"Nick Davis" info@narfindustries.com
Narf Industries (NRFIN)
Institutionally-sponsored popularity contests are common events in the lives of American adolescents. In response to the roar of demanding parents, we've developed One Vote to optimally support the needs of these myriad institutions.
One Vote will guarantee that: only the most popular adolescent wins the contest, an individual's vote can never be seen by other voters, an individual's vote can never be associated with their name, and each potential voter can only vote one time (although they can change their vote as many times as they want while voting is open).
Admin
-- Create Election: create election manager's credentials, define election name, opt to (dis/en)able write-in candidates, define number of winning candidate(s), and max number of total candidates.
-- Open Voting: election manager can start voting period.
-- Close Voting: election manager can end voting period.

Voting
-- Login: voters or election manager can login to access functions requiring authorization.
-- Register Voter: enter first and last name and get voter ID number.
-- Vote: enter voter ID and last name and make voting choice. If already voted, can change choice.
-- Add Candidate: add a new candidate to the election.

Results
-- Election status: list number of voters, number of votes, number of candidates.
-- Voting Results: list winning candidate(s) along with vote count in order from highest to lowest vote count.
-- Voter Turnout: list number of votes, number of voters, names of all voters.
-- Candidate Summary: list number of candidates, names of all candidates with vote counts.
When a voter submits a vote, they get a voting receipt that contains a confirmation number. In the unpatched version, that confirmation number is the voter's ID xor'd with the first 4 bytes of the flag page. The function get_next_vote_id() contains this vulnerability.
Information Leakage
CWE-201: Information Exposure Through Sent Data
When a voter submits a vote, a vote record is created that contains the voter's information as well as the candidate's information. The vote record is stored in a hash table where the key is the concatenation of the first and last name of the voter. The key is created using snprintf and a format string that will combine the first and last name, separated by a space, into a single string. In the unpatched version, the format string was accidentally omitted from the call to snprintf, so the voter's first name is used as the format string. This is in election.c:create_and_insert_vote().
Buffer Overflow
Uncontrolled Format String
CWE-120: Buffer Copy without Checking Size of Input
CWE-121: Stack-based Buffer Overflow
CWE-134: Uncontrolled Format String
CWE-787: Out-of-bounds Write
CWE-788: Access of Memory Location After End of Buffer
CWE-806: Buffer Access Using Size of Source Buffer
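The key construction described above for create_and_insert_vote(), written with a constant format string and a truncation check. This is an added example, not the code from election.c; the helper name make_vote_key and the KEY_MAX buffer size are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define KEY_MAX 64  /* assumed key buffer size; not taken from election.c */

/*
 * Unpatched shape described above (kept as a comment only):
 *     snprintf(key, KEY_MAX, first_name);
 * first_name is voter-supplied, so any conversion specifiers in it are
 * interpreted by snprintf instead of being copied as text.
 */

/* Hypothetical helper: build "first last" using a constant format string.
 * Returns 0 on success, -1 on bad arguments or if the key would not fit. */
int make_vote_key(char *key, size_t key_len,
                  const char *first_name, const char *last_name)
{
    int n;

    if (key == NULL || key_len == 0 || first_name == NULL || last_name == NULL)
        return -1;

    /* Names are passed only as %s arguments, never as the format itself. */
    n = snprintf(key, key_len, "%s %s", first_name, last_name);
    if (n < 0 || (size_t)n >= key_len) {
        key[0] = '\0';  /* reject rather than store a truncated key */
        return -1;
    }
    return 0;
}

int main(void)
{
    char key[KEY_MAX];

    /* Constructed sample input: a first name that contains a '%' sequence. */
    if (make_vote_key(key, sizeof(key), "100%s", "Voter") == 0)
        printf("key = \"%s\"\n", key);
    return 0;
}
```

Rejecting an over-long name instead of truncating it also keeps two different voters from mapping to the same hash table key.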