Challenge Information - NRFIN_00044

Commonly known as: Checkmate


Rounds Enabled

54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68

Details

Original Versions

Known Vulnerabilities

  • CWE-134 - Use of Externally-Controlled Format String
  • CWE-20 - Improper Input Validation
  • CWE-201 - Information Exposure Through Sent Data
CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

Author Information

"Maxwell Koo" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

A simple chess game featuring a state-of-the-art text interface and local multiplayer support, enabling players to make moves using human-readable standard algebraic notation to play a game of chess.

Feature List

This service will allow two players to play a game of chess:

  • Displays game state based on current player
  • Parses input in standard algebraic notation
  • Handles move validation
  • Tracks captures
  • Tracks check, checkmate, stalemate
  • Handles castling
  • Handles pawn promotion
  • Handles en passant
  • Future support for AI players planned

Vulnerability 1

This service leaks data from the flag page. The stub "AI" code initializes a structure on the stack with 4 bytes from the flag page as a sort of random seed. As players input moves, the moves are validated with a parser and against the current game state, but overlong moves are not thrown out once parsing has completed. Upon successful validation of the move, the move is printed out to the user prior to displaying the updated board state. This print statement uses a user-controllable format string to perform this operation. A user who is able to craft a format string which passes the parser and subsequent move validation can leak bytes from the stack, leading to the disclosure of the flag value.

Generic class of vulnerability

  • Improper input validation
  • Uncontrolled format string
  • Information exposure through sent data

CWE classification

  • CWE-20 Improper input validation
  • CWE-134 Uncontrolled format string
  • CWE-201 Information exposure through sent data

Challenges

  • The vulnerability can be discovered by a CRS which performs taint tracking and is able to identify and reason about unsafe functions such as printf. This CB makes discovery slightly more difficult by passing the string read from user input into a complicated parsing and validation function which mixes the value with components of game state; however, the tainted value itself is passed directly to printf in the unpatched version.
  • Proving the vulnerability requires the ability to craft an input string which contains format specifiers and also represents a valid move to both the parser and to the move validator which considers the current state of the game. Modeling the behavior of variable argument functions such as printf is required, as is taint tracking from the flag page, to identify the presence of tainted bytes left on the stack and the potential to leak them with a crafted format string.
  • Fixing the vulnerability is easy, if it can be identified. A transformation to convert printfs with user-controlled format strings to one without should be possible.
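
The fix described in the last bullet, together with the missing rejection of overlong moves noted under Vulnerability 1, as an added example that is not the challenge's own source. The function names, the length cap and the allow-list are assumptions chosen for illustration, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SAN_LEN 7 /* assumed cap: longest SAN form, e.g. "exd8=Q+" */

/* Hypothetical post-parse check (not the challenge's parser): the whole
 * input must be short and drawn from the SAN alphabet, so no bytes can
 * trail the move once parsing has completed. */
int move_is_well_formed(const char *move)
{
    static const char allowed[] = "KQRBNabcdefgh12345678xO-=+#";
    size_t len = strlen(move);

    if (len < 2 || len > MAX_SAN_LEN)
        return 0;
    return strspn(move, allowed) == len;
}

/* Unpatched pattern described on this page (input used as the format):
 *     snprintf(out, n, move);
 * Patched pattern: constant format string, input passed only as data. */
int echo_move_patched(char *out, size_t n, const char *move)
{
    return snprintf(out, n, "%s", move);
}

int main(void)
{
    /* Constructed sample inputs, not taken from any POV. */
    const char *samples[] = { "e4", "Nf3", "O-O-O", "exd8=Q+",
                              "e4%08x", "Nf3 trailing" };
    char out[64];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        echo_move_patched(out, sizeof out, samples[i]);
        printf("%-14s well_formed=%d echoed=\"%s\"\n",
               samples[i], move_is_well_formed(samples[i]), out);
    }
    return 0;
}
```

The constant format string is the actual fix; the allow-list check is defense in depth and would sit alongside, not replace, validation against game state.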

Difficulty

  • Discovering is medium
  • Proving is medium
  • Fixing is easy

POV Information

Round Source Destination Result POV Analysis Video
55 CSDS CodeJitsu Failed POV POV Watch
55 CSDS DeepRed Failed POV POV Watch
55 CSDS Disekt Failed POV POV Watch
55 CSDS ForAllSecure Failed POV POV Watch
55 CSDS Shellphish Failed POV POV Watch
55 CSDS TECHx Failed POV POV Watch
55 DeepRed CodeJitsu Failed POV POV Watch
55 DeepRed CSDS Failed POV POV Watch
55 DeepRed Disekt Failed POV POV Watch
55 DeepRed ForAllSecure Failed POV POV Watch
55 DeepRed Shellphish Failed POV POV Watch
55 DeepRed TECHx Failed POV POV Watch
56 CSDS CodeJitsu Failed POV POV Watch
56 CSDS DeepRed Failed POV POV Watch
56 CSDS Disekt Failed POV POV Watch
56 CSDS ForAllSecure Failed POV POV Watch
56 CSDS Shellphish Failed POV POV Watch
56 CSDS TECHx Failed POV POV Watch
56 DeepRed CodeJitsu Failed POV POV Watch
56 DeepRed CSDS Failed POV POV Watch
56 DeepRed Disekt Failed POV POV Watch
56 DeepRed ForAllSecure Failed POV POV Watch
56 DeepRed Shellphish Failed POV POV Watch
56 DeepRed TECHx Failed POV POV Watch
57 CSDS CodeJitsu Failed POV POV Watch
57 CSDS DeepRed Failed POV POV Watch
57 CSDS Disekt Failed POV POV Watch
57 CSDS ForAllSecure Failed POV POV Watch
57 CSDS Shellphish Failed POV POV Watch
57 CSDS TECHx Failed POV POV Watch
57 DeepRed CodeJitsu Failed POV POV Watch
57 DeepRed CSDS Failed POV POV Watch
57 DeepRed Disekt Failed POV POV Watch
57 DeepRed ForAllSecure Failed POV POV Watch
57 DeepRed Shellphish Failed POV POV Watch
57 DeepRed TECHx Failed POV POV Watch
58 CodeJitsu Shellphish Failed POV through defenses POV Watch
58 CSDS CodeJitsu Failed POV POV Watch
58 CSDS DeepRed Failed POV POV Watch
58 CSDS Disekt Failed POV POV Watch
58 CSDS ForAllSecure Failed POV POV Watch
58 CSDS Shellphish Failed POV through defenses POV Watch
58 CSDS TECHx Failed POV POV Watch
58 DeepRed CodeJitsu Failed POV POV Watch
58 DeepRed CSDS Failed POV POV Watch
58 DeepRed Disekt Failed POV POV Watch
58 DeepRed ForAllSecure Failed POV POV Watch
58 DeepRed Shellphish Failed POV through defenses POV Watch
58 DeepRed TECHx Failed POV POV Watch
59 CSDS CodeJitsu Failed POV POV Watch
59 CSDS DeepRed Failed POV POV Watch
59 CSDS Disekt Failed POV POV Watch
59 CSDS ForAllSecure Failed POV POV Watch
59 CSDS Shellphish Failed POV through defenses POV Watch
59 CSDS TECHx Failed POV POV Watch
59 DeepRed CodeJitsu Failed POV POV Watch
59 DeepRed CSDS Failed POV POV Watch
59 DeepRed Disekt Failed POV POV Watch
59 DeepRed ForAllSecure Failed POV POV Watch
59 DeepRed Shellphish Failed POV through defenses POV Watch
59 DeepRed TECHx Failed POV POV Watch
60 CSDS CodeJitsu Failed POV POV Watch
60 CSDS DeepRed Failed POV POV Watch
60 CSDS Disekt Failed POV POV Watch
60 CSDS ForAllSecure Failed POV POV Watch
60 CSDS Shellphish Failed POV through defenses POV Watch
60 CSDS TECHx Failed POV POV Watch
60 DeepRed CodeJitsu Failed POV POV Watch
60 DeepRed CSDS Failed POV POV Watch
60 DeepRed Disekt Failed POV POV Watch
60 DeepRed ForAllSecure Failed POV POV Watch
60 DeepRed Shellphish Failed POV through defenses POV Watch
60 DeepRed TECHx Failed POV POV Watch
61 CSDS CodeJitsu Failed POV POV Watch
61 CSDS DeepRed Failed POV POV Watch
61 CSDS Disekt Failed POV POV Watch
61 CSDS ForAllSecure Failed POV POV Watch
61 CSDS Shellphish Failed POV through defenses POV Watch
61 CSDS TECHx Failed POV POV Watch
61 DeepRed CodeJitsu Failed POV POV Watch
61 DeepRed CSDS Failed POV POV Watch
61 DeepRed Disekt Failed POV POV Watch
61 DeepRed ForAllSecure Failed POV POV Watch
61 DeepRed Shellphish Failed POV through defenses POV Watch
61 DeepRed TECHx Failed POV POV Watch
62 CSDS CodeJitsu Failed POV POV Watch
62 CSDS DeepRed Failed POV POV Watch
62 CSDS Disekt Failed POV POV Watch
62 CSDS ForAllSecure Failed POV POV Watch
62 CSDS Shellphish Failed POV through defenses POV Watch
62 CSDS TECHx Failed POV POV Watch
62 DeepRed CodeJitsu Failed POV POV Watch
62 DeepRed CSDS Failed POV POV Watch
62 DeepRed Disekt Failed POV POV Watch
62 DeepRed ForAllSecure Failed POV POV Watch
62 DeepRed Shellphish Failed POV through defenses POV Watch
62 DeepRed TECHx Failed POV POV Watch
63 CSDS CodeJitsu Failed POV POV Watch
63 CSDS DeepRed Failed POV POV Watch
63 CSDS Disekt Failed POV POV Watch
63 CSDS ForAllSecure Failed POV POV Watch
63 CSDS Shellphish Failed POV through defenses POV Watch
63 CSDS TECHx Failed POV POV Watch
63 DeepRed CodeJitsu Failed POV POV Watch
63 DeepRed CSDS Failed POV POV Watch
63 DeepRed Disekt Failed POV POV Watch
63 DeepRed ForAllSecure Failed POV POV Watch
63 DeepRed Shellphish Failed POV through defenses POV Watch
63 DeepRed TECHx Failed POV POV Watch
64 CSDS CodeJitsu Failed POV POV Watch
64 CSDS DeepRed Failed POV POV Watch
64 CSDS Disekt Failed POV POV Watch
64 CSDS ForAllSecure Failed POV POV Watch
64 CSDS Shellphish Failed POV through defenses POV Watch
64 CSDS TECHx Failed POV POV Watch
64 DeepRed CodeJitsu Failed POV POV Watch
64 DeepRed CSDS Failed POV POV Watch
64 DeepRed Disekt Failed POV POV Watch
64 DeepRed ForAllSecure Failed POV POV Watch
64 DeepRed Shellphish Failed POV through defenses POV Watch
64 DeepRed TECHx Failed POV POV Watch
65 CSDS CodeJitsu Failed POV POV Watch
65 CSDS DeepRed Failed POV POV Watch
65 CSDS Disekt Failed POV POV Watch
65 CSDS ForAllSecure Failed POV POV Watch
65 CSDS Shellphish Failed POV through defenses POV Watch
65 CSDS TECHx Failed POV POV Watch
65 DeepRed CodeJitsu Failed POV POV Watch
65 DeepRed CSDS Failed POV POV Watch
65 DeepRed Disekt Failed POV POV Watch
65 DeepRed ForAllSecure Failed POV POV Watch
65 DeepRed Shellphish Failed POV through defenses POV Watch
65 DeepRed TECHx Failed POV POV Watch
66 CSDS CodeJitsu Failed POV POV Watch
66 CSDS DeepRed Failed POV POV Watch
66 CSDS Disekt Failed POV POV Watch
66 CSDS ForAllSecure Failed POV POV Watch
66 CSDS Shellphish Failed POV through defenses POV Watch
66 CSDS TECHx Failed POV POV Watch
66 DeepRed CodeJitsu Failed POV POV Watch
66 DeepRed CSDS Failed POV POV Watch
66 DeepRed Disekt Failed POV POV Watch
66 DeepRed ForAllSecure Failed POV POV Watch
66 DeepRed Shellphish Failed POV through defenses POV Watch
66 DeepRed TECHx Failed POV POV Watch
67 CSDS CodeJitsu Failed POV POV Watch
67 CSDS DeepRed Failed POV POV Watch
67 CSDS Disekt Failed POV POV Watch
67 CSDS ForAllSecure Failed POV POV Watch
67 CSDS Shellphish Failed POV through defenses POV Watch
67 CSDS TECHx Failed POV POV Watch
67 DeepRed CodeJitsu Failed POV POV Watch
67 DeepRed CSDS Failed POV POV Watch
67 DeepRed Disekt Failed POV POV Watch
67 DeepRed ForAllSecure Failed POV POV Watch
67 DeepRed Shellphish Failed POV through defenses POV Watch
67 DeepRed TECHx Failed POV POV Watch
68 CSDS CodeJitsu Failed POV POV Watch
68 CSDS DeepRed Failed POV POV Watch
68 CSDS Disekt Failed POV POV Watch
68 CSDS ForAllSecure Failed POV POV Watch
68 CSDS Shellphish Failed POV through defenses POV Watch
68 CSDS TECHx Failed POV POV Watch
68 DeepRed CodeJitsu Failed POV POV Watch
68 DeepRed CSDS Failed POV POV Watch
68 DeepRed Disekt Failed POV POV Watch
68 DeepRed ForAllSecure Failed POV POV Watch
68 DeepRed Shellphish Failed POV through defenses POV Watch
68 DeepRed TECHx Failed POV POV Watch

Curated by Lunge Technology, LLC.