Kaprica Security (KPRCA)
3M is a program that allows users to manage their memos. It provides a very simple interface with minimal yet useful features: create, modify, view, and delete. It supports auto-correction of misspelled words, where the user can specify custom corrections. In order to make the program more efficient, the latest version of the software uses threads!
The vulnerability is the use of the shared resource without a proper lock in multi-threaded environment. In order to perform the auto-correction of the words when creating a memo, the program runs a separate thread (ac_process) that is in charge of checking the queue of words to be examined (ac_queue) and updating the words if they are in the auto-correction dictionary.
Because the user can add a custom auto-correction entry that replaces a shorter string with a longer one, a heap-based buffer overflow can occur. The program attempts to guarantee that ac_buffer will be large enough to hold the next word. However, if the realloc triggers a call into the allocator, a thread switch may occur; because the realloc happens before ac_idx is incremented and is not guarded by the lock, ac_idx may be modified by the other thread in the meantime. Thus, once realloc returns, there is not actually enough memory allocated for the memcpy. The fix is to move the call to realloc into the guarded code section.
There is also a NULL pointer dereference bug: the buffer is not initialized when recv fails in a different thread. The buffer needs to be checked after acquiring the lock on the resource.
The effect of the buffer overflow is attacker control of the heap structures for the subsequent block. This should give the attacker the ability to trigger remote code execution.
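The following is an added illustration of the race described above and of the NULL check from the second bug; it is constructed for this page and is not the challenge binary's source. The names ac_buffer and ac_idx are taken from the write-up; ac_state, ac_cap, the lock flag, the preempt hook and the word values are assumptions of the model. A real thread switch is replaced by an explicit "preempt" call so the interleaving is deterministic, and ac_cap records the current allocation so the model can detect an out-of-bounds memcpy and refuse it rather than perform it.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the shared auto-correct state. The lock is a flag
 * rather than a mutex because the interleaving is simulated in one thread. */
typedef struct {
    char  *ac_buffer;   /* shared output buffer being rebuilt with corrections */
    size_t ac_idx;      /* bytes currently written into ac_buffer */
    size_t ac_cap;      /* bytes allocated for ac_buffer (model bookkeeping only) */
    int    locked;      /* stand-in for the mutex guarding ac_buffer/ac_idx */
} ac_state;

typedef void (*preempt_fn)(ac_state *);

static void ac_lock(ac_state *s)   { if (s->locked) abort(); s->locked = 1; } /* re-lock would deadlock */
static void ac_unlock(ac_state *s) { s->locked = 0; }

void ac_init(ac_state *s) {
    s->ac_buffer = calloc(1, 1);   /* empty string */
    s->ac_idx = 0; s->ac_cap = 1; s->locked = 0;
}
void ac_free(ac_state *s) { free(s->ac_buffer); s->ac_buffer = NULL; }

/* What the other thread does while it holds the lock: grow the buffer and
 * advance ac_idx. This is exactly the state change the unguarded path
 * computed its size without. */
void other_thread_append(ac_state *s) {
    const char *word = "hello";               /* constructed: a longer correction */
    size_t len = strlen(word);
    ac_lock(s);
    char *p = realloc(s->ac_buffer, s->ac_idx + len + 1);
    if (p) {
        s->ac_buffer = p; s->ac_cap = s->ac_idx + len + 1;
        memcpy(s->ac_buffer + s->ac_idx, word, len + 1);
        s->ac_idx += len;
    }
    ac_unlock(s);
}

/* Vulnerable shape: the size is derived from ac_idx and realloc runs with no
 * lock held, so the other thread can change ac_idx before the memcpy.
 * Returns 0 on success, 1 if the memcpy would overflow (refused here), -1 on OOM. */
int vulnerable_append(ac_state *s, const char *word, preempt_fn preempt) {
    size_t len = strlen(word);
    size_t needed = s->ac_idx + len + 1;       /* ac_idx read without the lock */
    char *p = realloc(s->ac_buffer, needed);   /* allocator call: a switch may happen here */
    if (!p) return -1;
    s->ac_buffer = p; s->ac_cap = needed;
    if (preempt) preempt(s);                   /* the other thread runs and grows ac_idx */
    ac_lock(s);
    int rc = 0;
    if (s->ac_idx + len + 1 > s->ac_cap) {
        rc = 1;                                /* would be the heap overflow in the real program */
    } else {
        memcpy(s->ac_buffer + s->ac_idx, word, len + 1);
        s->ac_idx += len;
    }
    ac_unlock(s);
    return rc;
}

/* Fixed shape: ac_idx is read and the realloc performed inside the guarded
 * section, so anything the other thread did before we took the lock is
 * already reflected in the size. The NULL check models the second bug:
 * a word buffer left unset by a failed recv is tested after acquiring the lock. */
int fixed_append(ac_state *s, const char *word, preempt_fn preempt) {
    if (preempt) preempt(s);                   /* a switch before the lock is harmless */
    ac_lock(s);
    if (!word) { ac_unlock(s); return -1; }    /* checked after acquiring the lock */
    size_t len = strlen(word);
    size_t needed = s->ac_idx + len + 1;
    char *p = realloc(s->ac_buffer, needed);
    if (!p) { ac_unlock(s); return -1; }
    s->ac_buffer = p; s->ac_cap = needed;
    memcpy(s->ac_buffer + s->ac_idx, word, len + 1);
    s->ac_idx += len;
    ac_unlock(s);
    return 0;
}

/* Runs one interleaving: "the" is appended while the other thread appends
 * "hello" in between. Copies the final buffer into out and returns the status. */
int scenario(int use_fix, char *out, size_t outsz) {
    ac_state s; ac_init(&s);
    int rc = use_fix ? fixed_append(&s, "the", other_thread_append)
                     : vulnerable_append(&s, "the", other_thread_append);
    strncpy(out, s.ac_buffer, outsz - 1); out[outsz - 1] = '\0';
    ac_free(&s);
    return rc;
}

/* The NULL-word case against the fixed path. */
int null_word_case(void) {
    ac_state s; ac_init(&s);
    int rc = fixed_append(&s, NULL, NULL);
    ac_free(&s);
    return rc;
}
```

With the same interleaving, scenario(0, ...) reports that the memcpy would run past the 4-byte allocation sized from the stale ac_idx, while scenario(1, ...) completes with "hellothe" because the size was computed under the lock after the other thread's append.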
Heap Buffer Overflow
TOCTOU (Time Of Check, Time Of Use) Error
NULL Pointer Dereference
Heap-based Buffer Overflow (CWE-122)
TOCTOU Error (CWE-367)
NULL Pointer Dereference (CWE-476)
Competitors need to realize that this is a multi-threaded program and be able to analyze the use of a shared resource (without any locking) among the threads. To trigger the bug, the fact that auto-correction does not safely handle a correction that increases the string length must be exploited.
Curated by Lunge Technology, LLC.