Challenge Information - CROMU_00084

Commonly known as: Thermal_Controller_v3


Rounds Enabled

41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55

Details

Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

Author Information

"James Connor" jymbo@cromulence.com

DARPA performer group

Cromulence LLC (CROMU)

Description

This is a software re-implementation of Thermal controller software and simulation, a heating element controller such as would be used in commercial oven, BBQ smoker, or other industrial control device.

Feature List

The thermal controller is much more capable than the typical controller found in consumer level appliances such as stoves. Although it does contain static modes such a maintaining a set temperature, it also supports up to 10 temperature sensors, a smoke sensor, and a 10 step programmable thermal profile. The different program steps can be based on temperature triggers from any of the configured temperature probes, or can dwell at a fixed temperature for a programmed length of time. An ideal use of this controller would be in a competition BBQ smoker where different kinds of meat require finely tuned adjustments to temperature during the smoking process to result in proper breakdown of connective tissue, maintenance of moinsture, and control of the smoke generation. The controller was designed to be remotely operated using a separate "app" on a mobile device, and implements a binary protocol for this purprose. The controller was designed to be robust and rigorously checks that remote commands correctly configure the device.

Vulnerability

A vulnerability exists when the history list is populated with too many entries and can cause a buffer overflow of the send buffer. The last 8-bytes of the sent information for a simulate command contains the ambient temperature and the last set temperature for the thermal controller. It is possible to arbitrarily control the set temperature by sending a program list with a negative value for type. Due to an incorrect check (a signed/unsigned error) allows arbitrary set temperatures to be written by avoiding the temperature range checks. Next it is possible to write an arbitrary ambient temperature, again, due to an incorrect comparison checked of signed data (failing to validate negative numbers). This ultimately results in the ability to overflow the send buffer (which is allocated on the stack) with two arbitrary 4-byte values that results in a type-1 POV when the return address for the get_command function is overwritten.

Generic class of vulnerability

Vulnerability 1 of 1: Stack buffer overflow

CWE classification

Vulnerability 1 of 1: CWE-121 Stack-based Buffer Overflow

Challenges

Authors Subjective Challenge Difficulty: Discovering: Medium Proving: Medium Fixing: Easy

This vulnerability is considered to be on the harder side of proving due to the conditions that are needed to properly trigger a type-1 vulnerability. Due to its nature fixing the vulnerability is a trivial as it involves fixing the type checks to unsigned values. There may be some difficulty for the CRS in discovering all of the initial conditions needed to trigger and prove the vulnerability in this service.


