Rounds Enabled

59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73

Details

• POV Information

Original Versions

• Original Build: CB1
• Author-supplied patches: CB1
• Author-supplied POVs: POV1 , POV2
• Browse Source

Known Vulnerabilities

• CWE-193 - Off-by-one Error
• CWE-20 - Improper Input Validation
CWEs are listed as indicated by the challenge author.

Deployed patches

• Round 64 : CodeJitsu - CB1
• Round 64 : Shellphish - CB1
• Round 66 : CSDS - CB1
• Round 66 : DeepRed - CB1
• Round 66 : Disekt - CB1
• Round 66 : TECHx - CB1
• Round 73 : DeepRed - CB1

Deployed IDS rules

• Round 66 - TECHx

Author Information

"Joe Rogers" joe@cromulence.com

DARPA performer group

Cromulence (CROMU)

Description

This CB implements a basic shell and command line environment similar to busybox. It supports a single directory file system, the ability to create, delete and change between users, change user passwords, create files, and display their contents.

ShortDescription: A basic linux shell and command line environment

Feature List

The CB provides these features:

• Basic shell with command history accessible through up/down arrows
• Basic filesystem (single directory, list files, dump file contents)
• User management (change user, change password, create new user, delete a user)
• exit

Vulnerability

Vulnerability #1: The shell has a command history buffer with 16 entries. But, the PrependCommandHistory() function has an off-by-one error which allows 17 entries to be written. The CommandHistory buffer is stored in a structure directly adjacent to the User variable which determines the currently logged in user. If the CRS makes its first command one of the other defined users in the pre-confgiured password file (user 'root' or 'secure'), and then runs 16 more commands, the User variable will be overwritten with the username of their choosing. It's not immediately obvious that the username has been updated since the command history is prepended after the 17th command is entered.

Vulnerability #2: ':' characters are used as the field delimiter for the password file in the CB with the fields being "password:username:group". The 'passwd' command fails to check for ':' characters in user supplied passwords. So, it's possible to craft a fake 'root' user password file entry by changing the 'crs' user password to 'asdf:root:root' which will make the resulting password file entry "asdf:root:root:crs:crs". The extra fields at the end of the line are ignored by the 'su' command.

Generic class of vulnerability

Vulnerability #1: Incorrect array size calculation Vulnerability #2: Unchecked user input

CWE classification

Vulnerability #1: CWE-193 Off-by-one Error Vulnerability #2: CWE-20 Improper Input Validation

Challenges

The first vulnerability should be relatively easy to identify if the CRS sends more than 16 commands to the CB and correctly parses the CLI prompt which will change when the user name is overwritten. The CRS will then need to identify that the four bytes of secret flag data are stored in the 'secure' user's file and that the 'cat' command is the proper way to view that file's contents. Discovery: easy, Proving: easy, Fixing: easy.

The second vulnerability requires the CRS to identify the lack of input validation, understand the password file format, and figure out that the root user has the necessary access rights to the 'confidential' file even though it's owned by the 'secure' user. Discovery: medium, Proving: medium, Fixing: easy.

