Qualifier Challenge - CROMU_00044

Original Versions

Known Vulnerabilities

  • CWE-416 - Use After Free
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 4.0
  • Disekt: 1.75
  • CodeJitsu: 1.04
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Jason Williams" jdw@cromulence.co

DARPA performer group

Cromulence LLC (CROMU)


This service is a reimplementation of the service CROMU_00001 specification with additional functionality added including an admin login, admin console, admin and user passwords, and written using C++ classes.

Feature List

This service features an an initial menu that allows a user to login, a new user to be created, or an administrator to login to administrator console. The service allows users to send messages to each other from there user menu after logging in. New messages that are received are marked as unread and when a user attempts to read their messages they first are prompted with any unread messages. The administrator console allows an admin after proper authentication to list all users, delete a user, or change their password.


There is one vulnerability in this service. It is due to the method in which unread messages are tracked per user. An unread message pointer points to the last unread message in the linked list of user messages. When a message is deleted by a user (but not read -- as this will clear the unread message pointer) and that message that is chosen to be deleted is the one the unread message is pointing to the unread message pointer will now point to deleted data. Hence a use after free event can occur. When a user then goes to read a message the program will attempt to display the oldest unread message (which points to deleted data) and a use after free will occur.

Generic class of vulnerability

Use after free

CWE classification

CWE-416: Use After Free


This CB requires the reasoning system to login and provide the proper credentials. In order for the reasoning system to effectively do this it must track the state of the users in the database and provide the proper authentication parameters to access the user console where messages can be sent and the vulnerability exercised. Lastly a use after free event does not immediately constitute a crash. The memory pointer that points to stale data on the heap must be manipulated in a manner to cause a crashing event.

Curated by Lunge Technology, LLC. Questions or comments? Send us email