"Steve Wood" swood@cromulence.com
Cromulence LLC (CROMU)
This service implements a backend database for a Scrum software development management tool. As the backend, it doesn't present a user interface, but instead provides a binary protocol for a frontend application to use.
The database is designed to store a number of "products" and the requirements and tasks associated with their Agile development. Once a Product is defined, user requirements are stored in the Product Backlog. Sprints are also added to the Product to group user requirements into small blocks of development & test effort. Requirements are moved from the Product Backlog to one of the defined Sprints. Once assigned to a Sprint, these Sprint Backlog Items can be updated to reflect changes that naturally occur during development as complexity and requirements are better understood. Backlog items can only be changed if they are assigned to a Sprint! However, Backlog items (requirements) can only be deleted from a Product if they are not assigned to a Sprint, i.e. they are on the Product Backlog. Sprints can also be deleted from the Product, but only if all Backlog items have been moved back to the Product Backlog or to another Sprint. This is to avoid the inadvertent deletion of user requirements or Product development tasks. The only exception to this is if the Product itself is being deleted. In this case, all Product details, including populated Sprints, are deleted from the database. The database tool will also output the entire Product in a consolidated report that lists Product, Sprint, and Product Backlog details.
Vulnerability 1 is a buffer overflow that occurs when a Sprint Backlog item's text description field is updated. To conserve memory, the database allocates at runtime only the amount of memory needed to store a string. Unfortunately, the function to update the item's description field fails to reallocate a new string and simply reuses the previous one. If the new string is longer than the original string, heap memory is overwritten. By controlling the order in which items are added to the database, and then performing the overflow, a linked list's next pointer can be overwritten and directed to the secret memory page. The provided POV causes the list of Product Backlog items to point to this memory. When the Product details are displayed, some of this secret data is interpreted as a backlog item, thus leaking memory from this page.
Heap buffer overflow
CWE-122 Heap-based Buffer Overflow
Vulnerability 1 is a straightforward buffer overflow and should be easy to detect. To successfully exploit it, the heap must be groomed in such a way that a useful pointer is overwritten without causing a read violation when text fields from the database are accessed. In addition, the vulnerability is only reachable once several specific operations have been performed in the database that make the function which updates the text description field callable. The ideal fix for the vulnerability is to properly allocate more memory for the new string, but the simplest mitigation is to fail the function call.
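The reused-buffer update and the two fixes described above, as an added C illustration that is not the challenge's own source (the struct layout, function names and sample strings are constructed):

```c
#include <stdlib.h>
#include <string.h>
/* Constructed model of a Sprint Backlog item (not the challenge's own layout). */
typedef struct backlog_item {
    char *description;           /* heap string allocated to exactly strlen(text) + 1 bytes */
    struct backlog_item *next;   /* list linkage; the page's overflow clobbers such a pointer in a neighbouring chunk */
} backlog_item;
backlog_item *item_create(const char *text) {
    backlog_item *it = calloc(1, sizeof *it);
    size_t need = strlen(text) + 1;                    /* only as much memory as the string needs */
    if (it && (it->description = malloc(need)) != NULL) { memcpy(it->description, text, need); return it; }
    free(it);                                          /* free(NULL) is a no-op */
    return NULL;
}
/* VULNERABLE, as the page describes: the old buffer is reused whatever the new length, so a
   longer description runs past its end into whatever sits next on the heap. */
int update_description_vulnerable(backlog_item *it, const char *text) {
    strcpy(it->description, text);
    return 0;
}
/* Simplest mitigation named on the page: fail the call when the text would not fit. The buffer
   was sized exactly for the stored string, so that string's length is the usable bound. */
int update_description_reject(backlog_item *it, const char *text) {
    if (strlen(text) > strlen(it->description)) return -1;
    memcpy(it->description, text, strlen(text) + 1);
    return 0;
}
/* Ideal fix named on the page: allocate a buffer sized for the new string, copy, then free the old one. */
int update_description_fixed(backlog_item *it, const char *text) {
    size_t need = strlen(text) + 1;
    char *fresh = malloc(need);
    if (!fresh) return -1;
    memcpy(fresh, text, need);
    free(it->description);
    it->description = fresh;
    return 0;
}
void item_free(backlog_item *it) { if (it) { free(it->description); free(it); } }
/* Exercises both safe variants on constructed text; returns 1 when each behaves as intended. */
int check_safe_updates(void) {
    const char *longer = "a much longer description than the original";
    backlog_item *it = item_create("login page");
    if (!it) return 0;
    int ok = update_description_reject(it, longer) == -1 && strcmp(it->description, "login page") == 0
          && update_description_reject(it, "login") == 0 && update_description_fixed(it, longer) == 0
          && strcmp(it->description, longer) == 0;
    item_free(it);
    return ok;
}
```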
Finding Vulnerability 1: easy
Proving Vulnerability 1: medium
Fixing Vulnerability 1: medium
Round | Source | Destination | Result | POV | Analysis | Video |
---|---|---|---|---|---|---|
46 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
46 | CSDS | DeepRed | Failed POV | POV | Watch | |
46 | CSDS | Disekt | Failed POV | POV | Watch | |
46 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
46 | CSDS | Shellphish | Failed POV | POV | Watch | |
46 | CSDS | TECHx | Failed POV | POV | Watch | |
46 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
46 | DeepRed | CSDS | Failed POV | POV | Watch | |
46 | DeepRed | Disekt | Failed POV | POV | Watch | |
46 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
46 | DeepRed | Shellphish | Failed POV | POV | Watch | |
46 | DeepRed | TECHx | Failed POV | POV | Watch | |
47 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
47 | CSDS | DeepRed | Failed POV | POV | Watch | |
47 | CSDS | Disekt | Failed POV | POV | Watch | |
47 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
47 | CSDS | Shellphish | Failed POV | POV | Watch | |
47 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
47 | DeepRed | CSDS | Failed POV | POV | Watch | |
47 | DeepRed | Disekt | Failed POV | POV | Watch | |
47 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
47 | DeepRed | Shellphish | Failed POV | POV | Watch | |
48 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
48 | CSDS | DeepRed | Failed POV | POV | Watch | |
48 | CSDS | Disekt | Failed POV | POV | Watch | |
48 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
48 | CSDS | Shellphish | Failed POV | POV | Watch | |
48 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
48 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
48 | DeepRed | CSDS | Failed POV | POV | Watch | |
48 | DeepRed | Disekt | Failed POV | POV | Watch | |
48 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
48 | DeepRed | Shellphish | Failed POV | POV | Watch | |
48 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
49 | CodeJitsu | Disekt | Failed POV through defenses | POV | Watch | |
49 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
49 | CSDS | DeepRed | Failed POV | POV | Watch | |
49 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
49 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
49 | CSDS | Shellphish | Failed POV | POV | Watch | |
49 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
49 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
49 | DeepRed | CSDS | Failed POV | POV | Watch | |
49 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
49 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
49 | DeepRed | Shellphish | Failed POV | POV | Watch | |
49 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
50 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
50 | CSDS | DeepRed | Failed POV | POV | Watch | |
50 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
50 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
50 | CSDS | Shellphish | Failed POV | POV | Watch | |
50 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
50 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
50 | DeepRed | CSDS | Failed POV | POV | Watch | |
50 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
50 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
50 | DeepRed | Shellphish | Failed POV | POV | Watch | |
50 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
51 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
51 | CSDS | DeepRed | Failed POV | POV | Watch | |
51 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
51 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
51 | CSDS | Shellphish | Failed POV | POV | Watch | |
51 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
51 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
51 | DeepRed | CSDS | Failed POV | POV | Watch | |
51 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
51 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
51 | DeepRed | Shellphish | Failed POV | POV | Watch | |
51 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
52 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
52 | CSDS | DeepRed | Failed POV | POV | Watch | |
52 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
52 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
52 | CSDS | Shellphish | Failed POV | POV | Watch | |
52 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
52 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
52 | DeepRed | CSDS | Failed POV | POV | Watch | |
52 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
52 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
52 | DeepRed | Shellphish | Failed POV | POV | Watch | |
52 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
53 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
53 | CSDS | DeepRed | Failed POV | POV | Watch | |
53 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
53 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
53 | CSDS | Shellphish | Failed POV | POV | Watch | |
53 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
53 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
53 | DeepRed | CSDS | Failed POV | POV | Watch | |
53 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
53 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
53 | DeepRed | Shellphish | Failed POV | POV | Watch | |
53 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
54 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
54 | CSDS | DeepRed | Failed POV | POV | Watch | |
54 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
54 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
54 | CSDS | Shellphish | Failed POV | POV | Watch | |
54 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
54 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
54 | DeepRed | CSDS | Failed POV | POV | Watch | |
54 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
54 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
54 | DeepRed | Shellphish | Failed POV | POV | Watch | |
54 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
55 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
55 | CSDS | DeepRed | Failed POV | POV | Watch | |
55 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
55 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
55 | CSDS | Shellphish | Failed POV | POV | Watch | |
55 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
55 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
55 | DeepRed | CSDS | Failed POV | POV | Watch | |
55 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
55 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
55 | DeepRed | Shellphish | Failed POV | POV | Watch | |
55 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
56 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
56 | CSDS | DeepRed | Failed POV | POV | Watch | |
56 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
56 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
56 | CSDS | Shellphish | Failed POV | POV | Watch | |
56 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
56 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
56 | DeepRed | CSDS | Failed POV | POV | Watch | |
56 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
56 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
56 | DeepRed | Shellphish | Failed POV | POV | Watch | |
56 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
57 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
57 | CSDS | DeepRed | Failed POV | POV | Watch | |
57 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
57 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
57 | CSDS | Shellphish | Failed POV | POV | Watch | |
57 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
57 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
57 | DeepRed | CSDS | Failed POV | POV | Watch | |
57 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
57 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
57 | DeepRed | Shellphish | Failed POV | POV | Watch | |
57 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
58 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
58 | CSDS | DeepRed | Failed POV | POV | Watch | |
58 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
58 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
58 | CSDS | Shellphish | Failed POV | POV | Watch | |
58 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
58 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
58 | DeepRed | CSDS | Failed POV | POV | Watch | |
58 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
58 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
58 | DeepRed | Shellphish | Failed POV | POV | Watch | |
58 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
59 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
59 | CSDS | DeepRed | Failed POV | POV | Watch | |
59 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
59 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
59 | CSDS | Shellphish | Failed POV | POV | Watch | |
59 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
59 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
59 | DeepRed | CSDS | Failed POV | POV | Watch | |
59 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
59 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
59 | DeepRed | Shellphish | Failed POV | POV | Watch | |
59 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
Curated by Lunge Technology, LLC.