Here’s my result after a few minutes:

The movie is that long because I always had to check if my string is already long enough. The indicator for it was the mouse over effect (highlighting) of the button.

Hi All,
I have a Jura F90 Coffee maker with the Jura Internet Connection Kit. The idea is to:

“Enable the Jura Impressa F90 to communicate with the Internet, via a PC.
Download parameters to configure your espresso machine to your own personal taste.
If there’s a problem, the engineers can run diagnostic tests and advise on the solution without your machine ever leaving the kitchen.”

Guess what – it can not be patched as far as I can tell It also has a few software vulnerabilities.

Fun things you can do with a Jura coffee maker:
1. Change the preset coffee settings (make weak or strong coffee)
2. Change the amount of water per cup (say 300ml for a short black) and make a puddle
3. Break it by engineering settings that are not compatible (and making it require a service)

The connectivity kit uses the connectivity of the PC it is running on to connect the coffee machine to the internet. This allows a remote coffee machine “engineer” to diagnose any problems and to remotely do a preliminary service.

Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.

Compromise by Coffee.

Regards,
Craig Wright GSE-Compliance

PS: I’m really looking forward to a coffee maker with a web interface

It says:

Sorry, something went wrong.
A team of highly trained monkeys has been dispatched to deal with this situation. Please report this incident to customer service.

You guys made my day

PS: For some reason you sometimes have to click on the link twice until you get the message.

(click to enlarge)

Hope you enjoy solving this “advanced” exercise and no, it’s not the only advanced exercise we’ve done

loadText('. .drucken {display: none;}.senden {display: none;}.quelle {display: none;}.artboxbottom2sp {height: 15px;width: 465;background: url(/_images_/hg_spitzmarke_2sp_bottom.gif);} Webwww.espace.ch',2,3,2);

Who knows, perhaps JavaScript will become the first natively spoken programming language. At least it would be really easy to speak for me because it seems that in “JavaScriptish”, the spelling is the same as in German

Meet the native Javascript Speaker

Last weekend, I went snowboarding in the Swiss mountains and the weather including the snow was just perfect. Because the winter sport season hasn’t started yet, there wasn’t much going on in the evening and so I was using one of the public Hotspots of the hotel. As you can think, I had to make some security related stuff and so I surfed to the Hotel’s website. There are SQL injections, XSS, Local File Inclusions and much more but I don’t want to talk more about it because there was something much more interesting. Normally when you offer a Hotspot as a hotel or any other company, you should separate it from your internal LAN but don’t even think of anyone is really doing this unless they have to for any reason. So, my IP address was now 192.168.44.36 which’s an internal IP address. The next step was of course to use our all friend nmap and let’s see what I’ve got:

Interesting ports on 192.168.1.5:
PORT STATE SERVICE VERSION
25/tcp open smtp Microsoft ESMTP 5.0.2195.6713
80/tcp open http Microsoft IIS webserver 5.0

Jackpot, I’ve got a Microsoft IIS 5.0 webserver on the standard HTTP port 80 and this means hopefully an internal web application

I connected to 192.168.1.5 with my favorite web browser and wow, amazing security measures there. No sorry, I’m just joking. There where no security measures at all. I simply get a menu, where I could choose a “console”. I took the first one because the others seemed to be offline. Oh my god (who’s by the way the FSM), I was now having control over more or less the whole hotel (don’t ask me why this is the case with the product of a company describing itself as “OTRUM is a leading provider of interactive TV solutions and content to the hospitality industry.”).

Let’s have a look at who’re my neighbors:

(Click the image to enlarge)

Cool stuff, with this I even know in which language I can say good morning to my neighbors

There where much more information than just the things for the reception. When you clicked on “Main Menu”, you had several other options than just “Reception”. For example you where able to create new rooms, new employers, new TV channels, have a look at a whole bunch of statistics or define even a room’s temperature and much more. The funniest thing I found (which wasn’t used by the hotel I was in), was a statistic, checking if the mini bar has been opened and how many times. My advice if you want to make the guys at the reception looking strange at you would be to open your mini bar at least one hundred times a day

As you can think, it was fun to see all this stuff and an evil guy (or girl) could have done nasty stuff there but hey, I never had to authenticate myself so it was open to everyone and because of this it’s not illegal to just surf this “website”.

For sure this application was the most interesting thing for me but there where even more security problems like:

http://192.168.1.5/cgi-bin/thrusocket.pl?&gltemplatefile=../../../../../boot.ini

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT=”Microsoft Windows 2000 Server” /fastdetect

OK, anyone can read your data on the server but who want’s to read files if you can make an automated wake up call at 5 o’clock in the morning to every guest in the whole hotel?

There was also a Directory Listing at http://192.168.1.5/cgi-bin/ and some other not really interesting things. I can say, that I enjoyed the stay in this hotel for sure.

