This is an archived web site made available for research purposes. The web site is no longer maintained.

Challenge Information - NRFIN_00063

Commonly known as: On_Sale


Rounds Enabled

48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62

Details

Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-121 - Stack-based Buffer Overflow
  • CWE-122 - Heap-based Buffer Overflow
  • CWE-131 - Incorrect Calculation of Buffer Size
  • CWE-787 - Out-of-bounds Write
  • CWE-788 - Access of Memory Location After End of Buffer

CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

Author Information

"Nick Davis" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description:

Every vendor needs a point-of-sale product, so we have created the new and improved On Sale POS product featuring a package of predefined product sales options to make it easier for a vendor to put products on sale.

Upon installation of On Sale, the system is preloaded with all of the vendor's products. However, we know that product lines can change, so we've implemented features to update the product line with ease.

Feature List:

Purchase - Process the purchase of one or more products to calculate the total owed by the customer.

Check - Determine the model number, cost, and description of the product that is associated with a barcode. If the product is on sale, this check will return the sale price.

Add Product - Add a new product to the system

Remove Product - Remove a product from the system

Update Product - Update a product in the system

List Products - List all products. Only barcodes by default, but you can include other data depending on options provided.

On Sale - Set a product to be on sale using one of the options from the revolutionary sale package

Off Sale - Set a product back to full price and end the sale.

Vulnerability 1

In the do_add() function at products.c:240, the size passed to the recv_until_delim_n() call is larger than the description buffer that stores the received bytes. In the unpatched version, the size is sizeof(Product), which is 24 bytes larger than the buffer, whose size is MAX_DESC_LEN. When a product description of more than MAX_DESC_LEN bytes is received, the extra bytes overwrite the product's model_num, cost, sfn pointer, and 12 bytes of heap metadata, in that order. For the POV, we overwrite the model_num, cost, and sfn pointer. The sfn pointer points to the current sale function, which takes the model_num and cost as parameters, and the sale functions pass those 2 parameters via registers. So, the next time do_check() is called on this product and the sale price is read, the POV controls the sfn function pointer as well as its 2 parameters. When sfn() is called in do_check(), it will crash and make a TYPE 1 POV.

Generic Class of Vulnerability

  • Heap Buffer Overflow
  • Improper Bounds Checking

CWE Classification

  • CWE-122: Heap-Based Buffer Overflow
  • CWE-131: Incorrect Calculation of Buffer Size
  • CWE-787: Out-of-bounds Write
  • CWE-788: Access of Memory Location After End of Buffer

Challenges

  • There are a large number of products preloaded into the inventory and there are 100 predefined sale functions. This was an effort to make the binary larger in case that causes problems for any analysis tools.
  • The do_add() function can be accessed by a fuzzer once the fuzzer learns the command to reach that function. A solver could do this easily as well. Also, it should be relatively easy to figure out where the buffer overflow is happening on the receive call.
  • It will be more challenging to learn that the do_check() function has to be called on the exact same product that was added in order to trigger the POV. The large number of products preloaded into the inventory adds distracting product barcodes when creating this POV.
  • Fixing the overflow should be pretty easy.

Difficulty

  • Discovering is easy
  • Proving is medium
  • Fixing is easy

Vulnerability 2

In the do_update() function at products.c:312, the size passed to the recv_until_delim_n() call is larger than the desc_buf buffer that stores the received bytes. In the unpatched version, the size is sizeof(Product), which is 24 bytes larger than the buffer, whose size is MAX_DESC_LEN. When a product description of more than MAX_DESC_LEN bytes is received, the extra bytes overwrite the function's local variables and saved values on the stack. They overwrite bc[], desc_copy, p, bytes_recvd, and the next 4 bytes on the stack, in that order. For the POV, we overwrite bc, desc_copy, and p. The value of bc doesn't matter. The desc_copy variable is a function pointer that is used to copy the new description buffer contents into the existing product's description buffer. The product pointer p is used in the first parameter to this function call because the call requires the address of p->desc. So, this POV controls the desc_copy() function pointer as well as its first parameter. Since the desc_copy() function passes its parameters via registers, this can be made to crash and make the TYPE 1 POV.

Generic Class of Vulnerability

  • Stack Buffer Overflow
  • Improper Bounds Checking

CWE Classification

  • CWE-120: Buffer Copy without Checking Size of Input
  • CWE-121: Stack-based Buffer Overflow
  • CWE-131: Incorrect Calculation of Buffer Size
  • CWE-787: Out-of-bounds Write
  • CWE-788: Access of Memory Location After End of Buffer

Challenges

  • There are a large number of products preloaded into the inventory and there are 100 predefined sale functions. This was an effort to make the binary larger in case that causes problems for any analysis tools.
  • The do_update() function can be accessed by a fuzzer once the fuzzer learns the command to reach that function. This should be relatively easy.
  • It should be relatively easy to figure out where the buffer overflow is happening on the receive call in do_update().
  • What is more challenging is that the analysis tools have to know to call the do_list() function to get a list of valid barcodes that can then be used in the do_update() function.
  • Additionally, the do_list() function takes a set of options. Those options determine how much data is returned for each product. When testing those options the code only checks to determine if they are odd or even. This will make a large number of valid inputs for these values that will give widely differing outputs. This should provide some distraction for analysis tools.
  • Fixing the overflow should be pretty easy.

Difficulty

  • Discovering is easy
  • Proving is medium
  • Fixing is easy
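
The sizing error behind both vulnerabilities, modelled as an added example (not code from the challenge source): it measures how far a receive bound of sizeof(Product) reaches past desc, and shows a receive whose bound is taken from the destination buffer, which is the same fix desc_buf needs in do_update(). BARCODE_SZ, the value of MAX_DESC_LEN, the struct layout, read_until_delim_n() (an in-memory stand-in for recv_until_delim_n()), set_desc() and the sample input are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BARCODE_SZ   12    /* assumed size, not taken from the challenge source */
#define MAX_DESC_LEN 128   /* assumed size, not taken from the challenge source */

typedef float (*sale_fn)(uint32_t model_num, float cost);
/* Hypothetical layout following the field order the write-up gives. */
typedef struct {
    char     barcode[BARCODE_SZ];
    char     desc[MAX_DESC_LEN];
    uint32_t model_num;
    float    cost;
    sale_fn  sfn;
} Product;

/* Bytes a receive bound of `cap` lets the peer write past the end of desc. */
static size_t bytes_past_desc(size_t cap) {
    return cap > MAX_DESC_LEN ? cap - MAX_DESC_LEN : 0;
}

/* Bytes the same bound lets the peer write past the end of the whole object
 * (allocator metadata when the Product lives on the heap). */
static size_t bytes_past_object(size_t cap) {
    size_t end = offsetof(Product, desc) + cap;
    return end > sizeof(Product) ? end - sizeof(Product) : 0;
}

/* Stand-in for recv_until_delim_n(): copies from an in-memory "wire" buffer
 * until delim is seen or cap bytes are stored. Returns bytes stored. */
static size_t read_until_delim_n(const char *wire, size_t wire_len, char delim,
                                 char *dst, size_t cap) {
    size_t n = 0;
    while (n < cap && n < wire_len && wire[n] != delim) {
        dst[n] = wire[n];
        n++;
    }
    return n;
}

/* Hardened receive: the bound is derived from the destination itself. */
static size_t set_desc(Product *p, const char *wire, size_t wire_len) {
    memset(p->desc, 0, sizeof p->desc);
    return read_until_delim_n(wire, wire_len, '\n', p->desc, sizeof p->desc);
}

static float full_price(uint32_t model_num, float cost) { (void)model_num; return cost; }

/* Feeds a constructed over-long description; returns 1 if the fields after desc are intact. */
static int oversized_desc_is_contained(void) {
    Product p = { "0000000001", "", 42u, 9.5f, full_price };
    char wire[sizeof(Product) + 64];
    memset(wire, 'A', sizeof wire);          /* constructed input, no delimiter */
    size_t stored = set_desc(&p, wire, sizeof wire);
    return stored == MAX_DESC_LEN && p.model_num == 42u &&
           p.cost == 9.5f && p.sfn == full_price;
}
```

Under this assumed layout, a bound of sizeof(Product) reaches offsetof(Product, desc) bytes past the end of the allocation, the same shape as the 12 bytes of heap metadata the write-up mentions.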

POV Information

Round Source Destination Result POV Analysis Video
49 CSDS CodeJitsu Failed POV POV Watch
49 CSDS DeepRed Failed POV POV Watch
49 CSDS Disekt Failed POV POV Watch
49 CSDS ForAllSecure Failed POV POV Watch
49 CSDS Shellphish Failed POV POV Watch
49 CSDS TECHx Failed POV POV Watch
49 DeepRed CodeJitsu Failed POV POV Watch
49 DeepRed CSDS Failed POV POV Watch
49 DeepRed Disekt Failed POV POV Watch
49 DeepRed ForAllSecure Failed POV POV Watch
49 DeepRed Shellphish Failed POV POV Watch
49 DeepRed TECHx Failed POV POV Watch
50 CodeJitsu CSDS Successful POV POV Analysis Watch
50 CodeJitsu DeepRed Successful POV POV Analysis Watch
50 CodeJitsu Disekt Successful POV POV Analysis Watch
50 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
50 CodeJitsu Shellphish Successful POV POV Analysis Watch
50 CodeJitsu TECHx Successful POV POV Analysis Watch
50 CSDS CodeJitsu Failed POV through defenses POV Watch
50 CSDS DeepRed Failed POV POV Watch
50 CSDS Disekt Failed POV POV Watch
50 CSDS ForAllSecure Failed POV POV Watch
50 CSDS Shellphish Failed POV POV Watch
50 CSDS TECHx Failed POV POV Watch
50 DeepRed CodeJitsu Failed POV through defenses POV Watch
50 DeepRed CSDS Failed POV POV Watch
50 DeepRed Disekt Failed POV POV Watch
50 DeepRed ForAllSecure Failed POV POV Watch
50 DeepRed Shellphish Failed POV POV Watch
50 DeepRed TECHx Failed POV POV Watch
51 CodeJitsu CSDS Successful POV POV Analysis Watch
51 CodeJitsu DeepRed Successful POV POV Analysis Watch
51 CodeJitsu Disekt Successful POV POV Analysis Watch
51 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
51 CodeJitsu Shellphish Failed POV through defenses POV Watch
51 CodeJitsu TECHx Successful POV POV Analysis Watch
51 CSDS CodeJitsu Failed POV through defenses POV Watch
51 CSDS DeepRed Failed POV POV Watch
51 CSDS Disekt Failed POV POV Watch
51 CSDS ForAllSecure Failed POV POV Watch
51 CSDS Shellphish Failed POV through defenses POV Watch
51 CSDS TECHx Failed POV POV Watch
51 DeepRed CodeJitsu Failed POV through defenses POV Watch
51 DeepRed CSDS Failed POV POV Watch
51 DeepRed Disekt Failed POV POV Watch
51 DeepRed ForAllSecure Failed POV POV Watch
51 DeepRed Shellphish Failed POV through defenses POV Watch
51 DeepRed TECHx Failed POV POV Watch
52 CodeJitsu CSDS Successful POV POV Analysis Watch
52 CodeJitsu DeepRed Failed POV through defenses POV Watch
52 CodeJitsu Disekt Failed POV through defenses POV Watch
52 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
52 CodeJitsu Shellphish Failed POV through defenses POV Watch
52 CSDS CodeJitsu Failed POV through defenses POV Watch
52 CSDS DeepRed Failed POV through defenses POV Watch
52 CSDS Disekt Failed POV through defenses POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV through defenses POV Watch
52 DeepRed CodeJitsu Failed POV through defenses POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV through defenses POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV through defenses POV Watch
53 CodeJitsu CSDS Successful POV POV Analysis Watch
53 CodeJitsu DeepRed Failed POV through defenses POV Watch
53 CodeJitsu Disekt Failed POV through defenses POV Watch
53 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
53 CodeJitsu Shellphish Failed POV through defenses POV Watch
53 CodeJitsu TECHx Failed POV through defenses POV Watch
53 CSDS CodeJitsu Failed POV through defenses POV Watch
53 CSDS DeepRed Failed POV through defenses POV Watch
53 CSDS Disekt Failed POV through defenses POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV through defenses POV Watch
53 CSDS TECHx Failed POV through defenses POV Watch
53 DeepRed CodeJitsu Failed POV through defenses POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV through defenses POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV through defenses POV Watch
53 DeepRed TECHx Failed POV through defenses POV Watch
54 CodeJitsu CSDS Successful POV POV Analysis Watch
54 CodeJitsu DeepRed Successful POV through defenses POV Analysis Watch
54 CodeJitsu Disekt Failed POV through defenses POV Watch
54 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
54 CodeJitsu Shellphish Failed POV through defenses POV Watch
54 CodeJitsu TECHx Failed POV through defenses POV Watch
54 CSDS CodeJitsu Failed POV through defenses POV Watch
54 CSDS DeepRed Failed POV through defenses POV Watch
54 CSDS Disekt Failed POV through defenses POV Watch
54 CSDS ForAllSecure Failed POV POV Watch
54 CSDS Shellphish Failed POV through defenses POV Watch
54 CSDS TECHx Failed POV through defenses POV Watch
54 DeepRed CodeJitsu Failed POV through defenses POV Watch
54 DeepRed CSDS Failed POV POV Watch
54 DeepRed Disekt Failed POV through defenses POV Watch
54 DeepRed ForAllSecure Failed POV POV Watch
54 DeepRed Shellphish Failed POV through defenses POV Watch
54 DeepRed TECHx Failed POV through defenses POV Watch
55 CodeJitsu CSDS Successful POV POV Analysis Watch
55 CodeJitsu Disekt Failed POV through defenses POV Watch
55 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
55 CodeJitsu Shellphish Failed POV through defenses POV Watch
55 CodeJitsu TECHx Failed POV through defenses POV Watch
55 CSDS CodeJitsu Failed POV through defenses POV Watch
55 CSDS Disekt Failed POV through defenses POV Watch
55 CSDS ForAllSecure Failed POV POV Watch
55 CSDS Shellphish Failed POV through defenses POV Watch
55 CSDS TECHx Failed POV through defenses POV Watch
55 DeepRed CodeJitsu Failed POV through defenses POV Watch
55 DeepRed CSDS Failed POV POV Watch
55 DeepRed Disekt Failed POV through defenses POV Watch
55 DeepRed ForAllSecure Failed POV POV Watch
55 DeepRed Shellphish Failed POV through defenses POV Watch
55 DeepRed TECHx Failed POV through defenses POV Watch
56 CodeJitsu CSDS Successful POV POV Analysis Watch
56 CodeJitsu Disekt Failed POV through defenses POV Watch
56 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
56 CodeJitsu Shellphish Failed POV through defenses POV Watch
56 CodeJitsu TECHx Failed POV through defenses POV Watch
56 CSDS CodeJitsu Failed POV through defenses POV Watch
56 CSDS DeepRed Failed POV through defenses POV Watch
56 CSDS Disekt Failed POV through defenses POV Watch
56 CSDS ForAllSecure Failed POV POV Watch
56 CSDS Shellphish Failed POV through defenses POV Watch
56 CSDS TECHx Failed POV through defenses POV Watch
56 DeepRed CodeJitsu Failed POV through defenses POV Watch
56 DeepRed CSDS Failed POV POV Watch
56 DeepRed Disekt Failed POV through defenses POV Watch
56 DeepRed ForAllSecure Failed POV POV Watch
56 DeepRed Shellphish Failed POV through defenses POV Watch
56 DeepRed TECHx Failed POV through defenses POV Watch
57 CodeJitsu CSDS Successful POV POV Analysis Watch
57 CodeJitsu Disekt Failed POV through defenses POV Watch
57 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
57 CodeJitsu Shellphish Failed POV through defenses POV Watch
57 CodeJitsu TECHx Failed POV through defenses POV Watch
57 CSDS CodeJitsu Failed POV through defenses POV Watch
57 CSDS DeepRed Failed POV through defenses POV Watch
57 CSDS Disekt Failed POV through defenses POV Watch
57 CSDS ForAllSecure Failed POV POV Watch
57 CSDS Shellphish Failed POV through defenses POV Watch
57 CSDS TECHx Failed POV through defenses POV Watch
57 DeepRed CodeJitsu Failed POV through defenses POV Watch
57 DeepRed CSDS Failed POV POV Watch
57 DeepRed Disekt Failed POV through defenses POV Watch
57 DeepRed ForAllSecure Failed POV POV Watch
57 DeepRed Shellphish Failed POV through defenses POV Watch
57 DeepRed TECHx Failed POV through defenses POV Watch
58 CodeJitsu CSDS Successful POV POV Analysis Watch
58 CodeJitsu Disekt Failed POV through defenses POV Watch
58 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
58 CodeJitsu Shellphish Failed POV through defenses POV Watch
58 CodeJitsu TECHx Failed POV through defenses POV Watch
58 CSDS CodeJitsu Failed POV through defenses POV Watch
58 CSDS DeepRed Failed POV through defenses POV Watch
58 CSDS Disekt Failed POV through defenses POV Watch
58 CSDS ForAllSecure Failed POV POV Watch
58 CSDS Shellphish Failed POV through defenses POV Watch
58 CSDS TECHx Failed POV through defenses POV Watch
58 DeepRed CodeJitsu Failed POV through defenses POV Watch
58 DeepRed CSDS Failed POV POV Watch
58 DeepRed Disekt Failed POV through defenses POV Watch
58 DeepRed ForAllSecure Failed POV POV Watch
58 DeepRed Shellphish Failed POV through defenses POV Watch
58 DeepRed TECHx Failed POV through defenses POV Watch
58 Shellphish CodeJitsu Failed POV through defenses POV Watch
58 Shellphish CSDS Successful POV POV Analysis Watch
58 Shellphish DeepRed Failed POV through defenses POV Watch
58 Shellphish Disekt Failed POV through defenses POV Watch
58 Shellphish ForAllSecure Successful POV POV Analysis Watch
59 CodeJitsu CSDS Successful POV POV Analysis Watch
59 CodeJitsu Disekt Failed POV through defenses POV Watch
59 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
59 CodeJitsu Shellphish Failed POV through defenses POV Watch
59 CodeJitsu TECHx Failed POV through defenses POV Watch
59 CSDS CodeJitsu Failed POV through defenses POV Watch
59 CSDS DeepRed Failed POV through defenses POV Watch
59 CSDS Disekt Failed POV through defenses POV Watch
59 CSDS ForAllSecure Failed POV POV Watch
59 CSDS Shellphish Failed POV through defenses POV Watch
59 CSDS TECHx Failed POV through defenses POV Watch
59 DeepRed CodeJitsu Failed POV through defenses POV Watch
59 DeepRed CSDS Failed POV POV Watch
59 DeepRed Disekt Failed POV through defenses POV Watch
59 DeepRed ForAllSecure Failed POV POV Watch
59 DeepRed Shellphish Failed POV through defenses POV Watch
59 DeepRed TECHx Failed POV through defenses POV Watch
59 Shellphish CodeJitsu Successful POV through defenses POV Analysis Watch
59 Shellphish CSDS Successful POV POV Analysis Watch
59 Shellphish DeepRed Failed POV through defenses POV Watch
59 Shellphish Disekt Failed POV through defenses POV Watch
59 Shellphish ForAllSecure Successful POV POV Analysis Watch
60 CodeJitsu CSDS Successful POV POV Analysis Watch
60 CodeJitsu Disekt Failed POV through defenses POV Watch
60 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
60 CodeJitsu Shellphish Failed POV through defenses POV Watch
60 CodeJitsu TECHx Failed POV through defenses POV Watch
60 CSDS CodeJitsu Failed POV through defenses POV Watch
60 CSDS DeepRed Failed POV through defenses POV Watch
60 CSDS Disekt Failed POV through defenses POV Watch
60 CSDS ForAllSecure Failed POV POV Watch
60 CSDS Shellphish Failed POV through defenses POV Watch
60 CSDS TECHx Failed POV through defenses POV Watch
60 DeepRed CodeJitsu Failed POV through defenses POV Watch
60 DeepRed CSDS Failed POV POV Watch
60 DeepRed Disekt Failed POV through defenses POV Watch
60 DeepRed ForAllSecure Failed POV POV Watch
60 DeepRed Shellphish Failed POV through defenses POV Watch
60 DeepRed TECHx Failed POV through defenses POV Watch
60 Shellphish CodeJitsu Successful POV through defenses POV Analysis Watch
60 Shellphish CSDS Successful POV POV Analysis Watch
60 Shellphish Disekt Failed POV through defenses POV Watch
60 Shellphish ForAllSecure Successful POV POV Analysis Watch
61 CodeJitsu CSDS Successful POV POV Analysis Watch
61 CodeJitsu Disekt Failed POV through defenses POV Watch
61 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
61 CodeJitsu Shellphish Failed POV through defenses POV Watch
61 CodeJitsu TECHx Failed POV through defenses POV Watch
61 CSDS CodeJitsu Failed POV through defenses POV Watch
61 CSDS DeepRed Failed POV through defenses POV Watch
61 CSDS Disekt Failed POV through defenses POV Watch
61 CSDS ForAllSecure Failed POV POV Watch
61 CSDS Shellphish Failed POV through defenses POV Watch
61 CSDS TECHx Failed POV through defenses POV Watch
61 DeepRed CodeJitsu Failed POV through defenses POV Watch
61 DeepRed CSDS Failed POV POV Watch
61 DeepRed Disekt Failed POV through defenses POV Watch
61 DeepRed ForAllSecure Failed POV POV Watch
61 DeepRed Shellphish Failed POV through defenses POV Watch
61 DeepRed TECHx Failed POV through defenses POV Watch
61 Shellphish CodeJitsu Successful POV through defenses POV Analysis Watch
61 Shellphish CSDS Successful POV POV Analysis Watch
61 Shellphish Disekt Failed POV through defenses POV Watch
61 Shellphish ForAllSecure Successful POV POV Analysis Watch
62 CodeJitsu CSDS Successful POV POV Analysis Watch
62 CodeJitsu Disekt Failed POV through defenses POV Watch
62 CodeJitsu ForAllSecure Successful POV POV Analysis Watch
62 CodeJitsu Shellphish Failed POV through defenses POV Watch
62 CodeJitsu TECHx Failed POV through defenses POV Watch
62 CSDS CodeJitsu Failed POV through defenses POV Watch
62 CSDS DeepRed Failed POV through defenses POV Watch
62 CSDS Disekt Failed POV through defenses POV Watch
62 CSDS ForAllSecure Failed POV POV Watch
62 CSDS Shellphish Failed POV through defenses POV Watch
62 CSDS TECHx Failed POV through defenses POV Watch
62 DeepRed CodeJitsu Failed POV through defenses POV Watch
62 DeepRed CSDS Failed POV POV Watch
62 DeepRed Disekt Failed POV through defenses POV Watch
62 DeepRed ForAllSecure Failed POV POV Watch
62 DeepRed Shellphish Failed POV through defenses POV Watch
62 DeepRed TECHx Failed POV through defenses POV Watch
62 Shellphish CodeJitsu Successful POV through defenses POV Analysis Watch
62 Shellphish CSDS Successful POV POV Analysis Watch
62 Shellphish Disekt Failed POV through defenses POV Watch
62 Shellphish ForAllSecure Successful POV POV Analysis Watch

Curated by Lunge Technology, LLC.