Original Versions

• Author-supplied POVs: POV1
• Browse Source
POVs in CQE must follow the POV markup specification.

Known Vulnerabilities

• CWE-416 - Use After Free
CWEs are listed as indicated by the challenge author.

Scores

• ForAllSecure: 4.0
• Shellphish: 3.55
• Disekt: 3.05
• CSDS: 0.66
• CodeJitsu: 0.0
• TECHx: 0.0
• FuzzBOMB: 0.0
• TrailofBits: 0.0
The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

• CodeJitsu - CB1
• CSDS - CB1
• Disekt - CB1
• ForAllSecure - CB1
• Shellphish - CB1

Proved a POV in reference challenge

• CodeJitsu - POV
• Disekt - POV
• ForAllSecure - POV
• Shellphish - POV
POVs in CQE must follow the POV markup specification.

Defense against reference POVs

• ForAllSecure: 100.0% - CB1
• CodeJitsu: 100.0% - CB1
• Shellphish: 100.0% - CB1
• Disekt: 100.0% - CB1
• CSDS: 100.0% - CB1

No submission

• Eighth Place Team
• Eleventh Place Team
• Fifth Place Team - Finalist
• First Place Team - Finalist
• Fourth Place Team - Finalist
• Ninth Place Team
• Second Place Team - Finalist
• Seventh Place Team - Finalist
• Sixth Place Team - Finalist
• Tenth Place Team
• Third Place Team - Finalist
• Thirteenth Place Team
• Twelfth Place Team

All Submissions

• Submission 1
• Submission 2
• Submission 3
• Submission 4
• Submission 5
• Submission 6
• Submission 7
• Submission 8

DARPA performer group

Kaprica Security (KPRCA)

Description

Simple shell-like file management system.

Feature List

``` list [file ..] - Lists files and directories.

create - Creates a file.

open - Opens a file.

close - Closes an open file.

close_all - Closes all open files.

read [pos] [len] - Reads a file.

modify [pos] - Modifies a file.

delete - Deletes a file.

mkdir - Creates a directory.

rmdir - Deletes a directory.

chdir - Changes the working directory.

quit - Quits the program.

help [command] - Displays the help message. ```

Vulnerability

• When deleting a file, the file object pointer is not removed from the list that keeps track of currently opened files.
• This yields a dangling pointer when a file is deleted while it's opened.
• By allocating similar-sized buffer by writing into another file, it is possible to take over the memory for the dangling pointer -- allowing Use-After-Free condition.
• Arbitrary code execution can be achieved by triggering a virtual function in the file object after carefully setting up the payload.

Generic class of vulnerability

Use After Free

CWE classification

CWE-416: Use After Free

Challenges

• C++