Qualifier Challenge - KPRCA_00031

Original Versions

Known Vulnerabilities

  • CWE-122 - Heap-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 0.41
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)


This service implements a fictitious chat channel on the Enslavednode chat server. There are two bots in the channel, named "case" and "molly". Both are Markov chain bots that chat in the channel when the user enters text. They only respond a certain percentage of the time, and since they are Markov bots their responses are based purely on the user's input and a small initial corpus of text that is fed into the system at initialization. Case generates a response whenever the user enters text. This response is always sent to molly, who uses it to build her Markov chain, and it is occasionally sent back to the user. Molly's generated text is only sent back to the user with some probability.

Feature List

The bots implement a set of separate bot functions that can be activated if the input they are sent triggers them. They are listed below:

  • case:
    • /hello - Responds with a kind greeting to the user.
    • /rev - Reverses the user's input string.
    • /howsmart - Gives a metric on the bot's "intelligence".
  • molly:
    • /pont - Pontificates about the topic at hand.

The user can also quit with the /part command.


The vulnerability for this service is in the /pont command for molly. She constructs a response and initializes a new string with it before returning it to the user. The string constructor, however, does not check the size of the string it is copying into itself at initialization. This results in a heap overflow.
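The constructor pattern described above, as an added C example that is not the challenge binary's own code: a fixed-capacity heap string whose constructor copies its source without a bound check, beside a hardened constructor that fails closed when the text does not fit. The type str_t, the capacity STR_CAP and all function names are assumptions made for illustration.

```c
/* Added example, not the challenge's own code; str_t, STR_CAP and the
 * function names are assumptions for illustration. */
#include <stdlib.h>
#include <string.h>
#define STR_CAP 32   /* assumed fixed size of the string's heap buffer */
typedef struct { size_t len; char *buf; } str_t;   /* buf is STR_CAP bytes */
void str_free(str_t *s) { if (s) { free(s->buf); free(s); } }

/* Allocate the object and its fixed-size heap buffer (used by both forms). */
static str_t *str_alloc(void)
{
    str_t *s = malloc(sizeof *s);
    if (s && !(s->buf = malloc(STR_CAP))) { free(s); s = NULL; }
    return s;
}

/* The bug the page describes: the copy trusts strlen(src) and never compares
 * it with STR_CAP, so a /pont response longer than STR_CAP - 1 bytes writes
 * past the chunk (CWE-122). Shown for comparison; never given oversized input here. */
str_t *str_init_unchecked(const char *src)
{
    str_t *s = str_alloc();
    if (!s) return NULL;
    s->len = strlen(src);
    memcpy(s->buf, src, s->len + 1);   /* no bound check */
    return s;
}

/* Hardened form: compare length plus NUL with the capacity before touching
 * the heap, and fail closed if the source does not fit. */
str_t *str_init_checked(const char *src)
{
    size_t n = strlen(src);
    if (n + 1 > STR_CAP) return NULL;
    str_t *s = str_alloc();
    if (!s) return NULL;
    s->len = n;
    memcpy(s->buf, src, n + 1);
    return s;
}

/* Returns 1 if the checked constructor accepts src intact, 0 if it rejects. */
int str_accepts(const char *src)
{
    str_t *s = str_init_checked(src);
    int ok = s && s->len == strlen(src) && strcmp(s->buf, src) == 0;
    str_free(s);
    return ok;
}
```

The boundary that matters is STR_CAP - 1 payload bytes: the 31-character input fits with its terminator, the 32-character one is refused instead of overrunning the chunk.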

Generic class of vulnerability

Heap-based Buffer Overflow

CWE classification

CWE-122: Heap-based Buffer Overflow


The vulnerability in this service is simple enough, but it is guarded behind a fairly complex layer of logic, i.e. the Markov chain text generation. An attacker must be able to correctly insert text into the system that results in a vulnerability-triggering emission for the /pont command. This requires a fairly decent dataflow analysis system.

Curated by Lunge Technology, LLC. Questions or comments? Send us email