"Brian Pak" email@example.com
Kaprica Security (KPRCA)
This is a simple movie rental service where the user can list available movies in the inventory and rent the ones that are not rented already. The user is also able to return the movie. There is also an interface for privileged user (admin) when successfully logged in. This interface allows the admin to add, remove, or update movies in the inventory.
This service supports the following features:
In normal mode,
In admin mode,
Upon specific sequence of actions (and appropriate input), it is possible to cause a use-after-free (UAF) bug and crash the program. With specially crafted input, arbitrary code execution is also possible.
There are actually 2 bugs in the service. The first bug allows the attacker to get into admin mode without knowing the correct password. There exists a stack buffer overflow which results in the overwrite of the return status local variable that determines if the login was successful. However, this bug is not enough to crash the service. The second bug is a UAF bug with the movie lists, where the rental list holds a stale pointer to the free'd movie entry.
Specifically, in main.c:445, when the movie is removed (in admin menu), it is removed only from the full list, not the rented list. Then, by allocating memory of size equivalent of the movie object, it is possible to control the contents of the stale movie pointer, which has a function pointer in it. By setting the function pointer, EIP control is possible.
Stack Buffer Overflow
Stack-based Buffer Overflow (CWE-121)
This CB tests if the competitors can chain two vulnerabilities to perform a successful attack. Since the password for the admin account is randomly generated each time the program is run, the stack buffer overflow needs to be used to bypass the login validation. It requires a good understanding of how the memory allocation and free work. Also, in order to successfully crash the program, one needs to use both modes (normal & admin) in a specific order to manipulate the layout of the heap.
Curated by Lunge Technology, LLC. Questions or comments? Send us email