POV Information

Round Source Destination Result POV Analysis Video
42 CSDS DeepRed Failed POV POV Watch
42 CSDS Disekt Failed POV POV Watch
42 CSDS ForAllSecure Failed POV POV Watch
42 CSDS Shellphish Failed POV POV Watch
42 CSDS TECHx Failed POV POV Watch
42 DeepRed CodeJitsu Failed POV POV Watch
42 DeepRed CSDS Failed POV POV Watch
42 DeepRed Disekt Failed POV POV Watch
42 DeepRed ForAllSecure Failed POV POV Watch
42 DeepRed Shellphish Failed POV POV Watch
42 DeepRed TECHx Failed POV POV Watch
43 CSDS CodeJitsu Failed POV POV Watch
43 CSDS DeepRed Failed POV POV Watch
43 CSDS Disekt Failed POV POV Watch
43 CSDS ForAllSecure Failed POV POV Watch
43 CSDS Shellphish Failed POV POV Watch
43 CSDS TECHx Failed POV POV Watch
43 DeepRed CodeJitsu Failed POV POV Watch
43 DeepRed CSDS Failed POV POV Watch
43 DeepRed Disekt Failed POV POV Watch
43 DeepRed ForAllSecure Failed POV POV Watch
43 DeepRed Shellphish Failed POV POV Watch
43 DeepRed TECHx Failed POV POV Watch
44 CodeJitsu Shellphish Failed POV through defenses POV Watch
44 CSDS CodeJitsu Failed POV POV Watch
44 CSDS DeepRed Failed POV POV Watch
44 CSDS Disekt Failed POV POV Watch
44 CSDS ForAllSecure Failed POV POV Watch
44 CSDS Shellphish Failed POV through defenses POV Watch
44 CSDS TECHx Failed POV POV Watch
44 DeepRed CodeJitsu Failed POV POV Watch
44 DeepRed CSDS Failed POV POV Watch
44 DeepRed Disekt Failed POV POV Watch
44 DeepRed ForAllSecure Failed POV POV Watch
44 DeepRed Shellphish Failed POV through defenses POV Watch
44 DeepRed TECHx Failed POV POV Watch
45 CSDS CodeJitsu Failed POV POV Watch
45 CSDS DeepRed Failed POV POV Watch
45 CSDS Disekt Failed POV POV Watch
45 CSDS ForAllSecure Failed POV POV Watch
45 CSDS Shellphish Failed POV through defenses POV Watch
45 CSDS TECHx Failed POV POV Watch
45 DeepRed CodeJitsu Failed POV POV Watch
45 DeepRed CSDS Failed POV POV Watch
45 DeepRed Disekt Failed POV POV Watch
45 DeepRed ForAllSecure Failed POV POV Watch
45 DeepRed Shellphish Failed POV through defenses POV Watch
45 DeepRed TECHx Failed POV POV Watch
46 CodeJitsu Disekt Failed POV through defenses POV Watch
46 CSDS CodeJitsu Failed POV POV Watch
46 CSDS DeepRed Failed POV POV Watch
46 CSDS Disekt Failed POV through defenses POV Watch
46 CSDS ForAllSecure Failed POV POV Watch
46 CSDS Shellphish Failed POV through defenses POV Watch
46 CSDS TECHx Failed POV POV Watch
46 DeepRed CodeJitsu Failed POV POV Watch
46 DeepRed CSDS Failed POV POV Watch
46 DeepRed Disekt Failed POV through defenses POV Watch
46 DeepRed ForAllSecure Failed POV POV Watch
46 DeepRed Shellphish Failed POV through defenses POV Watch
46 DeepRed TECHx Failed POV POV Watch
47 CSDS CodeJitsu Failed POV POV Watch
47 CSDS DeepRed Failed POV POV Watch
47 CSDS Disekt Failed POV through defenses POV Watch
47 CSDS ForAllSecure Failed POV POV Watch
47 CSDS Shellphish Failed POV through defenses POV Watch
47 CSDS TECHx Failed POV POV Watch
47 DeepRed CodeJitsu Failed POV POV Watch
47 DeepRed CSDS Failed POV POV Watch
47 DeepRed Disekt Failed POV through defenses POV Watch
47 DeepRed ForAllSecure Failed POV POV Watch
47 DeepRed Shellphish Failed POV through defenses POV Watch
47 DeepRed TECHx Failed POV POV Watch
48 CSDS CodeJitsu Failed POV POV Watch
48 CSDS DeepRed Failed POV POV Watch
48 CSDS Disekt Failed POV through defenses POV Watch
48 CSDS ForAllSecure Failed POV POV Watch
48 CSDS Shellphish Failed POV through defenses POV Watch
48 CSDS TECHx Failed POV POV Watch
48 DeepRed CodeJitsu Failed POV POV Watch
48 DeepRed CSDS Failed POV POV Watch
48 DeepRed Disekt Failed POV through defenses POV Watch
48 DeepRed ForAllSecure Failed POV POV Watch
48 DeepRed Shellphish Failed POV through defenses POV Watch
48 DeepRed TECHx Failed POV POV Watch
