This is an archived web site made available for research purposes. The web site is no longer maintained.

Challenge Information - CROMU_00088

Commonly known as: FaceMag


Rounds Enabled

51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65

Details

Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

Author Information

"Steve Wood" swood@cromulence.com

DARPA performer group

Cromulence LLC (CROMU)

Description

This service is a social media server where users can post messages for others to view and comments on.

Feature List

This service is a social media server that provides a network protocol for new accounts to be created, message posts to be made, comments to those posts and a posting feed where the user can retrieve postings that she hasn't previously seen. Specific posts can be retrieved by their posting ID and all associated comments are also displayed. A filesystem is used for the underlying storage mechanism for the server with each user having an account file that maintains their state information as well as their real/full name.

Vulnerability

Vulnerability 1 is a buffer overwrite due to the server relying on user specified length parameters to dictate how long incoming messages, user names, passwords, and fullnames are. Even though these incoming messages overwrite the data structure they are cast to, they are still much shorter than the full 4K page of memory that was allocated, so they have no affect on program behavior when first received. The real overwrite occurs later when one of these strings, the fullname, is later retrieved from the user's account file and used to build a posting message for return to the user.

Generic class of vulnerability

Stack buffer overflow

CWE classification

CWE-121 Stack based buffer overflow

Challenges

Although this vulnerability is easily found and corrected, proving it to be exploitable is not. A buffer is created with an allocate() call that is much larger than is required to hold the incoming message. Even though the string's length is specified in the message, a single byte is allocated in the message for the length paramter which limits the string to 255 bytes--far too short to overwrite a 4K page. Several strings in the incoming messages have this same vulnerability but only one is not later truncated: the user's fullname. This string is stored in the user's account file and is used to tag posts with their real name rather than their username. However, when a post message is created, the username is null terminated at the proper length. Only when the username is applied to a comment that's been made to another post is the full string retrieved which allows the local stack space to be overwritten. Due to the arrangement of variables in the stack frame, the overwrite is not able to corrupt the stack frame and the saved registers. What can be overwritten is the file handle used to read the stored post and its comments. Another file on the system is persistently open and happens to be a memory-mapped file that points to the magic page. By overwriting the local file handle to the value of the other open file, the next read of a comment will actually load raw data from the magic page. An additional complication occurs if this read is done soon after the service is running though. The amount of data in the memory mapped file is too large and will completely corrupt the stack frame resulting in an uncontrollable program crash. Only after the memory-mapped file has been used well over 100 times does its read pointer move near enough to the end to not read too much data before EOF is reached. There are other nuances to making a working POV that involve the order of operations with the server as well.

Finding Vulnerability 1: easy
Proving Vulnerability 1: hard
Fixing Vulnerability 1: easy

