Qualifier Challenge - CROMU_00038

Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-823 - Use of Out-of-range Pointer Offset
  • CWE-824 - Access of Uninitialized Pointer

CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 3.67
  • Lekkertech: 2.33
  • CSDS: 1.93
  • Shellphish: 1.78
  • Disekt: 1.45
  • TECHx: 0.91
  • CodeJitsu: 0.73
  • TrailofBits: 0.12
  • FuzzBOMB: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Disekt - CB1
  • ForAllSecure - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • Disekt: 66.7% - CB1
  • ForAllSecure: 66.7% - CB1
  • TECHx: 66.7% - CB1
  • TrailofBits: 66.7% - CB1
  • Lekkertech: 33.3% - CB1
  • Shellphish: 33.3% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

Steve Wood swood@cromulence.co

DARPA performer group



The program is a utility that parses a metadata format used with various types of media. The utility simply displays the contents of the metadata on STDOUT.

Feature List

The utility parses the metadata format dynamically, since there are no mandatory data tags and additional tags can be added as needed. If the utility does not recognise a particular tag type, the raw data for the tag is displayed.


The utility has three vulnerabilities. The first involves a function pointer that is initialized to a byte-swapping routine depending on whether the metadata is stored in little-endian or big-endian format, as indicated by a value stored in the metadata itself. The utility assumes that only a valid flag is passed in via the metadata; if neither of the two valid values is present, the function pointer is left uninitialized and the application crashes on the first attempt to call the routine.

The second vulnerability is in a routine that outputs a string embedded in the metadata, located by an offset that is also embedded in the data. The offset is not properly sanity checked, and an out-of-range value will crash the application.

The third vulnerability is an overflow in the way the CB uses vsprintf. If the formatted output exceeds 4096 bytes, a stack-based buffer overflow occurs.
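The three defects above are each a missing check at a parse boundary. The following C program is an added example (not the challenge binary's code, and using a made-up metadata layout, not CROMU_00038's real format) showing the hardened form of each pattern: the byte-order dispatch pointer starts as NULL and is only assigned for the two recognised marks, the embedded string offset is validated against the buffer length and the string must be NUL-terminated inside the buffer, and output formatting uses a bounded vsnprintf whose truncation is detected. All sample inputs are constructed inline.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout for this example (not the challenge's real format):
 *   bytes 0-1 : byte-order mark, "II" = little endian, "MM" = big endian
 *   bytes 2-5 : offset (in the declared byte order) of a NUL-terminated string
 *   bytes 6.. : tag data, including the string the offset points at            */
enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,     /* buffer too short to hold the fixed header */
    PARSE_BAD_BOM,       /* byte-order mark is neither "II" nor "MM" */
    PARSE_BAD_OFFSET,    /* string offset outside the buffer, or string unterminated */
    PARSE_OUT_TOO_SMALL  /* caller's output buffer cannot hold the string */
};

typedef uint32_t (*read32_fn)(const uint8_t *p);

static uint32_t read32_le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint32_t read32_be(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3];
}

/* Vuln 1 mitigation: the dispatch pointer is explicitly NULL unless one of the
 * two valid marks is seen; the caller must check it before calling through it. */
static read32_fn select_reader(const uint8_t *bom) {
    read32_fn fn = NULL;
    if (bom[0] == 'I' && bom[1] == 'I') fn = read32_le;
    else if (bom[0] == 'M' && bom[1] == 'M') fn = read32_be;
    return fn;
}

/* Vuln 2 mitigation: reject offsets at or beyond the end of the buffer, and
 * require the NUL terminator to lie inside the remaining bytes before copying. */
int parse_metadata(const uint8_t *buf, size_t len, char *out, size_t outlen) {
    if (len < 6) return PARSE_TRUNCATED;
    read32_fn read32 = select_reader(buf);
    if (read32 == NULL) return PARSE_BAD_BOM;          /* never call an unset pointer */

    uint32_t off = read32(buf + 2);
    if (off >= len) return PARSE_BAD_OFFSET;           /* also prevents buf + off wrapping */
    const uint8_t *str = buf + off;
    const uint8_t *nul = memchr(str, '\0', len - off); /* search only inside the buffer */
    if (nul == NULL) return PARSE_BAD_OFFSET;

    size_t slen = (size_t)(nul - str);
    if (slen + 1 > outlen) return PARSE_OUT_TOO_SMALL;
    memcpy(out, str, slen + 1);
    return PARSE_OK;
}

/* Vuln 3 mitigation: bounded vsnprintf instead of vsprintf. Returns 0 when the
 * whole line fit, -1 when it was truncated; dst is NUL-terminated either way. */
int format_line(char *dst, size_t dstlen, const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(dst, dstlen, fmt, ap);
    va_end(ap);
    return (n < 0 || (size_t)n >= dstlen) ? -1 : 0;
}

/* Constructed sample inputs, one per check the parser performs. */
enum sample { SAMPLE_LE_OK, SAMPLE_BE_OK, SAMPLE_BAD_BOM, SAMPLE_BAD_OFFSET, SAMPLE_UNTERMINATED };
static char g_name[32];

int parse_sample(int which) {
    static const uint8_t le_ok[]   = { 'I','I', 6,0,0,0,             'h','e','l','l','o','\0' };
    static const uint8_t be_ok[]   = { 'M','M', 0,0,0,6,             'h','e','l','l','o','\0' };
    static const uint8_t bad_bom[] = { 'X','X', 6,0,0,0,             'h','e','l','l','o','\0' };
    static const uint8_t bad_off[] = { 'I','I', 0xFF,0xFF,0xFF,0x7F, 'h','e','l','l','o','\0' };
    static const uint8_t unterm[]  = { 'I','I', 6,0,0,0,             'h','e','l','l','o' };
    g_name[0] = '\0';
    switch (which) {
    case SAMPLE_LE_OK:        return parse_metadata(le_ok,   sizeof le_ok,   g_name, sizeof g_name);
    case SAMPLE_BE_OK:        return parse_metadata(be_ok,   sizeof be_ok,   g_name, sizeof g_name);
    case SAMPLE_BAD_BOM:      return parse_metadata(bad_bom, sizeof bad_bom, g_name, sizeof g_name);
    case SAMPLE_BAD_OFFSET:   return parse_metadata(bad_off, sizeof bad_off, g_name, sizeof g_name);
    default:                  return parse_metadata(unterm,  sizeof unterm,  g_name, sizeof g_name);
    }
}
const char *parsed_name(void) { return g_name; }

/* Format a fixed tag line into a buffer limited to dstlen (at most 64) bytes. */
int format_sample(size_t dstlen) {
    char line[64];
    if (dstlen > sizeof line) dstlen = sizeof line;
    return format_line(line, dstlen, "tag %s = %s", "name", "hello");
}

int main(void) {
    int rc = parse_sample(SAMPLE_LE_OK);
    printf("le_ok: rc=%d name=%s\n", rc, parsed_name());
    printf("bad_bom: rc=%d\n", parse_sample(SAMPLE_BAD_BOM));
    printf("bad_offset: rc=%d\n", parse_sample(SAMPLE_BAD_OFFSET));
    printf("format into 8 bytes: rc=%d\n", format_sample(8));
    return 0;
}
```

The important design point is that each rejection happens before the untrusted value is used: the reader pointer is tested for NULL before the first call, the offset is compared against the buffer length before pointer arithmetic, and the formatted length returned by vsnprintf is compared against the destination size rather than assumed to fit.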

Generic class of vulnerability

  • Vuln 1: Uninitialized pointer
  • Vuln 2: Out of range pointer
  • Vuln 3: Stack based buffer overflow

CWE classification

  • CWE-824 Access of Uninitialized Pointer
  • CWE-823 Use of Out-of-Range Pointer Offset
  • CWE-120 Buffer Copy without Checking Size of Input


Curated by Lunge Technology, LLC. Questions or comments? Send us email