Qualifier Challenge - KPRCA_00038


Original Versions

Known Vulnerabilities

  • CWE-134 - Use of Externally-Controlled Format String
  • CWE-476 - NULL Pointer Dereference
  • CWE-674 - Uncontrolled Recursion
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 2.86
  • Lekkertech: 2.22
  • DeepRed: 0.23
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • ForAllSecure: 88.9% - CB1
  • TECHx: 88.9% - CB1
  • TrailofBits: 66.7% - CB1
  • DeepRed: 55.6% - CB1
  • Lekkertech: 22.2% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description:

This service implements a scripting language that is designed for processing text files. The script is executed on every record, where every line in the text file is processed as an independent record. Every record is then parsed into fields automatically according to the current script state.

Feature List

The only input to the script is the current record. Parsing of the record can be controlled via the field separator and record separator variables. Output can be either a print statement or a printf with a script-provided format string.

The expressions support variable assignment, arithmetic and logical operators, and regular expression matching. The regular expression support is implemented using a variation of the Thompson NFA algorithm, so its run-time is O(nm) as opposed to competing algorithms that have an exponential run-time.

Vulnerability

The first vulnerability, eprintf.c:81, is a classic printf vulnerability where an attacker can control a format string. The arguments to printf are script variables, and the type of each script variable is not adequately verified. This allows an attacker to control a char pointer, resulting in a memory leak or crash, by providing the #c format with a number argument. Additionally, an attacker could leak a pointer by providing the #x format with a string argument.
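A type-checked printf front end of the kind that closes the first vulnerability, added here as an example rather than code from the challenge binary: the tagged script value, the escape character, and the directive-to-type table (#c takes a text value, #x and #d a number) are assumptions drawn from the description above, and every directive is validated against its argument's type before anything is printed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define FMT_ESC '#'   /* directive introducer; the page writes #c and #x */
/* Hypothetical tagged script value; the challenge's real layout is not shown. */
typedef enum { VAL_NUMBER, VAL_STRING } val_type;
typedef struct {
    val_type type;
    long num;         /* valid when type == VAL_NUMBER */
    const char *str;  /* valid when type == VAL_STRING */
} script_val;

/* One pass over fmt: every directive must have an argument of the matching
 * type and the argument count must be exact. Rejects #c with a number
 * (number used as a char pointer) and #x with a string (pointer leak),
 * unknown directives, and a trailing escape. Nothing is printed here. */
bool check_format(const char *fmt, const script_val *args, size_t nargs)
{
    size_t used = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != FMT_ESC) continue;
        p++;
        if (*p == FMT_ESC) continue;              /* "##" is a literal '#' */
        if (*p == '\0' || used >= nargs) return false;
        val_type want;
        if (*p == 'c') want = VAL_STRING;         /* #c prints a text value */
        else if (*p == 'x' || *p == 'd') want = VAL_NUMBER;
        else return false;                        /* unknown directive */
        if (args[used++].type != want) return false;
    }
    return used == nargs;
}

/* Validates first, then emits each directive through a fixed C format so the
 * script-supplied string never reaches printf as a format argument. */
bool script_printf(const char *fmt, const script_val *args, size_t nargs)
{
    if (!check_format(fmt, args, nargs)) return false;
    size_t used = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != FMT_ESC) { putchar(*p); continue; }
        if (*++p == FMT_ESC) { putchar(FMT_ESC); continue; }
        const script_val *a = &args[used++];
        if (*p == 'c') printf("%s", a->str);
        else if (*p == 'x') printf("%lx", (unsigned long)a->num);
        else printf("%ld", a->num);
    }
    return true;
}
```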

The second vulnerability is a stack overflow via uncontrolled recursion in regexp_parse. By constructing a large expression with many unterminated open parentheses, the attacker can cause a crash via stack overflow with a small input.

The third vulnerability is a NULL pointer dereference in do_print when get_field returns NULL. This situation can occur when the length of field0 would exceed 4096 bytes once the fields are appended together.

The fourth vulnerability is a NULL pointer dereference in simplify when the input node is NULL. This can occur when the input string to regexp_init is empty.

The fifth vulnerability is a NULL pointer dereference in eval_expression when the input expression is NULL. This can occur if an operator is missing an argument or a for loop is missing a post-condition expression.

The sixth vulnerability is a NULL pointer dereference in parse_statements when the program contains an empty code scope with a statement before and after it. This causes a NULL pointer to be inserted into the linked list of statements.

Generic class of vulnerability

  • Arbitrary format string
  • Stack overflow

CWE classification

  • CWE-134: Uncontrolled Format String
  • CWE-476: NULL Pointer Dereference
  • CWE-674: Uncontrolled Recursion

Challenges

This challenge set implements a non-trivial scripting language, comparable to the embedded scripting languages that many modern programs include. The scripting language is not as complex as JavaScript, but the techniques used to fuzz JavaScript interpreters are expected to be effective against this challenge set as well. Automatic patching of the vulnerabilities will be a significant challenge.


Curated by Lunge Technology, LLC.