debbie@cromulence.com
Cromulence LLC (CROMU)
This challenge set contains 3 binaries that closely mimic the behavior of three services: fingerd, sendmail, and rsh and an additional 'front door' binary that provides access to the others. These services were involved in the propagation of the original Internet Worm written by Robert Morris. The fingerd service was vulnerable to a simple stack buffer overflow, originally caused by use of the gets() function. The sendmail service was vulnerable to a logic bug that existed in debug mode which allowed the shell interpreter to be the recipient of the message. The rsh service was inherently vulnerable by using a naive trust model and is vulnerable to password brute force attacks.
The services in this challenge set are lookupd, inspired by fingerd, mailsender, inspired by sendmail, and ish, inspired by rsh. Each contains similar functionality to the original services and the same original bugs.
This is a multi binary challenge set. The first binary acts as the front door, handling the initial connection and directing input to one of three services (lookupd, mailsender, and ish).
Lookupd is a lookup service that provides name and contact info for users. This service is randomly populated with fake user data on startup. It allows querying for a particular user or listing all users on the system.
ISH is an internet shell service. It requires a login and password and implements a dummy shell with a limited command set. It contains one set of static credentials and then generates random additional credentials on startup.
Mailsender is a mail server. It allows listing known addresses, dumping mail queues, reading messages, and posting new messages.
The vulnerability in lookupd is equivalent to a gets() call. This function reads input from the user onto the stack with no bounds checking. This allows a very straightforward buffer overflow. It should be easy to find, easy to prove, and easy to patch.
The vulnerability in ISH contains two elements. One is the existence of static credentials that would allow the CRS to login and execute commands. The second is that one of the shell commands allows arbitrary reads from memory, thus enabling a memory leak (type 2 POV). The CRS could eliminate this vulnerability by either deactivating the compromised account credentials or preventing the shell command from accessing the sensitive memory region. This bug should be easy to find, easy to prove, and easy to patch.
The vulnerability in mailsender is patterned after CVE-1999-0095 which allowed a remote user to access the root shell through a debug command. In this case if the CRS connects to mailsender using the -d flag and submits a message with the correct recipient, it can access a command shell that allows arbitrary read of memory. This vulnerability can be patched by either deactivating the -d debug mode or by restricting the shell from accessing the sensitive memory region. It should be easy to find, easy to prove, and easy to patch.
The lookupd vulnerability is a stack buffer overflow. The ISH vulnerability is a logic bug leading to an arbitrary memory read. The mailsender vulnerability is also a logic bug leading to an arbitrary memory read.
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-798 Hard Coded Credentials CWE-215 Information Exposure Through Debug Information
These vulnerabilities are patterned after very basic and outdated vulnerabilities so they should be straightforward to find, prove, and patch. One potential complicating matter is that there are four binaries in this system and some communication travels between them rather than directly to/from the user. Since most challenge sets are not designed in this manner it may prove difficult for some analysis systems.
| Round | Source | Destination | Result | POV | Analysis | Video |
|---|---|---|---|---|---|---|
| 47 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 47 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 47 | CSDS | Disekt | Failed POV | POV | Watch | |
| 47 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 47 | CSDS | Shellphish | Failed POV | POV | Watch | |
| 47 | CSDS | TECHx | Failed POV | POV | Watch | |
| 47 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 47 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 47 | DeepRed | Disekt | Failed POV | POV | Watch | |
| 47 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 47 | DeepRed | Shellphish | Failed POV | POV | Watch | |
| 47 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 48 | CodeJitsu | Disekt | Failed POV through defenses | POV | ||
| 48 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 48 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 48 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 48 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 48 | CSDS | Shellphish | Failed POV | POV | Watch | |
| 48 | CSDS | TECHx | Failed POV | POV | Watch | |
| 48 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 48 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 48 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 48 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 48 | DeepRed | Shellphish | Failed POV | POV | Watch | |
| 48 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 49 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 49 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 49 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 49 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 49 | CSDS | Shellphish | Failed POV | POV | Watch | |
| 49 | CSDS | TECHx | Failed POV | POV | Watch | |
| 49 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 49 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 49 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 49 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 49 | DeepRed | Shellphish | Failed POV | POV | Watch | |
| 49 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 50 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 50 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 50 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 50 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 50 | CSDS | Shellphish | Failed POV | POV | Watch | |
| 50 | CSDS | TECHx | Failed POV | POV | Watch | |
| 50 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 50 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 50 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 50 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 50 | DeepRed | Shellphish | Failed POV | POV | Watch | |
| 50 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 51 | CodeJitsu | Shellphish | Failed POV through defenses | POV | Watch | |
| 51 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 51 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 51 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 51 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 51 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 51 | CSDS | TECHx | Failed POV | POV | Watch | |
| 51 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 51 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 51 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 51 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 51 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 51 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 52 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 52 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 52 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 52 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 52 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 52 | CSDS | TECHx | Failed POV | POV | Watch | |
| 52 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 52 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 52 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 52 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 52 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 52 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 53 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 53 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 53 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 53 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 53 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 53 | CSDS | TECHx | Failed POV | POV | Watch | |
| 53 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 53 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 53 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 53 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 53 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 53 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 54 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 54 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 54 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 54 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 54 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 54 | CSDS | TECHx | Failed POV | POV | Watch | |
| 54 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 54 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 54 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 54 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 54 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 54 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 55 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 55 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 55 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 55 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 55 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 55 | CSDS | TECHx | Failed POV | POV | Watch | |
| 55 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 55 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 55 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 55 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 55 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 55 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 56 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 56 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 56 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 56 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 56 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 56 | CSDS | TECHx | Failed POV | POV | Watch | |
| 56 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 56 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 56 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 56 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 56 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 56 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 57 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 57 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 57 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 57 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 57 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 57 | CSDS | TECHx | Failed POV | POV | Watch | |
| 57 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 57 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 57 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 57 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 57 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 57 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 58 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 58 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 58 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 58 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 58 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 58 | CSDS | TECHx | Failed POV | POV | Watch | |
| 58 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 58 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 58 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 58 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 58 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 58 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 59 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 59 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 59 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 59 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 59 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 59 | CSDS | TECHx | Failed POV | POV | Watch | |
| 59 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 59 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 59 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 59 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 59 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 59 | DeepRed | TECHx | Failed POV | POV | Watch | |
| 60 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
| 60 | CSDS | DeepRed | Failed POV | POV | Watch | |
| 60 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
| 60 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
| 60 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
| 60 | CSDS | TECHx | Failed POV | POV | Watch | |
| 60 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
| 60 | DeepRed | CSDS | Failed POV | POV | Watch | |
| 60 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
| 60 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
| 60 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
| 60 | DeepRed | TECHx | Failed POV | POV | Watch |
Curated by Lunge Technology, LLC. Questions or comments? Send us email