the billing:  [1] Sender compose a MMS – insert MSISDN Receiver– begin authc. process Sender Rec. Web Server Spoof. [7] Hacking the billing [2] Server send a form [MSISDN Sender] [3] POST MSISDN Sender [4] Network send Short Message Service (SMS) with OTP via GSM [4] Server send form [OTP received on mobile phone] [5] POST OTP received on mobile phone Two factor authentication (OTP) OK [6] Server set cookie OTP, MSISDN on browser [7] Call the servlet to bill the user Charge Sender 3xxxxxxx99 !! [8] Sent MMS ok:  [8] Sent MMS ok [1] Sender compose a MMS – insert MSISDN Receiver– begin authc. process [2] Server send a form [MSISDN Sender] [3] POST MSISDN Sender [4] Network send Short Message Service (SMS) with OTP via GSM [4] Server send form [OTP received on mobile phone] [5] POST OTP received on mobile phone Two factor authentication (OTP) OK [6] Server set cookie OTP, MSISDN on browser [7] Call the servlet to charge the user Charge Sender Send MMS to Receiver [8] Send MMS to Receiver via GPRS [8] Sent MMS ok! Sender Rec. Web Server Spoof. -0.7 euro Slide16:  It was possible to send an MMS to a mobile destination modifying the sender Mobile Subscriber: It was possible to send an MMS and bill another mobile user without his approval. It was possible to decrease the credit of a mobile subscriber MMS spoofing andamp; billing! How secure was session management??? The vulnerability is now fixed.

Add a comment

Related presentations

Related pages

SMS Spoofing - Everything You Ever Wanted To Know About ...

SMS spoofing and everything you ever wanted to know about it. The history of SMSspoofing.com, how SMS spoofing is done, where it works, ...
Read more

MMS Spoofing (T.A.F.T. aka There's an Attack For That ...

The following video demonstrates performing a MMS spoofing attack on two live iPhones which are being recoreded via VNC. This is an ...
Read more

Spoof SMS - The Secret Weapon You Should Have Been Using

What we’re spoofing is our own secret identity as the author of that content. The SMS is sent discreetly without the Target user’s awareness, ...
Read more

Fake SMS. SMS Spoofing. Send Anonymous SMS | SMSGang.com

If you've ever wanted to send a fake SMS to one of your friends, then this is the site for you! SMS Gang provide you with the ultimate SMS spoofing service ...
Read more

WWW.SPOOFTEL.COM - Caller ID Spoofing - SMS made easy ...

SpoofTel.com provides caller ID spoofing and SMS. Call Spoofing has never been easier using SpoofTel.com
Read more

Spoof My Text | Send Fake SMS Spoofing Messages.

SMS Spoofing works on ANY phone! Connect with: Signup/Login with Facebook! Login. Register; User. Pass @ Goss Inc. 2016. Main menu. Skip to content. Home ...
Read more

Send spoof SMS|Cell phone tracking|FlexiSPY

Read MMS messages; Send fake SMS messages; ... Spoofing Tools; You will need physical access to the device. iPhone requires Jailbreak. Android may require ...
Read more

mobile - How can SMS spoofing be detected? - Information ...

How can SMS spoofing be detected? up vote 10 down vote favorite. SMS spoofing involves faking the source ID, by replacing it with alphanumeric text.
Read more

FakeMSG - Customised Sender ID for your SMS

Fake it, Spoof it, Stay Anonymous - Customised Sender ID for your SMS - FakeMSG.com
Read more

MMS vs SMS - Difference and Comparison | Diffen

MMS versus SMS comparison chart; MMS SMS; Stands for: Multimedia Messaging Service: Short Message Service: Transmission mechanism: Messages are sent to the ...
Read more