Qualifier Challenge - KPRCA_00043


Original Versions

Known Vulnerabilities

  • CWE-121 - Stack-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 3.7
  • Lekkertech: 2.67
  • CSDS: 2.37
  • DeepRed: 2.16
  • FuzzBOMB: 1.08
  • TECHx: 0.93
  • CodeJitsu: 0.75
  • Cyberjujitsu: 0.48
  • Shellphish: 0.31
  • Disekt: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Cyberjujitsu - CB1
  • ForAllSecure - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • Cyberjujitsu: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • Lekkertech: 66.7% - CB1
  • DeepRed: 33.3% - CB1
  • FuzzBOMB: 16.7% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description

Bloomy Sunday is a safety feature that filters any blacklisted depressing words in submitted lyrics. To make it more responsive, it implements a bloom filter to quickly test whether a word is definitely not in the blacklist, in which case the word is not banned.

Feature List

Features

  • Submit lyrics
  • Check against the filter (automatic)
  • View lyrics

Protocol

  • User-interactive interface

Vulnerability

  • The input is read in one line at a time, which is split into multiple words.
  • Each word is checked against the filter.
  • When the word is not found by the filter, the word is passed and copied over to the final lyrics buffer. The length is validated to ensure there's no buffer overflow.
  • In case the word is found by the filter, it needs to be tested with the real blacklist table since it could be a false-positive.
  • When the word exists in the table, the submission process is immediately aborted, and reports an error/warning.
  • When the word does not exist in the table (i.e. a false positive), the word is copied over to the final lyrics buffer. However, the length check is omitted in this path -- leading to a stack-based buffer overflow.
  • Also, there is a one-byte overwrite bug that will cause a segmentation fault.
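As an added illustration (not the challenge's own source, which is not reproduced on this page), the C program below sketches the two-stage check the list above describes: a bloom filter with three hash functions in front of an exact blacklist table, and a lyrics buffer where the false-positive path goes through the same bounded copy as the "not found by the filter" path, so the missing length check described above cannot occur. The blacklist words, the seeded FNV-1a hash construction, the filter size and the buffer size are all assumptions made for the demo.

```c
/* Added example, not the Bloomy Sunday source: bloom filter + exact table in front
 * of a bounded lyrics buffer, with one length check shared by every copy path. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FILTER_BITS  4096   /* filter size: assumption for the demo */
#define BLOOM_HASHES 3      /* three hash functions, as the description states */
#define LYRICS_MAX   64     /* constructed lyrics buffer size */

/* Constructed blacklist; the real table is not on the page. */
static const char *const BLACKLIST[] = { "sad", "gloomy", "lonely", "tears" };
#define BLACKLIST_LEN (sizeof BLACKLIST / sizeof BLACKLIST[0])

typedef struct { uint8_t bits[FILTER_BITS / 8]; } bloom_t;
typedef struct { char buf[LYRICS_MAX]; size_t len; } lyrics_t;

/* Seeded FNV-1a over (s, n); three seeds give three hash functions. */
static uint32_t hash_word(const char *s, size_t n, uint32_t seed)
{
    uint32_t h = 2166136261u ^ seed;
    for (size_t i = 0; i < n; i++) { h ^= (uint8_t)s[i]; h *= 16777619u; }
    return h % FILTER_BITS;
}

static void bloom_add(bloom_t *f, const char *s, size_t n)
{
    for (uint32_t k = 0; k < BLOOM_HASHES; k++) {
        uint32_t bit = hash_word(s, n, k * 0x9e3779b9u);
        f->bits[bit / 8] |= (uint8_t)(1u << (bit % 8));
    }
}

/* true = "possibly blacklisted" (false positives happen); false is definite. */
static bool bloom_maybe(const bloom_t *f, const char *s, size_t n)
{
    for (uint32_t k = 0; k < BLOOM_HASHES; k++) {
        uint32_t bit = hash_word(s, n, k * 0x9e3779b9u);
        if (!(f->bits[bit / 8] & (1u << (bit % 8)))) return false;
    }
    return true;
}

/* Exact lookup, consulted only when the filter says "maybe". */
static bool table_contains(const char *s, size_t n)
{
    for (size_t i = 0; i < BLACKLIST_LEN; i++)
        if (strlen(BLACKLIST[i]) == n && memcmp(BLACKLIST[i], s, n) == 0) return true;
    return false;
}

/* The single bounded append: a word either fits entirely (plus separator and NUL)
 * or is refused. Both the fast path and the false-positive path call this. */
static int lyrics_append(lyrics_t *l, const char *s, size_t n)
{
    size_t need = n + (l->len ? 1 : 0);
    if (need > LYRICS_MAX - 1 - l->len) return -2;   /* would overflow: refuse */
    if (l->len) l->buf[l->len++] = ' ';
    memcpy(l->buf + l->len, s, n);
    l->len += n;
    l->buf[l->len] = '\0';
    return 0;
}

/* 0 = accepted, -1 = blacklisted word found, -2 = line does not fit. */
int submit_line(const bloom_t *f, lyrics_t *l, const char *line)
{
    const char *p = line;
    while (*p) {
        while (*p == ' ') p++;
        const char *start = p;
        while (*p && *p != ' ') p++;
        size_t n = (size_t)(p - start);
        if (n == 0) break;
        if (bloom_maybe(f, start, n) && table_contains(start, n))
            return -1;                 /* real hit: abort the submission */
        /* filter miss or false positive: identical bounded copy either way */
        int rc = lyrics_append(l, start, n);
        if (rc) return rc;
    }
    return 0;
}

/* Builds the filter from the constructed blacklist and submits one line into a fresh buffer. */
int submit_fresh(const char *line)
{
    bloom_t f; lyrics_t l = { {0}, 0 };
    memset(&f, 0, sizeof f);
    for (size_t i = 0; i < BLACKLIST_LEN; i++) bloom_add(&f, BLACKLIST[i], strlen(BLACKLIST[i]));
    return submit_line(&f, &l, line);
}

/* A 128-byte word: twice the buffer, refused with -2 instead of overflowing. */
int submit_oversized(void)
{
    char big[LYRICS_MAX * 2 + 1];
    memset(big, 'x', sizeof big - 1); big[sizeof big - 1] = '\0';
    return submit_fresh(big);
}

int main(void)
{
    printf("%d %d %d\n", submit_fresh("happy sunny day"), submit_fresh("a sad song"), submit_oversized());
    return 0;
}
```

The design point is that `lyrics_append` is the only function that writes into the lyrics buffer, so whether a word arrived via a filter miss or via a false positive makes no difference to the bound check; the return codes also make a rejected line observable to the caller rather than silently truncated.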

Generic class of vulnerability

Stack-based Buffer Overflow

CWE classification

CWE-121: Stack-based Buffer Overflow

Challenges

  • Competitors need to generate a word that is not in the blacklist table, yet is flagged by the bloom filter (it's using 3 hash functions), such that appending the word will result in a buffer overflow.

Curated by Lunge Technology, LLC. Questions or comments? Send us email