Round	Source	Destination	Result	POV	Analysis	Video
60	CSDS	CodeJitsu	Failed POV	POV		Watch
60	CSDS	DeepRed	Failed POV	POV		Watch
60	CSDS	Disekt	Failed POV	POV		Watch
60	CSDS	ForAllSecure	Failed POV	POV		Watch
60	CSDS	Shellphish	Failed POV	POV		Watch
60	CSDS	TECHx	Failed POV	POV		Watch
60	DeepRed	CodeJitsu	Failed POV	POV		Watch
60	DeepRed	CSDS	Failed POV	POV		Watch
60	DeepRed	Disekt	Failed POV	POV		Watch
60	DeepRed	ForAllSecure	Failed POV	POV		Watch
60	DeepRed	Shellphish	Failed POV	POV		Watch
60	DeepRed	TECHx	Failed POV	POV		Watch
61	CSDS	CodeJitsu	Failed POV	POV		Watch
61	CSDS	DeepRed	Failed POV	POV		Watch
61	CSDS	Disekt	Failed POV	POV		Watch
61	CSDS	ForAllSecure	Failed POV	POV		Watch
61	CSDS	Shellphish	Failed POV	POV		Watch
61	CSDS	TECHx	Failed POV	POV		Watch
61	DeepRed	CodeJitsu	Failed POV	POV		Watch
61	DeepRed	CSDS	Failed POV	POV		Watch
61	DeepRed	Disekt	Failed POV	POV		Watch
61	DeepRed	ForAllSecure	Failed POV	POV		Watch
61	DeepRed	Shellphish	Failed POV	POV		Watch
61	DeepRed	TECHx	Failed POV	POV		Watch
62	CSDS	CodeJitsu	Failed POV	POV		Watch
62	CSDS	DeepRed	Failed POV	POV		Watch
62	CSDS	Disekt	Failed POV	POV		Watch
62	CSDS	ForAllSecure	Failed POV	POV		Watch
62	CSDS	Shellphish	Failed POV	POV		Watch
62	CSDS	TECHx	Failed POV	POV		Watch
62	DeepRed	CodeJitsu	Failed POV	POV		Watch
62	DeepRed	CSDS	Failed POV	POV		Watch
62	DeepRed	Disekt	Failed POV	POV		Watch
62	DeepRed	ForAllSecure	Failed POV	POV		Watch
62	DeepRed	Shellphish	Failed POV	POV		Watch
62	DeepRed	TECHx	Failed POV	POV		Watch
63	CSDS	CodeJitsu	Failed POV	POV		Watch
63	CSDS	DeepRed	Failed POV	POV		Watch
63	CSDS	Disekt	Failed POV	POV		Watch
63	CSDS	ForAllSecure	Failed POV	POV		Watch
63	CSDS	Shellphish	Failed POV	POV		Watch
63	CSDS	TECHx	Failed POV	POV		Watch
63	DeepRed	CodeJitsu	Failed POV	POV		Watch
63	DeepRed	CSDS	Failed POV	POV		Watch
63	DeepRed	Disekt	Failed POV	POV		Watch
63	DeepRed	ForAllSecure	Failed POV	POV		Watch
63	DeepRed	Shellphish	Failed POV	POV		Watch
63	DeepRed	TECHx	Failed POV	POV		Watch
64	CodeJitsu	CSDS	Successful POV	POV	Analysis	Watch
64	CodeJitsu	DeepRed	Successful POV	POV	Analysis	Watch
64	CodeJitsu	Disekt	Successful POV	POV	Analysis	Watch
64	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
64	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
64	CodeJitsu	TECHx	Successful POV	POV	Analysis	Watch
64	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
64	CSDS	DeepRed	Failed POV	POV		Watch
64	CSDS	Disekt	Failed POV	POV		Watch
64	CSDS	ForAllSecure	Failed POV	POV		Watch
64	CSDS	Shellphish	Failed POV through defenses	POV		Watch
64	CSDS	TECHx	Failed POV	POV		Watch
64	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
64	DeepRed	CSDS	Failed POV	POV		Watch
64	DeepRed	Disekt	Failed POV	POV		Watch
64	DeepRed	ForAllSecure	Failed POV	POV		Watch
64	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
64	DeepRed	TECHx	Failed POV	POV		Watch
65	CodeJitsu	CSDS	Successful POV	POV	Analysis	Watch
65	CodeJitsu	DeepRed	Successful POV	POV	Analysis	Watch
65	CodeJitsu	Disekt	Successful POV	POV	Analysis	Watch
65	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
65	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
65	CodeJitsu	TECHx	Successful POV	POV	Analysis	Watch
65	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
65	CSDS	DeepRed	Failed POV	POV		Watch
65	CSDS	Disekt	Failed POV	POV		Watch
65	CSDS	ForAllSecure	Failed POV	POV		Watch
65	CSDS	Shellphish	Failed POV through defenses	POV		Watch
65	CSDS	TECHx	Failed POV	POV		Watch
65	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
65	DeepRed	CSDS	Failed POV	POV		Watch
65	DeepRed	Disekt	Failed POV	POV		Watch
65	DeepRed	ForAllSecure	Failed POV	POV		Watch
65	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
65	DeepRed	TECHx	Failed POV	POV		Watch
66	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
66	CodeJitsu	DeepRed	Failed POV through defenses	POV		Watch
66	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
66	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
