Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Wendy's Drive-up Order System Information D isclosure
From: Rob Keown <Keown () MACDIRECT COM>
Date: Wed, 7 Jul 2004 07:40:59 -0400

My understanding is that McDonalds is recommending the abandonment of
Wendy's as a late-night drive-thru and adoption of it as an alternative
eatery.

Wendy's is rapidly preparing a fix, which involves PGP PKI. You *will* have
to email your public key to Wendy's in order to submit or confirm your
order.

Lastly, as expected, it has been found that Wendy's utilizes a client-server
app, running on IIS 5.0, for its menuing. The menu display itself is IE 6.0
SP1 (of course)!

Rob


-----Original Message-----
From: Sapheriel [mailto:sapheriel () wwwp de] 
Sent: Wednesday, July 07, 2004 6:32 AM
To: mi2g-research () hushmail com; full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com; vulnwatch () vulnwatch org
Subject: RE: [Full-disclosure] Wendy's Drive-up Order System Information
Disclosure

oh shi-- 

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On Behalf Of
mi2g-research () hushmail com
Sent: Wednesday, July 07, 2004 8:06 AM
To: full-disclosure () lists netsys com
Cc: bugtraq () securityfocus com; vulnwatch () vulnwatch org
Subject: [Full-disclosure] Wendy's Drive-up Order System Information
Disclosure

*** PGP SIGNATURE VERIFICATION ***
*** Status:   Unknown Signature
*** Signer:   Unknown Key (0x005E9A0F)
*** Signed:   7/7/2004 2:08:31 AM
*** Verified: 7/7/2004 7:32:21 AM
*** BEGIN PGP VERIFIED MESSAGE ***


-- SIPS EXCERPT -- ADVISORY -- SIPS EXCERPT -- ADVISORY --

Wendy's Drive-up Order System Information Disclosure

Reporter: mi2g (http://www.mi2g.com/)
Date: July 07, 2004
Severity: Medium to High
Attack Class: Physical, Remote, Race Condition
Vendor: Wendy's (http://www.wendys.com/)


I. BACKGROUND

Wendy's International, Inc. is one of the world's largest restaurant
operating and franchising companies with more than 9,300 total restaurants
and quality brands - Wendy's Old Fashioned HamburgersR, Tim HortonsR and
Baja FreshR Mexican Grill. The Company invested in two additional quality
brands during 2002 - Cafe ExpressT and Pasta PomodoroR.

II. DESCRIPTION

Remote exploitation of the Wendy's Drive-up ordering system allows an
attacker to gain sensitive information about the order of arbitrary
customers.

During customer/vendor "handshake", the customer vehicle must come to a stop
beside the vendor menu ordering system which contains a large screen to
display the current order.
During this process, adequate protection is not given to the space between
the vehicle and the menu allowing for a number of remote attackers to obtain
sensitive order information.

Once the victim has finished ordering, the information stays available on
the screen for up to several minutes or until another customer has pulled
forward. This creates a great window for exploitation and increases the
chance of winning the "race condition".

III. ANALYSIS

Successful exploitation allows unauthenticated remote malicious arbitrary
attackers to retrieve the contents of the previous customer's food order
which is a serious breach of confidentiality.

As proof of concept, this attack was carried out against mi2g CEO DK Matai.
It was disclosed that he ordered a grilled chicken sandwich, large fries and
a large Coca-Cola.

IV. DETECTION

mi2g has confirmed that all Wendy's with a Drive-up menu display are
affected. Other vendors may be affected but were not tested.

V. WORKAROUND

Use a hard object such as a rock or baseball bat to disable the order
display screen after the late night drive-thru has closed.

VI. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CAN-2004-2934 to this issue. This is a candidate for inclusion in the CVE
list (http://cve.mitre.org), which standardizes names for security problems.

VII. DISCLOSURE TIMELINE

07/07/02   Exploit discovered by mi2g
07/08/02   mi2g clients (the "Inner Sanctum") notified
01/08/03   The Queen notified
03/22/03   bespoke security architecture updated
09/01/03   mi2g clients notified again
07/07/04   Public Disclosure
07/08/04   Vendor notified

VIII. CREDIT

Rear Admiral John Hilton and Geoffrey Hancock are credited with discovering
this vulnerability.

IX. SPECIAL THANKS

Donny Werner for verifying Wendy's drive up systems are not vulnerable to
XSS issues!

X. LEGAL NOTICES

Copyright (c) 2004 mi2g Limited.

Permission is granted for the redistribution of this alert electronically
provided a small royalty is paid. It may not be edited in any way without
the express written consent of mi2g. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email mi2g-research () hushmail com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition. There are
no warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect, or consequential
loss or damage arising from use of, or reliance on, this information.


*** END PGP VERIFIED MESSAGE ***




Concerned about your privacy? Follow this link to get secure FREE email:
http://www.hushmail.com/?l=2

Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434

Promote security and make money with the Hushmail Affiliate Program: 
http://www.hushmail.com/about-affiliate?l=427

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]