Schon toll, so ein "Internet of Things"

Montag, 27.3.2017, 11:15 > da]v[ax

Heute: Der Miele-Geschirrspüler mit integriertem Webserver und entsprechend vorhersehbaren Sicherheitslücken. Ich kann mir da echt nur noch an den Kopp langen. m(

“The corresponding embedded Web server 'PST10 WebServer' typically listens to port 80 and is prone to a directory traversal attack, therefore an unauthenticated attacker may be able to exploit this issue to access sensitive information to aide in subsequent attacks.”

Proving it for yourself is simple: GET /../../../../../../../../../../../../etc/shadow HTTP/1.1 to whatever IP the dishwasher has on the LAN.

Directory traversal attacks let miscreants access directories other than those needed by a web server. And once they're in those directories, it's party time because they can insert their own code and tell the web server to execute it.

(via von-leitner-institut-für-verteiltes-echtzeit-java)