Qualifier Challenge - NRFIN_00008


Original Versions

Known Vulnerabilities

  • CWE-680 - Integer Overflow to Buffer Overflow
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 0.93
  • CSDS: 0.75
  • DeepRed: 0.59
  • TrailofBits: 0.14
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • TrailofBits: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Ben Schmidt" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

RLEStream (pronounced "reallystream") is a video streaming service for the modern shell, committed to delivering quality content in a horribly inefficient way.

Feature List

We here at RLEStream are dedicated to securely storing and delivering your favorite videos to a shell near you! Using our patent-pending compression and content protection technology, RLE (Rick's Lulzy Encoding), we are able to provide lightning fast access and superior content protection that our competitors just can't provide.

With our service, you can:

  1.) Upload your ASCII videos straight to our super cloud!
  2.) Watch your videos right in your shell!
  3.) Manage all your videos conveniently from netcat!
  4.) Share videos with your friends by giving them your personal access key!

With RLEStream, you're always a tty away from all your video files! Just download our client and get streaming!

Vulnerability

Integer overflow when uploading extremely compressed data, leading to heap corruption. These types of vulnerabilities are quite common in real-world compression libraries, and continue to be a problem today (see CVE-2014-4607 - 11).

To trigger the overflow, competitor PoVs must both add an overly compressed video and then play it with the proper key, causing it to actually be decompressed.

All uploaded videos are expected to be run-length encoded, xored with a static key (0x42), with a very simple checksum of the run-length encoded data pre-xor. This checksum, along with restrictive length requirements, should prevent attempts at blind fuzzing.

The overflow occurs when the decoding process produces more than 2^24 bytes, which overflows the dlen variable, defined as a 24-bit bitfield. Only inputs that have a compression ratio of at least ~127:1 will both trigger the overflow and be small enough to pass a prior length check.
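The length wrap described above, next to a checked form, as an added example that is not the challenge's source code. The `(count, value)` pair layout, the struct, and the function names are assumptions; only the 24-bit width of `dlen` comes from the write-up.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define DLEN_MAX ((1u << 24) - 1)   /* largest value a 24-bit dlen can hold */

/* Hypothetical header: only the 24-bit width of dlen comes from the write-up. */
struct video_hdr {
    unsigned int dlen : 24;
};

/* Unchecked: run lengths are summed in the bitfield, which wraps modulo 2^24.
 * Assumed stream layout: (count, value) byte pairs. */
unsigned int decoded_len_unchecked(const uint8_t *rle, size_t n)
{
    struct video_hdr h = { 0 };
    for (size_t i = 0; i + 1 < n; i += 2)
        h.dlen += rle[i];
    return h.dlen;
}

/* Checked: sum in a wide type, fail as soon as dlen could not represent it.
 * Returns 0 and sets *out on success, -1 on an oversized stream. */
int decoded_len_checked(const uint8_t *rle, size_t n, unsigned int *out)
{
    uint64_t total = 0;
    for (size_t i = 0; i + 1 < n; i += 2) {
        total += rle[i];
        if (total > DLEN_MAX)
            return -1;
    }
    *out = (unsigned int)total;
    return 0;
}

int main(void)
{
    /* Constructed input: 65794 runs of 255 bytes = 16777470 decoded bytes. */
    size_t n = 2 * 65794;
    uint8_t *rle = malloc(n);
    unsigned int len = 0;
    if (!rle) return 1;
    for (size_t i = 0; i < n; i += 2) { rle[i] = 255; rle[i + 1] = 'A'; }
    printf("unchecked dlen = %u\n", decoded_len_unchecked(rle, n));
    printf("checked rc = %d\n", decoded_len_checked(rle, n, &len));
    free(rle);
    return 0;
}
```

A buffer sized from the unchecked value would be far smaller than what the decoder goes on to write, which is the CWE-680 pattern; the checked form rejects the stream before any allocation.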

Generic class of vulnerability

Integer Overflow Buffer Overflow

CWE classification

CWE-680: Integer Overflow to Buffer Overflow

Challenges

  • Understanding the transforms necessary to successfully generate correct, highly compressed data. This requires the successful computation of a simple checksum, understanding and using a simple xor encoder, and proper generation of run-length encoded data.
  • Utilizing primitive operations in the decompression routine repeatedly to trigger the overflow.
  • Detecting integer overflow vulnerabilities, specifically one in a 3-byte bitfield.
  • Breaking our excellent DRM.

Curated by Lunge Technology, LLC.