Forwarded from: mi2g-research@private
To: full-disclosure@private
Cc: bugtraq@private, vulnwatch@private

[Real mi2g, fake mi2g, whatever, it had me in stitches! :) - WK]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -- SIPS EXCERPT -- ADVISORY -- SIPS EXCERPT -- ADVISORY --

Wendy's Drive-up Order System Information Disclosure

Reporter: mi2g (http://www.mi2g.com/)
Date: July 07, 2004
Severity: Medium to High
Attack Class: Physical, Remote, Race Condition
Vendor: Wendy's (http://www.wendys.com/)

I. BACKGROUND

Wendy's International, Inc. is one of the world's largest restaurant operating and franchising companies with more than 9,300 total restaurants and quality brands - Wendy's Old Fashioned Hamburgers®, Tim Hortons® and Baja Fresh® Mexican Grill. The Company invested in two additional quality brands during 2002 - Cafe Express™ and Pasta Pomodoro®.

II. DESCRIPTION

Remote exploitation of the Wendy's Drive-up ordering system allows an attacker to gain sensitive information about the order of arbitrary customers.

During the customer/vendor "handshake", the customer vehicle must come to a stop beside the vendor menu ordering system, which contains a large screen to display the current order. During this process, adequate protection is not given to the space between the vehicle and the menu, allowing a number of remote attackers to obtain sensitive order information. Once the victim has finished ordering, the information stays available on the screen for up to several minutes or until another customer has pulled forward. This creates a great window for exploitation and increases the chance of winning the "race condition".

III. ANALYSIS

Successful exploitation allows unauthenticated remote malicious arbitrary attackers to retrieve the contents of the previous customer's food order, which is a serious breach of confidentiality.

As proof of concept, this attack was carried out against mi2g CEO DK Matai. It was disclosed that he ordered a grilled chicken sandwich, large fries and a large Coca-Cola.

IV. DETECTION

mi2g has confirmed that all Wendy's with a Drive-up menu display are affected. Other vendors may be affected but were not tested.

V. WORKAROUND

Use a hard object such as a rock or baseball bat to disable the order display screen after the late night drive-thru has closed.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-2934 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VII. DISCLOSURE TIMELINE

07/07/02 Exploit discovered by mi2g
07/08/02 mi2g clients (the "Inner Sanctum") notified
01/08/03 The Queen notified
03/22/03 bespoke security architecture updated
09/01/03 mi2g clients notified again
07/07/04 Public Disclosure
07/08/04 Vendor notified

VIII. CREDIT

Rear Admiral John Hilton and Geoffrey Hancock are credited with discovering this vulnerability.

IX. SPECIAL THANKS

Donny Werner for verifying Wendy's drive up systems are not vulnerable to XSS issues!

X. LEGAL NOTICES

Copyright (c) 2004 mi2g Limited.

Permission is granted for the redistribution of this alert electronically provided a small royalty is paid. It may not be edited in any way without the express written consent of mi2g. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email mi2g-research@private for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkDrk18ACgkQa74Q1wBemg8ZEACfTaxcsaq/mkOAWZ8A5TPRhM/gq8gA
n0pcaILhtSzHGnGbdBi1BCHQCi7s
=YRgk
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2.1.3 : Wed Jul 07 2004 - 06:05:31 PDT