Qualifier Challenge - CROMU_00009


Original Versions

Known Vulnerabilities

  • CWE-476 - NULL Pointer Dereference
  • CWE-787 - Out-of-bounds Write
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 3.5
  • Shellphish: 1.2
  • CodeJitsu: 0.9
  • CSDS: 0.87
  • TECHx: 0.69
  • DeepRed: 0.26
  • TrailofBits: 0.16
  • Disekt: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • ForAllSecure - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • DeepRed: 100.0% - CB1
  • Disekt: 50.0% - CB1
  • ForAllSecure: 50.0% - CB1
  • TECHx: 50.0% - CB1
  • Shellphish: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

“Joe Rogers” joe@cromulence.co

DARPA performer group

Cromulence (CROMU)

Description

This service implements a RAM-based filesystem and provides a simple shell to interact with the filesystem.

Feature List

The shell supports the creation and deletion of folders. It allows for files with both printable and non-printable data to be created, appended to, and deleted. It also provides basic directory listing and filesystem utilization reporting commands.

The filesystem is defined by a superblock which contains a list of pointers to inode pages. The inodes on these pages can point to directories or files made up of blocks. The block size is 512 bytes.

Vulnerability

The directories of the filesystem were designed to support up to 128 subdirectories or files. An overflow exists in the directory creation function which allows 129 entries to be written. Because the last entry overflows into another block of data, it is possible to craft a proof of vulnerability to gain control over an inode definition and the data blocks to which that inode points. With control over those data block pointers, arbitrary writes are possible.
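The off-by-one bound described above, modelled in C as an added illustration (not the challenge binary's own code): the directory layout of 128 four-byte entries per 512-byte block and the function names are assumptions, the original and corrected comparisons sit side by side, and the helpers show the 129th entry landing in the neighbouring block.

```c
#include <stdint.h>
#include <string.h>

#define BLOCK_SIZE  512
#define MAX_ENTRIES 128   /* 128 four-byte entries fill one 512-byte block (assumed layout) */

/* Constructed image: block 0 is a directory block, block 1 is whatever
 * follows it in memory (in the CB, inode or data block contents). */
typedef struct {
    unsigned char blocks[2 * BLOCK_SIZE];
    uint32_t      count;   /* entries currently stored in the directory block */
} fs_image_t;

/* Appends an inode number to the directory block. The original check ('>')
 * still admits count == MAX_ENTRIES, so the 129th entry lands at byte offset
 * 512, i.e. the first word of block 1; the fixed check ('>=') refuses it. */
static int dir_add_entry(fs_image_t *fs, uint32_t inode, int fixed) {
    int full = fixed ? fs->count >= MAX_ENTRIES   /* corrected bound  */
                     : fs->count >  MAX_ENTRIES;  /* off-by-one bound */
    if (full) return -1;
    memcpy(fs->blocks + fs->count * sizeof inode, &inode, sizeof inode);
    fs->count++;
    return 0;
}

/* Tries to add 129 entries (inode numbers 1..129); returns how many were accepted. */
static int fill(fs_image_t *fs, int fixed) {
    int ok = 0;
    memset(fs, 0, sizeof *fs);
    for (uint32_t i = 1; i <= MAX_ENTRIES + 1; i++)
        if (dir_add_entry(fs, i, fixed) == 0) ok++;
    return ok;
}

int accepted_entries(int fixed) {
    fs_image_t fs;
    return fill(&fs, fixed);   /* 129 with the off-by-one bound, 128 with the fix */
}

/* First word of block 1 after the fill: 0 means the neighbouring block was
 * untouched, anything else is directory data that spilled into it. */
uint32_t spilled_word(int fixed) {
    fs_image_t fs;
    uint32_t w;
    fill(&fs, fixed);
    memcpy(&w, fs.blocks + BLOCK_SIZE, sizeof w);
    return w;
}
```

A mitigation patch for the CB is just the `>=` side of the comparison; the spilled word is what a patched binary must no longer produce.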

The second vulnerability is a NULL pointer dereference when indexing filesystem blocks.

Generic class of vulnerability

Incorrect array bounds check leading to buffer overflow and arbitrary writes.

CWE classification

  • CWE-787: Out-of-bounds Write
  • CWE-476: NULL Pointer Dereference

Challenges

After gaining an understanding of the data structures which make up the filesystem, the CGC competitor will need to identify the specific array bounds check overflow and mitigate that bug.


Curated by Lunge Technology, LLC. Questions or comments? Send us email