Kaprica Security (KPRCA)
This is a simple movie rental service where the user can list available movies in the inventory and rent the ones that are not rented already. The user is also able to return the movie. There is also an interface for privileged user (admin) when successfully logged in. This interface allows the admin to add, remove, or update movies in the inventory. The movie rental service also allows a debug mode for allowing an admin to test adding genres and movie ratings.
This service supports the following "documented" features:
In normal mode,
In admin mode,
The service supports the following "undocumented" features:
In admin mode, Send byte array \x29\x78\x31\x16\x00\x29\x78\x31\x16\x00 to enter debug mode
In debug mode, 1. Debug Add Genre: Send integer 1294579383 appended with a string, adds appended string to the list of Genres 2. Debug Add Rating: Send integer 388502 appended with a string, adds appended string to the list of Movie Ratings
The vulnerability is a format string vulnerability triggered by a special debug function. Once in debug mode if the user sends the integer: 1294579383 (sent as a little endian byte array: \x4D\x29\xB6\xB7) The user can append a genre title to the integer. Since the user has complete control over the string they can trivially crash the program.
Getting to the vulenrable state requires -> logging in as admin -> passing the debug sequence \x29\x78\x31\x16\x00\x29\x78\x31\x16\x00 to enable debug mode -> passing the debug code \x4D\x29\xB6\xB7
CWE-134: Uncontrolled Format String
The CB generates a small random password stored in the heap which is meant to be bruce forceable. The more challenging part is determining the "undocumented" byte sequence (hardcoded in the binary) that enables debug mode. Once in debug mode a user must send the "undocumented" integer codes that call the debug functions, dag (debug add genre) and dar (debug add rating). Specifically the vulnerability is enabled by calling dag with a vulnerable string.
Once a competitor determines how to call the dag function and add a vulnerable string to the movie genre list, crashing the program requires the competitor use the admin mode function to add or update a movie. When it gets to the part that lists the "genres" the bug can be triggered.
Curated by Lunge Technology, LLC. Questions or comments? Send us email