This is an archived web site made available for research purposes. The web site is no longer maintained.

Qualifier Challenge - KPRCA_00045


Original Versions

Known Vulnerabilities

  • CWE-122 - Heap-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Scores

  • DeepRed: 2.0
  • ForAllSecure: 1.65
  • CSDS: 1.03
  • CodeJitsu: 0.87
  • TECHx: 0.56
  • Disekt: 0.14
  • TrailofBits: 0.08
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • DeepRed: 100.0% - CB1
  • TECHx: 50.0% - CB1
  • TrailofBits: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description

Sad Face Template Engine provides a tempalte rendering service, where a user defines variables with values and submits a templated text to be rendered. The default tag identifier is :(...):

Feature List

Features

  • Define variables
  • Add new variables
  • Undefine variables
  • View variables
  • Submit templated text
  • Render text

There are 4 supported types for a variable: String, Integer, Float, and Bool.

Template engine understands 3 tag types:

  • Variable
  • :(name):
  • Conditional Section
  • :(@is_valid):Rendered only when is_valid is true!:(/is_valid):
  • Comment
  • :(#sad comment):

Protocol

  • User-interactive interface (aka menu selection)

Vulnerability

  • There are 2 exploitable bugs in sadface_render function.
  • When the engine renders a given template, it fails to check for a buffer overflow.
  • Specifically, when copying normal/static text from the input, the total length isn't checked to see that it will lead to a heap-based buffer overflow.
  • When handling variable substitution, it also suffers the problem where the total length isn't validated against the maximum buffer size, leading to a heap-based buffer overflow.

Generic class of vulnerability

Heap-based Buffer Overflow

CWE classification

CWE-122: Heap-based Buffer Overflow

Challenges

  • Input is not directly used to generate the output. One must realize that, by carefully crafting the variables, it is possible to manimpulate the output to an exploitable condition.

Curated by Lunge Technology, LLC. Questions or comments? Send us email