(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Information security firm Trustwave has reported a potential cyber-attack vector to a device you may have never expected the phrase "security vulnerability" would be applied (other than in reference to the end of a toilet paper roll, that is). In an advisory issued August 1, Trustwave warned of a Bluetooth security vulnerability in Inax's Satis automatic toilet.

Functions of the Satis—including the raising and lowering of its lid and operation of its bidet and flushing nozzles—can be remotely controlled from an Android application called "My Satis" over a Bluetooth connection. But the Bluetooth PIN to pair with the toilet—"0000"—is hard-coded into the app. "As such, any person using the 'My Satis' application can control any Satis toilet," the security advisory noted. "An attacker could simply download the 'My Satis' application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner. Attackers could cause the unit to unexpectedly open/close the lid, [or] activate bidet or air-dry functions, causing discomfort or distress to user."

And you thought the only thing you had to worry about was dropping your phone into the toilet.

Read 2 remaining paragraphs | Comments


A feature that allows Android users to authenticate themselves on Google websites without having to enter their account password can be abused by rogue apps to give attackers access to Google accounts, a security researcher showed Saturday at the Defcon security conference in Las Vegas.
Microsoft on Sunday cut the price of its Surface Pro tablet by $100, or between 10% and 11%, dropping the 64GB model to $799 and the 128GB to $899.

I saw a somewhat "odd" alert today hit this web server, and am wondering if there are any circumstances under which this attack would have actually worked. The full request:

I broke the request up into multiple lines to prevent an  overflow into the right part of the page, and I obfuscated the one embeded URL.

Decoded, the Javascript in the URL comes out to:

The "simulacre.org" site does not appear to be malicious or compromissed. The contact.php page does not appear to exist. (But the real contact form doesn't appear to work).
The PHP code looks a bit more interesting. After Base64 decoding, one gets to:
The code creates the function "ex", which then attempts to execute a command on the server using pretty much any different way that php may use to execute commands trying to bypass some restrictions that may have been put in place. However, I never see the $cmd string populated unless the exploit relies on register_globals which would be a stretch and odd given the careful command execution.
Anybody seeing this? Just another broken exploit? Or will this actually work against some old version of CMS "x"? 
Postscript: Well, I was all proud to be able to post this and not cause any XSS issues in our diary. But turns out some AV filters triggered (like ClamAV) so I converted the code to images.

------ Johannes B. Ullrich, Ph.D. SANS Technology Institute Twitter

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Mozilla's Firefox browser has lost more than 11% of its user share in the last two months, giving Google's Chrome another shot at replacing it as the world's No. 2 browser, according to new data.
Internet Storm Center Infocon Status