Qualifier Challenge - CROMU_00004


Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWEs are listed as indicated by the challenge author.

Scores

  • CodeJitsu: 2.0
  • ForAllSecure: 2.0
  • TECHx: 2.0
  • Shellphish: 2.0
  • FuzzBOMB: 2.0
  • CSDS: 0.96
  • Disekt: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • FuzzBOMB: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

“Joe Rogers” joe@cromulence.co

DARPA performer group

Cromulence (CROMU)

Description

This service reads a Morse-code-like language from a PCM-encoded file, decodes the data, and prints out the message.

Feature List

This program supports the decoding of a PCM-based audio file format. It expects a sample rate of 44100 samples/sec with 16-bit samples. It decodes the audio data as a Morse-code-like language, printing the decoded message as its output.

Vulnerability

The PCM format contains two length specifiers. DataSize is the length of the PCM data in the file. NumSamples is the number of PCM samples. The program can only handle 16-bit samples, so it checks that DataSize*8/NumSamples == 16. However, it does this check using integer division in the unpatched CB, which allows DataSize*8 to be larger than it should be. For example, 64*8/32 == 16 but 65*8/32 == 16 as well. Since the program uses the DataSize field for reading in the rest of the PCM file, a stack-based overflow condition is created.
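The check described above, as an added example that is not the challenge's own code: the truncating check beside a cross-multiplied check that admits only DataSize == 2*NumSamples, plus a helper that enumerates which DataSize values each check accepts. It also generalizes the 65*8/32 case: the slack the weak check allows grows with NumSamples, as the helper shows. Field names come from the description; the buffer capacity argument is an assumption for illustration.

```python
BITS_PER_SAMPLE = 16


def weak_check(data_size: int, num_samples: int) -> bool:
    """The check as described: integer division truncates the remainder,
    so every DataSize in [2*NumSamples, 17*NumSamples/8) is accepted."""
    if num_samples == 0:
        return False
    return data_size * 8 // num_samples == BITS_PER_SAMPLE


def strict_check(data_size: int, num_samples: int) -> bool:
    """Hardened form: cross-multiply so nothing is truncated. For 16-bit
    samples only DataSize == NumSamples * 2 passes."""
    if num_samples == 0:
        return False
    return data_size * 8 == num_samples * BITS_PER_SAMPLE


def safe_to_read(data_size: int, num_samples: int, buf_capacity: int) -> bool:
    """What the read path should require before copying DataSize bytes:
    a consistent header AND a size that fits the destination buffer
    (buf_capacity is an assumed parameter, not a value from the challenge)."""
    return strict_check(data_size, num_samples) and data_size <= buf_capacity


def accepted_sizes(num_samples: int, check) -> list:
    """DataSize values a given check accepts for this NumSamples."""
    expected = num_samples * BITS_PER_SAMPLE // 8
    return [d for d in range(expected, expected + num_samples)
            if check(d, num_samples)]


def excess_bytes(num_samples: int) -> int:
    """Bytes beyond the true sample data that the weak check still admits;
    this is the headroom a too-large DataSize gains over the real payload."""
    return max(accepted_sizes(num_samples, weak_check)) - num_samples * 2


if __name__ == "__main__":
    for n in (32, 4096):
        print(f"NumSamples={n}: weak accepts {accepted_sizes(n, weak_check)[:4]}..."
              f" ({excess_bytes(n)} extra bytes); strict accepts"
              f" {accepted_sizes(n, strict_check)}")
```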

Generic class of vulnerability

Unchecked user input leads to overrun of fixed size buffer allowing control of EIP.

CWE classification

CWE-120 - Buffer Copy without Checking Size of Input

Challenges

The attacker must be able to determine that there is a mistake in the sample size check and understand that it lets them send an overly large DataSize.


Curated by Lunge Technology, LLC. Questions or comments? Send us email