Original Versions

• Author-supplied POVs: POV1, POV2, POV3
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-125 - Out-of-bounds Read
CWEs are listed as indicated by the challenge author.

Scores

• Disekt: 3.29
• Lekkertech: 2.67
• ForAllSecure: 2.33
• Shellphish: 2.33
• CodeJitsu: 1.49
• CSDS: 1.42
• TECHx: 0.0
• FuzzBOMB: 0.0
• TrailofBits: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• Disekt - CB1
• TrailofBits - CB1

Proved a POV in reference challenge

• CodeJitsu - POV
• Disekt - POV
• ForAllSecure - POV
• Lekkertech - POV
• Shellphish - POV
• TrailofBits - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• CodeJitsu: 100.0% - CB1
• Disekt: 100.0% - CB1
• CSDS: 100.0% - CB1
• TrailofBits: 100.0% - CB1
• Lekkertech: 66.7% - CB1
• TECHx: 66.7% - CB1
• ForAllSecure: 33.3% - CB1
• Shellphish: 33.3% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9
• Submission 10

DARPA performer group

Kaprica Security (KPRCA)

Description:

This service implements a parser and pretty printer for a Type-Length-Value protocol known as ASL6. ASL6 is commonly used amongst retro online-chat enthusiasts who desire an easy to exchange basic information about themselves to eachother such as age,gender,or geographic location.

Feature List

This service simply reads a ASL6 element up to 32KB in size and pretty prints its contents back the the user. It is able to handle a variety of complex datetypes such as time and object identifiers.

Vulnerability

This service's vulnerability lies in the print_oid function. This function parsers and prints the OID element type according to the format defined in the ASL6 protocol. The function both fails to do a required bounds check on the index into the array containing the OID data after it is updated and to correctly pass an upper bounds on a slice into the data to a corresponding helper function. These flaws in conjuction result in an out of bounds read.

Generic class of vulnerability

Out-of-bounds Read

CWE classification

CWE-125: Out-of-bounds Read

Challenges

The challanges introducted to competitors in this service are a slightly complicated protocol which the competitors must adhere to in order to progress through the states of the servic, a variety of integrity checks inherent to the encoding scheme to which they also must adhere.