Rounds Enabled

50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64

Details

• POV Information

Original Versions

• Original Build: CB1
• Author-supplied patches: CB1
• Author-supplied POVs: POV1
• Browse Source

Known Vulnerabilities

• CWE-786 - Access of Memory Location Before Start of Buffer
CWEs are listed as indicated by the challenge author.

Deployed patches

• Round 54 : Shellphish - CB1 (disassembly)
• Round 57 : Shellphish - CB1 (disassembly)

Deployed IDS rules

None

DARPA performer group

Kaprica Security (KPRCA)

Description

A C++ rule-based malware detection engine, with heuristics to handle different file formats. Utilizes an emulator to unpack malware before apply rules.

Feature List

Malware engine rules can be updated at run-time. Detection algorithm is fast: speed is not affected by number of rules. Emulator supports 19 common instructions with up to 64KB of stack space and 1GB of heap space. Malware is sandboxed so that it cannot modify memory outside of its stack and heap. Heuristics for both executables and bitmaps.

Vulnerability

Vuln 1

In Emulator::in_stack (emulator.h:37), the service fails to ensure that the shadow stack pointer is in-bounds. This allows the attacker to read and write from memory that they shouldn't be able to, such as the C stack. An attacker can overwrite a return address to gain EIP control and then use a gadget to have a complete type-1 exploit.

Generic class of vulnerability

Memory Corruption

CWE classification

CWE-786: Access of Memory Location Before Start of Buffer

Challenges

• The challenge encountered when proving is how to control both EIP and another register without causing a premature crash. Using a gadget is likely essential. A type 2 is more difficult and would probably require a call to Interface::send_response.

• Discovery with fuzzing should be possible but the required input size is non-trivial. Mutation fuzzing is likely the easiest method to discover the vulnerability.

