Original Versions

• Author-supplied POVs: POV1
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWEs are listed as indicated by the challenge author.

Scores

• FuzzBOMB: 4.0
• TrailofBits: 2.06
• TECHx: 1.07
• Disekt: 1.04
• Shellphish: 0.35
• CodeJitsu: 0.0
• ForAllSecure: 0.0
• Lekkertech: 0.0
• CSDS: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• DeepRed - CB1
• Disekt - CB1
• ForAllSecure - CB1
• FuzzBOMB - CB1
• Shellphish - CB1
• TECHx - CB1
• TrailofBits - CB1

Proved a POV in reference challenge

• CodeJitsu - POV
• Disekt - POV
• ForAllSecure - POV
• FuzzBOMB - POV
• Lekkertech - POV
• Shellphish - POV
• TrailofBits - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• CodeJitsu: 100.0% - CB1
• Disekt: 100.0% - CB1
• TECHx: 100.0% - CB1
• Shellphish: 100.0% - CB1
• FuzzBOMB: 100.0% - CB1
• TrailofBits: 100.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9
• Submission 10

Author Information

“Joe Rogers” joe@cromulence.co

DARPA performer group

Cromulence (CROMU)

Description

This CB implements a basic service for setting and querying named variables. It allows for string and 32-bit integer variables to be created, updated and queried by the client. Communications between the client and service is accomplished over a custom network protocol that defines packet formats for read, write, response, and error types.

Feature List

The service allows for the creation, update, and querying of named variables. Names can be things like "system.name". The contents of these variables can be strings or 32-bit integer values.

Vulnerability

An error in the read request handler allows for an incorrect variable name length to be specified in the packet which causes a buffer overflow in the local name variable used in that function.

Generic class of vulnerability

Buffer overflow

CWE classification

CWE-120: Buffer Copy without Checking Size of Input

Challenges

Even though the CB fails to check the supplied length of the name variable, the rest of the packet must still be properly formatted. It must have the correct version, must be a 'read' request, and must have an overall packet length that is properly calculated.