This is an archived web site made available for research purposes. The web site is no longer maintained.

Qualifier Challenge - CROMU_00042


Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWE-131 - Incorrect Calculation of Buffer Size
  • CWE-190 - Integer Overflow or Wraparound
  • CWE-195 - Signed to Unsigned Conversion Error
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 3.33
  • DeepRed: 2.75
  • CodeJitsu: 1.93
  • CSDS: 1.92
  • TECHx: 0.72
  • TrailofBits: 0.21
  • Disekt: 0.0
  • Lekkertech: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • ForAllSecure - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • DeepRed: 100.0% - CB1
  • ForAllSecure: 33.3% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Jason Williams" jdw@cromulence.co “Joe Rogers” joe@cromulence.co "Debbie Nuttall" debbie@cromulence.co

DARPA performer group

Cromulence LLC (CROMU)

Description

This service is a joint effort from multiple Cromulence developers. It includes a command line interface with a command handler and registered command.

The first command is a sort command and allows the user to enter a number of integers to be sorted. The user then enters each integer one line at a time and the sorted list is printed back to the user.

The second command provides basic addition, subtraction, and scalar multiplication matrix math operations. Depending on the requested operation, the user is prompted to supply the matrices and/or the scalar multiplier. The resulting matrix is printed out before returning to the matrix operation menu.

The third command is a game similar to Simon says. The game outputs a sequence of colors and the user must generate a reply sequence that matches. After every correct answer, the sequence grows longer.

The fourth command is a data encoding function similar to Base64. Raw data is entered and the resulting encoded data is output.

Feature List

This service features an interactive command line, the ability to list commands, and numerous commands. The first command is the sort command which sorts integers entered by the user. The second command provides basic matrix math operations. The third command is a simon says game.

Vulnerability

This service has the following vulnerabilities.

The first vulnerability is in the sort command. A user can enter a negative number for the number of items to be sorted. Due to a sign/unsigned comparison bug it is possible for the user to enter a negative number and pass the max length check for the sort array. In doing so the user can then write outside of the array and corrupt the stack frame overwriting the return address.

The second vulnerability is in the matrix command. The program uses a fixed size array to store the matrices. It incorrectly checks the necessary size of the array by multiplying the supplied dimension values together without properly handling the possibility of an integer overflow.

The third vulnerability is in the simon command. The user response is written to a stack buffer. If the user successfully plays past the first 236 rounds of play, the response will begin writing past the end of the stack buffer. If the game is successfully played up to the maximum number of 256 rounds, a 20 byte stack overwrite will occur before the simon function exits.

Generic class of vulnerability

sort command: Signed to Unsigned Conversion Error Stack-based Buffer Overflow

matrix command: Integer overflow leading to an incorrect calculation of buffer size

simon command: Stack-based Buffer Overflow

CWE classification

sort command: CWE-195: Signed to Unsigned Conversion Error CWE-121: Stack-based Buffer Overflow

CWE-190: Integer Overflow or Wraparound CWE-131: Incorrect Calculation of Buffer Size

simon command: CWE-121: Stack-based Buffer Overflow

Challenges

This service presents the CRS with a number of possible commands that the CRS can select from. The service is designed to be simple in nature and have multiple bugs for the CRS to exploit. The only challenge is in determining the command table, entering the correct command, and setting the proper states for an exploitable command.


Curated by Lunge Technology, LLC. Questions or comments? Send us email