Qualifier Challenge - KPRCA_00045


Original Versions

Known Vulnerabilities

  • CWE-122 - Heap-based Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Scores

  • DeepRed: 2.0
  • ForAllSecure: 1.65
  • CSDS: 1.03
  • CodeJitsu: 0.87
  • TECHx: 0.56
  • Disekt: 0.14
  • TrailofBits: 0.08
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • DeepRed: 100.0% - CB1
  • TECHx: 50.0% - CB1
  • TrailofBits: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description

Sad Face Template Engine provides a template rendering service, where a user defines variables with values and submits a templated text to be rendered. The default tag identifier is :(...):

Feature List

Features

  • Define variables
  • Add new variables
  • Undefine variables
  • View variables
  • Submit templated text
  • Render text

There are 4 supported types for a variable: String, Integer, Float, and Bool.

The template engine understands 3 tag types:

  • Variable: :(name):
  • Conditional Section: :(@is_valid):Rendered only when is_valid is true!:(/is_valid):
  • Comment: :(#sad comment):

Protocol

  • User-interactive interface (aka menu selection)

Vulnerability

  • There are 2 exploitable bugs in the sadface_render function.
  • When the engine renders a template, it does not check whether the rendered output still fits in the output buffer.
  • Specifically, when copying normal/static text from the input, the total length is not checked against the output buffer size, leading to a heap-based buffer overflow.
  • When handling variable substitution, the total length is likewise not validated against the maximum buffer size, leading to a heap-based buffer overflow.
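The following is an added example, not the challenge's own sadface_render code (which is not reproduced on this page). It is a minimal renderer for the three tag types listed above with the check the page says is missing at both copy sites: every append, whether static text or a substituted variable value, is compared against the remaining capacity of the output buffer before memcpy. The variable table, the string-only values, the rule that a conditional section renders when its flag variable's value is "true", and the demo inputs are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical variable table (assumption: values kept as strings only;
 * the challenge's String/Integer/Float/Bool types are not modelled). */
struct var { const char *name; const char *value; };

static const char *lookup(const struct var *vars, size_t nvars,
                          const char *name, size_t len)
{
    for (size_t i = 0; i < nvars; i++)
        if (strlen(vars[i].name) == len && memcmp(vars[i].name, name, len) == 0)
            return vars[i].value;
    return NULL;
}

/* Bounded search for needle inside hay[0..hlen). */
static const char *find(const char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return hay + i;
    return NULL;
}

/* The check the page says sadface_render lacks: the running total *pos plus
 * the new chunk must leave room for the NUL, or the write is refused. Dropping
 * the comparison gives exactly the unchecked memcpy that overflows the heap
 * buffer for either static text or a substituted value. */
static int emit(char *out, size_t outsz, size_t *pos, const char *src, size_t n)
{
    if (n > outsz - 1 - *pos)
        return -1;                 /* would overflow: reject instead of writing */
    memcpy(out + *pos, src, n);
    *pos += n;
    return 0;
}

/* Render t[0..tlen) into out. Tags: :(name):, :(#comment):, :(@flag):...:(/flag):.
 * Returns 0 on success, -1 if the output would not fit or a section is unterminated. */
static int render_n(const char *t, size_t tlen, const struct var *vars, size_t nvars,
                    char *out, size_t outsz, size_t *pos)
{
    const char *end = t + tlen;
    while (t < end) {
        const char *open = find(t, (size_t)(end - t), ":(");
        if (!open)                                 /* only static text remains */
            return emit(out, outsz, pos, t, (size_t)(end - t));
        if (emit(out, outsz, pos, t, (size_t)(open - t)) < 0)   /* static text before tag */
            return -1;
        const char *body = open + 2;
        const char *close = find(body, (size_t)(end - body), "):");
        if (!close)                                /* malformed tag: copy it literally */
            return emit(out, outsz, pos, open, (size_t)(end - open));
        size_t blen = (size_t)(close - body);
        t = close + 2;
        if (blen == 0 || body[0] == '#')           /* empty tag or comment: emits nothing */
            continue;
        if (body[0] == '@') {                      /* conditional section */
            char endtag[64];
            int n = snprintf(endtag, sizeof endtag, ":(/%.*s):", (int)(blen - 1), body + 1);
            if (n < 0 || (size_t)n >= sizeof endtag)
                return -1;
            const char *sec_end = find(t, (size_t)(end - t), endtag);
            if (!sec_end)
                return -1;
            const char *flag = lookup(vars, nvars, body + 1, blen - 1);
            if (flag && strcmp(flag, "true") == 0 &&       /* assumption: "true" enables it */
                render_n(t, (size_t)(sec_end - t), vars, nvars, out, outsz, pos) < 0)
                return -1;
            t = sec_end + (size_t)n;
            continue;
        }
        const char *val = lookup(vars, nvars, body, blen);   /* variable substitution */
        if (val && emit(out, outsz, pos, val, strlen(val)) < 0)
            return -1;
    }
    return 0;
}

/* Render a NUL-terminated template; returns the output length or -1. */
long render(const char *tmpl, const struct var *vars, size_t nvars, char *out, size_t outsz)
{
    size_t pos = 0;
    if (outsz == 0 || render_n(tmpl, strlen(tmpl), vars, nvars, out, outsz, &pos) < 0)
        return -1;
    out[pos] = '\0';
    return (long)pos;
}

/* Constructed demo inputs. "big" is 70 bytes: one copy fits a 128-byte buffer, two do not. */
static const struct var demo_vars[] = {
    { "name", "world" }, { "is_valid", "true" }, { "debug", "false" },
    { "big", "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
             "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" },
};
#define NVARS (sizeof demo_vars / sizeof demo_vars[0])

int demo_fits(void)            /* all three tag types, output fits: returns 1 */
{
    char out[32];
    long n = render("Hello :(name):!:(#ignored): :(@is_valid):ok:(/is_valid):"
                    ":(@debug):DBG:(/debug):", demo_vars, NVARS, out, sizeof out);
    return n == 15 && strcmp(out, "Hello world! ok") == 0;
}

long demo_variable_overflow(void)   /* short template, values push total past 128: -1 */
{
    char out[128];
    return render(":(big)::(big):", demo_vars, NVARS, out, sizeof out);
}

long demo_static_overflow(void)     /* static text alone exceeds a 16-byte buffer: -1 */
{
    char out[16];
    return render("this static text is longer than sixteen bytes",
                  demo_vars, NVARS, out, sizeof out);
}
```

demo_variable_overflow is the case the page's "Challenges" note points at: the template itself is only 14 bytes, and each value fits on its own, but the rendered total is what has to be bounded. The hardened version returns -1 where an unchecked memcpy would already have written past the end of the heap allocation.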

Generic class of vulnerability

Heap-based Buffer Overflow

CWE classification

CWE-122: Heap-based Buffer Overflow

Challenges

  • Input is not directly used to generate the output. One must realize that, by carefully crafting the variables, it is possible to manipulate the output to an exploitable condition.

Curated by Lunge Technology, LLC. Questions or comments? Send us email