RE: A more detailed description of the Jura F90 vulnerability.
Have you shared all of this with the manufacturer first?
t
> -----Original Message-----
> From: Craig Wright [mailto:Craig.Wright@xxxxxxxxxx]
> Sent: Tuesday, June 17, 2008 11:10 PM
> To: security-basics@xxxxxxxxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
> Subject: A more detailed description of the Jura F90 vulnerability.
>
>
> The issue is a lack of input validation. OWASP would be a great
> learning exercise for the coders on this product. It seems to be
> assumed that only trustworthy users will connect only to trustworthy
> sites. I could not find any evidence of input validation.
>
> Through the magic of WebScarab and Paros proxy, one can capture the
> Internet communications used by the F90 Internet Connection Kit
> software. What you soon see is that the software does not account for
> either bypassing the local application and changing the input or
> spoofed and redirected sites.
>
> The software does not validate the site it gets the information from
> nor does it sufficiently validate the input to the software.
>
> At the moment as I think there are so few people as crazy as I am who
> actually have to have a gadget just as it is Internet connected; this
> is not likely to become a widespread attack vector.
>
> The software is an oversized web proxy with other stuff to connect to
> the coffee machine thrown in. Jura did not make the assumption that an
> evil attacker could purposefully modify and publish "evil" coffee
> "recipes".
>
> I have been taking the updated SANS@Home 610 course. I have a GREM, but
> Lenny and the other guys have added an additional component to the
> Reverse Engineering Malware Course. So I had to take it.
>
> The course focuses on analysing and reversing malware, but IDA and Olly
> work on binaries of all types, and a bottle of good riesling and 9
> coffees after midnight is not a good combination.
> Hence I decided to attack my coffee maker and the control software.
>
> There are certain aspects of code (like the ever faithful GETS()
> function) that should be beaten from existence. Others need to be
> securely configured such that all the required variable fields are
> entered correctly (see SPRINTF()). Unfortunately the coders at Jura did
> not consider that "bad people" would ever attack a coffee maker ;).
>
> There are 2 main attacks that I have noted:
> 1. Loading a malicious setting or recipe into the device causing a
>    "coffee overflow" etc.
> 2. More seriously, not validating the input correctly coupled with
>    a lack of authorisation of the source and nothing to stop invalid data
>    at the host means that malformed strings can be fed to the software
>    that can either crash the system or if crafted correctly run a binary
>    on the host.
>
> So, as most people who check this list no doubt know, not validating
> input is bad. Trusting the web as you have a piece of custom software
> that is closed source and a belief that users are all nice is bad.
>
> Regards,
> Craig Wright GSE-Compliance
>
> PS for DMCA compliance reasons I would state that I was not reversing
> the software, but rather inputting unusual coffee recipes that had a
> strange binary flavour ;)
>
> Craig Wright
> Manager, Risk Advisory Services
>
> Direct : +61 2 9286 5497
> Craig.Wright@xxxxxxxxxx
> +61 417 683 914
>
> BDO Kendalls (NSW-VIC) Pty. Ltd.
> Level 19, 2 Market Street Sydney NSW 2000
> GPO BOX 2551 Sydney NSW 2001
> Fax +61 2 9993 9497
> http://www.bdo.com.au/
>
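The message names gets() and sprintf() as the kind of calls that let an unchecked "recipe" string crash or overflow the host side. The parser below is an added example, not Jura's code: it takes a recipe line of the hypothetical form "name=<alnum>;water=<ml>;strength=<1..10>" (format, field names and ranges are all constructed for illustration) and fails closed on oversized input, unknown keys, malformed numbers and out-of-range values, using only bounded copies.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical recipe record; the field set is an assumption for this example. */
#define NAME_MAX 15
typedef struct { char name[NAME_MAX + 1]; int water_ml; int strength; } recipe_t;

/* Returns 1 and fills *out when `line` is a well-formed recipe, 0 otherwise.
 * Every rejection path returns before anything is written past a bound. */
int parse_recipe(const char *line, recipe_t *out) {
    char buf[64];
    int have_name = 0, have_water = 0, have_strength = 0;

    /* Reject oversized input up front instead of letting it overflow buf
     * (this is the check gets() never performs). */
    if (line == NULL || strlen(line) >= sizeof buf) return 0;
    memcpy(buf, line, strlen(line) + 1);
    memset(out, 0, sizeof *out);

    for (char *tok = strtok(buf, ";"); tok != NULL; tok = strtok(NULL, ";")) {
        char *eq = strchr(tok, '=');
        if (eq == NULL) return 0;          /* every field must be key=value */
        *eq = '\0';
        const char *key = tok, *val = eq + 1;

        if (strcmp(key, "name") == 0) {
            size_t n = strlen(val);
            if (n == 0 || n > NAME_MAX) return 0;
            for (size_t i = 0; i < n; i++)
                if (!isalnum((unsigned char)val[i])) return 0;   /* whitelist charset */
            snprintf(out->name, sizeof out->name, "%s", val);  /* bounded, unlike sprintf */
            have_name = 1;
        } else if (strcmp(key, "water") == 0 || strcmp(key, "strength") == 0) {
            char *end;
            long v = strtol(val, &end, 10);
            if (*val == '\0' || *end != '\0') return 0;        /* digits only, fully consumed */
            if (strcmp(key, "water") == 0) {
                if (v < 30 || v > 300) return 0;               /* assumed safe range in ml */
                out->water_ml = (int)v; have_water = 1;
            } else {
                if (v < 1 || v > 10) return 0;
                out->strength = (int)v; have_strength = 1;
            }
        } else {
            return 0;                                          /* unknown key: fail closed */
        }
    }
    return have_name && have_water && have_strength;           /* all fields required */
}
```

When the line comes from a socket or file, read it with fgets() into a fixed buffer and strip the trailing newline before calling parse_recipe(), so the length check above is the only place input size is decided.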