[VIM] Starbucks Barrista Iced Tea Buffer Overflow
jericho at attrition.org
Wed May 31 15:05:26 EDT 2006
Little humor to take your mind away from the XSS madness..
May 25, 2006
Vulnerability Report: Starbucks Barrista Iced Tea Buffer Overflow
For those who don't know, a couple of years ago I invested a bunch of time
in becoming certified as a clinical hypnotherapist. Beyond the fun of
having C.Ht. on my business card and the interesting party tricks, I have
found the skills learned particularly useful in management and observing
the world around me.
Because of those skills, I have to report a particularly interesting
vulnerability that I've enjoyed exploiting of late.
Title: Starbucks Barrista Iced Tea Buffer Overflow
Type: Denial of Service
Starbucks barristas are particularly skilled at handling detailed orders
for coffee beverages - an order for a "half-decafinated non-fat mocha
frappucino" is handled without much difficulty.
However, there are other less exercised code paths that have significant
input validation errors. My personal favorite is the "iced tea" overflow.
Barristas are used to only a two variables of input when taking an order
for iced tea - "sweetened/unsweetened", and "lemonade/no lemonade".
If an order is given to an unpatched barrista containing extended
variables, a buffer overflow occurs and the results of service delivery
are extremely unpredictable.
Proof of Concept
Go to a Starbucks with an unpatched (i.e. not previously exploited)
Barrista behind the counter. Order some variant of iced tea - my current
Venti, Half-Black, Half-Passion, Unsweetened Iced Tea.
The results are unpredictable, leading the vulnerable barrista to return
anything from the wrong sized beverage to a beverage containing both
sweetener and lemonade, to an iced tea containing nothing but the iced-tea
concentrate that they use to generate the beverage.
The efficacy of the proof of concept is geographically dependent, as
cultures where iced tea is normally unsweetened are less suceptible to
this attack. (In that case, order a sweetened tea or lemondae).
Additionally, once a Barrista has been exploited (and had to re-make the
beverage two or three times), the Barrista becomes innoculated to the
effects of the attack.
Credits: Shoutz to Melina who has watched far too many barristas become
confused, and a big thanks to anyone else who has ever visited Starbucks
with me and had to wait while barristas remade my order. Major props to
the Barrista at the Starbucks where I'm writing this entry, who had to
re-make my drink 3 times (and who refrained from throwing it at me).
More information about the VIM