Lesson learned here: Don’t let security guys into your hotel if you don’t want them to have a look at your infrastructure

Hallo,
das warst doch du, der unser Sprachportal (MobiLingua, Uni Passau) über das Forum gehackt hat und mir damit einen gehörigen Schrecken eingejagt hat, oder?
Jedenfalls danke für den Hinweis – das ist halt der Nachteil von CMS: Man kann zwar mit relativ wenig Hintergrundwissen ein Layout anpassen und Inhalte bereitstellen, denkt aber in der Regel nicht an Sicherheitsaspekte (in der Hoffnung, dass das System das schon macht )

LG, [name of the sender]

In English this means, that someone of the University of Passau thinks, that I’ve hacked their online platform called MobiLingua. Of course I didn’t hack their page and also I never heard about this MobiLingua before. Because of this, I answered the following:

Hallo,
ich beschäftige mich zwar beruflich sowie privat mit der Sicherheit von Webanwendungen, doch habe ich noch nie von genanntem Portal (MobiLingua, Uni Passau) gehört, geschweige denn habe ich dieses angegriffen.

Ich würde mich sehr darüber freuen, wenn Sie mich so schnell als möglich darüber informieren könnten, wie Sie auf mich kommen in diesem Zusammenhang.

Freundliche Grüsse und ein schönes Wochenende,
Sven Vetsch

This means, that I just wanted to know, why they think that I have attacked their site because it’s true that I have to deal with web application security every day but why they think I’ve done something when I know, that I didn’t do anything? The next mail I get answered this question:

Hallo,
bitte entschuldigen Sie, wenn ich mit meiner Vermutung falsch lag. Jemand hatte ein Online-Portal mit einem Foreneintrag gehackt, in dem HTML und Javascript untergebracht worden war. Dies war ein nett gemeinter Hinweis, auf eine bestehende Sicherheitslücke, offensichtlich ohne böse Absichten. Jedenfalls wurde dadurch in mein Layout statt dem üblichen Logo ein “Hacked”-Logo eingebaut, bei dem die URL auf Ihre Domain verwies. Ein Blick auf die Inhalte dieser Seite hat gezeigt, dass Sie sich mit eben solchen Sicherheitslücken auseinandersetzen und ich glaubte den “Verursacher” gefunden zu haben.

Ich entschuldige mich deshalb vielmals für meinen Fehler..

Mit freundlichen Grüßen und ein schönes Wochenende,
[name of the sender]

First it was written, that they’re sorry for suspecting me and afterwards it was described, why they think that I’ve done the hack on their platform and also what happened. Someone has inserted a “Hacked”-logo through a HTML- and Javascript-Injection (today aka. XSS) and on request I get the injected code:

<script>
alert('Ihre Festplatte wird formatiert wenn Sie OK klicken. Schalten Sie Ihren Rechner aus um abzubrechen.');
document.getElementsByTagName("body")[0].style.backgroundColor = "fuchsia";
document.getElementById("site-logo").src = "http://www.disenchant.ch/blog/images/entries/hacked.gif";
document.getElementById("page").lastChild.innerHTML += '<br>Defacement: Da 3v1l H4X0rZ 2007 ;) lol';
for(i = 0; i < 50; i++){
document.getElementsByTagName("div")[i].style.backgroundColor = "fuchsia";
}
</script>

Now it was clear what happened. The image (http://www.disenchant.ch/blog/images/entries/hacked.gif) which was used for the hack or better call it now a defacement, was the one I’ve uploaded for my blog posting “owasp.org hacked“, where I wrote about someone who “hacked” the OWASP website/Wiki. When the people from the University of Passau checked the code, they found out, that the image was hosted on my domain and that I’ve got something to do with web application security. Now everything is clear and life goes on but this story really make me think of what can happen by just linking to or on the other side hosting images, even if it’s just mistake. It really shows, how easy someone can become a suspect in our so called information century.

PS: I really have to translate the alert message of the used payload to English. “Ihre Festplatte wird formatiert wenn Sie OK klicken. Schalten Sie Ihren Rechner aus um abzubrechen.” means “Your hard disk will be formatted when you click OK. Turn off your computer to cancel.”. And I thought that at least these idiots became extinct years ago

ruby -e 'puts "h!c!.!t!n!a!h!c!n!e!s!i!d!@!h!c!s!t!e!v!.!n!e!v!s".split("!").join.reverse'

Of course no normal or better say “non-geek” person will be able to contact you anymore but I think it’s a cool idea and of course you can rewrite it for your favorite programming language just like Python or Perl

Btw. sorry to everyone that I’m not writing that much at the moment but I’ve really much to do. Don’t worry, I’m working on some nice stuff and as soon as possible I’ll inform you on what you can expect from me in the near future.

Craziest Captchas on the Web