Qualifier Challenge - CROMU_00005


Original Versions

Known Vulnerabilities

  • CWE-787 - Out-of-bounds Write
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 4.0
  • CSDS: 1.65
  • TECHx: 0.75
  • CodeJitsu: 0.23
  • TrailofBits: 0.1
  • Disekt: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • ForAllSecure - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"James Nuttall" james@cromulence.co

DARPA performer group

Cromulence

Description

This is a service that mimics a chess board and pieces. Each piece on the board moves similarly to its respective chess piece. Unlike chess, however, collisions on the board result in a swap of location rather than the opponent's piece being removed from the board. The user must find the combination of valid moves that will prove the vulnerability.

Feature List

The game opens by printing the state of the board:

jhilkihj
gggggggg
........
........
........
........
aaaaaaaa
dbcfecbd

The user must take turns entering moves as both the white and black player. Each move must follow the chess piece's valid move: pawn, rook, knight, bishop, king, and queen.

The user may print the current board layout, make a move, or quit the game.

The game accepts input in the form of source coordinates and destionation coordinates x,y x,y

If a piece is located at the source coordinates the game will attempt to move it to the destination. It will check to see if the move is a valid one for that particular piece (following standard chess rules) and to make sure the path is clear from source to destination. If an opponent's piece is located at the destionation and it is an otherwise legal move, the game will swap the pieces.

Play continues until the user exits the game (or the vulnerable condition is achieved).

Vulnerability

User must move a white knight (using legal moves) to the spot behind the rook's H8 rook (location 7,8 on this board).This will cause a one byte overwrite beyond the array to the function pointer controlling the display of the board. If the user then tries to display the board, there is an opportunity to jump to this overflowed pointer.

Specifically, in service.c:performMove, the white knight move-validator is before the bounds checking of the board. This allows the piece to jump off the board. Jumping off the board in the (7,8) location will overwite a function pointer located on the stack. The function pointer is subsequently accessed at service.c:164 by the user entering the '9' option (displayBoard).

Generic class of vulnerability

Out of bounds write resulting in function pointer overwrite

CWE classification

CWE-787 Out of Bounds Write

Challenges

Due to the size of this board, the various pieces, and the allowable moves the possible states of the game quickly explode. This requires the CRS to analyze the source to find the incorrectly bounded piece and focus fuzzing on that piece. The CRS will be required to learn the complicated rules necessary for valid movement. This requires some slightly complex mathematical reasoning due to the way valid moves are calculated. Until this knowledge is deduced, the CRS will not be able to develop a POV.


Curated by Lunge Technology, LLC. Questions or comments? Send us email