Original Versions

• Author-supplied POVs: POV1, POV2, POV3, POV4
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-190 - Integer Overflow or Wraparound
• CWE-839 - Numeric Range Comparison Without Minimum Check
CWEs are listed as indicated by the challenge author.

Scores

• ForAllSecure: 4.0
• Shellphish: 1.93
• CSDS: 1.65
• CodeJitsu: 1.24
• TrailofBits: 0.05
• Disekt: 0.03
• TECHx: 0.0
• FuzzBOMB: 0.0
• DeepRed: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• Disekt - CB1
• ForAllSecure - CB1
• FuzzBOMB - CB1
• Shellphish - CB1
• TrailofBits - CB1

Proved a POV in reference challenge

• CodeJitsu - POV
• ForAllSecure - POV
• FuzzBOMB - POV
• Shellphish - POV
• TrailofBits - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• CodeJitsu: 100.0% - CB1
• Disekt: 100.0% - CB1
• ForAllSecure: 100.0% - CB1
• Shellphish: 100.0% - CB1
• CSDS: 100.0% - CB1
• FuzzBOMB: 100.0% - CB1
• TrailofBits: 100.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8
• Submission 9

DARPA performer group

Kaprica Security (KPRCA)

Description

This service prints out the section and symbol information for a given CGC exectuable.

Feature List

Features

• Parses and validates CGC executables
• Displays section info (name, type, address, offset, and size)
• Displays symbol info (name, value, size, type, and bind)
• Output format is similar to what readcgcef utility outputs
• It's a lot less strict about the actual contents, however.

Protocol

• Input: Raw bytes that represent the CGC executable file, prepended by its size in bytes.
• Output: Text display showing information about the file (sections and symbols).

Vulnerability

• The parser does not correctly validate the value of index to the section headers when calculating the offset to the section header data.
• The idx value can be negative passing the check of idx < shnum in cgcf.c:125.
• Also, there's an integer overflow bug which can be caused by supplying large (yet valid) field values.
• This may yield an access violation on invalid memory, given a carefully crafted input.

Generic class of vulnerability

Insufficient range check Integer Overflow

CWE classification

CWE-839: Numeric Range Comparison Without Minimum Check CWE-190: Integer Overflow or Wraparound

Challenges

• Lots of mutable fields that can affect the state of the parsing
• Sometimes mutating one field is not enough to trigger the bug due to other checks. In such case, multiple fields must be carefully manipulated in order to trigger the bug.