This is an archived web site made available for research purposes. The web site is no longer maintained.

Challenge Information - KPRCA_00088

Commonly known as: Sorter


Rounds Enabled

42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56

Details

Original Versions

Known Vulnerabilities

  • CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWE-122 - Heap-based Buffer Overflow

CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

Author Information

Kaprica Security

DARPA performer group

Kaprica Security (KPRCA)

Description

The service allows a user to input an array of ints and sort the values. It is meant to help students understand the differences between types of sort by showing, roughly, the number of comparisons each sort does.

The service protects the core of its functionality by using a simple xor encryption on its core subroutines. When the program begins, the subroutines are decrypted and placed in executable memory on the heap.

Feature List

  • Enter an array
  • Multiply an array
  • Sort array via:
      - Insertion Sort
      - Selection Sort
      - Heap Sort

Vulnerability

Vuln 1

The service performs an improper bounds check when the array to be sorted holds > 1024 and <= 1048 ints. This bounds check error allows a 24-byte overwrite from one allocated page into another allocated page that is marked as executable.

The vulnerability can only be triggered with arrays of length 1025 to 1048, inclusive. To exploit the vulnerability, the shellcode must be stored as little-endian signed ints instead of a char array.

Generic class of vulnerability

Heap-based Buffer Overflow

CWE classification

  • CWE-122: Heap-based Buffer Overflow
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer

Challenges

This short CB applies a very simple obfuscation technique to its code in order to protect its IP. All of the code's functions were generated by a normal -O0 compilation process (see the commented-out code in sort.c). The bytes were then taken from the disassembled functions, xor'd with the key "CS10FUN!" and stored as arrays in packed.h.

This CB tests a CRS's ability for dynamic analysis of a service. The code is xor'd on disk to prevent naive code inspection of the data segment, and all of the subroutines are run via executable allocated memory on the heap.
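A hardening sketch for the unpacking step described above, added here as an example and not taken from the CB's source: the packed bytes are XOR-decoded with the key named on this page into a region that is writable only while it is filled, then sealed read+execute behind a guard page, so an overflow from a neighbouring data page faults instead of reaching code. The function names, the guard-page layout and the sample bytes are assumptions made for this illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE            /* exposes MAP_ANONYMOUS under strict -std */
#endif
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static const char KEY[] = "CS10FUN!";          /* XOR key stated on the page */
#define KEY_LEN (sizeof KEY - 1)

/* XOR with the repeating key; the same call packs and unpacks. */
void xor_buf(unsigned char *dst, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i] ^ (unsigned char)KEY[i % KEY_LEN];
}

/* Unpack into a fresh mapping: [guard page PROT_NONE][code pages].
 * The code pages are RW only while being filled, then sealed R+X, so they
 * are never writable and executable at once. NULL on failure. */
unsigned char *unpack_sealed(const unsigned char *packed, size_t n) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t code_len = (n + page - 1) / page * page;
    unsigned char *base = mmap(NULL, page + code_len, PROT_NONE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return NULL;
    unsigned char *code = base + page;          /* guard page sits below */
    if (mprotect(code, code_len, PROT_READ | PROT_WRITE) == 0) {
        xor_buf(code, packed, n);
        if (mprotect(code, code_len, PROT_READ | PROT_EXEC) == 0) return code;
    }
    munmap(base, page + code_len);
    return NULL;
}

/* 1 if the kernel can store a byte at p, 0 if it refuses (EFAULT). */
int kernel_can_write(void *p) {
    int fd[2]; char b = 0;
    if (pipe(fd) != 0) return -1;
    ssize_t w = write(fd[1], &b, 1);
    ssize_t r = read(fd[0], p, 1);              /* fails on read-only pages */
    close(fd[0]); close(fd[1]);
    return w == 1 && r == 1;
}

int main(void) {
    unsigned char plain[4] = {0x11, 0x22, 0x33, 0x44}, packed[4]; /* constructed */
    xor_buf(packed, plain, 4);
    unsigned char *code = unpack_sealed(packed, 4);  /* bytes are never executed */
    return !(code && memcmp(code, plain, 4) == 0 && kernel_can_write(code) == 0);
}
```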

One minor difficulty in exploiting the vulnerability is making sure to convert the shellcode into an array of signed ints as opposed to a more typical byte stream. Those ints then need to be converted into strings in order for the CB to process them.

Difficulty

  • Discovering = Medium
  • Proving = Medium
  • Patching = Medium


POV Information

Round Source Destination Result POV Analysis Video
43 CSDS CodeJitsu Failed POV POV Watch
43 CSDS DeepRed Failed POV POV Watch
43 CSDS Disekt Failed POV POV Watch
43 CSDS ForAllSecure Failed POV POV Watch
43 CSDS Shellphish Failed POV POV Watch
43 CSDS TECHx Failed POV POV Watch
43 DeepRed CodeJitsu Failed POV POV Watch
43 DeepRed CSDS Failed POV POV Watch
43 DeepRed Disekt Failed POV POV Watch
43 DeepRed ForAllSecure Failed POV POV Watch
43 DeepRed Shellphish Failed POV POV Watch
43 DeepRed TECHx Failed POV POV Watch
44 CSDS CodeJitsu Failed POV POV Watch
44 CSDS DeepRed Failed POV POV Watch
44 CSDS Disekt Failed POV POV Watch
44 CSDS ForAllSecure Failed POV POV Watch
44 CSDS Shellphish Failed POV POV Watch
44 CSDS TECHx Failed POV POV Watch
44 DeepRed CodeJitsu Failed POV POV Watch
44 DeepRed CSDS Failed POV POV Watch
44 DeepRed Disekt Failed POV POV Watch
44 DeepRed ForAllSecure Failed POV POV Watch
44 DeepRed Shellphish Failed POV POV Watch
44 DeepRed TECHx Failed POV POV Watch
45 CodeJitsu Shellphish Failed POV through defenses POV Watch
45 CSDS CodeJitsu Failed POV POV Watch
45 CSDS DeepRed Failed POV POV Watch
45 CSDS Disekt Failed POV POV Watch
45 CSDS ForAllSecure Failed POV POV Watch
45 CSDS Shellphish Failed POV through defenses POV Watch
45 CSDS TECHx Failed POV POV Watch
45 DeepRed CodeJitsu Failed POV POV Watch
45 DeepRed CSDS Failed POV POV Watch
45 DeepRed Disekt Failed POV POV Watch
45 DeepRed ForAllSecure Failed POV POV Watch
45 DeepRed Shellphish Failed POV through defenses POV Watch
45 DeepRed TECHx Failed POV POV Watch
46 CSDS CodeJitsu Failed POV POV Watch
46 CSDS DeepRed Failed POV POV Watch
46 CSDS Disekt Failed POV POV Watch
46 CSDS ForAllSecure Failed POV POV Watch
46 CSDS Shellphish Failed POV through defenses POV Watch
46 CSDS TECHx Failed POV POV Watch
46 DeepRed CodeJitsu Failed POV POV Watch
46 DeepRed CSDS Failed POV POV Watch
46 DeepRed Disekt Failed POV POV Watch
46 DeepRed ForAllSecure Failed POV POV Watch
46 DeepRed Shellphish Failed POV through defenses POV Watch
46 DeepRed TECHx Failed POV POV Watch
47 CSDS CodeJitsu Failed POV POV Watch
47 CSDS DeepRed Failed POV POV Watch
47 CSDS Disekt Failed POV POV Watch
47 CSDS ForAllSecure Failed POV POV Watch
47 CSDS Shellphish Failed POV through defenses POV Watch
47 CSDS TECHx Failed POV POV Watch
47 DeepRed CodeJitsu Failed POV POV Watch
47 DeepRed CSDS Failed POV POV Watch
47 DeepRed Disekt Failed POV POV Watch
47 DeepRed ForAllSecure Failed POV POV Watch
47 DeepRed Shellphish Failed POV through defenses POV Watch
47 DeepRed TECHx Failed POV POV Watch
48 CSDS CodeJitsu Failed POV POV Watch
48 CSDS DeepRed Failed POV POV Watch
48 CSDS Disekt Failed POV POV Watch
48 CSDS ForAllSecure Failed POV POV Watch
48 CSDS Shellphish Failed POV through defenses POV Watch
48 CSDS TECHx Failed POV POV Watch
48 DeepRed CodeJitsu Failed POV POV Watch
48 DeepRed CSDS Failed POV POV Watch
48 DeepRed Disekt Failed POV POV Watch
48 DeepRed ForAllSecure Failed POV POV Watch
48 DeepRed Shellphish Failed POV through defenses POV Watch
48 DeepRed TECHx Failed POV POV Watch
49 DeepRed CodeJitsu Failed POV POV Watch
49 DeepRed CSDS Failed POV POV Watch
49 DeepRed Disekt Failed POV POV Watch
49 DeepRed ForAllSecure Failed POV POV Watch
49 DeepRed Shellphish Failed POV through defenses POV Watch
49 DeepRed TECHx Failed POV POV Watch
50 CSDS CodeJitsu Failed POV POV Watch
50 CSDS DeepRed Failed POV POV Watch
50 CSDS Disekt Failed POV POV Watch
50 CSDS ForAllSecure Failed POV POV Watch
50 CSDS Shellphish Failed POV through defenses POV Watch
50 CSDS TECHx Failed POV POV Watch
50 DeepRed CodeJitsu Failed POV POV Watch
50 DeepRed CSDS Failed POV POV Watch
50 DeepRed Disekt Failed POV POV Watch
50 DeepRed ForAllSecure Failed POV POV Watch
50 DeepRed Shellphish Failed POV through defenses POV Watch
50 DeepRed TECHx Failed POV POV Watch
51 CSDS CodeJitsu Failed POV POV Watch
51 CSDS DeepRed Failed POV POV Watch
51 CSDS Disekt Failed POV POV Watch
51 CSDS ForAllSecure Failed POV POV Watch
51 CSDS Shellphish Failed POV through defenses POV Watch
51 CSDS TECHx Failed POV POV Watch
51 DeepRed CodeJitsu Failed POV POV Watch
51 DeepRed CSDS Failed POV POV Watch
51 DeepRed Disekt Failed POV POV Watch
51 DeepRed ForAllSecure Failed POV POV Watch
51 DeepRed Shellphish Failed POV through defenses POV Watch
51 DeepRed TECHx Failed POV POV Watch
52 CSDS CodeJitsu Failed POV POV Watch
52 CSDS DeepRed Failed POV POV Watch
52 CSDS Disekt Failed POV POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV through defenses POV Watch
52 CSDS TECHx Failed POV POV Watch
52 DeepRed CodeJitsu Failed POV POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV through defenses POV Watch
52 DeepRed TECHx Failed POV POV Watch
53 CSDS CodeJitsu Failed POV POV Watch
53 CSDS DeepRed Failed POV POV Watch
53 CSDS Disekt Failed POV POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV through defenses POV Watch
53 CSDS TECHx Failed POV POV Watch
53 DeepRed CodeJitsu Failed POV POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV through defenses POV Watch
53 DeepRed TECHx Failed POV POV Watch
54 CSDS CodeJitsu Failed POV POV Watch
54 CSDS DeepRed Failed POV POV Watch
54 CSDS Disekt Failed POV POV Watch
54 CSDS ForAllSecure Failed POV POV Watch
54 CSDS Shellphish Failed POV through defenses POV Watch
54 CSDS TECHx Failed POV POV Watch
54 DeepRed CodeJitsu Failed POV POV Watch
54 DeepRed CSDS Failed POV POV Watch
54 DeepRed Disekt Failed POV POV Watch
54 DeepRed ForAllSecure Failed POV POV Watch
54 DeepRed Shellphish Failed POV through defenses POV Watch
54 DeepRed TECHx Failed POV POV Watch
55 CSDS CodeJitsu Failed POV POV Watch
55 CSDS DeepRed Failed POV POV Watch
55 CSDS Disekt Failed POV POV Watch
55 CSDS ForAllSecure Failed POV POV Watch
55 CSDS Shellphish Failed POV through defenses POV Watch
55 CSDS TECHx Failed POV POV Watch
55 DeepRed CodeJitsu Failed POV POV Watch
55 DeepRed CSDS Failed POV POV Watch
55 DeepRed Disekt Failed POV POV Watch
55 DeepRed ForAllSecure Failed POV POV Watch
55 DeepRed Shellphish Failed POV through defenses POV Watch
55 DeepRed TECHx Failed POV POV Watch
56 CSDS CodeJitsu Failed POV POV Watch
56 CSDS DeepRed Failed POV POV Watch
56 CSDS Disekt Failed POV POV Watch
56 CSDS ForAllSecure Failed POV POV Watch
56 CSDS Shellphish Failed POV through defenses POV Watch
56 CSDS TECHx Failed POV POV Watch
56 DeepRed CodeJitsu Failed POV POV Watch
56 DeepRed CSDS Failed POV POV Watch
56 DeepRed Disekt Failed POV POV Watch
56 DeepRed ForAllSecure Failed POV POV Watch
56 DeepRed Shellphish Failed POV through defenses POV Watch
56 DeepRed TECHx Failed POV POV Watch

Curated by Lunge Technology, LLC.