Hello x-wap-profile I Didn't Notice You There
@ Aug. 31, 2010, 11:41 p.m.
Filed under: Code Tech Security Python
After reading about some of the stupid that some mobile companies do when proxying their mobile traffic I decided to look at what my phone gave up. Luckily I didn't find anything way out there in the headers but I did find out about a header I didn't know about: x-wap-profile.
Before I continue let me say that I didn't find anything new :-). This is simply my own 'oh wait, what is this?' moment when playing with my phone.
The contents of the header had a URL. In my case it was http://device.sprintpcs.com/HTC/APA9292KT/latest. To my sadness it is an XML document. XML is the overly chatty great grandmother of modern markups. It doesn't understand why you don't understand it half the time. It also smells funny. Anyway, after a bit of Python I could read the XML in a more human-friendly form: YAML. Note, this is some ugly and inefficient code but it was written to nicely see the data ....
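    #!/usr/bin/env python3
    """
    Terrible but works way to find out info about mobile clients.
    """
    import re
    import sys
    import urllib.request

    import yaml
    from lxml import etree

    # lxml reports namespaced tags as "{namespace-uri}Name"; drop the prefix.
    rx = re.compile(r'\{.*\}')
    no_tabs = re.compile(r"[\t\n]*")

    # The profile is remote, untrusted XML: no entity expansion and no
    # network access from inside the parser.
    parser = etree.XMLParser(resolve_entities=False, no_network=True)
    xml = etree.XML(urllib.request.urlopen(sys.argv[1], timeout=10).read(), parser)

    results = {}
    prev_key = None
    for ele in xml.iter():
        # Comments and processing instructions have a non-string tag.
        if isinstance(ele.tag, str):
            tag = rx.sub('', ele.tag)
            text = no_tabs.sub('', str(ele.text))
            if tag == "Bag":
                continue
            if tag == "li":
                # First <li> under a key: swap the key's text for a list.
                if not isinstance(results.get(prev_key), list):
                    results[prev_key] = []
                results[prev_key].append(text)
            else:
                prev_key = tag
                results[tag] = text

    print(yaml.dump(results, default_flow_style=False))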
The code simply snags the XML from the URL and then uses some ugly parsing/hacks to transform it. Here is the output from my phone's header:
    $ python wtf.py http://device.sprintpcs.com/HTC/APA9292KT/latest
    AcceptDownloadableSoftware: 'Yes'
    AdvertisingCapable: N/A
    AntiSpam: 'No'
    AntiSpamVendor: N/A
    AntiVirus: 'No'
    AntiVirusVendor: N/A
    AudioCodecsForDecoding:
    - mp3
    - aac
    - aac+
    - eaac+
    - amr-nb
    - amr-wb
    - qcelp
    - wma
    - evrc
    - midi
    AudioCodecsForEncoding:
    - AMR-NB
    - QCELP
    AudioInputEncoder:
    - gzip
    - deflate
    AudioJack: 3.5mm
    BitsPerPixel: '16'
    BrowserName: Android Browser
    BrowserPortalVersion: ''
    BrowserVersion: Eclair 2.0
    CPU: ARM11
    CamcorderResolution: 1280x720
    CamcorderZoomCapable: 'Yes'
    CameraBuiltInFlash: 2x power LED
    CameraHighestImageResolution: 3624x2488
    CameraMegaPixels: 8M
    CameraZoomCapable: 'Yes'
    CcppAccept:
    - application/vnd.oma.drm.rights+xml
    - application/ogg
    - application/smil
    - application/vnd.oma.drm.message
    - application/vnd.wap.mms-message
    - application/vnd.wap.multipart.alternative
    - application/vnd.wap.multipart.mixed
    - application/vnd.wap.multipart.related
    - application/vnd.wap.sic
    - application/vnd.wap.xhtml+xml
    - application/vnd.oma.dd+xml
    - application/java-archive
    - audio/aac
    - audio/amr
    - audio/imelody
    - audio/mid
    - audio/midi
    - audio/mp3
    - audio/mpeg3
    - audio/mpeg
    - audio/mpg
    - audio/x-mpeg3
    - audio/x-mpeg
    - audio/x-mpg
    - audio/x-mid
    - audio/x-midi
    - audio/x-mp3
    - image/gif
    - image/jpeg
    - image/jpg
    - image/png
    - image/vnd.wap.wbmp
    - video/mpeg4
    - video/mp4
    - text/plain
    - text/html
    CcppAccept-Charset:
    - ISO-10646-UCS-2
    - ISO-8859-1
    - US-ASCII
    - UTF-8
    CcppAccept-Language: ''
    ColorCapable: 'Yes'
    CommerceCapable: N/A
    ConnectionManagerVendor: N/A
    ConnectionManagerVersion: N/A
    DataNetworkTypes:
    - IS2000
    - EVDO
    - WiMax
    - WiFi
    Description: ''
    DeviceIdentifierType:
    - MEID
    DeviceType: Android Touch
    DiagnosticsClientVendor: CIQ
    DiagnosticsClientVersion: 3.2.18
    DiagnosticsProtocolVersion: 3.2.18
    DownStreamBufferSize: None
    DownloadableBrowserApps:
    - 'No'
    DownloadableSoftwareSupport:
    - application/java-archive
    EmailCapable: 'Yes'
    EmbeddedApplicationsCapable: 'Yes'
    ExternalMemoryMaxSize: 32GB SDHC
    ExternalMemorySlot: 'Yes'
    FirmwareVersionWiMAXRadioModule: 4.6.2.1 build22766
    FixedVoIPCapable: 'No'
    FotaClientVendor: SmithMicro
    FotaClientVersion: ''
    FotaProtocolVersion: 1.5.1
    FramesCapable: 'Yes'
    GLMSClientVendor: ''
    GLMSClientVersion: ''
    GLMSProtocolVersion: ''
    GPSChipsetModel: '8650'
    GPSChipsetVendor: Qualcomm
    GamingCapable: 'Yes'
    HardwareVersion: '1.0'
    IMVideoCallingCapable: 'No'
    IOTAProtocolVersion: N/A
    ImageCapable: 'Yes'
    InputCharSet:
    - US-ASCII
    - UTF-8
    - ISO-8859-1
    - ISO-10646-UCS-2
    IntelligentSearchCapable: 'Yes'
    JVMVersion:
    - N/A
    JavaAppletEnabled: 'Yes'
    JavaEnabled: 'No'
    JavaPlatform:
    - N/A
    JavaScriptEnabled: 'Yes'
    Keyboard: TouchKeypad
    LBSCapable: 'Yes'
    MI-UICapable: ''
    MI-UIVersion: ''
    ManufacturerWiMAXRadioModule: SEQUANS
    MobileOriginatedSmsSupport: 'Yes'
    MobileTVORVODCapable: 'Yes'
    Model: '9292'
    ModelWiMAXRadioModule: SQN1210
    MultimediaEncoder: Qualcomm Qcamcorder
    MultimediaEncoderDisplaySize:
    - '800x480 '
    - '640x480 '
    - '320x240 '
    - '176x144 '
    - 128x96
    MultimediaEncodingSupport: ''
    MultimediaFileFormatForDecoder:
    - MPEG4
    - 3GP
    - 3G2
    - AAC
    - AMR
    - MID
    - MP3
    - WMA
    - WMV
    MultimediaFileFormatForEncoder:
    - MPEG4
    - 3GP
    - 3G2
    MultimediaMaximumBitRateForEncoding: 5000 kbps
    MultimediaMaximumBitRateForPlayback: 5000 kps
    MultimediaMaximumBitRateForStreaming: 1200 kbps
    MultimediaMaximumFrameRateForEncoding: 24 fps
    MultimediaMaximumFrameRateForPlayback: 30 fps
    MultimediaMaximumFrameRateForStreaming: '30 fps '
    MultimediaPlaybackSupport: ''
    MultimediaPlayer: 'Yes'
    MultimediaStreamingSupport: ''
    MultimediaVideoDisplaySize:
    - '800x480 '
    NavigationSupport:
    - Touch Screen
    NumberOfSoftKeys: '0'
    OMADMCapable: 'Yes'
    OMADMVendor: SmithMicro
    OMADMVersion: '2.0'
    OSName: Android
    OSVendor: QUALCOMM
    OSVersion: QSD8650/Eclair
    OnDemandCapable: ''
    OnDemandVersion: ''
    OutputCharSet:
    - US-ASCII
    - UTF-8
    - ISO-8859-1
    - ISO-10646-UCS-2
    PictureMailSupport: 'Yes'
    PixelAspectRatio: 1x1
    PreferenceForFrames: 'Yes'
    PssVersion: 3GPP-R6
    Push-Accept:
    - text/plain
    Push-Accept-AppID:
    - None
    - None
    Push-Accept-Encoding:
    - base64
    Push-MsgSize: '4096'
    RDF: ''
    RadioCapable: 'yes'
    ScreenSize: 480x800
    ScreenSizeChar: 25x21
    SecuritySupport:
    - SSL-3.0
    - TLS-1.0
    Seq:
    - en-us
    - es-us
    SoftwareNumber: 3.26.651.6
    SoundOutputCapable: 'Yes'
    SprintMcdVersion: 3.5.4
    StandardFontProportional: 'Yes'
    SupportedApplications:
    - Album
    - Browser
    - Calculator
    - Calendar
    - Camcorder
    - Camera
    - Dialer
    - FlashLite Plug-in for Browser
    - Footprints
    - HTC Sync
    - Lock Screen
    - Mail
    - Messages
    - Microsoft Exchange ActiveSync
    - Music (integrate with Ringto Trimmer)
    - OOBE
    - PDF Viewer
    - People
    - Quickoffice
    - Settings
    - Social Network
    - Stocks
    - Windows Media Streaming Player
    - Teeter
    - Voice Recorder
    - Weather
    - World Clock
    - Amazon MP3
    - Sprint Navigation
    - Remote Diagnostic
    - Sprint TV
    - NFL
    - NASCAR
    - Voice Dialer
    - Visual Voicemail
    SupportedBearers:
    - IS2000/rel0
    TablesCapable: 'Yes'
    TextInputCapable: 'Yes'
    TotalDeviceFlash: 1GB ROM
    TotalDeviceMemory: 512MB RAM
    UpStreamBufferSize: None
    VOIPAnalogJacks: ZERO
    Vendor: HTC
    VideoCodecsForDecoding:
    - MPEG4 simple profile
    - H.263 Profile 0
    - H.264 Baseline
    - Motion-JPEG
    VideoCodecsForEncoding:
    - MPEG4
    - H263
    VideoMailSupport: 'Yes'
    VoiceChatCapable: 'Yes'
    VoiceInputCapable: 'Yes'
    WapDeviceClass: C
    WapVersion: '2.0'
    WmlDeckSize: ''
    WmlVersion:
    - None
    XhtmlModules:
    - Mobule-based XHTML W3C Recommendation
    XhtmlVersion: XHTML-Basic/1.0
    component: ''
    type: None
After seeing all this information a few things came to mind. The first was that not all the data was correct. For instance, the OS version is wrong. The second was that it seems like a lot more information than should be shared by simply browsing a site. When browsing with a desktop/laptop/netbook you give up some information. For instance, the machine I'm using right now reports that I'm using Linux on an x86_64 machine with the Chromium browser. Obviously, the phone gives up a lot more information. It states that (by default) the device has no antispam or antivirus. It also states the kinds of networks which can be used, versions of hardware components, hardware specs and even default installed applications (many of which cannot be removed). I don't know about you but this is more info than I like to give to sites I'm simply browsing. What if a vulnerability is found in one of those default apps which can be triggered via the browser or through downloads? What if the browser itself is vulnerable if it can decode certain formats? What if someone hard-codes debug credentials in a certain software/firmware version? etc... It seems like this is a near perfect source of information for tailoring smart drive-by exploits.
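For auditing what your own device's profile gives away, here is an added example (not the post's code): a namespace-aware reading that keeps rdf:Bag and rdf:Seq lists under their own attribute (the script above files the language list under `Seq`) and groups values by the kinds of disclosure listed above. The sample document is constructed from values in the output above, the `prf` namespace URI is a placeholder, and the category rules and function names are assumptions.

```python
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
# Constructed sample (values from the output above; prf namespace URI is a placeholder).
SAMPLE = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
 xmlns:prf="http://example.com/uaprof-schema#">
<rdf:Description rdf:ID="Profile"><prf:component>
 <rdf:Description rdf:ID="SoftwarePlatform">
  <prf:AntiVirus>No</prf:AntiVirus><prf:AntiVirusVendor>N/A</prf:AntiVirusVendor>
  <prf:SoftwareNumber>3.26.651.6</prf:SoftwareNumber>
  <prf:CcppAccept-Language><rdf:Seq>
   <rdf:li>en-us</rdf:li><rdf:li>es-us</rdf:li></rdf:Seq></prf:CcppAccept-Language>
  <prf:SecuritySupport><rdf:Bag>
   <rdf:li>SSL-3.0</rdf:li><rdf:li>TLS-1.0</rdf:li></rdf:Bag></prf:SecuritySupport>
 </rdf:Description></prf:component></rdf:Description>
</rdf:RDF>"""

# Assumed grouping: attribute-name fragments for the disclosure kinds the post lists.
CATEGORIES = {
    "security posture": ("AntiSpam", "AntiVirus", "SecuritySupport"),
    "software versions": ("Version", "SoftwareNumber"),
    "installed applications": ("SupportedApplications",),
    "networks": ("DataNetworkTypes", "SupportedBearers"),
}

def parse_uaprof(xml_text):
    """Map each attribute to its text, or to a list for rdf:Bag / rdf:Seq."""
    profile = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.startswith(RDF):
            continue  # rdf:RDF, rdf:Description, the containers and rdf:li
        name = el.tag.rsplit("}", 1)[-1]
        items = el.findall(f"./*/{RDF}li")
        if items:
            profile[name] = [(li.text or "").strip() for li in items]
        elif len(el) == 0:  # plain leaf; wrappers such as prf:component are skipped
            profile[name] = (el.text or "").strip()
    return profile

def disclosures(profile):
    report = {}
    for name, value in profile.items():
        if value not in ("", "N/A"):  # ignore attributes that carry no information
            for category, fragments in CATEGORIES.items():
                if any(f in name for f in fragments):
                    report.setdefault(category, {})[name] = value
    return report

print(disclosures(parse_uaprof(SAMPLE)))
```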
If you want to look at other profiles see Google search.