49 CSDS CodeJitsu Failed POV POV Watch
49 CSDS DeepRed Failed POV POV Watch
49 CSDS Disekt Failed POV through defenses POV Watch
49 CSDS ForAllSecure Failed POV POV Watch
49 CSDS Shellphish Failed POV through defenses POV Watch
49 CSDS TECHx Failed POV POV Watch
49 DeepRed CodeJitsu Failed POV POV Watch
49 DeepRed CSDS Failed POV POV Watch
49 DeepRed Disekt Failed POV through defenses POV Watch
49 DeepRed ForAllSecure Failed POV POV Watch
49 DeepRed Shellphish Failed POV through defenses POV Watch
49 DeepRed TECHx Failed POV POV Watch
50 CSDS CodeJitsu Failed POV POV Watch
50 CSDS DeepRed Failed POV POV Watch
50 CSDS Disekt Failed POV through defenses POV Watch
50 CSDS ForAllSecure Failed POV POV Watch
50 CSDS Shellphish Failed POV through defenses POV Watch
50 CSDS TECHx Failed POV POV Watch
50 DeepRed CodeJitsu Failed POV POV Watch
50 DeepRed CSDS Failed POV POV Watch
50 DeepRed Disekt Failed POV through defenses POV Watch
50 DeepRed ForAllSecure Failed POV POV Watch
50 DeepRed Shellphish Failed POV through defenses POV Watch
50 DeepRed TECHx Failed POV POV Watch
51 CSDS CodeJitsu Failed POV POV Watch
51 CSDS DeepRed Failed POV POV Watch
51 CSDS Disekt Failed POV through defenses POV Watch
51 CSDS ForAllSecure Failed POV POV Watch
51 CSDS Shellphish Failed POV through defenses POV Watch
51 CSDS TECHx Failed POV POV Watch
51 DeepRed CodeJitsu Failed POV POV Watch
51 DeepRed CSDS Failed POV POV Watch
51 DeepRed Disekt Failed POV through defenses POV Watch
51 DeepRed ForAllSecure Failed POV POV Watch
51 DeepRed Shellphish Failed POV through defenses POV Watch
51 DeepRed TECHx Failed POV POV Watch
52 CSDS CodeJitsu Failed POV POV Watch
52 CSDS DeepRed Failed POV POV Watch
52 CSDS Disekt Failed POV through defenses POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV through defenses POV Watch
52 CSDS TECHx Failed POV POV Watch
52 DeepRed CodeJitsu Failed POV POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV through defenses POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV through defenses POV Watch
52 DeepRed TECHx Failed POV POV Watch
53 CSDS CodeJitsu Failed POV POV Watch
53 CSDS DeepRed Failed POV POV Watch
53 CSDS Disekt Failed POV through defenses POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV through defenses POV Watch
53 CSDS TECHx Failed POV POV Watch
53 DeepRed CodeJitsu Failed POV POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV through defenses POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV through defenses POV Watch
53 DeepRed TECHx Failed POV POV Watch
54 CSDS CodeJitsu Failed POV POV Watch
54 CSDS DeepRed Failed POV POV Watch
54 CSDS Disekt Failed POV through defenses POV Watch
54 CSDS ForAllSecure Failed POV POV Watch
54 CSDS Shellphish Failed POV through defenses POV Watch
54 CSDS TECHx Failed POV POV Watch
54 DeepRed CodeJitsu Failed POV POV Watch
54 DeepRed CSDS Failed POV POV Watch
54 DeepRed Disekt Failed POV through defenses POV Watch
54 DeepRed ForAllSecure Failed POV POV Watch
54 DeepRed Shellphish Failed POV through defenses POV Watch
54 DeepRed TECHx Failed POV POV Watch
55 CSDS CodeJitsu Failed POV POV Watch
55 CSDS DeepRed Failed POV POV Watch
55 CSDS Disekt Failed POV through defenses POV Watch
55 CSDS ForAllSecure Failed POV POV Watch
55 CSDS Shellphish Failed POV through defenses POV Watch
55 CSDS TECHx Failed POV POV Watch
55 DeepRed CodeJitsu Failed POV POV Watch
55 DeepRed CSDS Failed POV POV Watch
55 DeepRed Disekt Failed POV through defenses POV Watch
55 DeepRed ForAllSecure Failed POV POV Watch
55 DeepRed Shellphish Failed POV through defenses POV Watch
55 DeepRed TECHx Failed POV POV Watch

Curated by Lunge Technology, LLC. Questions or comments? Send us email