Kaprica Security (KPRCA)
A simple service that receives sensor readings, verifies them, and reports back the latest aggregated reading.
Three types of sensor inputs:
Customizable absolute bounds on the inputs filter out bad readings. Additionally, the change in location between packets is checked against a speed limit.
Every packet is timestamped. Timestamps are used for ordering and for calculating speed from the change in location. If a packet arrives out of order, either it or the preceding packet is dropped.
A sensor can send a reset packet if the system is out of sync and the state needs to be cleared.
In queue.h:76, there is an intended bug that causes stateq_pop_tail to return uninitialized heap memory. This can be triggered by the attacker when a packet is sent that causes the previous packet to be dropped. The error packet sent back to the attacker may now contain 4 bytes of uninitialized memory. Because the secret page was copied to the heap at the beginning of the program, and then freed, this uninitialized memory will actually contain some obfuscated bytes of the secret page. Exploitable as a type 2 POV.
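To make the verification pipeline above and the queue-pop failure mode concrete, here is a constructed model of the state queue with the check the described bug lacks. It is added for this write-up and is not the challenge binary's code; the struct layout, field names, return codes and the out-of-order drop policy are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of the sensor state queue; the struct layout, field names and drop
 * policy are assumptions for illustration, not the challenge binary's own code. */
typedef struct { unsigned ts; double x, y, value; } reading_t;
typedef struct { reading_t *buf; size_t cap, len; } stateq_t;

stateq_t *stateq_new(size_t cap) {
    stateq_t *q = calloc(1, sizeof *q);        /* calloc: header carries no stale heap bytes */
    q->buf = calloc(cap, sizeof *q->buf);      /* calloc: a never-written slot reads as zeros */
    q->cap = cap;
    return q;
}

/* The bug class on this page is a pop that hands the caller whatever the heap held. Here an
 * empty queue is reported explicitly, *out is zero-filled, and the vacated slot is cleared
 * so a later over-read cannot leak it (CWE-226). */
int stateq_pop_tail(stateq_t *q, reading_t *out) {
    memset(out, 0, sizeof *out);
    if (q->len == 0) return -1;
    *out = q->buf[--q->len];
    memset(&q->buf[q->len], 0, sizeof *q->buf);
    return 0;
}

/* Verify one packet: absolute bounds, then timestamp ordering, then speed against the tail.
 * Assumed ordering policy: an older timestamp drops the preceding packet once; if the packet
 * is still out of order it is dropped itself. Returns 0 on accept, else a drop reason. */
int stateq_accept(stateq_t *q, const reading_t *r, double max_abs, double max_speed) {
    reading_t dropped;
    if (r->value < -max_abs || r->value > max_abs) return 1;      /* out of absolute bounds */
    if (q->len && r->ts <= q->buf[q->len - 1].ts) {
        stateq_pop_tail(q, &dropped);                              /* drop the preceding packet */
        if (q->len && r->ts <= q->buf[q->len - 1].ts) return 2;    /* still out of order */
    }
    if (q->len) {
        const reading_t *t = &q->buf[q->len - 1];
        double dx = r->x - t->x, dy = r->y - t->y, dt = (double)(r->ts - t->ts);
        if (dx * dx + dy * dy > max_speed * max_speed * dt * dt) return 3;   /* exceeds speed limit */
    }
    if (q->len == q->cap) return 4;                                /* queue full */
    q->buf[q->len++] = *r;
    return 0;
}
```

The reply builder in the service should branch on the status code rather than forwarding the popped struct; that is the difference between an empty-queue error and four bytes of recycled heap.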
Read of uninitialized memory
CWE-125: Out-of-bounds Read
CWE-226: Sensitive Information Uncleared Before Release
This bug involves reuse of memory without initialization, so some understanding of heap allocation is helpful. One possible avenue for discovery is fuzzing combined with taint analysis. The sensitive memory is XORed with a deterministic value, and a POV must XOR the bytes it reads to recover the real type 2 value.
Curated by Lunge Technology, LLC.