Have you shared all of this with the manufacturer first?

> -----Original Message-----
> From: Craig Wright [mailto:Craig.Wright@xxxxxxxxxx]
> Sent: Tuesday, June 17, 2008 11:10 PM
> To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: A more detailed description of the Jura F90 vulnerability.
>
>
> The issue is a lack of input validation. OWASP would be a great
> learning exercise for the coders on this product. It seems to be
> assumed that only trustworthy users will connect only to trustworthy
> sites. I could not find any evidence of input validation.
>
> Through the magic of Web Scarab and Paros proxy, one can capture the
> Internet communications used by the F90 Internet Connection Kit
> software. What you soon see is that the software does not account for
> either bypassing the local application and changing the input or
> spoofed and re-directed sites.
>
> The software does not validate the site it gets the information from
> nor does it sufficiently validate the input to the software.
>
> At the moment as I think there are so few people as crazy as I am who
> actually have to have a gadget just as it is Internet connected; this
> is not likely to become a widespread attack vector.
>
> The software is an oversized web proxy with other stuff to connect to
> the coffee machine thrown in. Jura did not make the assumption that an
> evil attacker could purposefully modify and publish "evil" coffee
> "recipes".
>
> I have been taking the updated SANS@Home 610 course. I have a GREM, but
> Lenny and the other guys have added an additional component to the
> Reverse Engineering Malware Course. So I had to take it.
>
> The course focuses on analysing and reversing malware, but IDA and Olly
> work on binaries of all types and the bad combination of a bottle of
> good riesling and 9 coffees after midnight is not a good combination.
> Hence I decided to attack my coffee maker and the control software.
>
> There are certain aspects of code (like the ever faithful GETS()
> function) that should be beaten from existence. Others need to be
> securely configured such that all the required variable fields are
> entered correctly (see SPRINTF()). Unfortunately the coders at Jura did
> not consider that "bad people" would ever attack a coffee maker ;).
>
> There are 2 main attacks that I have noted:
> 1 Loading a malicious setting or recipe into the device causing a
> "coffee overflow" etc.
> 2 More seriously, not validating the input correctly coupled with
> a lack of authorisation of the source and nothing to stop invalid data
> at the host means that malformed strings can be fed to the software
> that can either crash the system or if crafted correctly run a binary
> on the host.
>
> So, as most people who check this list no doubt know, not validating
> input is bad. Trusting the web as you have a piece of custom software
> that is closed source and a belief that users are all nice is bad.
>
> Regards,
> Craig Wright GSE-Compliance
>
> PS for DMCA compliance reasons I would state that I was not reversing
> the software, but rather inputting unusual coffee recipes that had a
> strange binary flavour ;)
>
> Craig Wright
> Manager, Risk Advisory Services
>
> Direct : +61 2 9286 5497
> Craig.Wright@xxxxxxxxxx
> +61 417 683 914
>
> BDO Kendalls (NSW-VIC) Pty. Ltd.
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> http://www.bdo.com.au/
>
> The information in this email and any attachments is confidential. If
> you are not the named addressee you must not read, print, copy,
> distribute, or use in any way this transmission or any information it
> contains. If you have received this message in error, please notify the
> sender by return email, destroy all copies and delete it from your
> system.
>
> Any views expressed in this message are those of the individual sender
> and not necessarily endorsed by BDO Kendalls.
> You may not rely on this
> message as advice unless subsequently confirmed by fax or letter signed
> by a Partner or Director of BDO Kendalls. It is your responsibility to
> scan this communication and any files attached for computer viruses and
> other defects. BDO Kendalls does not accept liability for any loss or
> damage however caused which may result from this communication or any
> files attached. A full version of the BDO Kendalls disclaimer, and our
> Privacy statement, can be found on the BDO Kendalls website at
> http://www.bdo.com.au/ or by emailing mailto:administrator@xxxxxxxxxxx
>
> BDO Kendalls is a national association of separate partnerships and
> entities. Liability limited by a scheme approved under Professional
> Standards Legislation.
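The fix Craig's post points at (bounded copies instead of gets()/sprintf(), plus validation of every field that arrives from a web site the software did not authenticate) as an added example that is not part of the original post and is not Jura's code: a hypothetical C parser for a fetched coffee "recipe" that rejects anything over-long, non-printable, out of range, duplicated or unknown rather than trusting the site. The recipe format, field names and limits are constructed for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical recipe record and limits, constructed for this example;
 * they are not the real format used by the Jura software. */
#define NAME_MAX 31
struct recipe { char name[NAME_MAX + 1]; int strength; int water_ml; };
/* Bounded copy that also rejects non-printable bytes (no gets()/strcpy()). */
static int copy_name(const char *src, size_t len, char *dst)
{
    if (len == 0 || len > NAME_MAX) return -1;
    for (size_t i = 0; i < len; i++)
        if (!isprint((unsigned char)src[i])) return -1;
    memcpy(dst, src, len); dst[len] = '\0';
    return 0;
}
/* Range-checked integer parse; strtol's end pointer catches trailing junk. */
static int parse_int(const char *s, size_t len, int lo, int hi, int *out)
{
    char tmp[12], *end;
    if (len == 0 || len >= sizeof tmp) return -1;
    memcpy(tmp, s, len); tmp[len] = '\0';
    long v = strtol(tmp, &end, 10);
    if (end == tmp || *end != '\0' || v < lo || v > hi) return -1;
    *out = (int)v;
    return 0;
}
/* Parse "name=<text>;strength=<1-5>;water=<30-300>" fetched from an untrusted
 * site: returns 0 only if every field is present, well-formed and in range. */
int parse_recipe(const char *line, struct recipe *r)
{
    int seen = 0, bit; size_t seglen;
    for (const char *p = line; *p; p += seglen + (p[seglen] == ';')) {
        seglen = strcspn(p, ";");
        const char *eq = memchr(p, '=', seglen);
        if (!eq) return -1;
        size_t klen = (size_t)(eq - p), vlen = seglen - klen - 1;
        if (klen == 4 && !memcmp(p, "name", 4))
            bit = copy_name(eq + 1, vlen, r->name) ? 0 : 1;
        else if (klen == 8 && !memcmp(p, "strength", 8))
            bit = parse_int(eq + 1, vlen, 1, 5, &r->strength) ? 0 : 2;
        else if (klen == 5 && !memcmp(p, "water", 5))
            bit = parse_int(eq + 1, vlen, 30, 300, &r->water_ml) ? 0 : 4;
        else bit = 0;                        /* unknown key: reject, don't skip */
        if (!bit || (seen & bit)) return -1; /* invalid value or duplicate key */
        seen |= bit;
    }
    return seen == 7 ? 0 : -1;               /* all three fields required */
}
```

Validating the data is only half of what the post asks for; the other half, checking which site the recipe came from, has to happen in the transport layer before this parser ever sees the bytes.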