<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2900.3268" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Although, in all seriousness, I can imagine
"physical world" things being compromised, possibly via software attacks alone
(or, equally likely, a single disgruntled employee). Allow me to explain
using a particular example: safes. </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>Companies that make safes (be they old-fashioned
mechanical or electronic) often have records of their combinations corresponding
to a unique serial number for each safe. Yes, they have an electronic database
of all the combinations for all their safes. In the case of electronic
safes, this combination is often un-changeable; the user of the safe can use
that factory default code initially to create a "user combination" that can open
the safe, but can later be changed (if you wish to disallow that user access
later on). Anyway, the factory default combination can't be changed and is in a
database somewhere. This presents a convenience on the part of the business that
produces the safes (avoids angry customers who are locked out of their safes)
but reduces security for all users of that company's products.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>I understand the business case for keeping records
of all combinations for all safes, but the downside is security in the event
that that list/database is ever leaked.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>- G</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<BLOCKQUOTE
style="PADDING-RIGHT: 0px; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000000 2px solid; MARGIN-RIGHT: 0px">
<DIV style="FONT: 10pt arial">----- Original Message ----- </DIV>
<DIV
style="BACKGROUND: #e4e4e4; FONT: 10pt arial; font-color: black"><B>From:</B>
<A title=evilrabbi@gmail.com href="mailto:evilrabbi@gmail.com">evilrabbi</A>
</DIV>
<DIV style="FONT: 10pt arial"><B>To:</B> <A title=nate.mcfeters@gmail.com
href="mailto:nate.mcfeters@gmail.com">Nate McFeters</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Cc:</B> <A
title=full-disclosure@lists.grok.org.uk
href="mailto:full-disclosure@lists.grok.org.uk">full-disclosure@lists.grok.org.uk</A>
; <A title=bugtraq@securityfocus.com
href="mailto:bugtraq@securityfocus.com">bugtraq@securityfocus.com</A> </DIV>
<DIV style="FONT: 10pt arial"><B>Sent:</B> Tuesday, April 01, 2008 9:58
AM</DIV>
<DIV style="FONT: 10pt arial"><B>Subject:</B> Re: [Full-disclosure]
CAU-2008-0001 - Slowly Closing Door Race Condition</DIV>
<DIV><BR></DIV>Why would you release something like this without telling the
vendor? What you did is irresponsible.<BR><BR><BR>
<DIV class=gmail_quote>On Tue, Apr 1, 2008 at 12:18 AM, Nate McFeters <<A
href="mailto:nate.mcfeters@gmail.com">nate.mcfeters@gmail.com</A>>
wrote:<BR>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0pt 0pt 0pt 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">Hahaha,
nice find.<BR><BR>
<DIV><SPAN class=gmail_quote>On 4/1/08, <B class=gmail_sendername>I)ruid</B>
<<A href="mailto:druid@caughq.org" target=_blank>druid@caughq.org</A>>
wrote:</SPAN>
<BLOCKQUOTE class=gmail_quote
style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: rgb(204,204,204) 1px solid">
[CAU ASCII-art banner]<BR>
<DIV>
<DIV></DIV>
<DIV
class=Wj3C7c><BR><BR>
Computer Academic
Underground<BR>
<A href="http://www.caughq.org"
target=_blank>http://www.caughq.org</A><BR>
Security
Advisory<BR><BR>===============/========================================================<BR>Advisory
ID: CAU-2008-0001<BR>Release Date:
04/01/2008<BR>Title: Slowly
Closing Door Race Condition<BR>Application/OS: Physical
Structures<BR>Topic: Physical
structures employing exit doors with
locks<BR>
are vulnerable to a race condition.<BR>Vendor Status: Not
Notified<BR>Attributes: Physical, Race
Condition<BR>Advisory URL: <A
href="http://www.caughq.org/advisories/CAU-2008-0001.txt"
target=_blank>http://www.caughq.org/advisories/CAU-2008-0001.txt</A><BR>Author/Email:
CAU <advisories (at) <A href="http://caughq.org"
target=_blank>caughq.org</A>><BR>===============/========================================================<BR><BR>Overview<BR>========<BR><BR>Physical
