Narf Industries info@narfindustries.com
Narf Industries (NRFIN)
Mixology is a new chemical discovery service that allows one to efficiently mix chemical compounds from a list and name the new discoveries.
The chemical compounds list this is based on is a random sample from: http://pubchem.ncbi.nlm.nih.gov/citations.html
It is public domain information generated by a Government agency.
Mixology supports random sampling of the chemical list and sends that sample to the client in a compact Bloom-filter-like format. The client chooses the seed for the random sample. The client can then send back a unique compound, compiled from that sample list, which is weighed and can be named by the user.
Certain compounds have a fixed molecular weight of more than 2.3. The client must determine which random seed to give the server so that the sample consists of more than 20 compounds weighing more than 2.3 each. This matters because 2.3^20 > 2^24 (roughly 17.2 million versus 16,777,216): the combined weight of 20 such compounds is large enough to occupy the most significant byte of the unsigned moles integer in this struct:
typedef struct mixed_compound {
    char compound_name[MAX_NEW_CMPND_SZ];
    unsigned int moles;
} mixed_compound_t;
The compound_name char[] is off by one: a name of MAX_NEW_CMPND_SZ characters leaves no room for a terminator, so the upper byte of the moles variable acts as its null terminator. When the client manages to create a sample (by choosing the correct random seed and rebuilding a smaller sample Bloom filter) where moles > 2**24, the following lines segfault:
(libmixology.c:225)
    size_t cpsz = strlen(mc->compound_name);
    memcpy(last_compound, mc->compound_name, cpsz);
This is because mc->compound_name is no longer null terminated and last_compound is far too small for the size computed by strlen().
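The following is an added example, not code from the Mixology challenge binary, that reproduces the struct layout described above and shows why the most significant byte of moles behaves as the name's terminator. It assumes MAX_NEW_CMPND_SZ is 128 (taken from the "128 chars" requirement in the notes), a little-endian target such as the x86 CGC platform, and a hypothetical 64-byte last_compound buffer; the vulnerable copy from libmixology.c:225 is reproduced beside a bounded replacement.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed from the challenge notes ("new compound name == 128 chars"). */
#define MAX_NEW_CMPND_SZ 128
/* Hypothetical size of the undersized last_compound destination. */
#define LAST_COMPOUND_SZ 64

/* Same layout as the struct quoted above: 128 name bytes immediately
 * followed by the 4-byte moles field, no padding in between. */
typedef struct mixed_compound {
    char compound_name[MAX_NEW_CMPND_SZ];
    unsigned int moles;
} mixed_compound_t;

/* Length strlen(mc->compound_name) would report, found by scanning the raw
 * bytes of the whole struct with memchr so this demo itself never reads
 * past the object. Returns -1 when no NUL exists anywhere in the struct,
 * i.e. strlen would keep walking into whatever follows in memory. */
long observed_name_len(const mixed_compound_t *mc) {
    const unsigned char *p = (const unsigned char *)mc;
    const unsigned char *nul = memchr(p, 0, sizeof *mc);
    return nul ? (long)(nul - p) : -1;
}

/* A compound whose name uses all 128 bytes, leaving no terminator. */
mixed_compound_t make_full_name(unsigned int moles) {
    mixed_compound_t mc;
    memset(mc.compound_name, 'A', sizeof mc.compound_name);
    mc.moles = moles;
    return mc;
}

/* The pattern from libmixology.c:225, reproduced for comparison only:
 * strlen is unbounded and the destination size is never consulted. */
size_t vulnerable_copy(char *last_compound, const mixed_compound_t *mc) {
    size_t cpsz = strlen(mc->compound_name);
    memcpy(last_compound, mc->compound_name, cpsz);
    return cpsz;
}

/* Bounded replacement: never read past the name field and never write
 * more than the destination can hold, then terminate explicitly. */
size_t safe_copy(char *dst, size_t dst_sz, const mixed_compound_t *mc) {
    size_t n = sizeof mc->compound_name;
    const char *nul = memchr(mc->compound_name, 0, n);
    if (nul)
        n = (size_t)(nul - mc->compound_name);
    if (n >= dst_sz)
        n = dst_sz - 1;
    memcpy(dst, mc->compound_name, n);
    dst[n] = '\0';
    return n;
}

int main(void) {
    /* moles < 2^24: on little-endian the MSB is the last byte of the struct
     * and is zero, so strlen stops at offset 131, only 3 bytes past the name. */
    mixed_compound_t small = make_full_name(0x00FFFFFFu);
    /* moles > 2^24 with every byte nonzero: no NUL anywhere in the struct. */
    mixed_compound_t big = make_full_name(0x01010101u);
    /* Exactly 2^24: the MSB is set but the low bytes are zero, so strlen
     * still stops at offset 128. The MSB is a terminator of last resort;
     * a real product of 20 weights rarely has zero low bytes. */
    mixed_compound_t edge = make_full_name(0x01000000u);

    printf("moles=0x%08x strlen would see %ld\n", small.moles, observed_name_len(&small));
    printf("moles=0x%08x strlen would see %ld\n", big.moles, observed_name_len(&big));
    printf("moles=0x%08x strlen would see %ld\n", edge.moles, observed_name_len(&edge));

    /* The vulnerable pattern already over-reads by 3 bytes in the "safe" case;
     * a scratch buffer sized for the whole struct absorbs that here. */
    char scratch[sizeof small];
    printf("vulnerable_copy copied %zu bytes\n", vulnerable_copy(scratch, &small));

    char last_compound[LAST_COMPOUND_SZ];
    printf("safe_copy copied %zu bytes: %s\n", safe_copy(last_compound, sizeof last_compound, &big), last_compound);
    return 0;
}
```

observed_name_len() shows the three regimes a solver has to reason about: while moles stays below 2^24 the zero MSB at the end of the struct bounds strlen at 131; once the MSB is nonzero, termination depends entirely on the lower three bytes, which for a real mole total are normally nonzero, so strlen runs off the end of the struct and memcpy overflows last_compound.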
Buffer Overflow
Off-by-one error
Integer overflow (not technically, but practically)
CWE-120: Buffer Overflow
CWE-193: Off-by-one Error
The challenges for the automated system will be:
a) Tracking taint to understand how samples are packed into Bloom filters and sent across the wire
b) Understanding that the "MIX" command requires a smaller sample buffer than the "PREP" command
c) Satisfying multiple requirements for the vulnerability (e.g. new compound name == 128 chars && molecular weight > 2.3 for each input compound)
d) Isolating the hash function and determining which seed must be used to derive a sample with 20 compounds over 2.3 molecular weight. Note the hash is not cryptographic and is only a 4-byte integer. It is, however, diffuse and is based on murmur2 with many modifications.
e) Understanding the relationship between the mole variable's MSB and the fact that it effectively acts as a null terminator for the new compound name.