[VIM] Starbucks Barrista Iced Tea Buffer Overflow

security curmudgeon jericho at attrition.org
Wed May 31 15:05:26 EDT 2006

Little humor to take your mind away from the XSS madness..



May 25, 2006
Vulnerability Report: Starbucks Barrista Iced Tea Buffer Overflow

For those who don't know, a couple of years ago I invested a bunch of time 
in becoming certified as a clinical hypnotherapist. Beyond the fun of 
having C.Ht. on my business card and the interesting party tricks, I have 
found the skills learned particularly useful in management and observing 
the world around me.

Because of those skills, I have to report a particularly interesting 
vulnerability that I've enjoyed exploiting of late.

Title: Starbucks Barrista Iced Tea Buffer Overflow
Type: Denial of Service

Starbucks barristas are particularly skilled at handling detailed orders 
for coffee beverages - an order for a "half-decafinated non-fat mocha 
frappucino" is handled without much difficulty.

However, there are other less exercised code paths that have significant 
input validation errors. My personal favorite is the "iced tea" overflow. 
Barristas are used to only a two variables of input when taking an order 
for iced tea - "sweetened/unsweetened", and "lemonade/no lemonade".

If an order is given to an unpatched barrista containing extended 
variables, a buffer overflow occurs and the results of service delivery 
are extremely unpredictable.

Proof of Concept

Go to a Starbucks with an unpatched (i.e. not previously exploited) 
Barrista behind the counter. Order some variant of iced tea - my current 
favorite is:

Venti, Half-Black, Half-Passion, Unsweetened Iced Tea.

The results are unpredictable, leading the vulnerable barrista to return 
anything from the wrong sized beverage to a beverage containing both 
sweetener and lemonade, to an iced tea containing nothing but the iced-tea 
concentrate that they use to generate the beverage.


The efficacy of the proof of concept is geographically dependent, as 
cultures where iced tea is normally unsweetened are less suceptible to 
this attack. (In that case, order a sweetened tea or lemondae).

Additionally, once a Barrista has been exploited (and had to re-make the 
beverage two or three times), the Barrista becomes innoculated to the 
effects of the attack.

Credits: Shoutz to Melina who has watched far too many barristas become 
confused, and a big thanks to anyone else who has ever visited Starbucks 
with me and had to wait while barristas remade my order. Major props to 
the Barrista at the Starbucks where I'm writing this entry, who had to 
re-make my drink 3 times (and who refrained from throwing it at me).

More information about the VIM mailing list