"Jason Williams" jdw@cromulence.com
Cromulence LLC (CROMU)
Flash File System (FFS) implements a simple NOR flash file system that tracks files on a simulated NOR flash device consisting of memory blocks and sectors. When the service starts, magic page data is used to initialize the layout of the flash device (number of blocks per sector, block size, sectors per device). A file system test loop then runs, allowing the user to enter file system commands (read, write, open, close, and delete); opening a nonexistent file as writeable creates a new file on the flash device. The flash file system treats each block as writeable and can only set 1 bits to 0 (via the NOR flash device), just as in a real flash memory chip. In order to reset a block back to 1, it must be erased. All attempts are made to erase at the sector level (a sector consists of 8, 12, or 16 blocks) to increase the speed of the flash file system, as erases are costly operations on a flash device. Each file consists of a file table entry, a file header, and data entries. The file table entry is loaded into memory and stored in a statically allocated array for easy access by the device (spending some memory consumption for increased speed).
The Flash File System service (FFS) has a number of features. It supports a basic file system with read, write, open, close, and delete operations. It allows up to 128 files to exist on the device. It reserves 4 sectors for spare area (temporary sectors, reserve copies, etc.) and always attempts to erase at the sector level whenever possible before erasing at the block level (to increase speed).
There is one vulnerability in this service: it is possible to access a file descriptor outside of the File Descriptor array by issuing a CloseFile command with a negative File Descriptor index as the FD. The CloseFile operation resets the File Descriptor table entry with 0xFFFF (for the flash hdr ID) and the file position to zero. It is therefore possible to write 0xFFFF and 0x0 (32-bit) to any location along 8-byte boundaries within memory. This scenario happens to allow the user to overwrite the return address of an earlier stack frame and set its lower 16 bits to 0xFFFF. When this stack frame unrolls, PC is set to 0x804FFFF, resulting in a call to executable code within the floor math function. Execution completes through this function and further unrolls the stack frame, which results in PC being restored from user-controlled data. The user-controlled data happens to be a stale buffer from a previous function call; therefore, by calling this function in advance and priming the stack layout, it is possible to gain arbitrary control of PC when calling the CloseFile command.
Vulnerability 1 of 1: Out-of-bounds Write; Negative array access; Use of stale data on the stack to gain control
Vulnerability 1 of 1: CWE-787: Out-of-bounds Write
Author's Subjective Challenge Difficulty: Discovering: Easy; Proving: Hard; Fixing: Easy
It is this author's subjective opinion that discovery of this vulnerability is easy, as a negative array index to the CloseFile command should be easily identified. However, proving this vulnerability with a type 1 register control PoV is much more difficult. The system would have to recognize that it can write to a previous stack frame's PC and cause execution of nearly 30 instructions without issue to unroll the stack frame further, giving full control of PC and the base pointer. Fixing is easy: add a simple check for negative values before accessing the File Descriptor array table.
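The missing check and its fix, as an added example that is not the service's own source: it models the File Descriptor table inside a larger array so the negative index stays in defined memory. The table size, entry layout beyond the 16-bit hdr ID and 32-bit position, function names, return codes, and the starting word 0x0804A123 are assumptions constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_FDS      16       /* assumed table size */
#define GUARD_SLOTS  4        /* simulated memory located below the table */
#define FREE_HDR_ID  0xFFFF   /* value CloseFile stores in the flash hdr ID */

typedef struct {              /* assumed 8-byte entry layout */
    uint16_t hdr_id;
    uint16_t pad;
    uint32_t file_pos;
} fd_entry_t;

/* Guard slots and table share one array, so a negative table index in the
 * demo stays inside g_mem and remains well-defined C. */
static fd_entry_t g_mem[GUARD_SLOTS + MAX_FDS];
static fd_entry_t *const fd_table = &g_mem[GUARD_SLOTS];

/* Constructed state: a stand-in saved return address just below the table,
 * and fd 0 open. */
void sim_reset(void) {
    for (int i = 0; i < GUARD_SLOTS + MAX_FDS; i++)
        g_mem[i] = (fd_entry_t){FREE_HDR_ID, 0, 0};
    g_mem[GUARD_SLOTS - 1].hdr_id = 0xA123;   /* low 16 bits  */
    g_mem[GUARD_SLOTS - 1].pad    = 0x0804;   /* high 16 bits */
    fd_table[0] = (fd_entry_t){7, 0, 100};
}

/* First 32-bit word of a slot, as little-endian x86 would read it. */
uint32_t sim_word(int slot) {
    return ((uint32_t)g_mem[slot].pad << 16) | g_mem[slot].hdr_id;
}

/* Vulnerable shape (assumed): signed fd checked against the upper bound only. */
int close_file_vulnerable(int32_t fd) {
    if (fd >= MAX_FDS) return -1;
    if (fd < -GUARD_SLOTS) return -1;         /* simulation limit only */
    fd_table[fd].hdr_id = FREE_HDR_ID;
    fd_table[fd].file_pos = 0;
    return 0;
}

/* Hardened: the negative check the write-up calls for, plus a refusal to
 * close a descriptor that is not open (an extra beyond the page's fix). */
int close_file_hardened(int32_t fd) {
    if (fd < 0 || fd >= MAX_FDS) return -1;
    if (fd_table[fd].hdr_id == FREE_HDR_ID) return -2;
    fd_table[fd].hdr_id = FREE_HDR_ID;
    fd_table[fd].file_pos = 0;
    return 0;
}

int main(void) {
    sim_reset();
    close_file_vulnerable(-1);
    printf("vulnerable close(-1): word below table = 0x%08X\n",
           (unsigned)sim_word(GUARD_SLOTS - 1));
    sim_reset();
    printf("hardened close(-1) -> %d, word = 0x%08X\n",
           close_file_hardened(-1), (unsigned)sim_word(GUARD_SLOTS - 1));
    return 0;
}
```

Declaring the descriptor as an unsigned type removes the negative case at the type level, but the upper-bound comparison is still required.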
Round | Source | Destination | Result | POV | Analysis | Video |
---|---|---|---|---|---|---|
29 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
29 | CSDS | DeepRed | Failed POV | POV | Watch | |
29 | CSDS | Disekt | Failed POV | POV | Watch | |
29 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
29 | CSDS | Shellphish | Failed POV | POV | Watch | |
29 | CSDS | TECHx | Failed POV | POV | Watch | |
29 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
29 | DeepRed | CSDS | Failed POV | POV | Watch | |
29 | DeepRed | Disekt | Failed POV | POV | Watch | |
29 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
29 | DeepRed | Shellphish | Failed POV | POV | Watch | |
29 | DeepRed | TECHx | Failed POV | POV | Watch | |
30 | CodeJitsu | TECHx | Failed POV through defenses | POV | Watch | |
30 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
30 | CSDS | DeepRed | Failed POV | POV | Watch | |
30 | CSDS | Disekt | Failed POV | POV | Watch | |
30 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
30 | CSDS | Shellphish | Failed POV | POV | Watch | |
30 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
30 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
30 | DeepRed | CSDS | Failed POV | POV | Watch | |
30 | DeepRed | Disekt | Failed POV | POV | Watch | |
30 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
30 | DeepRed | Shellphish | Failed POV | POV | Watch | |
30 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
30 | ForAllSecure | CodeJitsu | Failed POV | POV | Watch | |
30 | ForAllSecure | CSDS | Failed POV | POV | Watch | |
30 | ForAllSecure | DeepRed | Failed POV | POV | Watch | |
30 | ForAllSecure | Disekt | Failed POV | POV | Watch | |
30 | ForAllSecure | Shellphish | Failed POV | POV | Watch | |
30 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
31 | CodeJitsu | Shellphish | Failed POV through defenses | POV | Watch | |
31 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
31 | CSDS | DeepRed | Failed POV | POV | Watch | |
31 | CSDS | Disekt | Failed POV | POV | Watch | |
31 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
31 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
31 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
31 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
31 | DeepRed | CSDS | Failed POV | POV | Watch | |
31 | DeepRed | Disekt | Failed POV | POV | Watch | |
31 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
31 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
31 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
31 | ForAllSecure | CodeJitsu | Failed POV | POV | Watch | |
31 | ForAllSecure | CSDS | Failed POV | POV | Watch | |
31 | ForAllSecure | DeepRed | Failed POV | POV | Watch | |
31 | ForAllSecure | Disekt | Failed POV | POV | Watch | |
31 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
31 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
32 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
32 | CSDS | DeepRed | Failed POV | POV | Watch | |
32 | CSDS | Disekt | Failed POV | POV | Watch | |
32 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
32 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
32 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
32 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
32 | DeepRed | CSDS | Failed POV | POV | Watch | |
32 | DeepRed | Disekt | Failed POV | POV | Watch | |
32 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
32 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
32 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
32 | ForAllSecure | CodeJitsu | Failed POV | POV | Watch | |
32 | ForAllSecure | CSDS | Failed POV | POV | Watch | |
32 | ForAllSecure | DeepRed | Failed POV | POV | Watch | |
32 | ForAllSecure | Disekt | Failed POV | POV | Watch | |
32 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
32 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
33 | CodeJitsu | TECHx | Failed POV through defenses | POV | Watch | |
33 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
33 | CSDS | DeepRed | Failed POV | POV | Watch | |
33 | CSDS | Disekt | Failed POV | POV | Watch | |
33 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
33 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
33 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
33 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
33 | DeepRed | CSDS | Failed POV | POV | Watch | |
33 | DeepRed | Disekt | Failed POV | POV | Watch | |
33 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
33 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
33 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
33 | ForAllSecure | CodeJitsu | Failed POV | POV | Watch | |
33 | ForAllSecure | CSDS | Failed POV | POV | Watch | |
33 | ForAllSecure | DeepRed | Failed POV | POV | Watch | |
33 | ForAllSecure | Disekt | Failed POV | POV | Watch | |
33 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
33 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
34 | CodeJitsu | Disekt | Failed POV through defenses | POV | Watch | |
34 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
34 | CSDS | DeepRed | Failed POV | POV | Watch | |
34 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
34 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
34 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
34 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
34 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
34 | DeepRed | CSDS | Failed POV | POV | Watch | |
34 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
34 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
34 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
34 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
34 | ForAllSecure | CodeJitsu | Failed POV | POV | Watch | |
34 | ForAllSecure | CSDS | Failed POV | POV | Watch | |
34 | ForAllSecure | DeepRed | Failed POV | POV | Watch | |
34 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
34 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
34 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
35 | CodeJitsu | CSDS | Failed POV through defenses | POV | Watch | |
35 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
35 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
35 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
35 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
35 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
35 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
35 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
35 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
35 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
35 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
35 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
35 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
35 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
35 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
35 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
35 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
36 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
36 | CSDS | DeepRed | Failed POV through defenses | POV | Watch | |
36 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
36 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
36 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
36 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
36 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
36 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
36 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
36 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
36 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
36 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
36 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
36 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
36 | ForAllSecure | DeepRed | Failed POV through defenses | POV | Watch | |
36 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
36 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
36 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
37 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
37 | CSDS | DeepRed | Failed POV through defenses | POV | Watch | |
37 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
37 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
37 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
37 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
37 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
37 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
37 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
37 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
37 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
37 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
37 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
37 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
37 | ForAllSecure | DeepRed | Failed POV through defenses | POV | Watch | |
37 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
37 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
37 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
38 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
38 | CSDS | DeepRed | Failed POV through defenses | POV | Watch | |
38 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
38 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
38 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
38 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
38 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
38 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
38 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
38 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
38 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
38 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
38 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
38 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
38 | ForAllSecure | DeepRed | Failed POV through defenses | POV | Watch | |
38 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
38 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
38 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
39 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
39 | CSDS | DeepRed | Failed POV through defenses | POV | Watch | |
39 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
39 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
39 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
39 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
39 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
39 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
39 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
39 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
39 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
39 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
39 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
39 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
39 | ForAllSecure | DeepRed | Failed POV through defenses | POV | Watch | |
39 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
39 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
39 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
40 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
40 | CSDS | DeepRed | Failed POV through defenses | POV | Watch | |
40 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
40 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
40 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
40 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
40 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
40 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
40 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
40 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
40 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
40 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
40 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
40 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
40 | ForAllSecure | DeepRed | Failed POV through defenses | POV | Watch | |
40 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
40 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
40 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
41 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
41 | CSDS | DeepRed | Failed POV through defenses | POV | Watch | |
41 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
41 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
41 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
41 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
41 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
41 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
41 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
41 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
41 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
41 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
41 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
41 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
41 | ForAllSecure | DeepRed | Failed POV through defenses | POV | Watch | |
41 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
41 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
41 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch | |
42 | CSDS | CodeJitsu | Failed POV through defenses | POV | Watch | |
42 | CSDS | DeepRed | Failed POV through defenses | POV | Watch | |
42 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
42 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
42 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
42 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
42 | DeepRed | CodeJitsu | Failed POV through defenses | POV | Watch | |
42 | DeepRed | CSDS | Failed POV through defenses | POV | Watch | |
42 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
42 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
42 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
42 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
42 | ForAllSecure | CodeJitsu | Failed POV through defenses | POV | Watch | |
42 | ForAllSecure | CSDS | Failed POV through defenses | POV | Watch | |
42 | ForAllSecure | DeepRed | Failed POV through defenses | POV | Watch | |
42 | ForAllSecure | Disekt | Failed POV through defenses | POV | Watch | |
42 | ForAllSecure | Shellphish | Failed POV through defenses | POV | Watch | |
42 | ForAllSecure | TECHx | Failed POV through defenses | POV | Watch |
Curated by Lunge Technology, LLC.