Re: Achiever CSS-50 Personal Paper Shedder Buffer Overflow (!)

[mrcdz <mrcdz () datavibe net>]

PAPER SHREDDER REMOTE EXPLOIT VERSION 8.5x11p
EFFECTED MODELS: CSS-50/60 and many like it. ;)
 
Exploitation of stack based overflow in multiple vendor paper shredders.

1. Print this message on eight and a half by eleven photocopier paper.
2. Make 2,147,483,648 copies with photocopier.
   - Photocopier must be trusted host by Paper Shredder!
3. Load into paper shredder 1,024 pages at a time.
   - WARNING: This causes VERY high load on some shredders. Expect some delay.

Once 2,147,483,648 exploit documents have been shredded, the shredder's
internal count of shredded documents will become unsigned.

My department manager has informed me that this unsignedness can cause
damage to nearby hosts, and personal injury to administrators and users.
"It just started spitting out deadly shreds of paper giving me 100 paper cuts".

Research on this vulnerability as well as forensic analysis performed against
my department manager's forehead has shown this unsignedness causes the motor
inside the shredder to spin in the opposite direction. 

Administrators please update their JetDirect firmware immediately, as exploits
for this vulnerability have already been seen circulating in the underground.
It is very possible an attacker could use this vulnerability and gain access
to the shredder remotely via jetdirect-x10-shreddertunnel.c.

Vendors have not yet been informed of this vulnerability and may also be
affected. Please do not forward this message to the vendors as it is a live
exploit and may get passed to shredders inside corporate networks.

During recent testing, it has also come to my attention that inserting this
exploit document into the shredder after dunking it in water for 5 minutes;
The shredder will catch on fire. Please test in an open room with proper
protective materials.

----- if this line gets shredded, the exploit was successful! -----

On Mon, Sep 10, 2001 at 03:14:01PM -0400, Steve wrote:
> Vulnerability confirmed on both the CSS-50 and CSS-60 models.  Also, it has 
> been noted that by using malformed paper sizes a malicious attacker could 
> effectively DoS the device or cause random failures.  I estimate that over 
> 75% of paper shredders in the world are effected by this.  Someone should 
> inform CERT and NIPC.
>
> :-)
>
>
> At 10:47 AM 10/09/2001 -0700, Xyntrix wrote:
> > On Mon, Sep 10, 2001 at 04:59 PM, w1re p4ir <w1rep4ir () disinfo net> said:
> > > A vulnerability has been found in my companies Paper Shedder. When 
> > putting more than the recommened paper into the shedder (but not enough 
> > for a DoS) It allows the paper to go in. This could cause abirtary paper 
> > to allowed in side the shredder. This vulnerability has been discovered 
> > on Sept. 10. Achiever Has not been notified of this particular vulnerability.
> > > ________________________________________________________
> > > The Best News Source On The Web - http://www.disinfo.com
> >
> > i tried to replicate this problem and could not get it to work. i am
> > currently using a stable version of a paper shredder. i also tried this
> > on a post-processing paper shredding device where a third-party carries
> > out the shredding process, and that also failed to acvieve a stack
> > overflow. what size of paper are you using? i believe i am using 24lb,
> > legal size.
> >
> > -----
> > _______________________________________
> > Mike Mclane | xyntrix at bitz dot org |
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~