Kaprica Security (KPRCA)
A secure authentication service with an extensible protocol that can support multiple authentication methods and multiple upper layer services.
Full support for the cleartext password authentication method; the user can change their password using a change request.
Timing attack resistance to prevent exposure of usernames and passwords.
Packets are padded to 8-byte boundaries with random data to make it easier to implement on top of a secure channel in the future.
In service.c:285, there is an integer overflow that allows an attacker to bypass the length check. The vulnerable function is called from service.c:513 and is passed a stack buffer of a fixed size. An attacker can use the integer overflow to overflow that stack buffer by supplying a string length of 0xFFFFFFFF in a packet carrying 0x8000 bytes of data. This is provable with a type 1 POV.
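The bug class above, as an added illustration that is not the challenge's own service.c: a length check that adds a header size to an attacker-controlled 32-bit length wraps around for 0xFFFFFFFF, so the comparison against the packet size passes and a later copy into a fixed stack buffer overflows. The packet layout (a 4-byte little-endian length prefix), the 64-byte buffer size and the function names are assumptions for the example; the hardened form avoids computing any sum that can wrap and also bounds the length by the destination buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not the challenge's service.c. The real packet layout
 * and the check at line 285 are not reproduced here; this models the bug class. */

#define STACK_BUF_SIZE 64   /* assumed size of the fixed stack buffer */
#define STRING_HDR_LEN 4    /* assumed: 4-byte length prefix before the string */

/* Vulnerable form: str_len + STRING_HDR_LEN is evaluated as a 32-bit unsigned
 * addition. With str_len == 0xFFFFFFFF it wraps to 3, which is smaller than any
 * real packet, so the check passes and a later copy of str_len bytes into the
 * fixed buffer overflows it. Returns 1 if the copy would be permitted. */
int length_check_vulnerable(uint32_t str_len, uint32_t pkt_len)
{
    if (str_len + STRING_HDR_LEN > pkt_len)
        return 0;
    return 1;
}

/* Hardened form: confirm the packet holds a header, then subtract instead of
 * adding (no wrap possible), and bound the length by the destination buffer,
 * leaving room for a NUL terminator. */
int length_check_safe(uint32_t str_len, uint32_t pkt_len, size_t dst_size)
{
    if (pkt_len < STRING_HDR_LEN)
        return 0;
    if (str_len > pkt_len - STRING_HDR_LEN)
        return 0;
    if (dst_size == 0 || str_len > dst_size - 1)
        return 0;
    return 1;
}

/* Safe extraction: copies the string only when the hardened check passes.
 * pkt points at the length prefix followed by the string bytes.
 * Returns the number of bytes copied, or -1 if the packet is rejected. */
int read_string_safe(const uint8_t *pkt, uint32_t pkt_len, char *dst, size_t dst_size)
{
    if (pkt_len < STRING_HDR_LEN)
        return -1;
    uint32_t str_len = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8)
                     | ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    if (!length_check_safe(str_len, pkt_len, dst_size))
        return -1;
    memcpy(dst, pkt + STRING_HDR_LEN, str_len);
    dst[str_len] = '\0';
    return (int)str_len;
}

/* Helper for checking the well-formed case: returns 1 if a constructed
 * 5-byte string is copied intact, 0 otherwise. */
int demo_read_good(void)
{
    uint8_t good[] = { 5, 0, 0, 0, 'a', 'l', 'i', 'c', 'e' };  /* constructed packet */
    char buf[STACK_BUF_SIZE];
    int n = read_string_safe(good, sizeof good, buf, sizeof buf);
    return n == 5 && strcmp(buf, "alice") == 0;
}

int main(void)
{
    /* Constructed packets: one well-formed, one carrying the wrapped length. */
    static uint8_t bad[0x8000] = { 0xFF, 0xFF, 0xFF, 0xFF };
    char buf[STACK_BUF_SIZE];

    printf("well-formed packet copied intact: %d\n", demo_read_good());
    printf("vulnerable check accepts wrapped length: %d\n",
           length_check_vulnerable(0xFFFFFFFFu, sizeof bad));
    printf("hardened check accepts wrapped length: %d\n",
           length_check_safe(0xFFFFFFFFu, sizeof bad, sizeof buf));
    printf("hardened read of bad packet: %d\n",
           read_string_safe(bad, sizeof bad, buf, sizeof buf));
    return 0;
}
```

The hardened check also catches the second half of the problem the page notes under "function argument types": the destination size is passed in explicitly as a `size_t` rather than assumed by the callee, so the bound is checked where the copy happens.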
Buffer overflow
CWE-121: Stack-based Buffer Overflow
CWE-190: Integer Overflow or Wraparound
No major challenges. Requires reasoning about integer overflows and function argument types.
Curated by Lunge Technology, LLC. Questions or comments? Send us email