Qualifier Challenge - CROMU_00043


Original Versions

Known Vulnerabilities

  • CWE-125 - Out-of-bounds Read
  • CWE-134 - Use of Externally-Controlled Format String
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 4.0
  • Disekt: 0.43
  • CSDS: 0.19
  • CodeJitsu: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • ForAllSecure - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • Disekt: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Debbie Nuttall" debbie@cromulence.co

DARPA performer group

Cromulence LLC (CROMU)

Description

This service is a protocol aware packet analyzer. It analyzes packets in the newly defined DCAP file format and produces text output with varying levels of detail. It can also operate in continuous mode to analyze traffic as it is received.

Feature List

The Packet Parser is aware of the following protocols: Physical Layer - Wire, Radio, and Raw Transport Layer - Stream and Message Network Layer - Endpoint, Broadcast, and Debug Application Layer - Web, Music, Video, Email, and File

Upon first connecting to the service, a header is sent to configure the mode and display parameters. The modes are: File - In file mode a DCAP file is sent, the output is returned, and the session ends. Stream - In stream mode the service continuously receives packets and sends output until a zero length packet is received.

The display parameters are: Physical - enable/disable display of the physical layer information Transport - enable/disable display of the transport layer information Connection - enable/disable display of the connection information Application - enable/disable display of the content information Statistics - enable/disable display of packet statistics

Multiple positive and negative packet filters can be applied to each session.

Vulnerability

There are two vulnerabilities in this service.

The first vulnerability in this service is an uncontrolled format string vulnerability. The TransmitOptionHeader function in packet_analysis.c passes a user supplied string directly to the TransmitFormattedBytes function which takes a variable number of arguments and processes a formatted string for output similar to printf. The TransmitFormattedBytes has a format specifier that reads an address and value from the input stream and writes that value to that address. If the user supplied string contains the appropriate format specifier, the result will be a write of user supplied data to a user supplied address.

The second vulnerability in this service is an out of bounds read. In the AnalyzeApplicationLayer function, a specially crafted packet can cause the parser to read past the end of the packet buffer in memory. The vulnerability occurs because the length field of the To and Subject fields of an email message are not checked for proper bounds.

Generic class of vulnerability

Uncontrolled format string that results in a write what where condition. Out of bounds read past the end of a heap buffer.

CWE classification

CWE-134 - Uncontrolled Format String CWE-125 - Out of Bounds Read

Challenges

No example inputs are provided to the CRS for this challenge. The CRS must discover the proper input format by examining the binary. In order to leverage the write what where vulnerability, the CRS must create an input that passes enough format checks to reach the point in the service where a format string will be passed to the output function. It must then include a format specifier in the correct place within the input to trigger the vulnerability.

In order to prove the out of bounds read vulnerability the CRS must construct an input that passes every analysis step to reach the inner Application layer of the packet. The Application layer must be properly constructed except for an invalid length field in either the To or Subject email field.


Curated by Lunge Technology, LLC. Questions or comments? Send us email