Challenge Information - CROMU_00057

Commonly known as: Scrum_Database


Rounds Enabled

45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59

Details

Original Versions

Known Vulnerabilities

  • CWE-122 - Heap-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

Author Information

"Steve Wood" swood@cromulence.com

DARPA performer group

Cromulence LLC (CROMU)

Description

This service implements a backend database for a Scrum software development management tool. As the backend, it doesn't present a user interface, but instead provides a binary protocol for a frontend application to use.

Feature List

The database is designed to store a number of "products" and the requirements and tasks associated with their Agile development. Once a Product is defined, user requirements are stored in the Product Backlog. Sprints are also added to the Product to group user requirements into small blocks of development & test efforts. Requirements are moved from the Product Backlog to one of the defined Sprints. Once assigned to a Sprint, these Sprint Backlog Items can be updated to reflect changes that naturally occur during development as complexity and requirements are better understood. Backlog items can only be changed if they are assigned to a Sprint! However, Backlog items (requriements) can only be deleted from a Product if they are not assigned to a Sprint, i.e. they are on the Product Backlog. Sprints can also be deleted from the Product, but only if all Backlog items have been moved back to the Product Backlog or to another Sprint. This is to avoid the inadvertent deletion of user requirements or Product developement tasks. The only exception to this is if the Product itself is being deleted. In this case, all Product details, including populated Sprints are deleted from the database. The database tool will also output the entire Product in a consolidated report that lists Product, Sprint, and Product Backlog details.

Vulnerability

Vulnerability 1 is a buffer overflow that occurs when a Sprint Backlog item's text description field is updated. To conserve memory, the database allocates at runtime only the amount of memory needed to store a string. Unfortunately, the function to update the item's description field fails to reallocate a new string and simply reuses the previous one. If the new string is longer than the original string, heap memory is overwritten. By controlling the order in which items are added to the database, and then performing the overflow, a linked list's next pointer can be overwritten and directed to the secret memory page. The provided POV causes the list of Product Backlog items to point to this memory. When the Product details are displayed, some of this secret data is interpreted as a backlog item, thus leaking memory from this page.

Generic class of vulnerability

Heap buffer overflow

CWE classification

CWE-122 Heap-based Buffer Overflow

Challenges

Vulnerability 1 is a straightforward buffer overflow and should be easy to detect. To successfully exploit it, the heap must be groomed in such a way that a useful pointer is overwritten and without causing read violation to occur when text fields from the database are accessed. In addition, the vulnerability is only reachable once several specific operations have been performed in the database that allow for the function to update the text description field to be called. The ideal fix for the vulnerability is to properly allocated more memory for the new string, but the simplest mitigation is to fail the function call.

Finding Vulnerability 1: easy
Proving Vulnerability 1: medium
Fixing Vulnerability 1: medium

