Qualifier Challenge - CROMU_00016

Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-131 - Incorrect Calculation of Buffer Size
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 2.5
  • TECHx: 1.63
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • Lekkertech: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • Disekt: 50.0% - CB1
  • ForAllSecure: 50.0% - CB1
  • TECHx: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

“Joe Rogers” joe@cromulence.co

DARPA performer group

Cromulence (CROMU)


This CB implements a network queuing simulator. Based on inputs from the user, the program simulates the transmission of network traffic through an interface tracking statistics like total packets sent, dropped packets, average latency, etc.

Feature List

Users are able configure these items: - Interface bit-rate - Packet generator - Number of queues - Types, depths, priorities, and weights of those queues - Length of the simulation


Multiple vulnerabilities exist in this CB.

  1. A very simple buffer overflow exists in the packet generator selection code. The buffer reading the user's selected packet generator is sized too small for the number of characters they are allowed to enter.

  2. A slightly more complicated buffer overflow exists in the packet statistics output code which is run at the end of the simulation. During the input phase, the user is prompted for the run time of the simulation. The prompt describes allowable inputs of 1 - 10 seconds. However, the unpatched CB allows for larger values. If run with a large enough value, and appropriately selected interface and input packet rates, the interface total packet counter will exceed its available print buffer when the statistics are displayed.

Generic class of vulnerability

  1. Buffer overflow

  2. Buffer overflow

CWE classification

  1. CWE-131: Incorrect Calculation of Buffer Size

  2. CWE-120: Buffer Copy without Checking Size of Input


The first vulnerability in this CB is realatively easy to identify. The second will require more in depth code analysis or careful selection of inputs to trigger the overflow.

Curated by Lunge Technology, LLC. Questions or comments? Send us email