66	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
66	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
66	CSDS	DeepRed	Failed POV through defenses	POV		Watch
66	CSDS	Disekt	Failed POV through defenses	POV		Watch
66	CSDS	ForAllSecure	Failed POV	POV		Watch
66	CSDS	Shellphish	Failed POV through defenses	POV		Watch
66	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
66	DeepRed	CSDS	Failed POV through defenses	POV		Watch
66	DeepRed	Disekt	Failed POV through defenses	POV		Watch
66	DeepRed	ForAllSecure	Failed POV	POV		Watch
66	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
67	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
67	CodeJitsu	DeepRed	Failed POV through defenses	POV		Watch
67	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
67	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
67	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
67	CodeJitsu	TECHx	Failed POV through defenses	POV		Watch
67	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
67	CSDS	DeepRed	Failed POV through defenses	POV		Watch
67	CSDS	Disekt	Failed POV through defenses	POV		Watch
67	CSDS	ForAllSecure	Failed POV	POV		Watch
67	CSDS	Shellphish	Failed POV through defenses	POV		Watch
67	CSDS	TECHx	Failed POV through defenses	POV		Watch
67	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
67	DeepRed	CSDS	Failed POV through defenses	POV		Watch
67	DeepRed	Disekt	Failed POV through defenses	POV		Watch
67	DeepRed	ForAllSecure	Failed POV	POV		Watch
67	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
67	DeepRed	TECHx	Failed POV through defenses	POV		Watch
68	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
68	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
68	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
68	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
68	CodeJitsu	TECHx	Failed POV through defenses	POV		Watch
68	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
68	CSDS	DeepRed	Failed POV through defenses	POV		Watch
68	CSDS	Disekt	Failed POV through defenses	POV		Watch
68	CSDS	ForAllSecure	Failed POV	POV		Watch
68	CSDS	Shellphish	Failed POV through defenses	POV		Watch
68	CSDS	TECHx	Failed POV through defenses	POV		Watch
68	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
68	DeepRed	CSDS	Failed POV through defenses	POV		Watch
68	DeepRed	Disekt	Failed POV through defenses	POV		Watch
68	DeepRed	ForAllSecure	Failed POV	POV		Watch
68	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
68	DeepRed	TECHx	Failed POV through defenses	POV		Watch
69	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
69	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
69	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
69	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
69	CodeJitsu	TECHx	Failed POV through defenses	POV		Watch
69	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
69	CSDS	DeepRed	Failed POV through defenses	POV		Watch
69	CSDS	Disekt	Failed POV through defenses	POV		Watch
69	CSDS	ForAllSecure	Failed POV	POV		Watch
69	CSDS	Shellphish	Failed POV through defenses	POV		Watch
69	CSDS	TECHx	Failed POV through defenses	POV		Watch
69	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
69	DeepRed	CSDS	Failed POV through defenses	POV		Watch
69	DeepRed	Disekt	Failed POV through defenses	POV		Watch
69	DeepRed	ForAllSecure	Failed POV	POV		Watch
69	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
69	DeepRed	TECHx	Failed POV through defenses	POV		Watch
70	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
70	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
70	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
70	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
70	CodeJitsu	TECHx	Failed POV through defenses	POV		Watch
70	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
70	CSDS	DeepRed	Failed POV through defenses	POV		Watch
70	CSDS	Disekt	Failed POV through defenses	POV		Watch
