Information Security News mailing list archives

Security group going to the dogs after hoax alert & Phony CERT Advisory


From: William Knowles <wk () C4I ORG>
Date: Fri, 14 Jul 2000 12:53:59 -0500

http://news.cnet.com/news/0-1003-200-2249491.html?tag=st.ne.1430735..ni

By Stephen Shankland
Staff Writer, CNET News.com
July 12, 2000, 5:15 p.m. PT

Ordinarily it's hard to find people more serious than the technicians,
academics and bug experts who vigilantly comb the world for potential
attacks on computer networks. But not this week.

In a parody of the warnings issued by the Computer Emergency Response
Team (CERT), an anonymous correspondent posted a joke warning on
Bugtraq, an electronic mailing list frequented by computer security
professionals.

The hoax alert, disguised as an official CERT announcement, warns that
hackers have devised a way to remotely take over Sony's Aibo robot dog
and command it to attack, among other unpleasant actions.

"The buffer used to hold the variable MyOwner in the
function process_face() can be overflowed, reverting Aibo into
experimental AiboPitBull code," the mock warning said. Other malicious
programs circulating on the Internet to exploit the compromised Aibo
include "PeeOnRug(), ShoeChew() and KillTheCat()."

In addition, "owners who accidentally have left their television on
late at night have reported incidents of AIBO attacking their small
children and pets within minutes of the airing of 'Tom Vu's Real
Estate Seminar,'" the parody said.

CERT, a serious organization not given to such levity, took the
posting in stride. "This is, of course, a forgery, but nonetheless
pretty amusing," replied Shawn Hernan, who noted that real CERT
advisories are electronically signed.

While unsigned, the anonymous author had the terminology down. In
reality, buffer overflows are a genuine way to take over computers. In
a buffer overflow, an attacker types in too much text in an input area
such as a password field.

Under some circumstances, a computer will execute the extra text as a
program, a method that a clever programmer can use to run programs
without authorization. Explosive reactions to Tom Vu, however, have
been known to be generated by other methods.

But the Aibo joke didn't top a similar forgery in 1996, Hernan added.
"The state of the art in forged CERT advisories remains the
Independence Day Advisory from a few years ago," Hernan said.

The warning referred to the movie "Independence Day," in which actors
Will Smith and Jeff Goldblum destroy a flock of alien spacecraft by
infecting the fleet's main computer with a virus that disabled defense
shields.

"The CERT Coordination Center has received reports of weaknesses in
Alien/OS that can allow species with primitive information sciences
technology to initiate denial-of-service attacks against
MotherShip(tm) hosts. One report of exploitation of this bug has been
received," the joke said.

"The vulnerability allows the insertion of executable code with root
access to key security features of the operating system. In
particular, such code can disable the NiftyGreenShield(tm) subsystem,
allowing child processes to be terminated by unauthorized users."


*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions             http://www.c4i.org
*-------------------------------------------------*



http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Flist%3D1%26date%3D2000-07-08%26msg%3D20000710160016.A24976%40next.hway.net

    To: BugTraq
    Subject: CERT Advisory CA-2000-69
    Date: Mon Jul 10 2000 04:00:16
    Author: Jamie Rishaw
    Message-ID: <20000710160016.A24976 () next hway net>

CERT Advisory CA-2000-69 AIBO Authentication Algorithm Corruption Vulnerability

    Original Release Date: July 10, 2000
    Last Revised: --
    Source: CERT/CC

    A complete revision history is at the end of this file.

Systems affected

    * AIBO ERS-110 Aperios OS
    * AIBO ERS-111 Aperios OS

Overview

    A vulnerability involving the Visual authentication algorithm has recently
been identified in the Sony, Inc. "AIBO" Entertainment Robot.  Owners of AIBO
Robots are encouraged to upgrade their Aperios DogOS as soon as possible.

    The AttackBite() control has a serious vulnerability that allows remote
intruders within earshot of AIBO to execute arbitrary code.  Scripts are
proliferating the Internet with new routines such as PeeOnRug(), ShoeChew(),
KillTheCat() and AttackOwnersGenitals().  The latter, classified by CERT as
a "Denial of Service" attack, is most vicious, and for this reason CERT
encourages immediate patch implementation.  Some common circumstances under
which this vulnerability can be exploited are addressed by the Sony patch;
others are not.

