Qualifier Challenge - NRFIN_00014

Original Versions

Known Vulnerabilities

  • CWE-476 - NULL Pointer Dereference
  • CWEs are listed as indicated by the challenge author.


  • ForAllSecure: 2.67
  • Lekkertech: 2.67
  • Shellphish: 2.67
  • TECHx: 2.33
  • DeepRed: 2.33
  • Disekt: 0.25
  • CodeJitsu: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 66.7% - CB1
  • ForAllSecure: 66.7% - CB1
  • Lekkertech: 66.7% - CB1
  • Shellphish: 66.7% - CB1
  • TECHx: 33.3% - CB1
  • DeepRed: 33.3% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

Narf Industries info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)


Multipass is a new, magical, way to pay for all of life's necessities. Simply swipe and go for gas, food, vending machines, and at conbinis!

Feature List

The following transactions are available: - Make purchase (use multi-pass card to make a purchase from a vendor) - Refund purchase (use multi-pass card to refund a previous purchase) - Balance inquiry (use multi-pass card to query its balance) - List transaction history (use multi-pass card to query the list of recent transactions) - Issue new Multi-Pass (request a new multi-pass card) - Add funds to Multi-Pass (use multi-pass card to add funds to the balance)


This multipass daemon has a few internal structures to track if a transaction is open/closed. Upon finalizing a transaction its open flag should be set to zero. The vulnerable version, however, decrements the is_open flag (account.c:205) such that it rolls over to +128 (char var). This offset is used directly as an ERRNO. The NULL dereference is not triggered immediately, the system waits until it has to generate an error message packet (multipass.c:generate_error). In the error generation process, the ERRNO is used as an offset into a table of char * pointers (multipass.h:104). The index is out of bounds in this array of char pointers and causes a null dereference.

Another simpler NULL dereference involves invoking refund operation against a non-refundable transaction. Specifically, all AUTH requests are logged to the MULTIPASS history. AUTH transaction histories do not contain a data section. One of the first steps in the refund operation is to lookup a transaction by ID and dereference the data section. Dereferencing the null data section of an AUTH transaction leads to another NULL pointer dereference.

Generic class of vulnerability

Integer underflow followed by NULL dereference.

Plain null dereference.

CWE classification

NULL Pointer Dereference CWE-476


  • The release poller does not include any information about how to generate error messages.
  • The CRS requires taint tracking across a static variable which is touched in a fair amount of the program, this might be optimized away by some competitors.
  • The release poller is not indicative of the protocol allowing multiple FINS.

Curated by Lunge Technology, LLC. Questions or comments? Send us email