[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[infowar.de] mi2g-Parodie

To: "Infowar.de" <infowar - de -! - infopeace - de>
Subject: [infowar.de] mi2g-Parodie
From: Ralf Bendrath <ralf - bendrath -! - sfb597 - uni-bremen - de>
Date: Tue, 27 Jul 2004 17:03:37 +0200
Reply-to: infowar - de -! - infopeace - de
Sender: bendrath -! - zedat - fu-berlin - de

Infowar.de, http://userpage.fu-berlin.de/~bendrath/liste.html
-------------------------------------------------------------

Die Firma hat ja hier und anderswo schon mehrfach Schelte bekommen für
ihre "Cyberterroristen werden dieses Jahr zehn Gazillionen Dollar
Schaden anrichten"-Meldungen. Hier nun eine nette Parodie. 
Die Reaktionen darauf werden von Rob Rosenberger von VMyths.com
ausführlich auseinander genommen. Siehe
<http://vmyths.com/rant.cfm?id=661&page=4>.

Enjoy! :-)

RB

-----------------------------
http://seclists.org/lists/fulldisclosure/2004/Jul/0311.html

FullDisclosure: Wendy's Drive-up Order System Information Disclosure

From: mi2g-research_at_hushmail.com
Date: Jul 06 2004

- -- SIPS EXCERPT -- ADVISORY -- SIPS EXCERPT -- ADVISORY --

Wendy's Drive-up Order System Information Disclosure

Reporter: mi2g (http://www.mi2g.com/)
Date: July 07, 2004
Severity: Medium to High
Attack Class: Physical, Remote, Race Condition
Vendor: Wendy's (http://www.wendys.com/)

I. BACKGROUND

Wendy's International, Inc. is one of the world's largest
restaurant operating and franchising companies with more than
9,300 total restaurants and quality brands - Wendy's Old
Fashioned Hamburgers®, Tim Hortons® and Baja Fresh® Mexican
Grill. The Company invested in two additional quality brands
during 2002 - Cafe Express? and Pasta Pomodoro®.

II. DESCRIPTION

Remote exploitation of the Wendy's Drive-up ordering system
allows an attacker to gain sensitive information about the
order of arbitrary customers.

During customer/vendor "handshake", the customer vehicle
must come to a stop beside the vendor menu ordering system
which contains a large screen to display the current order.
During this process, adequate protection is not given to the
space between the vehicle and the menu allowing for a number
of remote attackers to obtain sensitive order information.

Once the victim has finished ordering, the information stays
available on the screen for up to several minutes or until
another customer has pulled forward. This creates a great
window for exploitation and increases the chance of winning
the "race condition".

III. ANALYSIS

Successful exploitation allows unauthenticated remote malicious
arbitrary attackers to retrieve the contents of the previous
customer's food order which is a serious breach of confidentiality.

As proof of concept, this attack was carried out against mi2g
CEO DK Matai. It was disclosed that he ordered a grilled chicken
sandwich, large fries and a large Coca-Cola.

IV. DETECTION

mi2g has confirmed that all Wendy's with a Drive-up menu display
are affected. Other vendors may be affected but were not tested.

V. WORKAROUND

Use a hard object such as a rock or baseball bat to disable the
order display screen after the late night drive-thru has closed.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned
the name CAN-2004-2934 to this issue. This is a candidate for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.

VII. DISCLOSURE TIMELINE

07/07/02 Exploit discovered by mi2g
07/08/02 mi2g clients (the "Inner Sanctum") notified
01/08/03 The Queen notified
03/22/03 bespoke security architecture updated
09/01/03 mi2g clients notified again
07/07/04 Public Disclosure
07/08/04 Vendor notified

VIII. CREDIT

Rear Admiral John Hilton and Geoffrey Hancock are credited with
discovering this vulnerability.

IX. SPECIAL THANKS

Donny Werner for verifying Wendy's drive up systems are
not vulnerable to XSS issues!

X. LEGAL NOTICES

Copyright (c) 2004 mi2g Limited.

Permission is granted for the redistribution of this alert
electronically provided a small royalty is paid. It may not be
edited in any way without the express written consent of mi2g. If
you wish to reprint the whole or any part of this alert in any
other medium other than electronically, please email
mi2g-research_at_hushmail.com for permission.

Disclaimer: The information in the advisory is believed to be
accurate at the time of publishing based on currently available
information. Use of the information constitutes acceptance for
use in an AS IS condition. There are no warranties with regard
to this information. Neither the author nor the publisher accepts
any liability for any direct, indirect, or consequential loss
or damage arising from use of, or reliance on, this information.


---------------------------------------------------------------
Liste verlassen: 
Mail an infowar -
 de-request -!
- infopeace -
 de mit "unsubscribe" im Text.

Prev by Date: [infowar.de] TELEPOLIS: Neues vom E-Dschihad
Next by Date: [infowar.de] SpOn: IBM baut Supercomputer für die US-Navy
Previous by thread: [infowar.de] TELEPOLIS: Neues vom E-Dschihad
Next by thread: [infowar.de] SpOn: IBM baut Supercomputer für die US-Navy
Index(es):
- Date
- Thread