70	CSDS	ForAllSecure	Failed POV	POV		Watch
70	CSDS	Shellphish	Failed POV through defenses	POV		Watch
70	CSDS	TECHx	Failed POV through defenses	POV		Watch
70	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
70	DeepRed	CSDS	Failed POV through defenses	POV		Watch
70	DeepRed	Disekt	Failed POV through defenses	POV		Watch
70	DeepRed	ForAllSecure	Failed POV	POV		Watch
70	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
70	DeepRed	TECHx	Failed POV through defenses	POV		Watch
71	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
71	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
71	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
71	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
71	CodeJitsu	TECHx	Failed POV through defenses	POV		Watch
71	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
71	CSDS	DeepRed	Failed POV through defenses	POV		Watch
71	CSDS	Disekt	Failed POV through defenses	POV		Watch
71	CSDS	ForAllSecure	Failed POV	POV		Watch
71	CSDS	Shellphish	Failed POV through defenses	POV		Watch
71	CSDS	TECHx	Failed POV through defenses	POV		Watch
71	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
71	DeepRed	CSDS	Failed POV through defenses	POV		Watch
71	DeepRed	Disekt	Failed POV through defenses	POV		Watch
71	DeepRed	ForAllSecure	Failed POV	POV		Watch
71	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
71	DeepRed	TECHx	Failed POV through defenses	POV		Watch
72	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
72	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
72	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
72	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
72	CodeJitsu	TECHx	Failed POV through defenses	POV		Watch
72	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
72	CSDS	DeepRed	Failed POV through defenses	POV		Watch
72	CSDS	Disekt	Failed POV through defenses	POV		Watch
72	CSDS	ForAllSecure	Failed POV	POV		Watch
72	CSDS	Shellphish	Failed POV through defenses	POV		Watch
72	CSDS	TECHx	Failed POV through defenses	POV		Watch
72	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
72	DeepRed	CSDS	Failed POV through defenses	POV		Watch
72	DeepRed	Disekt	Failed POV through defenses	POV		Watch
72	DeepRed	ForAllSecure	Failed POV	POV		Watch
72	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
72	DeepRed	TECHx	Failed POV through defenses	POV		Watch
73	CodeJitsu	CSDS	Failed POV through defenses	POV		Watch
73	CodeJitsu	DeepRed	Failed POV through defenses	POV		Watch
73	CodeJitsu	Disekt	Failed POV through defenses	POV		Watch
73	CodeJitsu	ForAllSecure	Successful POV	POV	Analysis	Watch
73	CodeJitsu	Shellphish	Failed POV through defenses	POV		Watch
73	CodeJitsu	TECHx	Failed POV through defenses	POV		Watch
73	CSDS	CodeJitsu	Failed POV through defenses	POV		Watch
73	CSDS	DeepRed	Failed POV through defenses	POV		Watch
73	CSDS	Disekt	Failed POV through defenses	POV		Watch
73	CSDS	ForAllSecure	Failed POV	POV		Watch
73	CSDS	Shellphish	Failed POV through defenses	POV		Watch
73	CSDS	TECHx	Failed POV through defenses	POV		Watch
73	DeepRed	CodeJitsu	Failed POV through defenses	POV		Watch
73	DeepRed	CSDS	Failed POV through defenses	POV		Watch
73	DeepRed	Disekt	Failed POV through defenses	POV		Watch
73	DeepRed	ForAllSecure	Failed POV	POV		Watch
73	DeepRed	Shellphish	Failed POV through defenses	POV		Watch
73	DeepRed	TECHx	Failed POV through defenses	POV		Watch
73	Disekt	CodeJitsu	Failed POV through defenses	POV		Watch
73	Disekt	DeepRed	Failed POV through defenses	POV		Watch
73	Disekt	ForAllSecure	Successful POV	POV	Analysis	Watch
73	Disekt	Shellphish	Failed POV through defenses	POV		Watch
73	Disekt	TECHx	Failed POV through defenses	POV		Watch
73	Shellphish	CodeJitsu	Failed POV through defenses	POV		Watch
73	Shellphish	CSDS	Failed POV through defenses	POV		Watch
73	Shellphish	DeepRed	Failed POV through defenses	POV		Watch
73	Shellphish	ForAllSecure	Successful POV	POV	Analysis	Watch
73	Shellphish	TECHx	Failed POV through defenses	POV		Watch