Subject: Re: WAP & HTTP->WTP
From: Vitaly Osipov (vos TELENOR.CZ)
Date: Wed Oct 04 2000 - 10:40:18 CDT
- Next message: Stefan Sundkvist: "SV: WAP & HTTP->WTP"
- Previous message: Bill Hayes: "JetDirect Card DoS exploit?"
- In reply to: Roelof Temmingh: "WAP & HTTP->WTP"
- Next in thread: Stefan Sundkvist: "SV: WAP & HTTP->WTP"
- Reply: Vitaly Osipov: "Re: WAP & HTTP->WTP"
AFAIK this works a bit differently, so I'll make notes below:
----- Original Message -----
From: "Roelof Temmingh" <roelof SENSEPOST.COM>
To: <VULN-DEV SECURITYFOCUS.COM>
Sent: Wednesday, October 04, 2000 1:31 AM
Subject: WAP & HTTP->WTP
> The way I understand how WAP works is as follows:
>
> 1. Phone connects to a normal RAS service (NT RAS, Shiva, whatever) via PPP.
Seems like it should be RADIUS only - at least I was not able to connect via NT RAS.
> 2. Phone sends request (WTP) to WAP gateway on UDP port 9201
Or actually there is a range 9201-9210, but the most used are 9201 and 9202 - the connectionless service and the somewhat connection-oriented one.
> 3. WAP GW connects HTTP/HTTPS to a webserver
yes, over good old Internet
> (4). WAP GW possibly changes some HTML into WML
It's the most common mistake - the main task of a gateway is to convert the text representation of WML into a byte-code representation (all the specs are available at the wapforum site - www.wapforum.com). Only some gateways (very few) can do translation from HTML to WML as an option; mostly such reformatting is done on the web server itself (sometimes when I browse Yahoo! news on a mobile phone, I get "reformatting engine unavailable" messages :) )
> 5. GW responds (WTP) (either native or converted) to the phone - UDP again.
In particular it sends that byte-code representation of the WML page to the handset.
>
> The requests the user enters on the phone are normal URLs. Let us assume that
> the user is asking for something like:
>
> http://target/iissamples/issamples/query.asp.
>
> Let us assume that the GW converts the HTML response to WML (is this
> right?). The phone now gets the response in WML and the user can run searches.
A rare thing, as I said.. but I guess you can find some reformatting gateways and use them if you want, so e.g. you can browse ASP source code in the previous example (if the victim's host is on an unpatched IIS, which displays ASP source when a dot is added to the script name).
>
> Let us take it a bit further. Let us assume that the server (the webserver) has
> many exploitable CGIs etc., and I want to scan these - but the webserver is
> only accessible via the WAP GW. What I need is a reverse WAP GW so that
Almost all WAP servers do not have any restrictions on connections from anywhere, so you can scan as usual. And if it is restricted to talk only to a gateway (which is strange, because it then can be used only with a specific gateway, that is, with a specific operator), there is a very small probability that this gateway is translating HTML to WML, so your scenario is highly improbable...
> the complete picture looks like this:
>
> [scanner]<--HTTP(TCP)->
> [converter (reverse WAP GW)]<--WTP(UDP)-->
> [WAP GW]<--HTTP(TCP)->
> [webserver]
>
> Am I right in saying that this is possible? Has anyone experience with this? Is
> there a HTTP->WTP and HTML->WML converter?
>
There are HTML<->WML converters, but WTP is not a parallel of HTTP but of TCP - a transport-level protocol, not an application-level one (actually when used on GSM data connections it is just UDP, but it can be implemented even over SMS :) )
> Another question. I downloaded a few WAP emulators. Nice..but the problem
> is that these emulators also act as a WAP GW. That is - should you monitor
They do not, they just connect to the server and get the text representation of WML pages, skipping the part of encoding/decoding it to the bytecode representation.
> network traffic going out of the emulator you should see normal HTTP traffic -
> it does not use a WAPGW (it seems builtin, or it only supports native WML
> sites). Is there a WAP emulator that can make use of an (external) WAPGW as
> the real phones do?
Try the Nokia WAP Toolkit - at forum.nokia.com - a very nice thing; it once helped me to resolve some terrible problem with a Nokia gateway. It can do whatever you want and display the whole transaction flow plus compiled bytecode etc...
regards,
Vitaly.