Qualifier Challenge - KPRCA_00053

Original Versions

Known Vulnerabilities

  • CWE-704 - Incorrect Type Conversion or Cast
  • CWE-783 - Operator Precedence Logic Error
  • CWEs are listed as indicated by the challenge author.


  • CSDS: 1.0
  • TECHx: 0.67
  • CodeJitsu: 0.54
  • ForAllSecure: 0.47
  • TrailofBits: 0.36
  • DeepRed: 0.26
  • Disekt: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • DeepRed: 100.0% - CB1
  • Disekt: 50.0% - CB1
  • TECHx: 50.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)


This program is a small blogging site. It allows users to create content, add friends, and like posts. Once a user has accumlulated enough friends, and likes, he or she is upgraded to a full user and may upload files to the blog post.

Feature List

Unregistered users may: 1. Register 2. Log in 3. View a user's posts 4. View a user's profile 5. Quit

And once registered a user can add content, friends, or remove his or her content. 1. Add new blog post 2. Delete blog post 3. Update profile 4. Add a friend 5. View my friends 6. Unfriend someone 7. View my posts 8. View my profile 9. View a user's posts 10. View a user's profi 11. Log out.


The vulnerability is triggered by assigning a file to an extension that doesn't match the magic number. The AsciiArtFile uses multiple inheritance, and by type casting it as a PictureFile it's possible to overwrite the second inherited class' vtable.

The second vulnerability is due to a order of operations error. It's possible to overwrite a byte during the input text function. The buffer size has a max of 4096 bytes, but can accept up to 4097.

Generic class of vulnerability

Buffer Overflow Incorrect Type Conversion

CWE classification

Operator Precedence Logic Error (CWE-783) Incorrect Type Conversion or Cast (CWE-704)


The goal of this program is to have challengers test their system against code using polymorphism. Understanding how C++ sets up polymophic classes will be important in finding this vulnerability.

The buffer overflow is meant to test how large a team's input testing scales. In order for this bug to be triggered it requires a buffer of exactly 4097 bytes to be sent 20+ times.

Curated by Lunge Technology, LLC. Questions or comments? Send us email