I. Description

    There are at least three distinct vulnerabilities in the ERS-110 and
ERS-111 implementation of the Aperios software.  All of these vulnerabilities
may be exploited to effect Quicker-Picker-Upper and Owner Discomfort attacks
with varying degrees of severity.  Owners are advised, until patch completion,
to guard themselves, and to have extra paper towels on hand.

    - The AIBO Sound Controller, when configured to play Britney Spears'
"Oops, I Did It Again," will cause AIBO to lift a hind leg and spontaneously
leak battery juice on the floor, simulating a urination (female ERS-110
models "squat" during this exploit).

    - The buffer used to hold the variable MyOwner in the function
process_face() can be overflowed, reverting AIBO into experimental
AiboPitBull code.  When combined with the Sound Controller's Performance
Mode signal, unpatched AIBO units can receive arbitrary code, and multiple
reports of owner emasculation have been reported.

    - (Unverified) Owners who accidentally have left their television on late
at night have reported incidents of AIBO attacking their small children
and pets within minutes of the airing of "Tom Vu's Real Estate Seminar,"
The Story of A Vietnamese Immigrant's rags-to-riches Infomercial.

    - Two reports have been submitted where a race condition involving
Tom Vu's Real Estate Seminar and presence of Richard Simmons' "Farewell
to Fat" have caused AIBO units to "die".  We are still investigating this.


II. Impact

    Depending on the version of AIBO, the environment in which it is running,
and the particular vulnerability that is exploited, a remote attacker can
cause one or more of the following:

    - The AIBO to attack its owner,
    - The AIBO to wake, walk off its base station and attack children/pets,
    - The AIBO to generate Cyber-Body-Fluid and/or Excretion, and/or
    - The AIBO to die.


III. Solution

    Upgrade your version of AIBO Aperios DogOS

   If you are running vulnerable Aperios and cannot upgrade, you are
strongly advised to remove the battery from AIBO's behind and contact
Sony for more assistance.



Appendix A. Vendor Information

Sony, Inc.

   Please see

   http://www.world.sony.com/robot/aperios_vuln.htm


Richard Simmons

   Please see

   http://www.richardsimmons.com/shop/info.idc?id=08-00164



    _________________________________________________________________

    The CERT Coordination Center thanks your Mom and Eva Peron for their
    help in developing this advisory.
    _________________________________________________________________

    Author: Jamie Rishaw <jamie () arpa com>
    _________________________________________________________________

    This document is available from:
         http://arpa.com/advisories/CERT-2000-69.html
    _________________________________________________________________

    (This is a spoof, if you haven't gotten it by now)
    _________________________________________________________________

CERT/CC Contact Information

    Email: cert () cert org
           Phone: +1 412-268-7090 (24-hour hotline)
           Fax: +1 412-268-6989
           Postal address:
           CERT Coordination Center
           Software Engineering Institute
           Carnegie Mellon University
           Pittsburgh PA 15213-3890
           U.S.A.

    CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
    Monday through Friday; they are on call for emergencies during other
    hours, on U.S. holidays, and on weekends.

Using encryption

    We strongly urge you to encrypt sensitive information sent by email.
    Our public PGP key is available from

    http://www.cert.org/CERT_PGP.key

    If you prefer to use DES, please call the CERT hotline for more
    information.

Getting security information

    CERT publications and other security information are available from
    our web site

    http://www.cert.org/

    To be added to our mailing list for advisories and bulletins, send
    email to cert-advisory-request () cert org and include SUBSCRIBE
    your-email-address in the subject of your message.

    * "CERT" and "CERT Coordination Center" are registered in the U.S.
    Patent and Trademark Office.

    * "CERT" and "CERT Coordination Center" had absolutely nothing to
    do with this advisory, and do not support it.  It's a parody.

    NO WARRANTY
    Any material furnished by Carnegie Mellon University and the Software
    Engineering Institute is furnished on an "as is" basis. Carnegie
    Mellon University makes no warranties of any kind, either expressed or
    implied as to any matter including, but not limited to, warranty of
    fitness for a particular purpose or merchantability, exclusivity or
    results obtained from use of the material. Carnegie Mellon University
    does not make any warranty of any kind with respect to freedom from
    patent, trademark, or copyright infringement.
    _________________________________________________________________

    Conditions for use, disclaimers, and sponsorship information

Revision History
July 10, 2000: Initial Release

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".

