Qualifier Challenge - CROMU_00023

Original Versions

Known Vulnerabilities

  • CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
  • CWEs are listed as indicated by the challenge author.


  • Disekt: 1.99
  • CodeJitsu: 0.96
  • TrailofBits: 0.38
  • ForAllSecure: 0.08
  • TECHx: 0.08
  • DeepRed: 0.08
  • Shellphish: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Jason Williams" jdw@cromulence.co

DARPA performer group

Cromulence LLC (CROMU)


This service is an implementation of Divelogger using C++ instead of C. This service accepts diver information and has the ability to log dives into a database.

Feature List

The service features the ability to enter diver specific information: Phone Number, First Name, Last Name, etc. It also has the ability to enter individual dive information such as location, date, average and max depth, dive duration, etc. The user can insert, remove, add, or download dive data into the database. During download the service accepts binary timestamps and depth points and stores those in the dive log.


There is one vulnerability in this service. It is associated with the download dive functionality. During the download process the user enters binary data into the service and this data is entered as two 4-byte number (a timestamp and depth point). A static array is used to store these points in memory. In the vulnerable service upon entry the array length is not checked allowing the user to overflow this variable and corrupt the heap. If the data passes a page boundary (or future memory allocation/free operations) occur a page fault can occur resulting in a crash.

Generic class of vulnerability

Out of bounds write

CWE classification

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer


This CB incorporates a single vulnerability. This vulnerability will require a CRS system to enter the appropriate state (navigating the state machine) and entering more than 128 dive points when downloading dive data. The difficulty lies in the numerous code paths available in the service as well as the unconstrained inputs available to the user.

Curated by Lunge Technology, LLC. Questions or comments? Send us email