Difficulty

• Discovery: medium
• Proving: medium
• Patching: medium

Round	Source	Destination	Result	POV	Analysis	Video
51	CSDS	CodeJitsu	Failed POV	POV
51	CSDS	DeepRed	Failed POV	POV
51	CSDS	Disekt	Failed POV	POV
51	CSDS	ForAllSecure	Failed POV	POV
51	CSDS	Shellphish	Failed POV	POV
51	CSDS	TECHx	Failed POV	POV
51	DeepRed	CodeJitsu	Failed POV	POV
51	DeepRed	CSDS	Failed POV	POV
51	DeepRed	Disekt	Failed POV	POV
51	DeepRed	ForAllSecure	Failed POV	POV
51	DeepRed	Shellphish	Failed POV	POV
51	DeepRed	TECHx	Failed POV	POV
52	CSDS	CodeJitsu	Failed POV	POV
52	CSDS	DeepRed	Failed POV	POV
52	CSDS	Disekt	Failed POV	POV
52	CSDS	ForAllSecure	Failed POV	POV
52	CSDS	Shellphish	Failed POV	POV
52	CSDS	TECHx	Failed POV	POV
52	DeepRed	CodeJitsu	Failed POV	POV
52	DeepRed	CSDS	Failed POV	POV
52	DeepRed	Disekt	Failed POV	POV
52	DeepRed	ForAllSecure	Failed POV	POV
52	DeepRed	Shellphish	Failed POV	POV
52	DeepRed	TECHx	Failed POV	POV
53	CSDS	CodeJitsu	Failed POV	POV
53	CSDS	DeepRed	Failed POV	POV
53	CSDS	Disekt	Failed POV	POV
53	CSDS	ForAllSecure	Failed POV	POV
53	CSDS	Shellphish	Failed POV	POV
53	CSDS	TECHx	Failed POV	POV
53	DeepRed	CodeJitsu	Failed POV	POV
53	DeepRed	CSDS	Failed POV	POV
53	DeepRed	Disekt	Failed POV	POV
53	DeepRed	ForAllSecure	Failed POV	POV
53	DeepRed	Shellphish	Failed POV	POV
53	DeepRed	TECHx	Failed POV	POV
54	CodeJitsu	Shellphish	Failed POV through defenses	POV
54	CSDS	CodeJitsu	Failed POV	POV
54	CSDS	DeepRed	Failed POV	POV
54	CSDS	Disekt	Failed POV	POV
54	CSDS	ForAllSecure	Failed POV	POV
54	CSDS	Shellphish	Failed POV through defenses	POV
54	CSDS	TECHx	Failed POV	POV
54	DeepRed	CodeJitsu	Failed POV	POV
54	DeepRed	CSDS	Failed POV	POV
54	DeepRed	Disekt	Failed POV	POV
54	DeepRed	ForAllSecure	Failed POV	POV
54	DeepRed	Shellphish	Failed POV through defenses	POV
54	DeepRed	TECHx	Failed POV	POV
55	CSDS	CodeJitsu	Failed POV	POV
55	CSDS	DeepRed	Failed POV	POV
55	CSDS	Disekt	Failed POV	POV
55	CSDS	ForAllSecure	Failed POV	POV
55	CSDS	Shellphish	Failed POV through defenses	POV
55	CSDS	TECHx	Failed POV	POV
55	DeepRed	CodeJitsu	Failed POV	POV
55	DeepRed	CSDS	Failed POV	POV
55	DeepRed	Disekt	Failed POV	POV
55	DeepRed	ForAllSecure	Failed POV	POV
55	DeepRed	Shellphish	Failed POV through defenses	POV
55	DeepRed	TECHx	Failed POV	POV
56	CSDS	CodeJitsu	Failed POV	POV
56	CSDS	DeepRed	Failed POV	POV
56	CSDS	Disekt	Failed POV	POV
56	CSDS	ForAllSecure	Failed POV	POV
56	CSDS	Shellphish	Failed POV through defenses	POV
56	CSDS	TECHx	Failed POV	POV
56	DeepRed	CodeJitsu	Failed POV	POV
56	DeepRed	CSDS	Failed POV	POV
56	DeepRed	Disekt	Failed POV	POV
56	DeepRed	ForAllSecure	Failed POV	POV
56	DeepRed	Shellphish	Failed POV through defenses	POV
56	DeepRed	TECHx	Failed POV	POV
57	CodeJitsu	Shellphish	Failed POV	POV
57	CSDS	CodeJitsu	Failed POV	POV
57	CSDS	DeepRed	Failed POV	POV
57	CSDS	Disekt	Failed POV	POV
57	CSDS	ForAllSecure	Failed POV	POV
57	CSDS	Shellphish	Failed POV	POV
57	CSDS	TECHx	Failed POV	POV
57	DeepRed	CodeJitsu	Failed POV	POV