POV Information

Round Source Destination Result POV Analysis Video
52 CSDS CodeJitsu Failed POV POV Watch
52 CSDS DeepRed Failed POV POV Watch
52 CSDS Disekt Failed POV POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV POV Watch
52 CSDS TECHx Failed POV POV Watch
52 DeepRed CodeJitsu Failed POV POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV POV Watch
52 DeepRed TECHx Failed POV POV Watch
53 CSDS CodeJitsu Failed POV POV Watch
53 CSDS DeepRed Failed POV POV Watch
53 CSDS Disekt Failed POV POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV POV Watch
53 CSDS TECHx Failed POV POV Watch
53 DeepRed CodeJitsu Failed POV POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV POV Watch
53 DeepRed TECHx Failed POV POV Watch
54 CodeJitsu Shellphish Failed POV through defenses POV Watch
54 CSDS CodeJitsu Failed POV POV Watch
54 CSDS DeepRed Failed POV POV Watch
54 CSDS Disekt Failed POV POV Watch
54 CSDS ForAllSecure Failed POV POV Watch
54 CSDS Shellphish Failed POV through defenses POV Watch
54 CSDS TECHx Failed POV POV Watch
54 DeepRed CodeJitsu Failed POV POV Watch
54 DeepRed CSDS Failed POV POV Watch
54 DeepRed Disekt Failed POV POV Watch
54 DeepRed ForAllSecure Failed POV POV Watch
54 DeepRed Shellphish Failed POV through defenses POV Watch
54 DeepRed TECHx Failed POV POV Watch
55 CSDS CodeJitsu Failed POV POV Watch
55 CSDS DeepRed Failed POV POV Watch
55 CSDS Disekt Failed POV POV Watch
55 CSDS ForAllSecure Failed POV POV Watch
55 CSDS Shellphish Failed POV through defenses POV Watch
55 CSDS TECHx Failed POV POV Watch
55 DeepRed CodeJitsu Failed POV POV Watch
55 DeepRed CSDS Failed POV POV Watch
55 DeepRed Disekt Failed POV POV Watch
55 DeepRed ForAllSecure Failed POV POV Watch
55 DeepRed Shellphish Failed POV through defenses POV Watch
55 DeepRed TECHx Failed POV POV Watch
56 CSDS CodeJitsu Failed POV POV Watch
56 CSDS DeepRed Failed POV POV Watch
56 CSDS Disekt Failed POV POV Watch
56 CSDS ForAllSecure Failed POV POV Watch
56 CSDS Shellphish Failed POV through defenses POV Watch
56 CSDS TECHx Failed POV POV Watch
56 DeepRed CodeJitsu Failed POV POV Watch
56 DeepRed CSDS Failed POV POV Watch
56 DeepRed Disekt Failed POV POV Watch
56 DeepRed ForAllSecure Failed POV POV Watch
56 DeepRed Shellphish Failed POV through defenses POV Watch
56 DeepRed TECHx Failed POV POV Watch
57 CSDS CodeJitsu Failed POV POV Watch
57 CSDS DeepRed Failed POV POV Watch
57 CSDS Disekt Failed POV POV Watch
57 CSDS ForAllSecure Failed POV POV Watch
57 CSDS Shellphish Failed POV through defenses POV Watch
57 CSDS TECHx Failed POV POV Watch
57 DeepRed CodeJitsu Failed POV POV Watch
57 DeepRed CSDS Failed POV POV Watch
57 DeepRed Disekt Failed POV POV Watch
57 DeepRed ForAllSecure Failed POV POV Watch
57 DeepRed Shellphish Failed POV through defenses POV Watch
57 DeepRed TECHx Failed POV POV Watch
58 CSDS CodeJitsu Failed POV POV Watch
58 CSDS DeepRed Failed POV POV Watch
58 CSDS Disekt Failed POV POV Watch
58 CSDS ForAllSecure Failed POV POV Watch
58 CSDS Shellphish Failed POV through defenses POV Watch
58 CSDS TECHx Failed POV POV Watch
58 DeepRed CodeJitsu Failed POV POV Watch
58 DeepRed CSDS Failed POV POV Watch
58 DeepRed Disekt Failed POV POV Watch
58 DeepRed ForAllSecure Failed POV POV Watch
58 DeepRed Shellphish Failed POV through defenses POV Watch
58 DeepRed TECHx Failed POV POV Watch
59 CSDS CodeJitsu Failed POV POV Watch
59 CSDS DeepRed Failed POV POV Watch
59 CSDS Disekt Failed POV POV Watch
59 CSDS ForAllSecure Failed POV POV Watch
59 CSDS Shellphish Failed POV through defenses POV Watch
59 CSDS TECHx Failed POV POV Watch
59 DeepRed CodeJitsu Failed POV POV Watch
59 DeepRed CSDS Failed POV POV Watch
59 DeepRed Disekt Failed POV POV Watch
59 DeepRed ForAllSecure Failed POV POV Watch
59 DeepRed Shellphish Failed POV through defenses POV Watch
59 DeepRed TECHx Failed POV POV Watch
60 CSDS CodeJitsu Failed POV POV Watch
60 CSDS DeepRed Failed POV POV Watch
60 CSDS Disekt Failed POV POV Watch
60 CSDS ForAllSecure Failed POV POV Watch
60 CSDS Shellphish Failed POV through defenses POV Watch
