"Andrew Wesie" andrew.wesie@kapricasecurity.com
Kaprica Security (KPRCA)
This service implements a storage device over a USB-like network protocol. Basic functionality is implemented, including read, write, and query size. The protocol includes the groundwork to eventually support hosting multiple devices on one server.
The protocol is based on proven technology used every day by millions of people. The storage device emulates 128 blocks with a 512-byte block size. This gives the user an impressive 64KB (!) of disk space. Large enough to hold one picture (maybe?). Privacy is guaranteed because your data is never stored on disk and is lost as soon as you disconnect.
A buffer overflow in the WRITE command allows an attacker to write past the end of the memory buffer and overwrite the function pointers in the usb_t structure. The memcpy_fast function, used by the WRITE command, assumes that the length of a data packet is greater than zero, so a zero length leads to a 16-byte overflow. If the length is set to zero, the block address can be set to NUM_BLOCKS, which is the end of the memory buffer. This gives a 16-byte overwrite of the data immediately after the memory buffer, which is the usb_t structure.
Buffer Overflow
CWE-787: Out-of-bounds Write
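As an added illustration, not the challenge's own code, the following C model places the flawed bounds check described above beside a hardened one. The exact form of the original check, the 16-byte SSE chunk loop in memcpy_fast, and the layout of the block buffer followed by usb_t are assumptions; nothing is actually written out of bounds, the model only computes how many bytes a request would spill.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define BLOCK_SIZE 512
#define NUM_BLOCKS 128
#define CHUNK 16   /* width of one SSE register, the unit the copy loop works in (assumed) */

/* Assumed memory layout: the block buffer is immediately followed by the
 * control structure (stand-in for the page's usb_t) holding the function pointers. */
typedef struct {
    uint8_t blocks[NUM_BLOCKS * BLOCK_SIZE];
    struct { void (*read)(void); void (*write)(void); } usb;
} device_t;

size_t usb_offset(void) { return offsetof(device_t, usb); }

/* Models the assumed flaw in memcpy_fast: a do-while loop that always copies at least
 * one CHUNK, so a zero-length request still writes 16 bytes. Returns bytes written. */
size_t chunked_copy_len(size_t len) {
    size_t n = 0;
    do { n += CHUNK; } while (n < len);
    return n;
}

/* Assumed original check: only rejects requests whose last block lies beyond the
 * buffer, so block == NUM_BLOCKS is accepted when len == 0. */
bool write_ok_vulnerable(uint32_t block, uint32_t len) {
    return (uint64_t)block + len / BLOCK_SIZE <= NUM_BLOCKS;
}

/* Hardened check: reject empty writes, require the first block to be inside the
 * buffer, and require the rounded-up copy length to end inside it too. */
bool write_ok_fixed(uint32_t block, uint32_t len) {
    if (len == 0 || block >= NUM_BLOCKS) return false;
    uint64_t end = (uint64_t)block * BLOCK_SIZE + chunked_copy_len(len);
    return end <= (uint64_t)NUM_BLOCKS * BLOCK_SIZE;
}

/* Bytes a request accepted by `check` would spill past blocks[] into usb; 0 if
 * the request is rejected or fits. Nothing is actually written. */
size_t overflow_bytes(bool (*check)(uint32_t, uint32_t), uint32_t block, uint32_t len) {
    if (!check(block, len)) return 0;
    uint64_t end = (uint64_t)block * BLOCK_SIZE + chunked_copy_len(len);
    uint64_t cap = (uint64_t)NUM_BLOCKS * BLOCK_SIZE;
    return end > cap ? (size_t)(end - cap) : 0;
}
```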
The commands are wrapped in two structures, which increases the depth needed to reach the exploitable function. Additionally, the instructions that cause the overflow use SSE registers, which the analysis platform must support. Before any commands can be sent, the devlist command must be sent, the devid extracted, and then sent as part of the import command. Lastly, the use of function pointers may make control flow harder to analyze.
Curated by Lunge Technology, LLC.