lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <47E465D5.8070709@simplistix.co.uk>
Date: Sat, 22 Mar 2008 01:50:13 +0000
From: Chris Withers <chris@...plistix.co.uk>
To: bugtraq@...urityfocus.com
Subject: hacking the mitsubishi GB-50A

Hi All,

Well, it's been over 4 months since my plea for a security contact at 
Mitsubishi Electric to come forward. Since no one has, I thought I'd 
release a POC for hacking one.

It's not exactly hard, the web controller uses a nasty set of Java 
applets to interact with itself. The shocking thing is that these 
communicate using a series of xml packets and absolutely zero 
authentication or encryption :-(

Oh, and just in case you thought about maybe putting something secure 
like an ssl webserver proxying the thing, these java applets are hard 
coded to connect back to port 80 on the originating host using HTTP :-(

Still, you should get an idea of how the box is *supposed* to be used by 
the fact that its ip address is set with dip switches where the 
192.168.1 bit is hard coded!

*sigh*

Well, please find attached a little python script that will let you turn 
on or off every aircon unit attached to a GB-50 that you know the ip 
address of. Minor modifications will let you change the set point and 
mode too, so you might be able to turn off a data centres aircon *or* 
turn an office's aircon up to 28'C and then turn it all on ;-)

The plus side is that because it's so rediculously insecure, it's not 
that hard to build a secure web app that can interact with it and then 
just firewall it off from anywhere harmful...

If you have a GB-50 or a GB-50A, please make very sure you keep it on 
its own private network until Mitsubishi Electric find a clue stick to 
hit themselves with!

cheers,

Chris

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk

View attachment "pwnz.py" of type "text/plain" (1061 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