Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Empirical Security Advisory: New Otis Elevator Vulnerability

From: empirical () hushmail com (empirical () hushmail com)
Date: Thu, 19 Sep 2002 16:02:17 -0700
EMPIRICAL SECURITY ADVISORY 0x02

Product: Otis Elevator 12 Passenger, 2000lbs Model 

Summary
A denial of service is possible against users of this model elevator.

Background
I was on the elevator the other day, going downstairs to get a cup of coffee the other day, when on the 2nd floor a 
herd of fucking CATTLE came on.  These women were BIG.

I was strangely aroused by it, but as the 11 of them herded on, I got pushed in the corner and almost crushed to death. 
 Surrounded, crushed, and fighting for oxygen, I rode to the first floor, where the elevator came to a screeching halt 
(inertia is a real bitch).  The structual integrity of this elevator was in question.  That's when the realization of a 
potential denial of service, and a potential digital Battle Of The Bulge (similar to Digital Pearl Harbor) occurred to 
me.

For reference, let's define a few technical specs up front.

Otis Elevator 2000lbs 12 passenger
Height: 10 feet
Width:  14 feet
Depth:  6 feet

Steve Manzuik (hellNbak)
Height: 5' 5"
Width:  5' 5"
Weight: 350lbs
(this unit of measurement henceforth referred to as a "Manzuik")

Vulnerability
Due to an input validation error in Otis Elevators combined with a storage flaw, it may be possible to exceed the 
maximum Manzuik capacity of an Otis Elevator.

Observe:

   x       12
------- = -----
Manzuik     1

x = 12(Manzuik)
x = 12(350)
x = 4200

As we can see by the measurements of the elevator:

Prism Volume             B
V = ABC                ------
V = (10)(14)(6)     A |      |\
V = 60ft sq.          |      | \
                       \-----\ | 
                      C \     \| 
                         ------

As we can see from the measurements, it's possible to exceed the maximum number of Manzuiks permitted in one elevator.  
The design flaw of unchecked buffers in the elevator car, combined with a lack of input validation when measuring 
entering Manzuiks could present a potential disaster.

Theorhetical Attack
A terrorist performs a reconaissance mission on a tall office building, and discovers open commercial space on one of 
the upper floors of the building.

The terrorist opens a Krispy Kreme Donuts on the top floor of the building.

A group exceeding one Manzuik per party crams into the elevator and attempts to get to the Krispy Kreme, causing a 
severe mechanical failure of the elevator during transit.

Mitigating
Fill space in elevator car that could be used to exceed maximum Manzuik limit with large, empty, worthless objects, 
such as RFP's ego, Wysopal's trustworthiness, the talk to exploit ratio of Jay Dyson in the last ten years.

Solution
Remeasure elevator cars, and evaluate the size vs. maximum Manzuik ratio.



Get your free encrypted email at https://www.hushmail.com
Previous By Date Next
Previous By Thread Next

Current thread: