This is an archived web site made available for research purposes. The web site is no longer maintained.

Challenge Information - CROMU_00083

Commonly known as: Filesystem_Command_Shell


Rounds Enabled

39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53

Details

Original Versions

Known Vulnerabilities

  • CWE-193 - Off-by-one Error
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

Author Information

"Steve Wood" swood@cromulence.com

DARPA performer group

Cromulence LLC (CROMU)

Description

This service implements a command-line, shell-like interface to an underlying filesystem, providing high-level commands that encapsulate the lower-level API calls of the filesystem.

Feature List

The filesystem supports "regular" files and files mapped to a malloc'ed memory region. Commands are provided to create these files, read and write to them, copy them, and finally erase them. In addition, the filesystem supports file ownership and "others" permissions so that access to individual files can be restricted or shared as the file owner desires. When started, the shell presents a login prompt that uses data from the magic page for authentication information. However, the shell does allow "guest" access using a built-in account with hardcoded credentials.

Vulnerability

The filesystem allocates one "block" of space to a file directory. Because the block size is decided when the filesystem is initialized, the maximum number of directory entries is variable and is calculated during initialization. In one of the calculations of the maximum number of files, the programmer forgets to subtract static overhead data from the total before dividing by the size of a directory entry, resulting in an off-by-one error in the maximum count. If this maximum number of files is created, the last one overflows into the next block of storage space, overwriting up to 8 bytes of data there.
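The capacity calculation described above, shown beside its corrected form. This is an added example, not code from the challenge source: the function names, the 8-byte header and the 32-byte entry size are assumptions chosen so that the worst-case spill matches the "up to 8 bytes" stated here.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical layout values, not taken from the challenge source. */
#define DIR_HEADER_SIZE 8u   /* static overhead at the start of the directory block */
#define DIR_ENTRY_SIZE  32u  /* size of one directory entry */

/* Flawed capacity: divides the whole block and ignores the header. */
static size_t max_entries_flawed(size_t block_size) {
    return block_size / DIR_ENTRY_SIZE;
}

/* Corrected capacity: subtract the static overhead before dividing. */
static size_t max_entries_fixed(size_t block_size) {
    if (block_size < DIR_HEADER_SIZE) return 0;
    return (block_size - DIR_HEADER_SIZE) / DIR_ENTRY_SIZE;
}

/* Bytes written past the end of the block when `count` entries are stored. */
static size_t spill_bytes(size_t block_size, size_t count) {
    size_t used = DIR_HEADER_SIZE + count * DIR_ENTRY_SIZE;
    return used > block_size ? used - block_size : 0;
}

/* Defense in depth: validate the slot's byte range, not only the count. */
static int slot_fits(size_t block_size, size_t index) {
    size_t end = DIR_HEADER_SIZE + (index + 1) * DIR_ENTRY_SIZE;
    return end <= block_size;
}

int main(void) {
    /* Constructed block sizes; the real value is chosen at filesystem init. */
    size_t sizes[] = {512, 516, 520, 1024};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t b = sizes[i];
        size_t n = max_entries_flawed(b);
        printf("block=%zu flawed=%zu fixed=%zu spill=%zu last_slot_ok=%d\n",
               b, n, max_entries_fixed(b), spill_bytes(b, n),
               slot_fits(b, n - 1));
    }
    return 0;
}
```

Under these assumed sizes the two counts differ by one only when the block size modulo the entry size is smaller than the header, which is why the flaw depends on the block size chosen at initialization.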

Generic class of vulnerability

Off By One

CWE classification

CWE-193 Off By One

Challenges

For the initial startup condition of this service, the block that can be overwritten is already allocated to a file created during initialization of the system. The block overwritten is essentially its "i-node" block, which has a list of the blocks containing the file's data. Overwriting this data will most likely result in a crash and the read of some other service memory area, but not the magic page. Any attempt to write to this file will cause the file to be truncated to zero length first, clearing and releasing this corrupt block.

To successfully exploit this vulnerability, the existing file using that block must be deleted and a file of the memory-mapped type must be created first. For this file type, the overwritten block does not contain pointers to other blocks containing data, but instead holds the pointer and length of the memory malloc'ed for this file. By manipulating the filename used in the final file creation that overflows the directory, the pointer in this block can be overwritten to point to the magic page. The amount of program understanding required to successfully exploit this vulnerability makes this one difficult.

Finding Vulnerability 1: easy
Proving Vulnerability 1: hard
Fixing Vulnerability 1: easy

POV Information

Round Source Destination Result POV Analysis Video
40 CSDS CodeJitsu Failed POV POV Watch
40 CSDS DeepRed Failed POV POV Watch
40 CSDS Disekt Failed POV POV Watch
40 CSDS ForAllSecure Failed POV POV Watch
40 CSDS Shellphish Failed POV POV Watch
40 CSDS TECHx Failed POV POV Watch
40 DeepRed CodeJitsu Failed POV POV Watch
40 DeepRed CSDS Failed POV POV Watch
40 DeepRed Disekt Failed POV POV Watch
40 DeepRed ForAllSecure Failed POV POV Watch
40 DeepRed Shellphish Failed POV POV Watch
40 DeepRed TECHx Failed POV POV Watch
41 CodeJitsu Disekt Failed POV through defenses POV Watch
41 CSDS CodeJitsu Failed POV POV Watch
41 CSDS DeepRed Failed POV POV Watch
41 CSDS Disekt Failed POV through defenses POV Watch
41 CSDS ForAllSecure Failed POV POV Watch
41 CSDS Shellphish Failed POV POV Watch
41 DeepRed CodeJitsu Failed POV POV Watch
41 DeepRed CSDS Failed POV POV Watch
41 DeepRed Disekt Failed POV through defenses POV Watch
41 DeepRed ForAllSecure Failed POV POV Watch
41 DeepRed Shellphish Failed POV POV Watch
42 CodeJitsu Shellphish Failed POV through defenses POV Watch
42 CSDS CodeJitsu Failed POV POV Watch
42 CSDS DeepRed Failed POV POV Watch
42 CSDS Disekt Failed POV through defenses POV Watch
42 CSDS ForAllSecure Failed POV POV Watch
42 CSDS Shellphish Failed POV through defenses POV Watch
42 CSDS TECHx Failed POV through defenses POV Watch
42 DeepRed CodeJitsu Failed POV POV Watch
42 DeepRed CSDS Failed POV POV Watch
42 DeepRed Disekt Failed POV through defenses POV Watch
42 DeepRed ForAllSecure Failed POV POV Watch
42 DeepRed Shellphish Failed POV through defenses POV Watch
42 DeepRed TECHx Failed POV through defenses POV Watch
43 CSDS CodeJitsu Failed POV POV Watch
43 CSDS DeepRed Failed POV POV Watch
43 CSDS Disekt Failed POV through defenses POV Watch
43 CSDS ForAllSecure Failed POV POV Watch
43 CSDS Shellphish Failed POV through defenses POV Watch
43 CSDS TECHx Failed POV through defenses POV Watch
43 DeepRed CodeJitsu Failed POV POV Watch
43 DeepRed CSDS Failed POV POV Watch
43 DeepRed Disekt Failed POV through defenses POV Watch
43 DeepRed ForAllSecure Failed POV POV Watch
43 DeepRed Shellphish Failed POV through defenses POV Watch
43 DeepRed TECHx Failed POV through defenses POV Watch
44 CSDS CodeJitsu Failed POV POV Watch
44 CSDS DeepRed Failed POV POV Watch
44 CSDS Disekt Failed POV through defenses POV Watch
44 CSDS ForAllSecure Failed POV POV Watch
44 CSDS Shellphish Failed POV through defenses POV Watch
44 CSDS TECHx Failed POV through defenses POV Watch
44 DeepRed CodeJitsu Failed POV POV Watch
44 DeepRed CSDS Failed POV POV Watch
44 DeepRed Disekt Failed POV through defenses POV Watch
44 DeepRed ForAllSecure Failed POV POV Watch
44 DeepRed Shellphish Failed POV through defenses POV Watch
44 DeepRed TECHx Failed POV through defenses POV Watch
45 CSDS CodeJitsu Failed POV POV Watch
45 CSDS DeepRed Failed POV POV Watch
45 CSDS Disekt Failed POV through defenses POV Watch
45 CSDS ForAllSecure Failed POV POV Watch
45 CSDS Shellphish Failed POV through defenses POV Watch
45 CSDS TECHx Failed POV through defenses POV Watch
45 DeepRed CodeJitsu Failed POV POV Watch
45 DeepRed CSDS Failed POV POV Watch
45 DeepRed Disekt Failed POV through defenses POV Watch
45 DeepRed ForAllSecure Failed POV POV Watch
45 DeepRed Shellphish Failed POV through defenses POV Watch
45 DeepRed TECHx Failed POV through defenses POV Watch
46 CSDS CodeJitsu Failed POV POV Watch
46 CSDS DeepRed Failed POV POV Watch
46 CSDS Disekt Failed POV through defenses POV Watch
46 CSDS ForAllSecure Failed POV POV Watch
46 CSDS Shellphish Failed POV through defenses POV Watch
46 CSDS TECHx Failed POV through defenses POV Watch
46 DeepRed CodeJitsu Failed POV POV Watch
46 DeepRed CSDS Failed POV POV Watch
46 DeepRed Disekt Failed POV through defenses POV Watch
46 DeepRed ForAllSecure Failed POV POV Watch
46 DeepRed Shellphish Failed POV through defenses POV Watch
46 DeepRed TECHx Failed POV through defenses POV Watch
47 CSDS CodeJitsu Failed POV POV Watch
47 CSDS DeepRed Failed POV POV Watch
47 CSDS Disekt Failed POV through defenses POV Watch
47 CSDS ForAllSecure Failed POV POV Watch
47 CSDS Shellphish Failed POV through defenses POV Watch
47 CSDS TECHx Failed POV through defenses POV Watch
47 DeepRed CodeJitsu Failed POV POV Watch
47 DeepRed CSDS Failed POV POV Watch
47 DeepRed Disekt Failed POV through defenses POV Watch
47 DeepRed ForAllSecure Failed POV POV Watch
47 DeepRed Shellphish Failed POV through defenses POV Watch
47 DeepRed TECHx Failed POV through defenses POV Watch
48 CSDS CodeJitsu Failed POV POV Watch
48 CSDS DeepRed Failed POV POV Watch
48 CSDS Disekt Failed POV through defenses POV Watch
48 CSDS ForAllSecure Failed POV POV Watch
48 CSDS Shellphish Failed POV through defenses POV Watch
48 CSDS TECHx Failed POV through defenses POV Watch
48 DeepRed CodeJitsu Failed POV POV Watch
48 DeepRed CSDS Failed POV POV Watch
48 DeepRed Disekt Failed POV through defenses POV Watch
48 DeepRed ForAllSecure Failed POV POV Watch
48 DeepRed Shellphish Failed POV through defenses POV Watch
48 DeepRed TECHx Failed POV through defenses POV Watch
49 CSDS CodeJitsu Failed POV POV Watch
49 CSDS DeepRed Failed POV POV Watch
49 CSDS Disekt Failed POV through defenses POV Watch
49 CSDS ForAllSecure Failed POV POV Watch
49 CSDS Shellphish Failed POV through defenses POV Watch
49 CSDS TECHx Failed POV through defenses POV Watch
49 DeepRed CodeJitsu Failed POV POV Watch
49 DeepRed CSDS Failed POV POV Watch
49 DeepRed Disekt Failed POV through defenses POV Watch
49 DeepRed ForAllSecure Failed POV POV Watch
49 DeepRed Shellphish Failed POV through defenses POV Watch
49 DeepRed TECHx Failed POV through defenses POV Watch
50 CSDS CodeJitsu Failed POV POV Watch
50 CSDS DeepRed Failed POV POV Watch
50 CSDS Disekt Failed POV through defenses POV Watch
50 CSDS ForAllSecure Failed POV POV Watch
50 CSDS Shellphish Failed POV through defenses POV Watch
50 CSDS TECHx Failed POV through defenses POV Watch
50 DeepRed CodeJitsu Failed POV POV Watch
50 DeepRed CSDS Failed POV POV Watch
50 DeepRed Disekt Failed POV through defenses POV Watch
50 DeepRed ForAllSecure Failed POV POV Watch
50 DeepRed Shellphish Failed POV through defenses POV Watch
50 DeepRed TECHx Failed POV through defenses POV Watch
51 CSDS CodeJitsu Failed POV POV Watch
51 CSDS DeepRed Failed POV POV Watch
51 CSDS Disekt Failed POV through defenses POV Watch
51 CSDS ForAllSecure Failed POV POV Watch
51 CSDS Shellphish Failed POV through defenses POV Watch
51 CSDS TECHx Failed POV through defenses POV Watch
51 DeepRed CodeJitsu Failed POV POV Watch
51 DeepRed CSDS Failed POV POV Watch
51 DeepRed Disekt Failed POV through defenses POV Watch
51 DeepRed ForAllSecure Failed POV POV Watch
51 DeepRed Shellphish Failed POV through defenses POV Watch
51 DeepRed TECHx Failed POV through defenses POV Watch
52 CSDS CodeJitsu Failed POV POV Watch
52 CSDS DeepRed Failed POV POV Watch
52 CSDS Disekt Failed POV through defenses POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV through defenses POV Watch
52 CSDS TECHx Failed POV through defenses POV Watch
52 DeepRed CodeJitsu Failed POV POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV through defenses POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV through defenses POV Watch
52 DeepRed TECHx Failed POV through defenses POV Watch
53 CSDS CodeJitsu Failed POV POV Watch
53 CSDS DeepRed Failed POV POV Watch
53 CSDS Disekt Failed POV through defenses POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV through defenses POV Watch
53 CSDS TECHx Failed POV through defenses POV Watch
53 DeepRed CodeJitsu Failed POV POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV through defenses POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV through defenses POV Watch
53 DeepRed TECHx Failed POV through defenses POV Watch

Curated by Lunge Technology, LLC.