Qualifier Challenge - KPRCA_00021


Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWE-415 - Double Free
  • CWE-908 - Use of Uninitialized Resource
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 2.6
  • Lekkertech: 2.6
  • Disekt: 1.98
  • Shellphish: 1.76
  • CSDS: 1.18
  • DeepRed: 1.1
  • CodeJitsu: 0.73
  • TrailofBits: 0.49
  • TECHx: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • TECHx: 80.0% - CB1
  • Disekt: 60.0% - CB1
  • ForAllSecure: 60.0% - CB1
  • Lekkertech: 60.0% - CB1
  • Shellphish: 60.0% - CB1
  • DeepRed: 20.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description

KTY (read as Kitty) is a JSON-like text-based data-interchange format that provides more amazing data types than JSON does. While KTY does not support unicode, it has a special type called 'cat' because cats are awesome. This program parses KTY data and prints a nicely formatted output. It even has a hidden feature for Nyan-lovers.

Feature List

The service provides three (and one hidden) menus:

  • Import KTY
  • Pretty print KTY
  • Quit
  • (Hidden) Nyan

Nyan menu prints nyan cat ascii art only if the currently imported KTY has 3 or more instances of cat-type values.

Supported types are:

  • string
  • number
  • object
  • array
  • boolean (true/false)
  • null
  • cat (=^.^=)

Vulnerability

Nyan function will print the ascii art along with the text, which can be specified with a field in KTY object. Specifically, the program will look for nyan_says key that is a string type as its value. The bug is that it will copy each instance of nyan_says string into a stack buffer with a static size, allowing an attacker to perform a stack overflow.

When given a string that doesn't result in a valid type, the item object is uninitiailzied, which causes a double-free to happen later.

Generic class of vulnerability

Stack Buffer Overlfow Double Free Uninitialized Memory

CWE classification

Stack-based Buffer Overflow (CWE-121) Double Free (CWE-415) Use of Uninitialized Resource (CWE-908)

Challenges

This CB tests if the competitors can reason about the triggering condition for the vulnerable function as well as the vulnerability itself. Lots of data structure are involved and most importantly, the program makes use of union inside of the KTY item struct for the flexible data representation.


Curated by Lunge Technology, LLC. Questions or comments? Send us email