Original Versions

• Author-supplied POVs: POV1
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-125 - Out-of-bounds Read
CWEs are listed as indicated by the challenge author.

Scores

• ForAllSecure: 3.0
• Lekkertech: 3.0
• CSDS: 1.27
• CodeJitsu: 1.01
• TrailofBits: 0.53
• Disekt: 0.0
• TECHx: 0.0
• Shellphish: 0.0
• FuzzBOMB: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• TrailofBits - CB1

Proved a POV in reference challenge

• CodeJitsu - POV
• ForAllSecure - POV
• Lekkertech - POV
• TrailofBits - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• ForAllSecure: 100.0% - CB1
• TrailofBits: 100.0% - CB1
• CodeJitsu: 100.0% - CB1
• CSDS: 100.0% - CB1
• Lekkertech: 100.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9
• Submission 10

Author Information

"John Berry" hj@cromulence.co

DARPA performer group

Cromulence

Description

Server similar to FTP.

Feature List

SEND <1 byte name length> <2 bytes file size> Maximum length that can be sent is 0x400 This is how a user can send a new file to the server. The name must be the full path

NDIR <1 byte name length> Create a new directory under root

RECV <1 byte name length> Retrieve a file from under root. This must be the full path

STOP Terminate the session

PRNT List files and type/length

REPO <1 byte name length> Removes the file specified by name. Does not remove directories.

Vulnerability

When the PRNT command is called the files are bubble sorted by name and any gaps due to files being deleted are filled in. However, the file count is not updated when a file is deleted which allows the PRNT command to later access beyond the valid list of files.

Generic class of vulnerability

Insufficent bounds checking of an array.

CWE classification

CWE-125 Out-of-bounds Read

Challenges

The tool authors must deal with the difficulties of bubble sort as well as combine the PRNT command with a prior use of the REPO command.