57	DeepRed	CSDS	Failed POV	POV
57	DeepRed	Disekt	Failed POV	POV
57	DeepRed	ForAllSecure	Failed POV	POV
57	DeepRed	Shellphish	Failed POV	POV
57	DeepRed	TECHx	Failed POV	POV
58	CSDS	CodeJitsu	Failed POV	POV
58	CSDS	DeepRed	Failed POV	POV
58	CSDS	Disekt	Failed POV	POV
58	CSDS	ForAllSecure	Failed POV	POV
58	CSDS	Shellphish	Failed POV	POV
58	CSDS	TECHx	Failed POV	POV
58	DeepRed	CodeJitsu	Failed POV	POV
58	DeepRed	CSDS	Failed POV	POV
58	DeepRed	Disekt	Failed POV	POV
58	DeepRed	ForAllSecure	Failed POV	POV
58	DeepRed	Shellphish	Failed POV	POV
58	DeepRed	TECHx	Failed POV	POV
59	CSDS	CodeJitsu	Failed POV	POV
59	CSDS	DeepRed	Failed POV	POV
59	CSDS	Disekt	Failed POV	POV
59	CSDS	ForAllSecure	Failed POV	POV
59	CSDS	Shellphish	Failed POV	POV
59	CSDS	TECHx	Failed POV	POV
59	DeepRed	CodeJitsu	Failed POV	POV
59	DeepRed	CSDS	Failed POV	POV
59	DeepRed	Disekt	Failed POV	POV
59	DeepRed	ForAllSecure	Failed POV	POV
59	DeepRed	Shellphish	Failed POV	POV
59	DeepRed	TECHx	Failed POV	POV
60	CSDS	CodeJitsu	Failed POV	POV
60	CSDS	DeepRed	Failed POV	POV
60	CSDS	Disekt	Failed POV	POV
60	CSDS	ForAllSecure	Failed POV	POV
60	CSDS	Shellphish	Failed POV	POV
60	CSDS	TECHx	Failed POV	POV
60	DeepRed	CodeJitsu	Failed POV	POV
60	DeepRed	CSDS	Failed POV	POV
60	DeepRed	Disekt	Failed POV	POV
60	DeepRed	ForAllSecure	Failed POV	POV
60	DeepRed	Shellphish	Failed POV	POV
60	DeepRed	TECHx	Failed POV	POV
61	CSDS	CodeJitsu	Failed POV	POV
61	CSDS	DeepRed	Failed POV	POV
61	CSDS	Disekt	Failed POV	POV
61	CSDS	ForAllSecure	Failed POV	POV
61	CSDS	Shellphish	Failed POV	POV
61	CSDS	TECHx	Failed POV	POV
61	DeepRed	CodeJitsu	Failed POV	POV
61	DeepRed	CSDS	Failed POV	POV
61	DeepRed	Disekt	Failed POV	POV
61	DeepRed	ForAllSecure	Failed POV	POV
61	DeepRed	Shellphish	Failed POV	POV
61	DeepRed	TECHx	Failed POV	POV
62	CSDS	CodeJitsu	Failed POV	POV
62	CSDS	DeepRed	Failed POV	POV
62	CSDS	Disekt	Failed POV	POV
62	CSDS	ForAllSecure	Failed POV	POV
62	CSDS	Shellphish	Failed POV	POV
62	CSDS	TECHx	Failed POV	POV
62	DeepRed	CodeJitsu	Failed POV	POV
62	DeepRed	CSDS	Failed POV	POV
62	DeepRed	Disekt	Failed POV	POV
62	DeepRed	ForAllSecure	Failed POV	POV
62	DeepRed	Shellphish	Failed POV	POV
62	DeepRed	TECHx	Failed POV	POV
63	CSDS	CodeJitsu	Failed POV	POV
63	CSDS	DeepRed	Failed POV	POV
63	CSDS	Disekt	Failed POV	POV
63	CSDS	ForAllSecure	Failed POV	POV
63	CSDS	Shellphish	Failed POV	POV
63	CSDS	TECHx	Failed POV	POV
63	DeepRed	CodeJitsu	Failed POV	POV
63	DeepRed	CSDS	Failed POV	POV
63	DeepRed	Disekt	Failed POV	POV
63	DeepRed	ForAllSecure	Failed POV	POV
63	DeepRed	Shellphish	Failed POV	POV
63	DeepRed	TECHx	Failed POV	POV
64	CSDS	CodeJitsu	Failed POV	POV
64	CSDS	DeepRed	Failed POV	POV
64	CSDS	Disekt	Failed POV	POV
64	CSDS	ForAllSecure	Failed POV	POV
64	CSDS	Shellphish	Failed POV	POV
64	CSDS	TECHx	Failed POV	POV
64	DeepRed	CodeJitsu	Failed POV	POV
64	DeepRed	CSDS	Failed POV	POV
64	DeepRed	Disekt	Failed POV	POV
64	DeepRed	ForAllSecure	Failed POV	POV
64	DeepRed	Shellphish	Failed POV	POV
64	DeepRed	TECHx	Failed POV	POV