This is an archived web site made available for research purposes. The web site is no longer maintained.

Final Event Style Sample Challenge - KPRCA_00060


Original Versions

Known Vulnerabilities

  • CWE-122 - Heap-based Buffer Overflow

DARPA performer group

Kaprica Security (KPRCA)

Description

Simple Printer Protocol. The service acts like a printer service, but obviously doesn't really print things. All of data are parsed, but most of them are left unused -- except for few fields used in queue state report.

Feature List

- Print jobs - Receive print jobs - Manage print jobs (via control files) - See queue state - Remove jobs

Vulnerability

Vuln 1

  • One of the control subcommands is not securely handled.
  • Specifically, a user-provided argument to the 'T' (title for the document banner) control subcommand is used without the validity check on its length, causing a heap buffer overflow.
  • The overflow happens inside of job_t structure, which is located inside of a printer_t structure as part of an array. Right next to the array of jobs is a function pointer for 'tick' function.
  • By carefully choosing the job_id and title data, it is possible to achieve an arbitrary code execution.

Generic class of vulnerability

Buffer Overflow

CWE classification

CWE-122: Heap-based Buffer Overflow

Challenges

  • There are many possible subcommands available for control file. There is one case that isn't properly guarded.

Difficulty

  • Discovery: easy
  • Proving: medium
  • Patching: medium

Curated by Lunge Technology, LLC. Questions or comments? Send us email