Qualifier Challenge - KPRCA_00023


Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-122 - Heap-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 0.29
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description:

This CB emulates an online job application form. An applicant moves through several pages of grouped questions (Candidate Info, Education, Address, etc.) and is forced to answer each question on the form before continuing to the next page. The pages are sequential and, once completed, can be revisited using the "prev" command. Completed pages can have individual questions updated with new answers, or an applicant can simply review his or her answers.

Once the form is completed the user can "submit" the form by exiting, or "discard" by using ctrl-c. The two are functionally equivalent, but we would hate to feel like someone didn't have a chance to throw their application away.

The code attempts to model a web interface. Each input has a textfield, a buffer to hold the response, and a verification function that makes sure the input is valid.

Feature List

An applicant can enter input when asked a question, or navigate across the application with the following commands:

All commands begin with ** and may be entered at any time during the CB:

  • **prev
  • **next
  • **update [id]
  • **help
  • **exit

Vulnerability

When an entry is updated with the **update function, a compare is made using strncmp between the existing entry data and the data the entry is to be updated with. If this check passes, the new data is copied over the old data using strcpy. The logical flaw is that the length argument to strncmp is the length of the old data, not the new data, so nothing bounds the copy by the size of the destination. Since entries are stored on the heap, if the new data is significantly longer than the old data, a heap-based buffer overflow occurs.
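A model of the update step described above, written as an added example rather than code from the KPRCA_00023 source: the entry struct, the strncmp gate bounded by the old answer's length, the overflow it fails to prevent (computed rather than performed), and a capacity-bounded replacement. The struct, function names and the sense of the compare are assumptions.

```c
#include <stdlib.h>
#include <string.h>

/* One form entry: a heap buffer sized for the answer first given. */
struct entry {
    char *data;      /* current answer, NUL-terminated */
    size_t capacity; /* bytes allocated for data, including the NUL */
};

/* Allocate an entry sized exactly for its first answer (constructed model). */
struct entry *entry_new(const char *answer) {
    struct entry *e = malloc(sizeof *e);
    if (!e) return NULL;
    e->capacity = strlen(answer) + 1;
    e->data = malloc(e->capacity);
    if (!e->data) { free(e); return NULL; }
    memcpy(e->data, answer, e->capacity);
    return e;
}

void entry_free(struct entry *e) { if (e) { free(e->data); free(e); } }

/* Flawed gate as the description states it: the only check before the copy
 * is an strncmp whose length comes from the OLD answer. That can tell
 * whether the new answer shares the old prefix, but nothing about how long
 * the new answer is. Compare sense (== 0) is assumed. Returns 1 when the
 * original code would proceed to strcpy(). */
int flawed_gate_passes(const struct entry *e, const char *new_answer) {
    return strncmp(e->data, new_answer, strlen(e->data)) == 0;
}

/* Bytes an unbounded strcpy(e->data, new_answer) would write past the
 * allocation once the gate passes (0 = still fits). Computed, not
 * performed, so the model never corrupts the heap. */
size_t flawed_overflow_bytes(const struct entry *e, const char *new_answer) {
    size_t need = strlen(new_answer) + 1;
    return need > e->capacity ? need - e->capacity : 0;
}

/* Hardened update: bound the copy by the destination's capacity, the only
 * length that matters. Returns 0 on success, -1 if the new answer does not
 * fit (the caller can reject it or reallocate first). */
int entry_update_checked(struct entry *e, const char *new_answer) {
    size_t need = strlen(new_answer) + 1;
    if (need > e->capacity) return -1;
    memcpy(e->data, new_answer, need);
    return 0;
}
```

With an entry created from "Austin", the flawed gate accepts "Austin, TX" (the prefix matches) even though the copy would run four bytes past the seven-byte allocation, while entry_update_checked rejects it.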

CWE classification

  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-122: Heap-based Buffer Overflow

Challenges

This problem requires competitors to be able to pass all the data validation checks to get to the vulnerable update function. It then requires them to reason about common issues associated with string manipulation functions and issues associated with unbounded copies to data on the heap.


Curated by Lunge Technology, LLC. Questions or comments? Send us email