This is an archived web site made available for research purposes. The web site is no longer maintained.

Challenge Information - CROMU_00093

Commonly known as: REMATCH_1--Hat_Trick--Morris_Worm


Rounds Enabled

46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60

Details

Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-215 - Information Exposure Through Debug Information
  • CWE-798 - Use of Hard-coded Credentials
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

Author Information

debbie@cromulence.com

DARPA performer group

Cromulence LLC (CROMU)

Description

This challenge set contains 3 binaries that closely mimic the behavior of three services: fingerd, sendmail, and rsh and an additional 'front door' binary that provides access to the others. These services were involved in the propagation of the original Internet Worm written by Robert Morris. The fingerd service was vulnerable to a simple stack buffer overflow, originally caused by use of the gets() function. The sendmail service was vulnerable to a logic bug that existed in debug mode which allowed the shell interpreter to be the recipient of the message. The rsh service was inherently vulnerable by using a naive trust model and is vulnerable to password brute force attacks.

The services in this challenge set are lookupd, inspired by fingerd, mailsender, inspired by sendmail, and ish, inspired by rsh. Each contains similar functionality to the original services and the same original bugs.

Feature List

This is a multi binary challenge set. The first binary acts as the front door, handling the initial connection and directing input to one of three services (lookupd, mailsender, and ish).

Lookupd is a lookup service that provides name and contact info for users. This service is randomly populated with fake user data on startup. It allows querying for a particular user or listing all users on the system.

ISH is an internet shell service. It requires a login and password and implements a dummy shell with a limited command set. It contains one set of static credentials and then generates random additional credentials on startup.

Mailsender is a mail server. It allows listing known addresses, dumping mail queues, reading messages, and posting new messages.

Vulnerability

The vulnerability in lookupd is equivalent to a gets() call. This function reads input from the user onto the stack with no bounds checking. This allows a very straightforward buffer overflow. It should be easy to find, easy to prove, and easy to patch.

The vulnerability in ISH contains two elements. One is the existence of static credentials that would allow the CRS to login and execute commands. The second is that one of the shell commands allows arbitrary reads from memory, thus enabling a memory leak (type 2 POV). The CRS could eliminate this vulnerability by either deactivating the compromised account credentials or preventing the shell command from accessing the sensitive memory region. This bug should be easy to find, easy to prove, and easy to patch.

The vulnerability in mailsender is patterned after CVE-1999-0095 which allowed a remote user to access the root shell through a debug command. In this case if the CRS connects to mailsender using the -d flag and submits a message with the correct recipient, it can access a command shell that allows arbitrary read of memory. This vulnerability can be patched by either deactivating the -d debug mode or by restricting the shell from accessing the sensitive memory region. It should be easy to find, easy to prove, and easy to patch.

Generic class of vulnerability

The lookupd vulnerability is a stack buffer overflow. The ISH vulnerability is a logic bug leading to an arbitrary memory read. The mailsender vulnerability is also a logic bug leading to an arbitrary memory read.

CWE classification

CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-798 Hard Coded Credentials CWE-215 Information Exposure Through Debug Information

Challenges

These vulnerabilities are patterned after very basic and outdated vulnerabilities so they should be straightforward to find, prove, and patch. One potential complicating matter is that there are four binaries in this system and some communication travels between them rather than directly to/from the user. Since most challenge sets are not designed in this manner it may prove difficult for some analysis systems.