POV Information

Round Source Destination Result POV Analysis Video
46 CSDS CodeJitsu Failed POV POV Watch
46 CSDS DeepRed Failed POV POV Watch
46 CSDS Disekt Failed POV POV Watch
46 CSDS ForAllSecure Failed POV POV Watch
46 CSDS Shellphish Failed POV POV Watch
46 CSDS TECHx Failed POV POV Watch
46 DeepRed CodeJitsu Failed POV POV Watch
46 DeepRed CSDS Failed POV POV Watch
46 DeepRed Disekt Failed POV POV Watch
46 DeepRed ForAllSecure Failed POV POV Watch
46 DeepRed Shellphish Failed POV POV Watch
46 DeepRed TECHx Failed POV POV Watch
47 CSDS CodeJitsu Failed POV POV Watch
47 CSDS DeepRed Failed POV POV Watch
47 CSDS Disekt Failed POV POV Watch
47 CSDS ForAllSecure Failed POV POV Watch
47 CSDS Shellphish Failed POV POV Watch
47 DeepRed CodeJitsu Failed POV POV Watch
47 DeepRed CSDS Failed POV POV Watch
47 DeepRed Disekt Failed POV POV Watch
47 DeepRed ForAllSecure Failed POV POV Watch
47 DeepRed Shellphish Failed POV POV Watch
48 CSDS CodeJitsu Failed POV POV Watch
48 CSDS DeepRed Failed POV POV Watch
48 CSDS Disekt Failed POV POV Watch
48 CSDS ForAllSecure Failed POV POV Watch
48 CSDS Shellphish Failed POV POV Watch
48 CSDS TECHx Failed POV through defenses POV Watch
48 DeepRed CodeJitsu Failed POV POV Watch
48 DeepRed CSDS Failed POV POV Watch
48 DeepRed Disekt Failed POV POV Watch
48 DeepRed ForAllSecure Failed POV POV Watch
48 DeepRed Shellphish Failed POV POV Watch
48 DeepRed TECHx Failed POV through defenses POV Watch
49 CodeJitsu Disekt Failed POV through defenses POV Watch
49 CSDS CodeJitsu Failed POV POV Watch
49 CSDS DeepRed Failed POV POV Watch
49 CSDS Disekt Failed POV through defenses POV Watch
49 CSDS ForAllSecure Failed POV POV Watch
49 CSDS Shellphish Failed POV POV Watch
49 CSDS TECHx Failed POV through defenses POV Watch
49 DeepRed CodeJitsu Failed POV POV Watch
49 DeepRed CSDS Failed POV POV Watch
49 DeepRed Disekt Failed POV through defenses POV Watch
49 DeepRed ForAllSecure Failed POV POV Watch
49 DeepRed Shellphish Failed POV POV Watch
49 DeepRed TECHx Failed POV through defenses POV Watch
50 CSDS CodeJitsu Failed POV POV Watch
50 CSDS DeepRed Failed POV POV Watch
50 CSDS Disekt Failed POV through defenses POV Watch
50 CSDS ForAllSecure Failed POV POV Watch
50 CSDS Shellphish Failed POV POV Watch
50 CSDS TECHx Failed POV through defenses POV Watch
50 DeepRed CodeJitsu Failed POV POV Watch
50 DeepRed CSDS Failed POV POV Watch
50 DeepRed Disekt Failed POV through defenses POV Watch
50 DeepRed ForAllSecure Failed POV POV Watch
50 DeepRed Shellphish Failed POV POV Watch
50 DeepRed TECHx Failed POV through defenses POV Watch
51 CSDS CodeJitsu Failed POV POV Watch
51 CSDS DeepRed Failed POV POV Watch
51 CSDS Disekt Failed POV through defenses POV Watch
51 CSDS ForAllSecure Failed POV POV Watch
51 CSDS Shellphish Failed POV POV Watch
51 CSDS TECHx Failed POV through defenses POV Watch
51 DeepRed CodeJitsu Failed POV POV Watch
51 DeepRed CSDS Failed POV POV Watch
51 DeepRed Disekt Failed POV through defenses POV Watch
51 DeepRed ForAllSecure Failed POV POV Watch
51 DeepRed Shellphish Failed POV POV Watch
51 DeepRed TECHx Failed POV through defenses POV Watch
52 CSDS CodeJitsu Failed POV POV Watch
52 CSDS DeepRed Failed POV POV Watch
52 CSDS Disekt Failed POV through defenses POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV POV Watch
52 CSDS TECHx Failed POV through defenses POV Watch
52 DeepRed CodeJitsu Failed POV POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV through defenses POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV POV Watch
52 DeepRed TECHx Failed POV through defenses POV Watch
53 CSDS CodeJitsu Failed POV POV Watch
53 CSDS DeepRed Failed POV POV Watch
