Qualifier Challenge - KPRCA_00037


Original Versions

Known Vulnerabilities

  • CWE-190 - Integer Overflow or Wraparound
  • CWE-839 - Numeric Range Comparison Without Minimum Check
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 4.0
  • Shellphish: 1.93
  • CSDS: 1.65
  • CodeJitsu: 1.24
  • TrailofBits: 0.05
  • Disekt: 0.03
  • TECHx: 0.0
  • FuzzBOMB: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • FuzzBOMB: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description

This service prints out the section and symbol information for a given CGC executable.

Feature List

Features

  • Parses and validates CGC executables
  • Displays section info (name, type, address, offset, and size)
  • Displays symbol info (name, value, size, type, and bind)
  • Output format is similar to what readcgcef utility outputs
  • It's a lot less strict about the actual contents, however.

Protocol

  • Input: Raw bytes that represent the CGC executable file, prefixed with its size in bytes.
  • Output: Text display showing information about the file (sections and symbols).

Vulnerability

  • The parser does not correctly validate the section header index when calculating the offset to the section header data.
  • The idx value can be negative and still pass the check idx < shnum in cgcf.c:125, since only the upper bound is tested.
  • There is also an integer overflow bug that can be triggered by supplying large (yet individually valid) field values.
  • Given a carefully crafted input, this may yield an access violation on invalid memory.
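The two weaknesses described above, shown side by side as an added C example (this is not the challenge's own source; the shdr_t layout, the 20-byte header size and all function names are assumptions for illustration): a signed index checked only against an upper bound, a 32-bit offset computation that wraps, and a hardened lookup that rejects both cases.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical section-header layout; field names are illustrative and are
   not the challenge's own struct. */
typedef struct {
    uint32_t sh_name;
    uint32_t sh_type;
    uint32_t sh_addr;
    uint32_t sh_offset;
    uint32_t sh_size;
} shdr_t;

#define SHDR_SIZE ((uint32_t)sizeof(shdr_t))   /* 20 bytes */

/* Weak pattern (CWE-839): signed idx compared only against an upper bound.
   A negative idx satisfies idx < shnum, so the arithmetic yields an offset
   that lies before the start of the header table. */
static long weak_shdr_offset(long shoff, int idx, int shnum) {
    if (!(idx < shnum))
        return -1;                      /* the only check: no minimum */
    return shoff + (long)idx * (long)SHDR_SIZE;
}

/* Weak pattern (CWE-190): the same lookup done in 32-bit unsigned arithmetic.
   Large but individually plausible shoff/idx values wrap the sum around to a
   small offset that would pass a later "offset < file_size" test. */
static uint32_t weak32_shdr_offset(uint32_t shoff, uint32_t idx) {
    return shoff + idx * SHDR_SIZE;     /* computed modulo 2^32 */
}

/* Hardened lookup: unsigned index (no negative values exist), explicit
   idx < shnum check, widened arithmetic so the sum cannot wrap, and a check
   that the entire header fits inside the file. Returns 1 on success. */
static int safe_shdr_offset(uint32_t file_size, uint32_t shoff,
                            uint32_t idx, uint32_t shnum, uint32_t *out) {
    uint64_t off;
    if (idx >= shnum)
        return 0;                       /* index out of range */
    off = (uint64_t)shoff + (uint64_t)idx * SHDR_SIZE;
    if (off > UINT32_MAX)
        return 0;                       /* would wrap in 32-bit math */
    if (off + SHDR_SIZE > file_size)
        return 0;                       /* header would run past end of file */
    *out = (uint32_t)off;
    return 1;
}

int main(void) {
    uint32_t off = 0;
    /* constructed values: header table at 0x100, 4 entries, 1 KiB file */
    printf("weak, idx=-1: %ld\n", weak_shdr_offset(0x100, -1, 4));      /* 236: before the table */
    printf("weak32 wrap:  %u\n", weak32_shdr_offset(0xFFFFFFF0u, 1));   /* 4 */
    printf("safe, idx=2:  %d (off=%u)\n",
           safe_shdr_offset(1024, 0x100, 2, 4, &off), off);              /* 1 (off=296) */
    printf("safe, idx=-1: %d\n",
           safe_shdr_offset(1024, 0x100, (uint32_t)-1, 4, &off));        /* 0 */
    printf("safe, big:    %d\n",
           safe_shdr_offset(UINT32_MAX, 0xFFFFFFF0u, 1, 4, &off));       /* 0 */
    return 0;
}
```

The defensive version treats the index as unsigned, which removes the negative case entirely, and does the multiply-add in 64 bits so the wrap described in the third bullet cannot occur; the final bounds check against the file size is what turns an out-of-range header into a clean parse error rather than an access violation.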

Generic class of vulnerability

Insufficient range check; Integer Overflow

CWE classification

  • CWE-839: Numeric Range Comparison Without Minimum Check
  • CWE-190: Integer Overflow or Wraparound

Challenges

  • Lots of mutable fields that can affect the state of the parsing
  • Sometimes mutating one field is not enough to trigger the bug because of other checks. In such cases, multiple fields must be manipulated together in order to trigger the bug.

Curated by Lunge Technology, LLC.