Qualifier Challenge - KPRCA_00024

Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWE-252 - Unchecked Return Value
  • CWEs are listed as indicated by the challenge author.


  • CodeJitsu: 0.79
  • ForAllSecure: 0.64
  • Disekt: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

Proved a POV in reference challenge

Defense against reference POVs

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Andrew Wesie" andrew.wesie@kapricasecurity.com

DARPA performer group

Kaprica Security (KPRCA)


This service implements a simple commerce site that allows users to buy and sell products. The service utilizes a database service that serves as the backend. The protocol between the two servers is a form of RPC. The RPC code was mostly generated automatically from a specification file.

Feature List

The basic features are: list products, buy a product, and sell a new product. A product has an inventory count and a price. Products are identified by their name which is a standard null-terminated string. The backend database is based on a self-balancing binary search tree, which guarantees good performance.


The vulnerability is triggered in the list products functionality (cb_1/src/main.c:58). The output is buffered into a stack buffer of fixed length (4096 bytes) and the length is not checked. This allows for arbitrary control of the contents of the stack, except for null bytes and line terminator bytes.

The second vulnerability is lack of verification of the return value of _checked_calloc; this results in the same memory being used by multiple objects.

Generic class of vulnerability

Stack-based Buffer Overflow

CWE classification

CWE-121: Stack-based Buffer Overflow CWE-252: Unchecked Return Value


The primary challenge is following the data flow between the two services. In order to crash the frontend service, you must first load enough data into the backend. It is probably a lot easier to solve this challenge with a fuzzer, because the protocol is not complicated and reasoning about the flow of data may be difficult. In order to make this more fair, only one sample poll is released to the challengers.

Curated by Lunge Technology, LLC. Questions or comments? Send us email