Qualifier Challenge - KPRCA_00008


Original Versions

Known Vulnerabilities

  • CWE-787 - Out-of-bounds Write
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 2.0
  • TECHx: 1.37
  • CSDS: 0.2
  • FuzzBOMB: 0.14
  • DeepRed: 0.04
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • Shellphish: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • FuzzBOMB: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Andrew Wesie" andrew.wesie@kapricasecurity.com

DARPA performer group

Kaprica Security (KPRCA)

Description:

This service implements a storage device over a USB-like network protocol. Basic functionality is implemented including read, write, and query size. The protocol implements functionality to eventually support hosting multiple devices on one server.

Feature List

Protocol based on proven technology used everyday by millions of people. Storage device emulates a 128 blocks with a 512-byte block size. This gives the user an impressive 64KB (!) of disk space. Large enough to hold one picture (maybe?). Privacy guaranteed because your data will never be stored on disk, and is lost as soon as you disconnect.

Vulnerability

Buffer overflow in the WRITE command allows an attacker to overflow the memory buffer and overwrite the function pointers in the usb_t structure. The memcpy_fast function, used by the WRITE command, assumes that the length of a data packet will be greater than zero, which leads to a 16-byte overflow. If the length is set to zero, then the block address can be set to NUM_BLOCKS, which is the end of the memory buffer. This gives 16-byte overwrite of the data after the memory buffer, which is the usb_t structure.

Generic class of vulnerability

Buffer Overflow

CWE classification

CWE-787: Out-of-bounds Write

Challenges

The commands are wrapped in two structures, which increases the depth needed to get to the exploitable function. Additionally, the instructions that result in the overflow use SSE registers, which must be supported by the analysis platform. In order to get to the point where commands can be sent, the devlist command must be sent, the devid extracted, and then sent as part of the import command. Lastly, the use of function pointers may make control flow more difficult to analyze.


Curated by Lunge Technology, LLC. Questions or comments? Send us email