Qualifier Challenge - CROMU_00001


Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-131 - Incorrect Calculation of Buffer Size
  • CWE-190 - Integer Overflow or Wraparound
  • CWEs are listed as indicated by the challenge author.

Scores

  • CodeJitsu: 1.85
  • CSDS: 0.9
  • ForAllSecure: 0.58
  • Disekt: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • Shellphish - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"John Berry" john.n.berry@gmail.com

DARPA performer group

Cromulence

Description

This is a basic message application with the ability to create new users, log in to existing users and send messages to others.

Feature List

A user can create new users and subsequently log in to their new account. From here they can send a message to a user, read a single message, list all of their messages, delete a message, log out, or exit the program. Once back at the log in screen they can create additional users, log in, or exit the program. Any new messages are automatically displayed to the user.

Vulnerability

Messages are stored in a singly linked list and have a field indicating whether or not they have been read by the recipient.

When a user logs in, all unread messages are written to a single buffer which is then displayed to the newly logged in user via the function list_unread_messages(). The display buffer size is calculated by first counting the number of unread messages and multiplying this by the size that each message will require. However, the count field is only 8 bits wide. If the user has more than 255 unread messages this field will wrap around. Since the buffer size is calculated from this count, the wraparound results in a buffer of insufficient size to hold the message data. The crash actually occurs in the strlen() function, because local variables have been overwritten by the out-of-bounds copy.
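The size calculation described above, reduced to its essentials in C as an added illustration; this is not the CROMU_00001 source, and the struct layout, field names, RENDERED_MSG_SIZE and the helper names are assumptions. It places the wrapping 8-bit counter beside a size_t counter with an overflow check, and a copy routine that is bounded by the buffer's real capacity, so the three CWEs the page lists can each be pointed at in code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed message record; CROMU_00001's real layout is not reproduced here. */
#define MSG_TEXT_MAX 64
struct message {
    char text[MSG_TEXT_MAX];
    bool read;                 /* set once the recipient has seen it */
    struct message *next;      /* singly linked, as the write-up describes */
};

/* Assumed bytes reserved per rendered message (text plus separators). */
#define RENDERED_MSG_SIZE ((size_t)MSG_TEXT_MAX + 2)

/* The flawed pattern: an 8-bit counter (CWE-190) silently wraps past 255, so the
 * size derived from it is too small for the real number of messages (CWE-131). */
size_t unread_buffer_size_wrapping(const struct message *head) {
    uint8_t count = 0;
    for (const struct message *m = head; m; m = m->next)
        if (!m->read) count++;                   /* 256 unread messages -> count == 0 */
    return (size_t)count * RENDERED_MSG_SIZE;
}

/* Hardened: count in size_t and refuse a size the multiplication cannot represent. */
bool unread_buffer_size_checked(const struct message *head, size_t *out) {
    size_t count = 0;
    for (const struct message *m = head; m; m = m->next)
        if (!m->read) count++;
    if (count > SIZE_MAX / RENDERED_MSG_SIZE)    /* would overflow size_t */
        return false;
    *out = count * RENDERED_MSG_SIZE;
    return true;
}

/* Copy unread messages into a buffer of capacity cap. Every write is bounded by
 * the remaining capacity, so an undersized buffer truncates output instead of
 * overflowing (the CWE-120 step). Returns the number of bytes used. */
size_t render_unread(const struct message *head, char *buf, size_t cap) {
    size_t used = 0;
    for (const struct message *m = head; m; m = m->next) {
        if (m->read) continue;
        const char *nul = memchr(m->text, '\0', MSG_TEXT_MAX);
        size_t len = nul ? (size_t)(nul - m->text) : MSG_TEXT_MAX;
        if (len + 1 > cap - used) break;         /* no room for text + '\n': stop */
        memcpy(buf + used, m->text, len);
        used += len;
        buf[used++] = '\n';
    }
    if (cap) buf[used < cap ? used : cap - 1] = '\0';
    return used;
}

/* Constructed sample input: n unread messages, newest first. */
struct message *make_unread_list(size_t n) {
    struct message *head = NULL;
    for (size_t i = 0; i < n; i++) {
        struct message *m = calloc(1, sizeof *m);
        if (!m) { perror("calloc"); exit(1); }
        snprintf(m->text, sizeof m->text, "msg %zu", i);
        m->next = head;
        head = m;
    }
    return head;
}

void free_list(struct message *head) {
    while (head) { struct message *n = head->next; free(head); head = n; }
}

/* Convenience wrappers so each behaviour is observable as a return value. */
size_t demo_wrapping_size(size_t n_unread) {
    struct message *l = make_unread_list(n_unread);
    size_t s = unread_buffer_size_wrapping(l);
    free_list(l);
    return s;
}

size_t demo_checked_size(size_t n_unread) {
    struct message *l = make_unread_list(n_unread);
    size_t s = 0;
    if (!unread_buffer_size_checked(l, &s)) s = 0;
    free_list(l);
    return s;
}

size_t demo_render_used(size_t n_unread, size_t cap) {
    struct message *l = make_unread_list(n_unread);
    char *buf = malloc(cap ? cap : 1);
    size_t used = render_unread(l, buf, cap);
    free(buf);
    free_list(l);
    return used;
}

int main(void) {
    printf("300 unread, 8-bit count  -> %zu bytes\n", demo_wrapping_size(300));
    printf("300 unread, size_t count -> %zu bytes\n", demo_checked_size(300));
    printf("rendered into 100 bytes  -> %zu bytes used\n", demo_render_used(300, 100));
    return 0;
}
```

With 300 unread messages the 8-bit counter reads 44, so the wrapping calculation reserves 44 slots while the checked one reserves 300; the bounded renderer then shows the shape of the fix on the copy side, stopping when the buffer is full rather than running past it.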

Generic class of vulnerability

Integer overflow resulting in an incorrectly sized small buffer and subsequently a buffer overflow.

CWE classification

  • CWE-190 Integer overflow or wraparound
  • CWE-131 Incorrect calculation of buffer size
  • CWE-120 Buffer copy without checking size of input

The root cause of this vulnerability is CWE-190, but it results in CWE-131, and since the size of the write is not checked, the ultimate crash is due to CWE-120.

Challenges

The attacker must be able to determine that the size field is based upon messages sent and that sending messages to themselves will not be enough to trigger the vulnerability.


Curated by Lunge Technology, LLC.