"Steve Wood" swood@cromulence.com
Cromulence LLC (CROMU)
This service implements a command line shell-like interface to an underlying filesystem--providing high-level commands that encapsulate the lower-level API calls of the filesystem.
The filesystem supports "regular" files, and files mapped to a malloc'ed memory region. Commands are provided to create these files, read and write to them, copy them, and finally to erase them. In addition, the filesystem supports file ownership and "others" permissions so that access to individual files can be restricted or shared as the file owner desires. When started, the shell presents a login prompt that uses data from the magic page for authentication information. However, the shell does allow for "guest" access using a built-in account with hardcoded credentials.
The filesystem allocates one "block" of space to a file directory. Because the block size is decided when the filesystem is initialized, the maximum number of directory entries is variable and is calculated during initialization. In one of the calculations of the maximum number of files, the programmer forgets to subtract the static overhead data from the total before dividing by the size of a directory entry, resulting in an off-by-one error in the maximum count. If this maximum number of files is created, the last one will overflow into the next block of storage space--overwriting up to 8 bytes of data there.
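The miscalculation described above, shown beside its corrected form, as an added example that is not the service's own code. The header size, entry size and function names are assumptions chosen for illustration; with them, the flawed count is one too high only when the block has less spare room than the header needs.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed layout (not taken from the service): a directory block begins
 * with a fixed header, followed by fixed-size entries. */
#define DIR_HEADER_SIZE 8u   /* assumed static overhead, in bytes */
#define DIR_ENTRY_SIZE  64u  /* assumed size of one directory entry */

/* Flawed form described in the text: the overhead is not subtracted. */
size_t max_entries_flawed(size_t block_size) {
    return block_size / DIR_ENTRY_SIZE;
}

/* Corrected form: only the space after the header can hold entries. */
size_t max_entries_fixed(size_t block_size) {
    if (block_size < DIR_HEADER_SIZE) return 0;
    return (block_size - DIR_HEADER_SIZE) / DIR_ENTRY_SIZE;
}

/* Bytes that land past the end of the block when `count` entries are stored. */
size_t overflow_bytes(size_t block_size, size_t count) {
    size_t used = DIR_HEADER_SIZE + count * DIR_ENTRY_SIZE;
    return used > block_size ? used - block_size : 0;
}

/* Defensive check for the create path: reject an entry that would not fit,
 * whatever the precomputed maximum says. `index` is zero-based. */
int entry_fits(size_t block_size, size_t index) {
    return DIR_HEADER_SIZE + (index + 1) * DIR_ENTRY_SIZE <= block_size;
}

int main(void) {
    /* Constructed block sizes; 520 shows a geometry where the counts agree. */
    size_t sizes[] = {512, 520, 1024, 4096};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t bs = sizes[i];
        size_t bad = max_entries_flawed(bs), good = max_entries_fixed(bs);
        printf("block=%zu flawed=%zu fixed=%zu overflow=%zu bytes\n",
               bs, bad, good, overflow_bytes(bs, bad));
    }
    return 0;
}
```

A per-write bounds check such as `entry_fits` catches the overflow even if the stored maximum is wrong, which is why it is worth keeping alongside the corrected division.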
Off By One
CWE-193 Off By One
For the initial startup condition of this service, the block that can be overwritten is already allocated to a file created during initialization of the system. The block overwritten is essentially its "i-node" block, which has a list of the blocks containing the file's data. Overwriting this data will most likely result in a crash and the read of some other service memory area, but not the magic page. Any attempt to write to this file will cause the file to be truncated to zero length first, clearing and releasing this corrupt block.
To successfully exploit this vulnerability, the existing file using that block must be deleted and a file of the memory mapped type must be created first. For this file type, the overwritten block does not contain pointers to other blocks containing data, but instead holds the pointer and length of the memory malloc'ed for this file. By manipulating the filename used in the final file creation that overflows the directory, the pointer in this block can be overwritten to point to the magic page. The amount of program understanding required to successfully exploit this vulnerability makes this one difficult.
Finding Vulnerability 1: easy
Proving Vulnerability 1: hard
Fixing Vulnerability 1: easy
Round | Source | Destination | Result | POV | Analysis | Video |
---|---|---|---|---|---|---|
40 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
40 | CSDS | DeepRed | Failed POV | POV | Watch | |
40 | CSDS | Disekt | Failed POV | POV | Watch | |
40 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
40 | CSDS | Shellphish | Failed POV | POV | Watch | |
40 | CSDS | TECHx | Failed POV | POV | Watch | |
40 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
40 | DeepRed | CSDS | Failed POV | POV | Watch | |
40 | DeepRed | Disekt | Failed POV | POV | Watch | |
40 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
40 | DeepRed | Shellphish | Failed POV | POV | Watch | |
40 | DeepRed | TECHx | Failed POV | POV | Watch | |
41 | CodeJitsu | Disekt | Failed POV through defenses | POV | Watch | |
41 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
41 | CSDS | DeepRed | Failed POV | POV | Watch | |
41 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
41 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
41 | CSDS | Shellphish | Failed POV | POV | Watch | |
41 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
41 | DeepRed | CSDS | Failed POV | POV | Watch | |
41 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
41 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
41 | DeepRed | Shellphish | Failed POV | POV | Watch | |
42 | CodeJitsu | Shellphish | Failed POV through defenses | POV | Watch | |
42 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
42 | CSDS | DeepRed | Failed POV | POV | Watch | |
42 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
42 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
42 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
42 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
42 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
42 | DeepRed | CSDS | Failed POV | POV | Watch | |
42 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
42 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
42 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
42 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
43 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
43 | CSDS | DeepRed | Failed POV | POV | Watch | |
43 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
43 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
43 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
43 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
43 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
43 | DeepRed | CSDS | Failed POV | POV | Watch | |
43 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
43 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
43 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
43 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
44 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
44 | CSDS | DeepRed | Failed POV | POV | Watch | |
44 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
44 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
44 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
44 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
44 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
44 | DeepRed | CSDS | Failed POV | POV | Watch | |
44 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
44 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
44 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
44 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
45 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
45 | CSDS | DeepRed | Failed POV | POV | Watch | |
45 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
45 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
45 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
45 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
45 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
45 | DeepRed | CSDS | Failed POV | POV | Watch | |
45 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
45 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
45 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
45 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
46 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
46 | CSDS | DeepRed | Failed POV | POV | Watch | |
46 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
46 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
46 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
46 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
46 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
46 | DeepRed | CSDS | Failed POV | POV | Watch | |
46 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
46 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
46 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
46 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
47 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
47 | CSDS | DeepRed | Failed POV | POV | Watch | |
47 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
47 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
47 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
47 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
47 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
47 | DeepRed | CSDS | Failed POV | POV | Watch | |
47 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
47 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
47 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
47 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
48 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
48 | CSDS | DeepRed | Failed POV | POV | Watch | |
48 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
48 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
48 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
48 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
48 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
48 | DeepRed | CSDS | Failed POV | POV | Watch | |
48 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
48 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
48 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
48 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
49 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
49 | CSDS | DeepRed | Failed POV | POV | Watch | |
49 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
49 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
49 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
49 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
49 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
49 | DeepRed | CSDS | Failed POV | POV | Watch | |
49 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
49 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
49 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
49 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
50 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
50 | CSDS | DeepRed | Failed POV | POV | Watch | |
50 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
50 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
50 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
50 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
50 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
50 | DeepRed | CSDS | Failed POV | POV | Watch | |
50 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
50 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
50 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
50 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
51 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
51 | CSDS | DeepRed | Failed POV | POV | Watch | |
51 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
51 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
51 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
51 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
51 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
51 | DeepRed | CSDS | Failed POV | POV | Watch | |
51 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
51 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
51 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
51 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
52 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
52 | CSDS | DeepRed | Failed POV | POV | Watch | |
52 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
52 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
52 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
52 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
52 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
52 | DeepRed | CSDS | Failed POV | POV | Watch | |
52 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
52 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
52 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
52 | DeepRed | TECHx | Failed POV through defenses | POV | Watch | |
53 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
53 | CSDS | DeepRed | Failed POV | POV | Watch | |
53 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
53 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
53 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
53 | CSDS | TECHx | Failed POV through defenses | POV | Watch | |
53 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
53 | DeepRed | CSDS | Failed POV | POV | Watch | |
53 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
53 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
53 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
53 | DeepRed | TECHx | Failed POV through defenses | POV | Watch |
Curated by Lunge Technology, LLC.