Kaprica Security (KPRCA)
PPMS is a simple service that supports a binary protocol for creating and testing one or more parking permits for a parking lot owner. It is meant to run on embedded devices, so it has very limited features. The data returned by the service can be parsed and written onto the permit card. Because the system is used by VIP car owners who have multiple cars, it provides a "permit ring", which is like a key ring on which multiple permits (up to 5) can be stored on a single card. A master key is needed to authenticate the manager before any of the features can be used.
The vulnerability is in the function that handles creating a new permit ring from user-supplied data. The user specifies the number of permits to include in the ring, which is limited to the maximum number of permits in a single permit ring, 5. However, when the program iterates through the input and copies the data into a permit ring data structure on the stack, it may copy one extra parking permit because of an incorrect loop condition.
The loop condition is i <= count instead of i < count. In normal situations this does not by itself trigger a stack buffer overflow, because the following data (the supposed 6th permit) must pass the validity test in the permit_test function; the data is copied only when that check passes. With a carefully crafted input it is possible to control EIP arbitrarily by overwriting the local variable (count) so that more data is copied onto the stack.
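The off-by-one described above, shown as an added illustration that is not the challenge's own code: a record format (PERMIT_SIZE, PERMIT_MAGIC, the XOR checksum in permit_test) is assumed here for the sake of a runnable example, and the sample records are constructed. The vulnerable builder keeps the i <= count bound, so asking for a 2-permit ring from three valid records copies three; the fixed builder uses i < count and an explicit index check. The demo never calls the vulnerable builder with count equal to the ring capacity, since that is exactly the case where the extra memcpy would write past the stack array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PERMITS 5      /* ring capacity stated on the page */
#define PERMIT_SIZE 8      /* assumed fixed wire size of one permit record (not from the page) */
#define PERMIT_MAGIC 0x50  /* assumed record tag 'P' (not from the page) */

typedef struct { uint8_t raw[PERMIT_SIZE]; } permit_t;
typedef struct { int count; permit_t permits[MAX_PERMITS]; } permit_ring_t;

/* Stand-in for the page's permit_test: a record is valid when its first byte is
 * PERMIT_MAGIC and its last byte is the XOR of the preceding seven bytes. */
static int permit_test(const uint8_t *rec)
{
    uint8_t x = 0;
    if (rec[0] != PERMIT_MAGIC) return 0;
    for (int i = 0; i < PERMIT_SIZE - 1; i++) x ^= rec[i];
    return x == rec[PERMIT_SIZE - 1];
}

/* VULNERABLE shape: the loop bound is i <= count, so a count of N copies up to N+1
 * records whenever the (N+1)th record also passes permit_test. With count == MAX_PERMITS
 * the extra memcpy targets ring[MAX_PERMITS], one past the stack array. Returns records copied. */
static int build_ring_vulnerable(const uint8_t *data, size_t len, int count, permit_ring_t *out)
{
    permit_t ring[MAX_PERMITS];              /* stack buffer, as in the described service */
    int copied = 0;
    memset(ring, 0, sizeof ring);
    if (count < 0 || count > MAX_PERMITS) return -1;
    for (int i = 0; i <= count; i++) {       /* BUG: should be i < count */
        const uint8_t *rec = data + (size_t)i * PERMIT_SIZE;
        if ((size_t)(i + 1) * PERMIT_SIZE > len || !permit_test(rec)) break;
        memcpy(&ring[i], rec, PERMIT_SIZE);  /* i == count is one record past the request */
        copied++;
    }
    memcpy(out->permits, ring, sizeof ring);
    out->count = copied;
    return copied;
}

/* FIXED: strict upper bound plus an index check before every write, so the number of
 * writes can never exceed the array no matter how many input records validate. */
static int build_ring_fixed(const uint8_t *data, size_t len, int count, permit_ring_t *out)
{
    permit_t ring[MAX_PERMITS];
    int copied = 0;
    memset(ring, 0, sizeof ring);
    if (count < 0 || count > MAX_PERMITS) return -1;
    for (int i = 0; i < count && i < MAX_PERMITS; i++) {
        const uint8_t *rec = data + (size_t)i * PERMIT_SIZE;
        if ((size_t)(i + 1) * PERMIT_SIZE > len || !permit_test(rec)) break;
        memcpy(&ring[i], rec, PERMIT_SIZE);
        copied++;
    }
    memcpy(out->permits, ring, sizeof ring);
    out->count = copied;
    return copied;
}

/* Constructed sample input: three valid records carrying the plates "A1", "B2", "C3". */
static size_t build_sample(uint8_t *buf, size_t bufsz)
{
    const char *plates[3] = { "A1", "B2", "C3" };
    if (bufsz < 3 * PERMIT_SIZE) return 0;
    for (int r = 0; r < 3; r++) {
        uint8_t *rec = buf + (size_t)r * PERMIT_SIZE;
        uint8_t x = 0;
        memset(rec, 0, PERMIT_SIZE);
        rec[0] = PERMIT_MAGIC;
        memcpy(rec + 1, plates[r], 2);
        for (int i = 0; i < PERMIT_SIZE - 1; i++) x ^= rec[i];
        rec[PERMIT_SIZE - 1] = x;
    }
    return 3 * PERMIT_SIZE;
}

/* Run one builder over the three-record sample and return how many records it copied
 * (or -1 when the count was refused). use_fixed selects the corrected builder. */
static int demo_copies(int use_fixed, int count)
{
    uint8_t buf[3 * PERMIT_SIZE];
    permit_ring_t ring;
    size_t n = build_sample(buf, sizeof buf);
    return use_fixed ? build_ring_fixed(buf, n, count, &ring)
                     : build_ring_vulnerable(buf, n, count, &ring);
}

int main(void)
{
    printf("vulnerable loop, count=2: copied %d permits\n", demo_copies(0, 2));
    printf("fixed loop,      count=2: copied %d permits\n", demo_copies(1, 2));
    printf("fixed loop,      count=6: returned %d\n", demo_copies(1, 6));
    return 0;
}
```

The observable symptom is the count mismatch: a request for 2 permits yields 3 copied records under the i <= count bound, which is the same extra iteration that, at count == 5, turns into the stack write past the array. Clamping the loop to both count and MAX_PERMITS makes the write count independent of how many input records happen to validate.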
Stack Buffer Overflow Off-by-one Error
Stack-based Buffer Overflow (CWE-121) Off-by-one Error (CWE-193)
Competitors need to analyze the service and find the hard-coded data (master key) in order to generate valid session keys, which are random each time they are generated and expire after 3 actions. To trigger the bug successfully, a good understanding of the stack layout (the location of local variables and how they are used) is needed, as is computing the correct token values (constraint solving).
Curated by Lunge Technology, LLC.