RE: Achiever CSS-50 Personal Paper Shedder Buffer Overflow (!)

["Robert Hagen" <robert_hagen () globalcrossing com>]

<soapbox>
I don't mean to spark off another "full disclosure" debate here, but I
really feel that posting this exploit to the list before the vendor has even
been notified constitutes an act of professional negligence.  We're kidding
ourselves if we don't think that hordes of script kiddies subscribe to this
list looking for 'sploits to add to their arsenals.  That's the last thing
we need is a CodeShred worm wreaking havoc on paper shredders around the
world and taking the DoD's entire shredder network offline.  Next time,
please ensure the vendor has been notified and given adequate time to
produce a fix prior to releasing exploit code.  It's our responsibility as
security professionals.
</soapbox>

-rdh-

> -----Original Message-----
> From: mrcdz [mailto:mrcdz () datavibe net]
> Sent: Monday, September 10, 2001 3:46 PM
> To: vuln-dev () securityfocus com
> Subject: Re: Achiever CSS-50 Personal Paper Shedder Buffer Overflow (!)
>
>
>
>
> PAPER SHREDDER REMOTE EXPLOIT VERSION 8.5x11p
> EFFECTED MODELS: CSS-50/60 and many like it. ;)
>
> Exploitation of stack based overflow in multiple vendor paper shredders.
>
> 1. Print this message on eight and a half by eleven photocopier paper.
> 2. Make 2,147,483,648 copies with photocopier.
>    - Photocopier must be trusted host by Paper Shredder!
> 3. Load into paper shredder 1,024 pages at a time.
>    - WARNING: This causes VERY high load on some shredders.
> Expect some delay.
>
> Once 2,147,483,648 exploit documents have been shredded, the shredder's
> internal count of shredded documents will become unsigned.
>
> My department manager has informed me that this unsignedness can cause
> damage to nearby hosts, and personal injury to administrators and users.
> "It just started spitting out deadly shreds of paper giving me
> 100 paper cuts".
>
> Research on this vulnerability as well as forensic analysis
> performed against
> my department manager's forehead has shown this unsignedness
> causes the motor
> inside the shredder to spin in the opposite direction.
>
> Administrators please update their JetDirect firmware
> immediately, as exploits
> for this vulnerability have already been seen circulating in the
> underground.
> It is very possible an attacker could use this vulnerability and
> gain access
> to the shredder remotely via jetdirect-x10-shreddertunnel.c.
>
> Vendors have not yet been informed of this vulnerability and may also be
> affected. Please do not forward this message to the vendors as it
> is a live
> exploit and may get passed to shredders inside corporate networks.
>
> During recent testing, it has also come to my attention that
> inserting this
> exploit document into the shredder after dunking it in water for
> 5 minutes;
> The shredder will catch on fire. Please test in an open room with proper
> protective materials.
>
> ----- if this line gets shredded, the exploit was successful! -----
>
> On Mon, Sep 10, 2001 at 03:14:01PM -0400, Steve wrote:
> > Vulnerability confirmed on both the CSS-50 and CSS-60 models.
> Also, it has
> > been noted that by using malformed paper sizes a malicious
> attacker could
> > effectively DoS the device or cause random failures.  I
> estimate that over
> > 75% of paper shredders in the world are effected by this.
> Someone should
> > inform CERT and NIPC.
> >
> > :-)
> >
> >
> > At 10:47 AM 10/09/2001 -0700, Xyntrix wrote:
> > > On Mon, Sep 10, 2001 at 04:59 PM, w1re p4ir
> <w1rep4ir () disinfo net> said:
> > > > A vulnerability has been found in my companies Paper Shedder. When
> > > putting more than the recommened paper into the shedder (but
> not enough
> > > for a DoS) It allows the paper to go in. This could cause
> abirtary paper
> > > to allowed in side the shredder. This vulnerability has been
> discovered
> > > on Sept. 10. Achiever Has not been notified of this
> particular vulnerability.
> > > > ________________________________________________________
> > > > The Best News Source On The Web - http://www.disinfo.com
> > >
> > > i tried to replicate this problem and could not get it to work. i am
> > > currently using a stable version of a paper shredder. i also tried this
> > > on a post-processing paper shredding device where a third-party carries
> > > out the shredding process, and that also failed to acvieve a stack
> > > overflow. what size of paper are you using? i believe i am using 24lb,
> > > legal size.
> > >
> > > -----
> > > _______________________________________
> > > Mike Mclane | xyntrix at bitz dot org |
> > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~