This is an archived web site made available for research purposes. The web site is no longer maintained.

Qualifier Challenge - KPRCA_00054


Original Versions

Known Vulnerabilities

  • CWE-416 - Use After Free
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 4.0
  • Shellphish: 3.55
  • Disekt: 3.05
  • CSDS: 0.66
  • CodeJitsu: 0.0
  • TECHx: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • Shellphish - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • CSDS: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description

Simple shell-like file management system.

Feature List

``` list [file ..] - Lists files and directories.

create - Creates a file.

open - Opens a file.

close - Closes an open file.

close_all - Closes all open files.

read [pos] [len] - Reads a file.

modify [pos] - Modifies a file.

delete - Deletes a file.

mkdir - Creates a directory.

rmdir - Deletes a directory.

chdir - Changes the working directory.

quit - Quits the program.

help [command] - Displays the help message. ```

Vulnerability

  • When deleting a file, the file object pointer is not removed from the list that keeps track of currently opened files.
  • This yields a dangling pointer when a file is deleted while it's opened.
  • By allocating similar-sized buffer by writing into another file, it is possible to take over the memory for the dangling pointer -- allowing Use-After-Free condition.
  • Arbitrary code execution can be achieved by triggering a virtual function in the file object after carefully setting up the payload.

Generic class of vulnerability

Use After Free

CWE classification

CWE-416: Use After Free

Challenges

  • C++

Curated by Lunge Technology, LLC. Questions or comments? Send us email