"Nick Davis" firstname.lastname@example.org
Narf Industries (NRFIN)
The hottest new thing in the beverage industry is the vending machine with a touch screen that lets a customer mix and match their favorite beverages into one drink.
What we are bringing to the table is the same hotness, but for breakfast cereal. Cereal Mixup is a breakfast cereal vending machine controller board. This magical board accepts the mix choices from the touch screen and directs the internal machinery to fill the user's bowl with the desired contents.
But, wait, this gets even more exciting!! We also provide an API over wifi, so you can use our unpatentable smartphone app to make your super yummy breakfast mixture selections from the palm of your clammy hand.
The poller/pov/CRS play the role of the touch screen and Wifi API that are sending commands to this controller.
The vulnerabilities in this CB simulate some of the most common object serialization bugs found in Java.
A bowl of cereal can be made by selecting one or more liquids, cereals, and toppings.
The touch screen has the following options and sub-options that the Cereal Mixup controller can process:
The API provided over Wifi accepts the same options and sub-options and the transmission is in a custom serialized format.
The serialized stream can contain types other than what are needed to make a breakfast. These types represent built-in objects/classes that may exist in imported libraries or default namespace. If one of the other types is de-serialized, its existence and instantiation is outside of the expectations of the Cereal Mixing code and can lead to unexpected operations.
In this case, one of those other objects 'CommandRunner' is an object that will execute the command as given on the command line. It takes a function address and 1 - 3 arguments. It calls the function at the given address and passes the 3 arguments to it.
To POV this CB, the function address is the IP Value and the second argument is the REG value. The first and third arguments are also passed via registers, but the POV itself uses the 2nd argument.
Deserialization of Untrusted Data
CWE-502: Deserialization of Untrusted Data CWE-822: Untrusted Pointer Dereference
Curated by Lunge Technology, LLC. Questions or comments? Send us email