"Bryce Kerley" email@example.com
This service uses floating point and integer operations to set up internal state based on a provided seed. It then requires clients to make assertions about that state before allowing them access to an echo service with a buffer overrun vulnerability.
This service forces clients to seed an RNG with 256 bits of entropy. From that entropy it initializes a 4096-bit pool using mixed floating-point and integer operations on the same data. The intent is that only CRSes capable of correctly implementing x86 math can reach the vulnerability. Beyond that, it is a simple stack buffer overrun vulnerability.
The service speaks a standard Type-Length-Value (TLV) protocol. The functions in messages.c and the constants in messages.h are generated by tool/message_builder.rb from the data in tool/messages.csv.
Once the client has matched the RNG state assertions, an echo message with a length over 80 bytes overflows the stack buffer that holds messages to be echoed back. Patching this vulnerability requires adding a length check, removing the buffer altogether, or dynamically allocating an appropriately sized buffer.
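The length-check patch described above, as an added C example that is not the challenge's own code: a minimal TLV echo handler in its unpatched and patched forms. The wire layout (1-byte type, 2-byte little-endian length, value), the type code MSG_ECHO and the 80-byte buffer size are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ECHO_BUF_LEN 80   /* stack buffer size, assumed from the 80-byte limit above */
#define MSG_ECHO     0x01 /* hypothetical type code for an echo message */

/* Parse a TLV header (1-byte type, 2-byte little-endian length, then value).
 * Returns 0 on success, -1 if the value is shorter than the length claims. */
int tlv_parse(const uint8_t *m, size_t n, uint8_t *t, uint16_t *l, const uint8_t **v)
{
    if (n < 3) return -1;
    *t = m[0]; *l = (uint16_t)(m[1] | (m[2] << 8));
    if ((size_t)*l > n - 3) return -1;
    *v = m + 3; return 0;
}

/* Unpatched: trusts the length field and copies into a fixed stack buffer,
 * the CWE-121 defect described above. Kept for comparison, not exercised. */
int echo_unpatched(const uint8_t *msg, size_t msg_len, uint8_t *out)
{
    uint8_t type, buf[ECHO_BUF_LEN]; uint16_t len; const uint8_t *value;
    if (tlv_parse(msg, msg_len, &type, &len, &value) || type != MSG_ECHO) return -1;
    memcpy(buf, value, len);            /* len > 80 writes past the end of buf */
    memcpy(out, buf, len);
    return len;
}

/* Patched: the added length check rejects oversized values before the copy. */
int echo_patched(const uint8_t *msg, size_t msg_len, uint8_t *out)
{
    uint8_t type, buf[ECHO_BUF_LEN]; uint16_t len; const uint8_t *value;
    if (tlv_parse(msg, msg_len, &type, &len, &value) || type != MSG_ECHO) return -1;
    if (len > ECHO_BUF_LEN) return -1;  /* the fix: never copy more than buf holds */
    memcpy(buf, value, len);
    memcpy(out, buf, len);
    return len;
}

/* Constructed input: echo message of n 'A' bytes (n <= 200); returns bytes echoed by the patched handler, -1 if rejected. */
int patched_echo_result(size_t n)
{
    uint8_t msg[3 + 200], out[200];
    if (n > 200) return -2;
    msg[0] = MSG_ECHO; msg[1] = (uint8_t)(n & 0xff); msg[2] = (uint8_t)(n >> 8);
    memset(msg + 3, 'A', n);
    return echo_patched(msg, 3 + n, out);
}

int main(void) { printf("80 bytes -> %d, 81 bytes -> %d\n", patched_echo_result(80), patched_echo_result(81)); return 0; }
```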
Stack-based buffer overflow
CWE-121 Stack-based Buffer Overflow
The primary difficulty with this challenge is maintaining identical RNG state with mixed floating-point and integer operations.
Curated by Lunge Technology, LLC.