53 CSDS Disekt Failed POV through defenses POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV POV Watch
53 CSDS TECHx Failed POV through defenses POV Watch
53 DeepRed CodeJitsu Failed POV POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV through defenses POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV POV Watch
53 DeepRed TECHx Failed POV through defenses POV Watch
54 CSDS CodeJitsu Failed POV POV Watch
54 CSDS DeepRed Failed POV POV Watch
54 CSDS Disekt Failed POV through defenses POV Watch
54 CSDS ForAllSecure Failed POV POV Watch
54 CSDS Shellphish Failed POV POV Watch
54 CSDS TECHx Failed POV through defenses POV Watch
54 DeepRed CodeJitsu Failed POV POV Watch
54 DeepRed CSDS Failed POV POV Watch
54 DeepRed Disekt Failed POV through defenses POV Watch
54 DeepRed ForAllSecure Failed POV POV Watch
54 DeepRed Shellphish Failed POV POV Watch
54 DeepRed TECHx Failed POV through defenses POV Watch
55 CSDS CodeJitsu Failed POV POV Watch
55 CSDS DeepRed Failed POV POV Watch
55 CSDS Disekt Failed POV through defenses POV Watch
55 CSDS ForAllSecure Failed POV POV Watch
55 CSDS Shellphish Failed POV POV Watch
55 CSDS TECHx Failed POV through defenses POV Watch
55 DeepRed CodeJitsu Failed POV POV Watch
55 DeepRed CSDS Failed POV POV Watch
55 DeepRed Disekt Failed POV through defenses POV Watch
55 DeepRed ForAllSecure Failed POV POV Watch
55 DeepRed Shellphish Failed POV POV Watch
55 DeepRed TECHx Failed POV through defenses POV Watch
56 CSDS CodeJitsu Failed POV POV Watch
56 CSDS DeepRed Failed POV POV Watch
56 CSDS Disekt Failed POV through defenses POV Watch
56 CSDS ForAllSecure Failed POV POV Watch
56 CSDS Shellphish Failed POV POV Watch
56 CSDS TECHx Failed POV through defenses POV Watch
56 DeepRed CodeJitsu Failed POV POV Watch
56 DeepRed CSDS Failed POV POV Watch
56 DeepRed Disekt Failed POV through defenses POV Watch
56 DeepRed ForAllSecure Failed POV POV Watch
56 DeepRed Shellphish Failed POV POV Watch
56 DeepRed TECHx Failed POV through defenses POV Watch
57 CSDS CodeJitsu Failed POV POV Watch
57 CSDS DeepRed Failed POV POV Watch
57 CSDS Disekt Failed POV through defenses POV Watch
57 CSDS ForAllSecure Failed POV POV Watch
57 CSDS Shellphish Failed POV POV Watch
57 CSDS TECHx Failed POV through defenses POV Watch
57 DeepRed CodeJitsu Failed POV POV Watch
57 DeepRed CSDS Failed POV POV Watch
57 DeepRed Disekt Failed POV through defenses POV Watch
57 DeepRed ForAllSecure Failed POV POV Watch
57 DeepRed Shellphish Failed POV POV Watch
57 DeepRed TECHx Failed POV through defenses POV Watch
58 CSDS CodeJitsu Failed POV POV Watch
58 CSDS DeepRed Failed POV POV Watch
58 CSDS Disekt Failed POV through defenses POV Watch
58 CSDS ForAllSecure Failed POV POV Watch
58 CSDS Shellphish Failed POV POV Watch
58 CSDS TECHx Failed POV through defenses POV Watch
58 DeepRed CodeJitsu Failed POV POV Watch
58 DeepRed CSDS Failed POV POV Watch
58 DeepRed Disekt Failed POV through defenses POV Watch
58 DeepRed ForAllSecure Failed POV POV Watch
58 DeepRed Shellphish Failed POV POV Watch
58 DeepRed TECHx Failed POV through defenses POV Watch
59 CSDS CodeJitsu Failed POV POV Watch
59 CSDS DeepRed Failed POV POV Watch
59 CSDS Disekt Failed POV through defenses POV Watch
59 CSDS ForAllSecure Failed POV POV Watch
59 CSDS Shellphish Failed POV POV Watch
59 CSDS TECHx Failed POV through defenses POV Watch
59 DeepRed CodeJitsu Failed POV POV Watch
59 DeepRed CSDS Failed POV POV Watch
59 DeepRed Disekt Failed POV through defenses POV Watch
59 DeepRed ForAllSecure Failed POV POV Watch
59 DeepRed Shellphish Failed POV POV Watch
59 DeepRed TECHx Failed POV through defenses POV Watch

Curated by Lunge Technology, LLC. Questions or comments? Send us email