Qualifier Challenge - NRFIN_00029

Original Versions

Known Vulnerabilities

  • CWE-176 - Improper Handling of Unicode Encoding
  • CWE-20 - Improper Input Validation
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • CWE-822 - Untrusted Pointer Dereference
  • CWEs are listed as indicated by the challenge author.


  • CSDS: 0.75
  • DeepRed: 0.16
  • CodeJitsu: 0.0
  • Disekt: 0.0
  • ForAllSecure: 0.0
  • Lekkertech: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • DeepRed - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • Lekkertech - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • TrailofBits: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • DeepRed: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

Author Information

"Maxwell Koo" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)


I'm so UTF-8, you so UTF-late. This is a network-enabled file server, which keeps all user files in memory for blazing-quick access. The API exposes a public dropbox folder, while preventing access to the protected admin area. The filesystem is UTF-8 aware, allowing arbitrary unicode filenames of a fixed length.

Commands take the form of a 4-byte command identifier, followed by optional arguments. Commands may produce output, but will always end in a 4-byte success code, 0 on success or -1 on failure.

Feature List

The following features are available: - Read file, accepts a filename and returns the contents of that file - Write file, accepts a filename and a size, writes the contents to a file - List files, lists all files in the dropbox folder


The UTF-8 decoding function does not properly handle overlong encodings, so it is possible to defeat the input validation protecting the admin area and write to files in that area. Files in the admin area contain a user-controlled pointer value, which allows arbitrary write access to a large portion of the process' address space.

Generic class of vulnerability

Improper handling of unicode encoding

CWE classification

CWE-20 Improper input validation CWE-22 Improper limitation of a pathname to a restricted directory CWE-176 Improper handling of unicode encoding CWE-822 Untrusted pointer dereference


This CB is designed to test the ability for a CRS to comprehend complex string functions and stateful processes spanning multiple invocations of a function. UTF-8 is a complex variable-width encoding with many possible invalid byte sequences. The decoder implemented in this CB handles this by running each character through a state machine, invoking a function on each byte which records its state into a output variable and its return code. Reasoning over separate invocations of the decoder function is necessary in order to determine an input which will lead to triggering the vulnerability. This CB is inspired by several real-world path traversal and unicode vulnerabilities, including CVE-2000-0884 in Microsoft IIS.

Curated by Lunge Technology, LLC. Questions or comments? Send us email