This is an archived web site made available for research purposes. The web site is no longer maintained.

Qualifier Challenge - YAN01_00009


Original Versions

Known Vulnerabilities

  • CWE-134 - Use of Externally-Controlled Format String
  • CWEs are listed as indicated by the challenge author.

Scores

  • DeepRed: 0.38
  • CSDS: 0.23
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • ForAllSecure: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

Proved a POV in reference challenge

Defense against reference POVs

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

Lok Yan Lok.Yan@us.af.mil

DARPA performer group

AFRL

Description:

This is a simple HTTP-proxy like service. This is an IPC cb where the main CB acts as a router and all other CBs act as individual web-servers. The protocol is very simple with three possible commands:

HELLO I AM [name] : Used by the client to initiate a conenction with the router HELLO [name] YOUR UID IS [uid] HOW CAN I HELP YOU : Used by the router to acknowledge the client [uid] SAYS GET [url] PLEASE : Used by the client to retrieve a specific page. GOODBYE : Used by the client to close the link. GOODBYE is also echoed by the router. BAD CMD : Used by the router to report a parsing error to the client. SERVER NOT FOUND : Used by the router to report an invalid server

Vulnerability Class:

Classic format string vulnerability that falls under CWE-134: Uncontrolled Format String.

Additional Notes:

A python script - textIntoPageData.py is provided to generate the pages.data file that is included into the CBs. This acts as their internal page database


Curated by Lunge Technology, LLC. Questions or comments? Send us email