Original Versions

• Author-supplied POVs: POV1
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWEs are listed as indicated by the challenge author.

Scores

• CodeJitsu: 2.0
• ForAllSecure: 2.0
• TECHx: 2.0
• Shellphish: 2.0
• FuzzBOMB: 2.0
• CSDS: 0.96
• Disekt: 0.0
• TrailofBits: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• DeepRed - CB1
• Disekt - CB1
• ForAllSecure - CB1
• FuzzBOMB - CB1
• Shellphish - CB1
• TECHx - CB1

Proved a POV in reference challenge

POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• CodeJitsu: 100.0% - CB1
• Disekt: 100.0% - CB1
• ForAllSecure: 100.0% - CB1
• TECHx: 100.0% - CB1
• Shellphish: 100.0% - CB1
• CSDS: 100.0% - CB1
• FuzzBOMB: 100.0% - CB1
• DeepRed: 100.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9

Author Information

“Joe Rogers” joe@cromulence.co

DARPA performer group

Cromulence (CROMU)

Description

This service reads in a morse code like language in the form of a PCM-encoded file, decodes the data, and prints out the message.

Feature List

This program supports the decoding of a PCM-based audio file format. It expects a sample rate of 44100 samples/sec with 16-bit samples. It decodes the audio data as a morse code like language, printing the decoded message as its output.

Vulnerability

The PCM format contains two length specifiers. DataSize is the length of the PCM data in the file. NumSamples number of PCM samples. The program can only handle 16-bit samples, so it checks that DataSize8/NumSamples == 16. However it does this check using integer division in the unpatched cb which allows DataSize8 to be larger than it should be. For example 648/32 == 16 but 658/32 == 16 as well. Since the program uses the DataSize field for reading in the rest of the PCM file, a stack-based overflow condition is created.

Generic class of vulnerability

Unchecked user input leads to overrun of fixed size buffer allowing control of EIP.

CWE classification

CWE-120 - Buffer Copy without Checking Size of Input

Challenges

The attacker must be able to determine there's a mistake in the sample size check and understand they can use that to send an overly large DataSize.