Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Bugtraq: RE: hacking the mitsubishi GB-50A

RE: hacking the mitsubishi GB-50A

From: Desai, Ashish <Ashish.Desai_at_fmr.com>
Date: Mon, 24 Mar 2008 11:06:44 -0400

If you read your own post you would realize that Mitsubishi
kept the device ipaddress prefix as 192.168.1 so only you can attack
yourself.

192.168 cannot be access from the internet ;-) [unless you NAT at which
point its your NAT config problem]
 

-----Original Message-----
From: Chris Withers [mailto:chris_at_simplistix.co.uk]
Sent: Friday, March 21, 2008 9:50 PM
To: bugtraq_at_securityfocus.com
Subject: hacking the mitsubishi GB-50A

Hi All,

Well, it's been over 4 months since my plea for a security contact at
Mitsubishi Electric to come forward. Since no one has, I thought I'd
release a POC for hacking one.

It's not exactly hard, the web controller uses a nasty set of Java
applets to interact with itself. The shocking thing is that these
communicate using a series of xml packets and absolutely zero
authentication or encryption :-(

Oh, and just in case you thought about maybe putting something secure
like an ssl webserver proxying the thing, these java applets are hard
coded to connect back to port 80 on the originating host using HTTP :-(

Still, you should get an idea of how the box is *supposed* to be used by

the fact that its ip address is set with dip switches where the
192.168.1 bit is hard coded!

*sigh*

Well, please find attached a little python script that will let you turn

on or off every aircon unit attached to a GB-50 that you know the ip
address of. Minor modifications will let you change the set point and
mode too, so you might be able to turn off a data centres aircon *or*
turn an office's aircon up to 28'C and then turn it all on ;-)

The plus side is that because it's so rediculously insecure, it's not
that hard to build a secure web app that can interact with it and then
just firewall it off from anywhere harmful...

If you have a GB-50 or a GB-50A, please make very sure you keep it on
its own private network until Mitsubishi Electric find a clue stick to
hit themselves with!

cheers,

Chris 

-- 
Simplistix - Content Management, Zope & Python Consulting
            - http://www.simplistix.co.uk
Received on Mar 24 2008
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]