Qualifier Challenge - NRFIN_00011

Original Versions


  • CodeJitsu: 0.0
  • Disekt: 0.0
  • ForAllSecure: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • DeepRed - CB1
  • ForAllSecure - CB1
  • FuzzBOMB - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Narf Industries" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)


The megalomaniacal mice are at it again. This time, the plan is to develop mind-controlling cheese. And who doesn't like cheese.

While this may sound like a simple enough task, it turns out the manufacture of mind-controlling cheese requires the ability to fold proteins in a precise manner. The problem is, such folding computations require a lot of compute power.

The mice have a solution: build a botnet!

Feature List

The CB requests an HTML-like index page from the CRS. The CRS responds to this request with a document that links to further resources necessary to render the complete document. These further resources are specified as paths. If certain constraints on the paths are satisfied, a vulnerable path canonicalization function is called.


This CB is inspired by MS08-067 - a stack-based buffer overflow "proven vulnerable" in the wild by the Conficker worm. The vulnerability is caused by an improperly guarded call to wcscat() in the Server Service daemon on Microsoft Windows platforms during path canonicalization routines. Exploitation involved the repeated cat'ing of attacker-provided data into a statically-sized buffer.

In contrast to Conficker's method of "vulnerability proving", this CB acts as a client and requests HTML-like data from the CRS, more closely emulating something like Internet Explorer than Server Service.

This CB is intended to be relatively simple to "prove vulnerable".

CWE classification

120: Buffer Overflow 121: Stack-Based Buffer Overflow


  • Reasoning about strings that are terminated with something other than NULLs.
  • Seemingly-correct security checks are in place. The challenge will be to find that the security checks are inadequate, which demands reasoning across calls to strncat().
  • Satisfying the constraints necessary to hit the vulnerable code, including size checks and string matches against expected traffic.

Curated by Lunge Technology, LLC. Questions or comments? Send us email