POV Information

Round Source Destination Result POV Analysis Video
47 CSDS CodeJitsu Failed POV POV Watch
47 CSDS DeepRed Failed POV POV Watch
47 CSDS Disekt Failed POV POV Watch
47 CSDS ForAllSecure Failed POV POV Watch
47 CSDS Shellphish Failed POV POV Watch
47 CSDS TECHx Failed POV POV Watch
47 DeepRed CodeJitsu Failed POV POV Watch
47 DeepRed CSDS Failed POV POV Watch
47 DeepRed Disekt Failed POV POV Watch
47 DeepRed ForAllSecure Failed POV POV Watch
47 DeepRed Shellphish Failed POV POV Watch
47 DeepRed TECHx Failed POV POV Watch
48 CodeJitsu Disekt Failed POV through defenses POV
48 CSDS CodeJitsu Failed POV POV Watch
48 CSDS DeepRed Failed POV POV Watch
48 CSDS Disekt Failed POV through defenses POV Watch
48 CSDS ForAllSecure Failed POV POV Watch
48 CSDS Shellphish Failed POV POV Watch
48 CSDS TECHx Failed POV POV Watch
48 DeepRed CodeJitsu Failed POV POV Watch
48 DeepRed CSDS Failed POV POV Watch
48 DeepRed Disekt Failed POV through defenses POV Watch
48 DeepRed ForAllSecure Failed POV POV Watch
48 DeepRed Shellphish Failed POV POV Watch
48 DeepRed TECHx Failed POV POV Watch
49 CSDS CodeJitsu Failed POV POV Watch
49 CSDS DeepRed Failed POV POV Watch
49 CSDS Disekt Failed POV through defenses POV Watch
49 CSDS ForAllSecure Failed POV POV Watch
49 CSDS Shellphish Failed POV POV Watch
49 CSDS TECHx Failed POV POV Watch
49 DeepRed CodeJitsu Failed POV POV Watch
49 DeepRed CSDS Failed POV POV Watch
49 DeepRed Disekt Failed POV through defenses POV Watch
49 DeepRed ForAllSecure Failed POV POV Watch
49 DeepRed Shellphish Failed POV POV Watch
49 DeepRed TECHx Failed POV POV Watch
50 CSDS CodeJitsu Failed POV POV Watch
50 CSDS DeepRed Failed POV POV Watch
50 CSDS Disekt Failed POV through defenses POV Watch
50 CSDS ForAllSecure Failed POV POV Watch
50 CSDS Shellphish Failed POV POV Watch
50 CSDS TECHx Failed POV POV Watch
50 DeepRed CodeJitsu Failed POV POV Watch
50 DeepRed CSDS Failed POV POV Watch
50 DeepRed Disekt Failed POV through defenses POV Watch
50 DeepRed ForAllSecure Failed POV POV Watch
50 DeepRed Shellphish Failed POV POV Watch
50 DeepRed TECHx Failed POV POV Watch
51 CodeJitsu Shellphish Failed POV through defenses POV Watch
51 CSDS CodeJitsu Failed POV POV Watch
51 CSDS DeepRed Failed POV POV Watch
51 CSDS Disekt Failed POV through defenses POV Watch
51 CSDS ForAllSecure Failed POV POV Watch
51 CSDS Shellphish Failed POV through defenses POV Watch
51 CSDS TECHx Failed POV POV Watch
51 DeepRed CodeJitsu Failed POV POV Watch
51 DeepRed CSDS Failed POV POV Watch
51 DeepRed Disekt Failed POV through defenses POV Watch
51 DeepRed ForAllSecure Failed POV POV Watch
51 DeepRed Shellphish Failed POV through defenses POV Watch
51 DeepRed TECHx Failed POV POV Watch
52 CSDS CodeJitsu Failed POV POV Watch
52 CSDS DeepRed Failed POV POV Watch
52 CSDS Disekt Failed POV through defenses POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV through defenses POV Watch
52 CSDS TECHx Failed POV POV Watch
52 DeepRed CodeJitsu Failed POV POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV through defenses POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV through defenses POV Watch
52 DeepRed TECHx Failed POV POV Watch
53 CSDS CodeJitsu Failed POV POV Watch
53 CSDS DeepRed Failed POV POV Watch
53 CSDS Disekt Failed POV through defenses POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV through defenses POV Watch
53 CSDS TECHx Failed POV POV Watch
53 DeepRed CodeJitsu Failed POV POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV through defenses POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV through defenses POV Watch
53 DeepRed TECHx Failed POV POV Watch
54 CSDS CodeJitsu Failed POV POV Watch
54 CSDS DeepRed Failed POV POV Watch
54 CSDS Disekt Failed POV through defenses POV Watch