structures which employ automatically locking doors to secure<BR>exit
points expose a race condition which may allow unauthorized
entry.<BR><BR><BR>Impact<BR>======<BR><BR>Malicious outsiders may be able
to enter a structure via an exit point.<BR><BR>Exit points may
additionally provide an exit from a secure area of the<BR>structure,
allowing an outsider entering through the exit point to gain<BR>direct
access to the secure area.<BR><BR><BR>Affected
Systems<BR>================<BR><BR>Physical structures which employ
automatically locking doors at exit<BR>points of the
structure.<BR><BR><BR>Technical
Explanation<BR>=====================<BR><BR>An exit's lock[1] generally
converts a two-way door into a one-way<BR>door, allowing a person to
traverse the door's threshold in one<BR>direction but not in the
other. These types of locks are used to<BR>secure exit points
of structures so that people may exit via the door<BR>but not re-enter
without disabling the lock through force or<BR>authentication.<BR><BR>When
a person exits the structure through an exit point which is<BR>secured by
such a mechanism, a race condition exists wherein a<BR>malicious outsider
may be able to reach the door and enter through it<BR>before it closes and
locks itself.<BR><BR>Many doors, especially heavier ones, also employ
closing mechanisms[2]<BR>which are designed to cause the door to close
slowly so as not to slam<BR>the door shut and damage the door frame, or
damage any human appendage<BR>which may be in between the door and its
frame. Such closing<BR>mechanisms can greatly increase the
amount of time that the race<BR>condition exists.<BR><BR><BR>Solution
& Recommendations<BR>==========================<BR><BR>1) Always
ensure that personnel exiting an exit door wait outside
the<BR> door until it has completely closed and locked before
walking<BR> away.<BR><BR>2) Employ a double door system such as
is used in an air-lock where<BR> the interior door must be
secured prior to the exterior door being<BR> allowed to
open.<BR><BR><BR>Exploitation<BR>============<BR><BR>First identify the
exit point that you want to exploit. Stand at a<BR>safe
distance during a high-traffic time and watch for people to use<BR>the
exit point. Time how long it takes for the door to close
and<BR>lock itself when someone traverses the exit point.<BR><BR>Next,
identify a safe hiding place near the exit point, preferably<BR>in a
direction that would be behind a person exiting the door, but<BR>which is
within a distance to the exit point which you could traverse<BR>in under
the door's closing time at a brisk pace or run.<BR><BR>Finally, hide in
this location during a lower traffic time and wait<BR>for someone to
utilize the exit point. After they have exited the<BR>door and
are walking away, run to the door and enter before it has<BR>closed and
locked. Extra points are awarded for a spectacular
dive<BR>and/or roll to catch the door at the very last
second.<BR><BR><BR>References<BR>==========<BR><BR>[1] <A
href="http://en.wikipedia.org/wiki/Lock_%28device%29"
target=_blank>http://en.wikipedia.org/wiki/Lock_%28device%29</A><BR>[2] <A
href="http://en.wikipedia.org/wiki/Door_closer"
target=_blank>http://en.wikipedia.org/wiki/Door_closer</A><BR><BR><BR>Credits
& Gr33ts<BR>================<BR><BR>Theodor Geisel, AHA!, NMRC,
Uninformed Journal, dc214<BR><BR><BR>--<BR>I)ruid, C²ISSP<BR><A
href="mailto:druid@caughq.org" target=_blank>druid@caughq.org</A><BR><A
href="http://druid.caughq.org"
target=_blank>http://druid.caughq.org</A><BR><BR></DIV></DIV>_______________________________________________<BR>Full-Disclosure
- We believe in it.<BR>Charter: <A
href="http://lists.grok.org.uk/full-disclosure-charter.html"
target=_blank>http://lists.grok.org.uk/full-disclosure-charter.html</A><BR>Hosted
and sponsored by Secunia - <A href="http://secunia.com/"
target=_blank>http://secunia.com/</A><BR><BR></BLOCKQUOTE></DIV><BR><BR></BLOCKQUOTE></DIV><BR><BR
clear=all><BR>-- <BR>-- h0 h0 h0 --<BR><A
href="http://www.nopsled.net">www.nopsled.net</A>
<P>
<HR>
<P></P></BLOCKQUOTE></BODY></HTML>