60 CSDS TECHx Failed POV POV Watch
60 DeepRed CodeJitsu Failed POV POV Watch
60 DeepRed CSDS Failed POV POV Watch
60 DeepRed Disekt Failed POV POV Watch
60 DeepRed ForAllSecure Failed POV POV Watch
60 DeepRed Shellphish Failed POV through defenses POV Watch
60 DeepRed TECHx Failed POV POV Watch
61 CSDS CodeJitsu Failed POV POV Watch
61 CSDS DeepRed Failed POV POV Watch
61 CSDS Disekt Failed POV POV Watch
61 CSDS ForAllSecure Failed POV POV Watch
61 CSDS Shellphish Failed POV through defenses POV Watch
61 CSDS TECHx Failed POV POV Watch
61 DeepRed CodeJitsu Failed POV POV Watch
61 DeepRed CSDS Failed POV POV Watch
61 DeepRed Disekt Failed POV POV Watch
61 DeepRed ForAllSecure Failed POV POV Watch
61 DeepRed Shellphish Failed POV through defenses POV Watch
61 DeepRed TECHx Failed POV POV Watch
62 CSDS CodeJitsu Failed POV POV Watch
62 CSDS DeepRed Failed POV POV Watch
62 CSDS Disekt Failed POV POV Watch
62 CSDS ForAllSecure Failed POV POV Watch
62 CSDS Shellphish Failed POV through defenses POV Watch
62 CSDS TECHx Failed POV POV Watch
62 DeepRed CodeJitsu Failed POV POV Watch
62 DeepRed CSDS Failed POV POV Watch
62 DeepRed Disekt Failed POV POV Watch
62 DeepRed ForAllSecure Failed POV POV Watch
62 DeepRed Shellphish Failed POV through defenses POV Watch
62 DeepRed TECHx Failed POV POV Watch
62 Shellphish CodeJitsu Failed POV POV Watch
62 Shellphish CSDS Failed POV POV Watch
62 Shellphish DeepRed Failed POV POV Watch
62 Shellphish Disekt Failed POV POV Watch
62 Shellphish ForAllSecure Failed POV POV Watch
62 Shellphish TECHx Failed POV POV Watch
63 CSDS CodeJitsu Failed POV POV Watch
63 CSDS DeepRed Failed POV POV Watch
63 CSDS Disekt Failed POV POV Watch
63 CSDS ForAllSecure Failed POV POV Watch
63 CSDS Shellphish Failed POV through defenses POV Watch
63 CSDS TECHx Failed POV POV Watch
63 DeepRed CodeJitsu Failed POV POV Watch
63 DeepRed CSDS Failed POV POV Watch
63 DeepRed Disekt Failed POV POV Watch
63 DeepRed ForAllSecure Failed POV POV Watch
63 DeepRed Shellphish Failed POV through defenses POV Watch
63 DeepRed TECHx Failed POV POV Watch
63 Shellphish CodeJitsu Failed POV POV Watch
63 Shellphish CSDS Failed POV POV Watch
63 Shellphish DeepRed Failed POV POV Watch
63 Shellphish Disekt Failed POV POV Watch
63 Shellphish ForAllSecure Failed POV POV Watch
63 Shellphish TECHx Failed POV POV Watch
64 CSDS CodeJitsu Failed POV POV Watch
64 CSDS DeepRed Failed POV POV Watch
64 CSDS Disekt Failed POV POV Watch
64 CSDS ForAllSecure Failed POV POV Watch
64 CSDS Shellphish Failed POV through defenses POV Watch
64 CSDS TECHx Failed POV POV Watch
64 DeepRed CodeJitsu Failed POV POV Watch
64 DeepRed CSDS Failed POV POV Watch
64 DeepRed Disekt Failed POV POV Watch
64 DeepRed ForAllSecure Failed POV POV Watch
64 DeepRed Shellphish Failed POV through defenses POV Watch
64 DeepRed TECHx Failed POV POV Watch
64 Shellphish CodeJitsu Successful POV POV Analysis Watch
64 Shellphish CSDS Successful POV POV Analysis Watch
64 Shellphish DeepRed Successful POV POV Analysis Watch
64 Shellphish Disekt Successful POV POV Analysis Watch
64 Shellphish ForAllSecure Successful POV POV Analysis Watch
64 Shellphish TECHx Successful POV POV Analysis Watch
65 CSDS CodeJitsu Failed POV POV Watch
65 CSDS DeepRed Failed POV POV Watch
65 CSDS Disekt Failed POV POV Watch
65 CSDS ForAllSecure Failed POV POV Watch
65 CSDS Shellphish Failed POV through defenses POV Watch
65 CSDS TECHx Failed POV POV Watch
65 DeepRed CodeJitsu Failed POV POV Watch
65 DeepRed CSDS Failed POV POV Watch
65 DeepRed Disekt Failed POV POV Watch
65 DeepRed ForAllSecure Failed POV POV Watch
65 DeepRed Shellphish Failed POV through defenses POV Watch
65 DeepRed TECHx Failed POV POV Watch
65 Shellphish CodeJitsu Failed POV POV Watch
65 Shellphish CSDS Failed POV POV Watch
65 Shellphish DeepRed Failed POV POV Watch
65 Shellphish Disekt Failed POV POV Watch
65 Shellphish ForAllSecure Failed POV POV Watch
65 Shellphish TECHx Failed POV POV Watch

Curated by Lunge Technology, LLC. Questions or comments? Send us email