Message-ID: <F9C0B32C4FFE7147BD0FF6A40BE806E7038CA4@Hammer_Exchange.hammerofgod.com>
Date: Wed, 18 Jun 2008 10:11:12 -0700
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: <security-basics@...ts.securityfocus.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: A more detailed description of the Jura F90 vulnerability.

Have you shared all of this with the manufacturer first?

t

> -----Original Message-----
> From: Craig Wright [mailto:Craig.Wright@....com.au]
> Sent: Tuesday, June 17, 2008 11:10 PM
> To: security-basics@...ts.securityfocus.com; bugtraq@...urityfocus.com
> Subject: A more detailed description of the Jura F90 vulnerability.
> 
> 
> The issue is a lack of input validation. OWASP would be a great
> learning exercise for the coders on this product. It seems to be
> assumed that only trust-worthy users will connect only to trust-worthy
> sites. I could not find any evidence of input validation.
> 
> Through the magic of Web Scarab and Paros proxy, one can capture the
> Internet communications used by the F90 Internet Connection Kit
> software. What you soon see is that the software does not account for
> either bypassing the local application and changing the input or in
> spoofed and re-directed sites.
> 
> The software does not validate the site it gets the information from
> nor does it sufficiently validate the input to the software.
> 
> At the moment as I think there are so few people as crazy as I am who
> actually have to have a gadget just as it is Internet connected; this
> is not likely to become a widespread attack vector.
> 
> The software is an oversized web proxy with other stuff to connect to
> the coffee machine thrown in. Jura did not make the assumption that an
> evil attacker could purposefully modify and publish "evil" coffee
> "recipes".
> 
> I have been taking the updated SANS@...e 610 course. I have a GREM, but
> Lenny and the other guys have added an additional component to the
> Reverse Engineering Malware Course. So I had to take it.
> 
> The course focuses on analysing and reversing malware, but IDA and Olly
> work on binaries of all types and the bad combination of a bottle of
> good riesling and 9 coffees after midnight is not a good combination.
> Hence I decided to attack my coffee maker and the control software.
> 
> There are certain aspects of code (like the ever faithful GETS()
> function) that should be beaten from existence. Others need to be
> securely configured such that all the required variable fields are
> entered correctly (see SPRINTF()). Unfortunately the coders at Jura did
> not consider that "bad people" would ever attack a coffee maker ;).
> 
> There are 2 main attacks that I have noted,
> 1       Loading a malicious setting or recipe into the device causing a
> "coffee overflow" etc.
> 2       More seriously, not validating the input correctly coupled with
> a lack of authorisation of the source and nothing to stop invalid data
> at the host means that malformed strings can be fed to the software
> that can either crash the system or if crafted correctly run a binary
> on the host.
> 
> So, as most people who check this list no doubt know, not validating
> input is bad. Trusting the web as you have a piece of custom software
> that is closed source and a belief that users are all nice is bad.
> 
> Regards,
> Craig Wright GSE-Compliance
> 
> PS for DMCA compliance reasons I would state that I was not reversing
> the software, but rather inputting unusual coffee recipes that had a
> strange binary flavour ;)
> 
> Craig Wright
> Manager, Risk Advisory Services
> 
> Direct : +61 2 9286 5497
> Craig.Wright@....com.au
> +61 417 683 914
> 
> BDO Kendalls (NSW-VIC) Pty. Ltd.
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> http://www.bdo.com.au/
> 
> The information in this email and any attachments is confidential. If
> you are not the named addressee you must not read, print, copy,
> distribute, or use in any way this transmission or any information it
> contains. If you have received this message in error, please notify the
> sender by return email, destroy all copies and delete it from your
> system.
> 
> Any views expressed in this message are those of the individual sender
> and not necessarily endorsed by BDO Kendalls. You may not rely on this
> message as advice unless subsequently confirmed by fax or letter signed
> by a Partner or Director of BDO Kendalls. It is your responsibility to
> scan this communication and any files attached for computer viruses and
> other defects. BDO Kendalls does not accept liability for any loss or
> damage however caused which may result from this communication or any
> files attached. A full version of the BDO Kendalls disclaimer, and our
> Privacy statement, can be found on the BDO Kendalls website at
> http://www.bdo.com.au/ or by emailing mailto:administrator@....com.au.
> 
> BDO Kendalls is a national association of separate partnerships and
> entities. Liability limited by a scheme approved under Professional
> Standards Legislation.
> 

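A defensive illustration of the two points Craig raises, bounded reads instead of gets()/sprintf() and validation of every field of a recipe before it is stored, added here as example code that is not part of either message and not Jura's software; the `name;volume_ml;temp_c` line format, the field ranges and the function names are assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical recipe record "name;volume_ml;temp_c" (constructed format;
 * the real F90 protocol is not documented in the thread). */
#define NAME_MAX_LEN 31
struct recipe { char name[NAME_MAX_LEN + 1]; long volume_ml; long temp_c; };

/* Parse one decimal field into *out, rejecting trailing junk and values
 * outside [lo, hi]. Returns 0 on success, -1 on any validation failure. */
static int parse_bounded_long(const char *s, long lo, long hi, long *out) {
    char *end;
    if (*s == '\0') return -1;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (errno != 0 || *end != '\0' || v < lo || v > hi) return -1;
    *out = v;
    return 0;
}

/* Validate and copy one recipe line received from the network. Unlike a
 * gets()/sprintf() pipeline, the line length, the field count, the name
 * charset and every numeric range are checked before anything is stored,
 * so an oversized or malformed line is dropped instead of overrunning a
 * fixed buffer. Returns 0 if accepted, -1 if rejected. */
int parse_recipe(const char *line, struct recipe *out) {
    char buf[128];
    size_t n = strlen(line);
    /* Refuse lines that would not fit the working buffer (gets() cannot). */
    if (n == 0 || n >= sizeof buf) return -1;
    memcpy(buf, line, n + 1);
    char *name = strtok(buf, ";");
    char *vol = strtok(NULL, ";");
    char *temp = strtok(NULL, ";");
    if (!name || !vol || !temp || strtok(NULL, ";") != NULL) return -1;
    /* Name: bounded length plus an alphanumeric/space allow-list. */
    size_t nl = strlen(name);
    if (nl == 0 || nl > NAME_MAX_LEN) return -1;
    for (size_t i = 0; i < nl; i++)
        if (!isalnum((unsigned char)name[i]) && name[i] != ' ') return -1;
    struct recipe r;
    /* snprintf with an explicit size in place of sprintf into a fixed array. */
    snprintf(r.name, sizeof r.name, "%s", name);
    if (parse_bounded_long(vol, 20, 300, &r.volume_ml) != 0) return -1;
    if (parse_bounded_long(temp, 70, 98, &r.temp_c) != 0) return -1;
    *out = r;
    return 0;
}
```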