"Narf Industries" info@narfindustries.com
Narf Industries (NRFIN)
Remember: the Cloud is really just someone else's computer. Why bog down your own computer when you can use someone else's?
Inspired by LANGSEC, the CLOUDCOMPUTE platform offers arbitrary arithmetic computation in a regular expression language! By limiting the protocol to the regular domain, it becomes possible to write verifiable recognizers for the language, not that we verified our own.
CLOUDCOMPUTE offers up to 20 distinct arithmetic sessions for all 20 of your arithmetic needs!
Each session has backing memory that contains (1) BASE_ADDR (explained later), (2) an opcode buffer (of varying length), (3) a scratch buffer (256 bytes). CLOUDCOMPUTE interprets the bytecode in the opcode buffer and works off memory addressed in part by BASE_ADDR and offsets listed in the opcodes. Under normal conditions, this will cause writes to memory in the session's scratch buffer, which is returned at the end of a session instance. Under exploitative conditions, these writes will be directed elsewhere.
```
^ session N's limit - (3 + N + 256)
^ -1 byte from the end of session N-1's space
...
^ allocate() limit - (3 + N + 256)
^ top of the allocate() region
```
Memory notes:
- As the number of sessions grows, the session memory space grows toward lower addresses.
- Opcode buffer sizes are established during session negotiation and are denoted as N in the above.

Sessions are created and used thusly:
- CRS -> CB: 4B MAGIC_NEW_SESSION
- CRS <- CB: 4B (generated) session ID
- CRS -> CB: 4B session ID | 2B session SZ
- CRS -> CB: 4B session ID | opcodes (of length session->sz)
- CRS <- CB: 4B session ID | scratch area (of length SCRATCH_SZ)

Existing sessions are interacted with thusly:
- CRS -> CB: 4B (existing) session ID
- CRS <- CB: 4B (reflected) session ID
- CRS -> CB: 4B session ID | opcodes (of length session->sz)
- CRS <- CB: 4B session ID | scratch area (of length SCRATCH_SZ)
During session creation / exercise, opcodes are sent to CLOUDCOMPUTE and are written into the corresponding session's opcode buffer. These opcodes are the portion of the protocol designed to be LANGSEC-compliant (it's a regular language).
The opcode "spec":
- form: [operation][\x00][' '][offset][' '][immediate]
- smpl: ADD\x00 \xAA \xBB - will add \xBB to the byte in the session's scratch buffer at offset \xAA

Operations:
- "NUL": offset = \x00
- "SET": offset = immediate
- "ADD": offset += immediate
- "SUB": offset -= immediate
- "MUL": offset *= immediate
- "DIV": offset /= immediate
- "SHR": offset >>= immediate
- "SHL": offset <<= immediate

Operation notes:
- Over/underflows are not handled in any special manner.
- If the immediate to a DIV instruction is 0, offset is assigned \xAA.
- The SHR & SHL instructions are limited to a maximum of an 8 bit shift. Anything more results in offset = \x00 to avoid ambiguity among architectures.
- The absolute address of the arithmetic instruction is calculated with the current session's BASE_ADDR, the size of the opcode buffer and the offset encoded in the operation. BASE_ADDR is a 3 byte value that's supposed to (and is assumed to always) hold the most significant 3 bytes of the scratch base address. This field is critical to the vulnerability included in this CB. If an attacker is able to control a session's BASE_ADDR field, the attacker can use CLOUDCOMPUTE functionality to perform arbitrary computation on arbitrary memory.
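A recognizer and interpreter for the opcode language described above, written as an added example (not the CB's own code). It validates the whole buffer before executing anything, and it indexes a fixed 256-byte array rather than computing an address from BASE_ADDR; the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SCRATCH_SZ 256
#define OP_LEN 8 /* 3-byte mnemonic, \x00, ' ', offset, ' ', immediate */

/* One operation on the current byte, following the operation notes above.
 * *ok is cleared when the mnemonic is not one of the eight operations. */
static uint8_t apply(const uint8_t *m, uint8_t cur, uint8_t imm, int *ok) {
    *ok = 1;
    if (!memcmp(m, "NUL", 3)) return 0;
    if (!memcmp(m, "SET", 3)) return imm;
    if (!memcmp(m, "ADD", 3)) return (uint8_t)(cur + imm); /* wraps mod 256 */
    if (!memcmp(m, "SUB", 3)) return (uint8_t)(cur - imm);
    if (!memcmp(m, "MUL", 3)) return (uint8_t)(cur * imm);
    if (!memcmp(m, "DIV", 3)) return imm ? (uint8_t)(cur / imm) : 0xAA;
    if (!memcmp(m, "SHR", 3)) return imm > 8 ? 0 : (uint8_t)(cur >> imm);
    if (!memcmp(m, "SHL", 3)) return imm > 8 ? 0 : (uint8_t)(cur << imm);
    *ok = 0;
    return cur;
}

/* Pass 1 recognizes every opcode; pass 2 executes. A one-byte offset cannot
 * leave a 256-byte scratch array, so no further bounds check is needed here.
 * Returns the number of opcodes run, or -1 if the input is rejected. */
int run_opcodes(const uint8_t *buf, size_t len, uint8_t scratch[SCRATCH_SZ]) {
    int ok;
    if (len % OP_LEN) return -1;
    for (size_t i = 0; i < len; i += OP_LEN) {
        const uint8_t *p = buf + i;
        (void)apply(p, 0, 0, &ok);
        if (!ok || p[3] != 0x00 || p[4] != ' ' || p[6] != ' ') return -1;
    }
    for (size_t i = 0; i < len; i += OP_LEN) {
        const uint8_t *p = buf + i;
        scratch[p[5]] = apply(p, scratch[p[5]], p[7], &ok);
    }
    return (int)(len / OP_LEN);
}

int main(void) {
    /* Constructed program: SET [0x10]=7, ADD 3, DIV by 0 (yields 0xAA). */
    const uint8_t prog[] = {'S','E','T',0,' ',0x10,' ',7, 'A','D','D',0,' ',0x10,' ',3,
                            'D','I','V',0,' ',0x10,' ',0};
    uint8_t scratch[SCRATCH_SZ] = {0};
    return run_opcodes(prog, sizeof prog, scratch) == 3 && scratch[0x10] == 0xAA ? 0 : 1;
}
```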
When done computing, CLOUDCOMPUTE will send the scratch buffer back to the client. The address of the scratch buffer is computed with BASE_ADDR, meaning control of BASE_ADDR confers the ability to leak the flag page. The scratch buffer is what is verified by the pollers.
Despite the opcode protocol being LANGSEC compliant, there exists a vulnerability during session establishment / exercise.
Each step in session negotiation involves sending the session ID. If the session ID is changed mid-session, CLOUDCOMPUTE becomes confused and copies opcodes into an opcode buffer with the wrong session's size. If this wrong size is larger than the target opcode buffer, a buffer overflow will occur. Because sessions are immediately adjacent in memory, this overflow confers the ability to control the adjacent session's BASE_ADDR.

As noted before, control of a session's BASE_ADDR allows the attacker to author both Type 1 and Type 2 PoVs.
- Type 1: Control of BASE_ADDR confuses the location of the scratch buffer and therefore which memory is affected by opcodes. The attacker can use, e.g. the "SET" opcode to write arbitrary bytes over arbitrary memory, allowing for code execution.
- Type 2: Confusion of the scratch buffer location means the wrong memory is returned during the final step of the protocol. An attacker can control BASE_ADDR to point to the flag page and wait for the CB to send back 256 bytes of the page during the final protocol step.

- CWE-122: Heap-based Buffer Overflow
- CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
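One way to close the session confusion described above, as an added sketch that is not the CB's code or its patch: pin the session ID from the first message of an exchange, reject any later message carrying a different ID, and take the copy length and the destination from the same session object. The struct layout, the fixed `OPBUF_CAP` and all names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define OPBUF_CAP 64 /* assumed fixed capacity; the CB sizes this per session */

struct session { /* hypothetical layout for the sketch */
    uint32_t id;
    uint16_t sz; /* opcode length fixed at negotiation */
    uint8_t opcodes[OPBUF_CAP];
};

enum { RC_OK = 0, RC_UNKNOWN = -1, RC_ID_CHANGED = -2, RC_LENGTH = -3 };

static struct session *find(struct session *tbl, size_t n, uint32_t id) {
    for (size_t i = 0; i < n; i++)
        if (tbl[i].id == id) return &tbl[i];
    return NULL;
}

/* Handle "4B session ID | opcodes". pinned_id is the ID from the first
 * message of this exchange; msg_id is the ID carried by this message. */
int recv_opcodes(struct session *tbl, size_t n, uint32_t pinned_id,
                 uint32_t msg_id, const uint8_t *data, size_t len) {
    struct session *s = find(tbl, n, pinned_id);
    if (!s) return RC_UNKNOWN;
    if (msg_id != pinned_id) return RC_ID_CHANGED; /* no mid-exchange switch */
    /* Length and destination come from the same session, and the length is
     * re-checked against the buffer it is about to be copied into. */
    if (len != s->sz || s->sz > sizeof s->opcodes) return RC_LENGTH;
    memcpy(s->opcodes, data, len);
    return RC_OK;
}

int main(void) {
    /* Constructed table: two sessions with different negotiated sizes. */
    struct session tbl[2] = {{0x1111, 8, {0}}, {0x2222, 32, {0}}};
    uint8_t msg[32] = {0};
    /* Exchange opened as 0x1111, but the opcode message claims 0x2222. */
    return recv_opcodes(tbl, 2, 0x1111, 0x2222, msg, sizeof msg) == RC_ID_CHANGED ? 0 : 1;
}
```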
CWE-843 doesn't perfectly fit. The vulnerability will confuse two different sessions, but they are technically the same "type". I am not aware of a better CWE identifier for this.
Round | Source | Destination | Result | POV | Analysis | Video |
---|---|---|---|---|---|---|
45 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
45 | CSDS | DeepRed | Failed POV | POV | Watch | |
45 | CSDS | Disekt | Failed POV | POV | Watch | |
45 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
45 | CSDS | Shellphish | Failed POV | POV | Watch | |
45 | CSDS | TECHx | Failed POV | POV | Watch | |
45 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
45 | DeepRed | CSDS | Failed POV | POV | Watch | |
45 | DeepRed | Disekt | Failed POV | POV | Watch | |
45 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
45 | DeepRed | Shellphish | Failed POV | POV | Watch | |
45 | DeepRed | TECHx | Failed POV | POV | Watch | |
46 | CodeJitsu | Disekt | Failed POV through defenses | POV | Watch | |
46 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
46 | CSDS | DeepRed | Failed POV | POV | Watch | |
46 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
46 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
46 | CSDS | Shellphish | Failed POV | POV | Watch | |
46 | CSDS | TECHx | Failed POV | POV | Watch | |
46 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
46 | DeepRed | CSDS | Failed POV | POV | Watch | |
46 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
46 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
46 | DeepRed | Shellphish | Failed POV | POV | Watch | |
46 | DeepRed | TECHx | Failed POV | POV | Watch | |
47 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
47 | CSDS | DeepRed | Failed POV | POV | Watch | |
47 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
47 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
47 | CSDS | Shellphish | Failed POV | POV | Watch | |
47 | CSDS | TECHx | Failed POV | POV | Watch | |
47 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
47 | DeepRed | CSDS | Failed POV | POV | Watch | |
47 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
47 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
47 | DeepRed | Shellphish | Failed POV | POV | Watch | |
47 | DeepRed | TECHx | Failed POV | POV | Watch | |
48 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
48 | CSDS | DeepRed | Failed POV | POV | Watch | |
48 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
48 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
48 | CSDS | Shellphish | Failed POV | POV | Watch | |
48 | CSDS | TECHx | Failed POV | POV | Watch | |
48 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
48 | DeepRed | CSDS | Failed POV | POV | Watch | |
48 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
48 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
48 | DeepRed | Shellphish | Failed POV | POV | Watch | |
48 | DeepRed | TECHx | Failed POV | POV | Watch | |
49 | CodeJitsu | Shellphish | Failed POV through defenses | POV | Watch | |
49 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
49 | CSDS | DeepRed | Failed POV | POV | Watch | |
49 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
49 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
49 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
49 | CSDS | TECHx | Failed POV | POV | Watch | |
49 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
49 | DeepRed | CSDS | Failed POV | POV | Watch | |
49 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
49 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
49 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
49 | DeepRed | TECHx | Failed POV | POV | Watch | |
50 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
50 | CSDS | DeepRed | Failed POV | POV | Watch | |
50 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
50 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
50 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
50 | CSDS | TECHx | Failed POV | POV | Watch | |
50 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
50 | DeepRed | CSDS | Failed POV | POV | Watch | |
50 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
50 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
50 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
50 | DeepRed | TECHx | Failed POV | POV | Watch | |
51 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
51 | CSDS | DeepRed | Failed POV | POV | Watch | |
51 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
51 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
51 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
51 | CSDS | TECHx | Failed POV | POV | Watch | |
51 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
51 | DeepRed | CSDS | Failed POV | POV | Watch | |
51 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
51 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
51 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
51 | DeepRed | TECHx | Failed POV | POV | Watch | |
52 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
52 | CSDS | DeepRed | Failed POV | POV | Watch | |
52 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
52 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
52 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
52 | CSDS | TECHx | Failed POV | POV | Watch | |
52 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
52 | DeepRed | CSDS | Failed POV | POV | Watch | |
52 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
52 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
52 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
52 | DeepRed | TECHx | Failed POV | POV | Watch | |
53 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
53 | CSDS | DeepRed | Failed POV | POV | Watch | |
53 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
53 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
53 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
53 | CSDS | TECHx | Failed POV | POV | Watch | |
53 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
53 | DeepRed | CSDS | Failed POV | POV | Watch | |
53 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
53 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
53 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
53 | DeepRed | TECHx | Failed POV | POV | Watch | |
54 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
54 | CSDS | DeepRed | Failed POV | POV | Watch | |
54 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
54 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
54 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
54 | CSDS | TECHx | Failed POV | POV | Watch | |
54 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
54 | DeepRed | CSDS | Failed POV | POV | Watch | |
54 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
54 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
54 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
54 | DeepRed | TECHx | Failed POV | POV | Watch | |
55 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
55 | CSDS | DeepRed | Failed POV | POV | Watch | |
55 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
55 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
55 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
55 | CSDS | TECHx | Failed POV | POV | Watch | |
55 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
55 | DeepRed | CSDS | Failed POV | POV | Watch | |
55 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
55 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
55 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
55 | DeepRed | TECHx | Failed POV | POV | Watch | |
56 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
56 | CSDS | DeepRed | Failed POV | POV | Watch | |
56 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
56 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
56 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
56 | CSDS | TECHx | Failed POV | POV | Watch | |
56 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
56 | DeepRed | CSDS | Failed POV | POV | Watch | |
56 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
56 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
56 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
56 | DeepRed | TECHx | Failed POV | POV | Watch | |
57 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
57 | CSDS | DeepRed | Failed POV | POV | Watch | |
57 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
57 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
57 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
57 | CSDS | TECHx | Failed POV | POV | Watch | |
57 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
57 | DeepRed | CSDS | Failed POV | POV | Watch | |
57 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
57 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
57 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
57 | DeepRed | TECHx | Failed POV | POV | Watch | |
58 | CSDS | CodeJitsu | Failed POV | POV | Watch | |
58 | CSDS | DeepRed | Failed POV | POV | Watch | |
58 | CSDS | Disekt | Failed POV through defenses | POV | Watch | |
58 | CSDS | ForAllSecure | Failed POV | POV | Watch | |
58 | CSDS | Shellphish | Failed POV through defenses | POV | Watch | |
58 | CSDS | TECHx | Failed POV | POV | Watch | |
58 | DeepRed | CodeJitsu | Failed POV | POV | Watch | |
58 | DeepRed | CSDS | Failed POV | POV | Watch | |
58 | DeepRed | Disekt | Failed POV through defenses | POV | Watch | |
58 | DeepRed | ForAllSecure | Failed POV | POV | Watch | |
58 | DeepRed | Shellphish | Failed POV through defenses | POV | Watch | |
58 | DeepRed | TECHx | Failed POV | POV | Watch |
Curated by Lunge Technology, LLC.