Re: Achiever CSS-50 Personal Paper Shedder Buffer Overflow (!)

["Matthew Leeds" <mleeds () theleeds net>]

Risks in attempting to resolve DoS attack:

http://www.ohio.com/bj/news/2000/October/26/docs/006715.htm
http://www.bloomington.k12.mn.us/distinfo/Safety/pg31-32.html
http://www.cdc.gov/niosh/face/stateface/ne/95ne031.html

---Matthew
*********** REPLY SEPARATOR  ***********

On 9/10/2001 at 3:14 PM Steve wrote:

> Vulnerability confirmed on both the CSS-50 and CSS-60 models.  Also, it
> has
> been noted that by using malformed paper sizes a malicious attacker could
> effectively DoS the device or cause random failures.  I estimate that over
> 75% of paper shredders in the world are effected by this.  Someone should
> inform CERT and NIPC.
>
> :-)
>
>
> At 10:47 AM 10/09/2001 -0700, Xyntrix wrote:
> > On Mon, Sep 10, 2001 at 04:59 PM, w1re p4ir <w1rep4ir () disinfo net> said:
> > > A vulnerability has been found in my companies Paper Shedder. When
> > putting more than the recommened paper into the shedder (but not enough
> > for a DoS) It allows the paper to go in. This could cause abirtary paper
> > to allowed in side the shredder. This vulnerability has been discovered
> > on Sept. 10. Achiever Has not been notified of this particular
> vulnerability.
> > > ________________________________________________________
> > > The Best News Source On The Web - http://www.disinfo.com
> >
> > i tried to replicate this problem and could not get it to work. i am
> > currently using a stable version of a paper shredder. i also tried this
> > on a post-processing paper shredding device where a third-party carries
> > out the shredding process, and that also failed to acvieve a stack
> > overflow. what size of paper are you using? i believe i am using 24lb,
> > legal size.
> >
> > -----
> > _______________________________________
> > Mike Mclane | xyntrix at bitz dot org |
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~