"James Nuttall" james@cromulence.co
Cromulence
This is a service that mimics a chess board and pieces. Each piece on the board moves similarly to its respective chess piece. Unlike chess, however, collisions on the board result in a swap of location rather than the opponent's piece being removed from the board. The user must find the combination of valid moves that will prove the vulnerability.
The game opens by printing the state of the board:
jhilkihj
gggggggg
........
........
........
........
aaaaaaaa
dbcfecbd
The user must take turns entering moves as both the white and black player. Each move must follow the chess piece's valid move: pawn, rook, knight, bishop, king, and queen.
The user may print the current board layout, make a move, or quit the game.
The game accepts input in the form of source coordinates and destionation coordinates x,y x,y
If a piece is located at the source coordinates the game will attempt to move it to the destination. It will check to see if the move is a valid one for that particular piece (following standard chess rules) and to make sure the path is clear from source to destination. If an opponent's piece is located at the destionation and it is an otherwise legal move, the game will swap the pieces.
Play continues until the user exits the game (or the vulnerable condition is achieved).
User must move a white knight (using legal moves) to the spot behind the rook's H8 rook (location 7,8 on this board).This will cause a one byte overwrite beyond the array to the function pointer controlling the display of the board. If the user then tries to display the board, there is an opportunity to jump to this overflowed pointer.
Specifically, in service.c:performMove, the white knight move-validator is before the bounds checking of the board. This allows the piece to jump off the board. Jumping off the board in the (7,8) location will overwite a function pointer located on the stack. The function pointer is subsequently accessed at service.c:164 by the user entering the '9' option (displayBoard).
Out of bounds write resulting in function pointer overwrite
CWE-787 Out of Bounds Write
Due to the size of this board, the various pieces, and the allowable moves the possible states of the game quickly explode. This requires the CRS to analyze the source to find the incorrectly bounded piece and focus fuzzing on that piece. The CRS will be required to learn the complicated rules necessary for valid movement. This requires some slightly complex mathematical reasoning due to the way valid moves are calculated. Until this knowledge is deduced, the CRS will not be able to develop a POV.
Curated by Lunge Technology, LLC. Questions or comments? Send us email