HC's Capture the Flag website
CTF Contests
25C3-CTF

25C3-CTF final results

Advisory #37

From team WiiPhonies

New advisory by : Ge0rG
Affected service(s): vdspi
Severity [lmh] : low

===== Problem =====

Certain IDs can crash the service, causing a DoS.

The following calculation in persondb.adb causes the Log() function to
terminate the application:

"n : ID_Type := 10 ** (Integer (Log (Long_Float (id)) / Log (10.0)) + 1);"

===== Impact =====

The current session is terminated abruptly, when an ID=0 is submitted. Lock
files remain in the file system, preventing further usability of the VDspi
service.

===== Fix =====

The code can be replaced by the following:

n : ID_Type := 10 * id;
function pred (p : Person_Type) return Boolean is
begin
if n > 0 then
return (Person.ID (p) mod n = id);
else
return (Person.ID (p) mod 10 = 0);
end if;
end pred;

Rating

[0] proposed fix introduces a new bug - service could return unintended results

Go back

---

Impressum