This is an archived web site made available for research purposes. The web site is no longer maintained.

Challenge Information - KPRCA_00091

Commonly known as: FailAV


Rounds Enabled

50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64

Details

Original Versions

Known Vulnerabilities

  • CWE-786 - Access of Memory Location Before Start of Buffer
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

DARPA performer group

Kaprica Security (KPRCA)

Description

A C++ rule-based malware detection engine with heuristics for different file formats. It uses an emulator to unpack malware before applying rules.

Feature List

  • Malware engine rules can be updated at run-time.
  • Detection algorithm is fast: speed is not affected by the number of rules.
  • Emulator supports 19 common instructions with up to 64KB of stack space and 1GB of heap space.
  • Malware is sandboxed so that it cannot modify memory outside of its stack and heap.
  • Heuristics for both executables and bitmaps.

Vulnerability

Vuln 1

In Emulator::in_stack (emulator.h:37), the service fails to ensure that the shadow stack pointer is in bounds. This allows an attacker to read and write memory they should not be able to reach, such as the C stack. An attacker can overwrite a return address to gain EIP control and then use a gadget for a complete type-1 exploit.
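The following is an added illustration of the class of check that is missing, not the challenge's own emulator.h (whose code is not on this page): a bounds test that only checks the upper end lets a shadow stack pointer that has moved below the buffer start through, while the hardened form rejects it before the pointer moves. The class and function names (Emu, in_stack_vuln, in_stack_fixed, push32, exhaust_stack) and the offset-based representation of the shadow stack pointer are assumptions.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical reconstruction of the missing check, not the challenge's
// emulator.h. The guest stack is a fixed host buffer; the "shadow" stack
// pointer is the guest SP kept as a signed offset into that buffer.
static const int64_t kStackSize = 64 * 1024;   // 64KB, per the feature list

class Emu {
public:
    Emu() : stack_(kStackSize, 0), sp_(kStackSize) {}

    // Vulnerable pattern (CWE-786): only the upper bound is checked, so an
    // offset below the buffer start (negative here) passes and the access
    // lands in host memory that precedes the emulated stack.
    static bool in_stack_vuln(int64_t off, int64_t len) {
        return off + len <= kStackSize;
    }

    // Hardened: reject offsets below the base or past the end, and lengths
    // that would overrun, without any overflowing arithmetic.
    static bool in_stack_fixed(int64_t off, int64_t len) {
        if (off < 0 || len < 0 || off > kStackSize) return false;
        return len <= kStackSize - off;
    }

    // Guest PUSH: validate the *new* SP before moving it, so SP can never
    // leave the buffer no matter how many pushes the guest issues.
    bool push32(uint32_t v) {
        if (!in_stack_fixed(sp_ - 4, 4)) return false;  // underflow refused
        sp_ -= 4;
        std::memcpy(&stack_[sp_], &v, 4);
        return true;
    }

    int64_t sp() const { return sp_; }

private:
    std::vector<uint8_t> stack_;
    int64_t sp_;
};

// Push until the emulator refuses; with the hardened check the final SP
// offset of a fresh emulator is exactly 0, never negative.
int64_t exhaust_stack() {
    Emu e;
    while (e.push32(0x41414141u)) {}
    return e.sp();
}
```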

Generic class of vulnerability

Memory Corruption

CWE classification

CWE-786: Access of Memory Location Before Start of Buffer

Challenges

  • The challenge encountered when proving is how to control both EIP and another register without causing a premature crash. Using a gadget is likely essential. A type-2 exploit is more difficult and would probably require a call to Interface::send_response.

  • Discovery with fuzzing should be possible but the required input size is non-trivial. Mutation fuzzing is likely the easiest method to discover the vulnerability.

Difficulty

  • Discovery: medium
  • Proving: medium
  • Patching: medium

POV Information

Round  Source     Destination   Result                       POV  Analysis Video
51     CSDS       CodeJitsu     Failed POV                   POV
51     CSDS       DeepRed       Failed POV                   POV
51     CSDS       Disekt        Failed POV                   POV
51     CSDS       ForAllSecure  Failed POV                   POV
51     CSDS       Shellphish    Failed POV                   POV
51     CSDS       TECHx         Failed POV                   POV
51     DeepRed    CodeJitsu     Failed POV                   POV
51     DeepRed    CSDS          Failed POV                   POV
51     DeepRed    Disekt        Failed POV                   POV
51     DeepRed    ForAllSecure  Failed POV                   POV
51     DeepRed    Shellphish    Failed POV                   POV
51     DeepRed    TECHx         Failed POV                   POV
52     CSDS       CodeJitsu     Failed POV                   POV
52     CSDS       DeepRed       Failed POV                   POV
52     CSDS       Disekt        Failed POV                   POV
52     CSDS       ForAllSecure  Failed POV                   POV
52     CSDS       Shellphish    Failed POV                   POV
52     CSDS       TECHx         Failed POV                   POV
52     DeepRed    CodeJitsu     Failed POV                   POV
52     DeepRed    CSDS          Failed POV                   POV
52     DeepRed    Disekt        Failed POV                   POV
52     DeepRed    ForAllSecure  Failed POV                   POV
52     DeepRed    Shellphish    Failed POV                   POV
52     DeepRed    TECHx         Failed POV                   POV
53     CSDS       CodeJitsu     Failed POV                   POV
53     CSDS       DeepRed       Failed POV                   POV
53     CSDS       Disekt        Failed POV                   POV
53     CSDS       ForAllSecure  Failed POV                   POV
53     CSDS       Shellphish    Failed POV                   POV
53     CSDS       TECHx         Failed POV                   POV
53     DeepRed    CodeJitsu     Failed POV                   POV
53     DeepRed    CSDS          Failed POV                   POV
53     DeepRed    Disekt        Failed POV                   POV
53     DeepRed    ForAllSecure  Failed POV                   POV
53     DeepRed    Shellphish    Failed POV                   POV
53     DeepRed    TECHx         Failed POV                   POV
54     CodeJitsu  Shellphish    Failed POV through defenses  POV
54     CSDS       CodeJitsu     Failed POV                   POV
54     CSDS       DeepRed       Failed POV                   POV
54     CSDS       Disekt        Failed POV                   POV
54     CSDS       ForAllSecure  Failed POV                   POV
54     CSDS       Shellphish    Failed POV through defenses  POV
54     CSDS       TECHx         Failed POV                   POV
54     DeepRed    CodeJitsu     Failed POV                   POV
54     DeepRed    CSDS          Failed POV                   POV
54     DeepRed    Disekt        Failed POV                   POV
54     DeepRed    ForAllSecure  Failed POV                   POV
54     DeepRed    Shellphish    Failed POV through defenses  POV
54     DeepRed    TECHx         Failed POV                   POV
55     CSDS       CodeJitsu     Failed POV                   POV
55     CSDS       DeepRed       Failed POV                   POV
55     CSDS       Disekt        Failed POV                   POV
55     CSDS       ForAllSecure  Failed POV                   POV
55     CSDS       Shellphish    Failed POV through defenses  POV
55     CSDS       TECHx         Failed POV                   POV
55     DeepRed    CodeJitsu     Failed POV                   POV
55     DeepRed    CSDS          Failed POV                   POV
55     DeepRed    Disekt        Failed POV                   POV
55     DeepRed    ForAllSecure  Failed POV                   POV
55     DeepRed    Shellphish    Failed POV through defenses  POV
55     DeepRed    TECHx         Failed POV                   POV
56     CSDS       CodeJitsu     Failed POV                   POV
56     CSDS       DeepRed       Failed POV                   POV
56     CSDS       Disekt        Failed POV                   POV
56     CSDS       ForAllSecure  Failed POV                   POV
56     CSDS       Shellphish    Failed POV through defenses  POV
56     CSDS       TECHx         Failed POV                   POV
56     DeepRed    CodeJitsu     Failed POV                   POV
56     DeepRed    CSDS          Failed POV                   POV
56     DeepRed    Disekt        Failed POV                   POV
56     DeepRed    ForAllSecure  Failed POV                   POV
56     DeepRed    Shellphish    Failed POV through defenses  POV
56     DeepRed    TECHx         Failed POV                   POV
57     CodeJitsu  Shellphish    Failed POV                   POV
57     CSDS       CodeJitsu     Failed POV                   POV
57     CSDS       DeepRed       Failed POV                   POV
57     CSDS       Disekt        Failed POV                   POV
57     CSDS       ForAllSecure  Failed POV                   POV
57     CSDS       Shellphish    Failed POV                   POV
57     CSDS       TECHx         Failed POV                   POV
57     DeepRed    CodeJitsu     Failed POV                   POV
57     DeepRed    CSDS          Failed POV                   POV
57     DeepRed    Disekt        Failed POV                   POV
57     DeepRed    ForAllSecure  Failed POV                   POV
57     DeepRed    Shellphish    Failed POV                   POV
57     DeepRed    TECHx         Failed POV                   POV
58     CSDS       CodeJitsu     Failed POV                   POV
58     CSDS       DeepRed       Failed POV                   POV
58     CSDS       Disekt        Failed POV                   POV
58     CSDS       ForAllSecure  Failed POV                   POV
58     CSDS       Shellphish    Failed POV                   POV
58     CSDS       TECHx         Failed POV                   POV
58     DeepRed    CodeJitsu     Failed POV                   POV
58     DeepRed    CSDS          Failed POV                   POV
58     DeepRed    Disekt        Failed POV                   POV
58     DeepRed    ForAllSecure  Failed POV                   POV
58     DeepRed    Shellphish    Failed POV                   POV
58     DeepRed    TECHx         Failed POV                   POV
59     CSDS       CodeJitsu     Failed POV                   POV
59     CSDS       DeepRed       Failed POV                   POV
59     CSDS       Disekt        Failed POV                   POV
59     CSDS       ForAllSecure  Failed POV                   POV
59     CSDS       Shellphish    Failed POV                   POV
59     CSDS       TECHx         Failed POV                   POV
59     DeepRed    CodeJitsu     Failed POV                   POV
59     DeepRed    CSDS          Failed POV                   POV
59     DeepRed    Disekt        Failed POV                   POV
59     DeepRed    ForAllSecure  Failed POV                   POV
59     DeepRed    Shellphish    Failed POV                   POV
59     DeepRed    TECHx         Failed POV                   POV
60     CSDS       CodeJitsu     Failed POV                   POV
60     CSDS       DeepRed       Failed POV                   POV
60     CSDS       Disekt        Failed POV                   POV
60     CSDS       ForAllSecure  Failed POV                   POV
60     CSDS       Shellphish    Failed POV                   POV
60     CSDS       TECHx         Failed POV                   POV
60     DeepRed    CodeJitsu     Failed POV                   POV
60     DeepRed    CSDS          Failed POV                   POV
60     DeepRed    Disekt        Failed POV                   POV
60     DeepRed    ForAllSecure  Failed POV                   POV
60     DeepRed    Shellphish    Failed POV                   POV
60     DeepRed    TECHx         Failed POV                   POV
61     CSDS       CodeJitsu     Failed POV                   POV
61     CSDS       DeepRed       Failed POV                   POV
61     CSDS       Disekt        Failed POV                   POV
61     CSDS       ForAllSecure  Failed POV                   POV
61     CSDS       Shellphish    Failed POV                   POV
61     CSDS       TECHx         Failed POV                   POV
61     DeepRed    CodeJitsu     Failed POV                   POV
61     DeepRed    CSDS          Failed POV                   POV
61     DeepRed    Disekt        Failed POV                   POV
61     DeepRed    ForAllSecure  Failed POV                   POV
61     DeepRed    Shellphish    Failed POV                   POV
61     DeepRed    TECHx         Failed POV                   POV
62     CSDS       CodeJitsu     Failed POV                   POV
62     CSDS       DeepRed       Failed POV                   POV
62     CSDS       Disekt        Failed POV                   POV
62     CSDS       ForAllSecure  Failed POV                   POV
62     CSDS       Shellphish    Failed POV                   POV
62     CSDS       TECHx         Failed POV                   POV
62     DeepRed    CodeJitsu     Failed POV                   POV
62     DeepRed    CSDS          Failed POV                   POV
62     DeepRed    Disekt        Failed POV                   POV
62     DeepRed    ForAllSecure  Failed POV                   POV
62     DeepRed    Shellphish    Failed POV                   POV
62     DeepRed    TECHx         Failed POV                   POV
63     CSDS       CodeJitsu     Failed POV                   POV
63     CSDS       DeepRed       Failed POV                   POV
63     CSDS       Disekt        Failed POV                   POV
63     CSDS       ForAllSecure  Failed POV                   POV
63     CSDS       Shellphish    Failed POV                   POV
63     CSDS       TECHx         Failed POV                   POV
63     DeepRed    CodeJitsu     Failed POV                   POV
63     DeepRed    CSDS          Failed POV                   POV
63     DeepRed    Disekt        Failed POV                   POV
63     DeepRed    ForAllSecure  Failed POV                   POV
63     DeepRed    Shellphish    Failed POV                   POV
63     DeepRed    TECHx         Failed POV                   POV
64     CSDS       CodeJitsu     Failed POV                   POV
64     CSDS       DeepRed       Failed POV                   POV
64     CSDS       Disekt        Failed POV                   POV
64     CSDS       ForAllSecure  Failed POV                   POV
64     CSDS       Shellphish    Failed POV                   POV
64     CSDS       TECHx         Failed POV                   POV
64     DeepRed    CodeJitsu     Failed POV                   POV
64     DeepRed    CSDS          Failed POV                   POV
64     DeepRed    Disekt        Failed POV                   POV
64     DeepRed    ForAllSecure  Failed POV                   POV
64     DeepRed    Shellphish    Failed POV                   POV
64     DeepRed    TECHx         Failed POV                   POV

Curated by Lunge Technology, LLC. Questions or comments? Send us email