Qualifier Challenge - KPRCA_00009

Original Versions

Known Vulnerabilities

  • CWE-170 - Improper Null Termination
  • CWEs are listed as indicated by the challenge author.


  • Shellphish: 2.77
  • Disekt: 1.78
  • CSDS: 1.0
  • CodeJitsu: 0.7
  • TrailofBits: 0.45
  • ForAllSecure: 0.19
  • TECHx: 0.0
  • FuzzBOMB: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • ForAllSecure - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Andrew Wesie" andrew.wesie@kapricasecurity.com

DARPA performer group

Kaprica Security (KPRCA)


This service implements an emulator of a game system. The user sends a cartridge data which is run by the emulator. The user can send commands to simulate input controls or to quit the emulator. Several times per second the emulator will send the current screen of the game system to the user as ASCII art.

Feature List

The emulator supports basic I/O, interrupts, timers, and many types of instructions. The emulated ISA is a variation of the Z80, which features variable-length instructions, 8-bit and 16-bit registers, and a 16-bit address space. Capabilities include a 1 MIPS (million instructions per second) CPU, 32KB of ROM, 8KB of RAM, and 8 digital inputs.


The vulnerability is present in the cartridge loading functionality. Every cartridge has a header which includes a title field. The emulator iterates over the title field until it hits a non-uppercase character, and copying the characters unless it is passed the end of the title buffer. However, after the loop, it adds a NULL-byte which may be past the end of the buffer if the original title field was not properly terminated.

With this vulnerability, an attacker is able to set a byte of the bg pointer to zero, which will result in a segmentation fault on access. Additionally, the attacker has some control of which bytes get written to the bg memory, though this is not necessary to prove vulnerability.

Generic class of vulnerability

Buffer Overflow

CWE classification

CWE-170: Improper Null Termination


Analysis of this service will face challenges with state-space explosion due to the size of the input and the multiple effects of each byte.

In order to increase the probability of a solution, the vulnerability can be triggered by modifying only the bytes in the cartridge header. Additionally, the vulnerability occurs before the main loop and allows for setting an arbitrary byte of a pointer to zero, which may help narrow the search space for a solution.

Curated by Lunge Technology, LLC. Questions or comments? Send us email