This is an archived web site made available for research purposes. The web site is no longer maintained.
Qualifier Challenge - KPRCA_00037
- CWE-190 - Integer Overflow or Wraparound
- CWE-839 - Numeric Range Comparison Without Minimum Check
CWEs are listed as indicated by the challenge author.
- ForAllSecure: 4.0
- Shellphish: 1.93
- CSDS: 1.65
- CodeJitsu: 1.24
- TrailofBits: 0.05
- Disekt: 0.03
- TECHx: 0.0
- FuzzBOMB: 0.0
- DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.
Passed consensus evaluation
- CodeJitsu - CB1
- CSDS - CB1
- Disekt - CB1
- ForAllSecure - CB1
- FuzzBOMB - CB1
- Shellphish - CB1
- TrailofBits - CB1
Proved a POV in reference challenge
Defense against reference POVs
- CodeJitsu: 100.0% - CB1
- Disekt: 100.0% - CB1
- ForAllSecure: 100.0% - CB1
- Shellphish: 100.0% - CB1
- CSDS: 100.0% - CB1
- FuzzBOMB: 100.0% - CB1
- TrailofBits: 100.0% - CB1
- First Place Team - Finalist
- Second Place Team - Finalist
- Third Place Team - Finalist
- Fourth Place Team - Finalist
- Fifth Place Team - Finalist
- Sixth Place Team - Finalist
- Seventh Place Team - Finalist
- Eighth Place Team
- Ninth Place Team
- Tenth Place Team
- Eleventh Place Team
- Twelfth Place Team
- Thirteenth Place Team
DARPA performer group
Kaprica Security (KPRCA)
This service prints out the section and symbol information for a given CGC executable.
- Parses and validates CGC executables
- Displays section info (name, type, address, offset, and size)
- Displays symbol info (name, value, size, type, and bind)
- Output format is similar to what readcgcef utility outputs
- It is a lot less strict about the actual contents of the file than readcgcef, however.
- Input: Raw bytes that represent the CGC executable file, prepended by its size in bytes.
- Output: Text display showing information about the file (sections and symbols).
- The parser does not correctly validate the section header index used when calculating the offset of a section header entry.
- The idx value is only checked against the upper bound (idx < shnum, cgcf.c:125), so a negative idx passes the check and the computed offset lands outside the section header table.
- There is also an integer overflow: large but individually valid field values wrap during the offset arithmetic, so a bounds check can succeed for an offset that lies outside the file.
- With carefully crafted input, either bug yields an access violation on invalid memory.
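The two bugs described above, shown side by side with a hardened lookup, as an added C example. This is not the challenge's own cgcf.c code: the struct layout, field names and function names are assumptions modelled on ELF-style section headers, and the header values are constructed for the demonstration.

```c
/* Added example (not from KPRCA_00037): a simplified section-header lookup
 * in its vulnerable and hardened forms. Struct and field names are assumed,
 * modelled on ELF-style headers; the values below are constructed. */
#include <stdint.h>
#include <stdio.h>

struct cgcf_hdr {
    uint32_t shoff;      /* file offset of the section header table */
    uint32_t shentsize;  /* size of one section header entry */
    uint32_t shnum;      /* number of entries in the table */
};

/* Vulnerable lookup. Returns the entry's file offset, or -1 if rejected.
 * 1. idx is signed and only compared against shnum, so a negative idx
 *    passes (no minimum check, CWE-839).
 * 2. The offset and end-of-entry arithmetic is done in 32 bits and can
 *    wrap (CWE-190), so the size check can succeed for an offset that
 *    lies outside the file. */
int64_t vuln_shdr_offset(const struct cgcf_hdr *h, uint32_t filesize, int idx)
{
    if (idx < (int)h->shnum) {
        uint32_t off = h->shoff + (uint32_t)idx * h->shentsize; /* wraps */
        if (off + h->shentsize <= filesize)                     /* wraps */
            return (int64_t)off;
    }
    return -1;
}

/* Hardened lookup: explicit minimum check on idx, and 64-bit arithmetic so
 * the bounds comparison sees the true, unwrapped end of the entry. */
int64_t safe_shdr_offset(const struct cgcf_hdr *h, uint32_t filesize, int idx)
{
    uint64_t off, end;
    if (idx < 0 || (uint32_t)idx >= h->shnum || h->shentsize == 0)
        return -1;
    off = (uint64_t)h->shoff + (uint64_t)idx * h->shentsize;
    end = off + h->shentsize;
    if (end > filesize)       /* also rejects anything past the file size */
        return -1;
    return (int64_t)off;
}

/* Constructed headers (not real CGC files):
 * demo: three 0x28-byte section headers at offset 0x34 in a 0x100-byte file.
 * big:  a large but plausible-looking shoff whose end offset wraps in 32 bits. */
const struct cgcf_hdr demo_hdr = { 0x34, 0x28, 3 };
const struct cgcf_hdr big_hdr  = { 0xFFFFFFF0u, 0x28, 1 };

int main(void)
{
    /* idx = -1 passes the vulnerable check: 0x34 + 0xFFFFFFFF*0x28 wraps to
     * 0x0C, which is inside the file header, not the section table. */
    printf("vulnerable, idx=-1: %lld\n", (long long)vuln_shdr_offset(&demo_hdr, 0x100, -1));
    printf("hardened,   idx=-1: %lld\n", (long long)safe_shdr_offset(&demo_hdr, 0x100, -1));

    /* shoff = 0xFFFFFFF0: 0xFFFFFFF0 + 0x28 wraps to 0x18, so the vulnerable
     * size check passes although the offset is far outside the file. */
    printf("vulnerable, big shoff: 0x%llx\n", (unsigned long long)vuln_shdr_offset(&big_hdr, 0x100, 0));
    printf("hardened,   big shoff: %lld\n", (long long)safe_shdr_offset(&big_hdr, 0x100, 0));
    return 0;
}
```

Both defects are fixed by the same two habits: check the lower bound of every index read from the file, and do offset arithmetic in a type wide enough that the subsequent bounds check cannot be bypassed by wraparound.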
Generic class of vulnerability
- Insufficient range check
- Integer Overflow
CWE-839: Numeric Range Comparison Without Minimum Check
CWE-190: Integer Overflow or Wraparound
- Many mutable header fields affect the state of the parser.
- Mutating a single field is sometimes not enough to trigger the bug because of other checks; in that case several fields must be manipulated together to reach it.
Curated by Lunge Technology, LLC. Questions or comments? Send us email