54 CSDS ForAllSecure Failed POV POV Watch
54 CSDS Shellphish Failed POV through defenses POV Watch
54 CSDS TECHx Failed POV POV Watch
54 DeepRed CodeJitsu Failed POV POV Watch
54 DeepRed CSDS Failed POV POV Watch
54 DeepRed Disekt Failed POV through defenses POV Watch
54 DeepRed ForAllSecure Failed POV POV Watch
54 DeepRed Shellphish Failed POV through defenses POV Watch
54 DeepRed TECHx Failed POV POV Watch
55 CSDS CodeJitsu Failed POV POV Watch
55 CSDS DeepRed Failed POV POV Watch
55 CSDS Disekt Failed POV through defenses POV Watch
55 CSDS ForAllSecure Failed POV POV Watch
55 CSDS Shellphish Failed POV through defenses POV Watch
55 CSDS TECHx Failed POV POV Watch
55 DeepRed CodeJitsu Failed POV POV Watch
55 DeepRed CSDS Failed POV POV Watch
55 DeepRed Disekt Failed POV through defenses POV Watch
55 DeepRed ForAllSecure Failed POV POV Watch
55 DeepRed Shellphish Failed POV through defenses POV Watch
55 DeepRed TECHx Failed POV POV Watch
56 CSDS CodeJitsu Failed POV POV Watch
56 CSDS DeepRed Failed POV POV Watch
56 CSDS Disekt Failed POV through defenses POV Watch
56 CSDS ForAllSecure Failed POV POV Watch
56 CSDS Shellphish Failed POV through defenses POV Watch
56 CSDS TECHx Failed POV POV Watch
56 DeepRed CodeJitsu Failed POV POV Watch
56 DeepRed CSDS Failed POV POV Watch
56 DeepRed Disekt Failed POV through defenses POV Watch
56 DeepRed ForAllSecure Failed POV POV Watch
56 DeepRed Shellphish Failed POV through defenses POV Watch
56 DeepRed TECHx Failed POV POV Watch
57 CSDS CodeJitsu Failed POV POV Watch
57 CSDS DeepRed Failed POV POV Watch
57 CSDS Disekt Failed POV through defenses POV Watch
57 CSDS ForAllSecure Failed POV POV Watch
57 CSDS Shellphish Failed POV through defenses POV Watch
57 CSDS TECHx Failed POV POV Watch
57 DeepRed CodeJitsu Failed POV POV Watch
57 DeepRed CSDS Failed POV POV Watch
57 DeepRed Disekt Failed POV through defenses POV Watch
57 DeepRed ForAllSecure Failed POV POV Watch
57 DeepRed Shellphish Failed POV through defenses POV Watch
57 DeepRed TECHx Failed POV POV Watch
58 CSDS CodeJitsu Failed POV POV Watch
58 CSDS DeepRed Failed POV POV Watch
58 CSDS Disekt Failed POV through defenses POV Watch
58 CSDS ForAllSecure Failed POV POV Watch
58 CSDS Shellphish Failed POV through defenses POV Watch
58 CSDS TECHx Failed POV POV Watch
58 DeepRed CodeJitsu Failed POV POV Watch
58 DeepRed CSDS Failed POV POV Watch
58 DeepRed Disekt Failed POV through defenses POV Watch
58 DeepRed ForAllSecure Failed POV POV Watch
58 DeepRed Shellphish Failed POV through defenses POV Watch
58 DeepRed TECHx Failed POV POV Watch
59 CSDS CodeJitsu Failed POV POV Watch
59 CSDS DeepRed Failed POV POV Watch
59 CSDS Disekt Failed POV through defenses POV Watch
59 CSDS ForAllSecure Failed POV POV Watch
59 CSDS Shellphish Failed POV through defenses POV Watch
59 CSDS TECHx Failed POV POV Watch
59 DeepRed CodeJitsu Failed POV POV Watch
59 DeepRed CSDS Failed POV POV Watch
59 DeepRed Disekt Failed POV through defenses POV Watch
59 DeepRed ForAllSecure Failed POV POV Watch
59 DeepRed Shellphish Failed POV through defenses POV Watch
59 DeepRed TECHx Failed POV POV Watch
60 CSDS CodeJitsu Failed POV POV Watch
60 CSDS DeepRed Failed POV POV Watch
60 CSDS Disekt Failed POV through defenses POV Watch
60 CSDS ForAllSecure Failed POV POV Watch
60 CSDS Shellphish Failed POV through defenses POV Watch
60 CSDS TECHx Failed POV POV Watch
60 DeepRed CodeJitsu Failed POV POV Watch
60 DeepRed CSDS Failed POV POV Watch
60 DeepRed Disekt Failed POV through defenses POV Watch
60 DeepRed ForAllSecure Failed POV POV Watch
60 DeepRed Shellphish Failed POV through defenses POV Watch
60 DeepRed TECHx Failed POV POV Watch

Curated by Lunge Technology, LLC. Questions or comments? Send us email