The researchers behind the article have been playing around with barcodes lately, trying to use them as a vector to gain control of the system that's reading them. It's a promising attack: nobody expects a takeover via barcodes. The idea isn't new, and in fact we've seen people trying to drop SQL attacks in barcodes long ago, but they put a few different pieces together and came up with a viable attack.

The trick is that many POS terminals and barcode readers support command characters in their programming modes. Through use of these Advanced Data Formatting (ADF) modes, the payload sends Windows-Key-r, then cmd.exe, ftps a file down, and runs it. ADF even supports a delay function to allow time for the command window to pop up before running the rest of the input. Whatever computer is on the other side of the barcode scanner has just been owned. The article details how they got their payload from requiring more than ten individual barcodes down to four.

Still, it's a suspicious-looking attack to try to pull off where other people (think cashiers) are looking. However, we have many automated machines in our everyday life that use barcodes, and the article suggests lottery machines, package-delivery automats, and even hospitals. How many of these are vulnerable is an open question.

The defense is simple, and it's the same as everywhere else: disable the debug and configuration modes in your production systems, and sanitize your input.
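As an added example (not code from the original article or the researchers), here is an application-side sanitizer for scanned barcode data: it rejects any control character, allow-lists the symbologies a hypothetical checkout application expects, and verifies the EAN-13 check digit rather than trusting the scanner. It assumes the scanner hands raw data to the application (serial or USB-COM mode) instead of typing it as a keyboard, because in keyboard-wedge mode the keystrokes reach the OS before any application code runs and only locking the scanner's programming mode helps; the sample scans in the test are constructed.

```python
import re
from dataclasses import dataclass

# Allow-list of what this (hypothetical) checkout application expects to read:
# EAN-13 product codes (13 digits) and Code 128 labels limited to printable ASCII.
EAN13_RE = re.compile(r"^\d{13}$")
CODE128_RE = re.compile(r"^[\x20-\x7e]{1,48}$")


@dataclass
class ScanResult:
    ok: bool
    value: str
    reason: str


def validate_ean13_checksum(digits: str) -> bool:
    """EAN-13: weights 1,3,1,3,... over the first 12 digits; check digit makes
    the weighted sum a multiple of 10."""
    total = sum(int(d) * (3 if i % 2 else 1) for i, d in enumerate(digits[:12]))
    return (10 - total % 10) % 10 == int(digits[12])


def sanitize_scan(raw: bytes) -> ScanResult:
    """Return the scan as trusted data only if it is exactly one expected symbology."""
    # A legitimate product code is plain ASCII; anything else is rejected outright.
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return ScanResult(False, "", "non-ASCII bytes in scan")
    # Assumption: the scanner is configured to append a CR/LF suffix; drop only that.
    text = text.rstrip("\r\n")
    # Control characters (TAB, ESC, GS, ...) are how key-press sequences are smuggled
    # into a scan. Reject the whole scan instead of stripping them and continuing.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return ScanResult(False, "", "control character in scan")
    if EAN13_RE.match(text):
        if not validate_ean13_checksum(text):
            return ScanResult(False, "", "EAN-13 checksum mismatch")
        return ScanResult(True, text, "ean13")
    if CODE128_RE.match(text):
        return ScanResult(True, text, "code128")
    return ScanResult(False, "", "unexpected format or length")
```

Log every rejected scan with its reason: a burst of "control character in scan" rejections at one terminal is a useful detection signal on its own.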