Challenge Information - NRFIN_00051

Commonly known as: CAT


Rounds Enabled

40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54

Details

Original Versions

Known Vulnerabilities

  • CWE-129 - Improper Validation of Array Index
  • CWE-20 - Improper Input Validation
  • CWE-201 - Information Exposure Through Sent Data
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

Author Information

"Narf Industries" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

Confident Authentication Terminal (CAT) provides real time RAM access for remote auditors. CAT is a client for a fictional CAT protocol designed for use in regulation-heavy industries, such as the gaming industry, where regulatory bodies need to be able to query RAM contents on demand.

Feature List:

CAT provides legitimate mechanisms to (R)ead and (W)rite most of the virtual address space, but is not supposed to provide a means to introduce and cause execution of externally provided instructions. In other words, there are many ways to cause a SIGSEGV, but few ways to do anything useful with it.

Notably, direct (R)eads to the FLAG page, which simulates protected proprietary information are disallowed.

Vulnerability 1

This CB, the CAT client, allows for (W)rites to its .data segment. This is not specified by the CAT protocol and is, in fact, an implementation error. This allowance is the basis of the vulnerability. Patched variants disallow such access and send an error response.

Absent the ability to (W)rite to the .data segment, it should become infeasible to redirect control flow to unintended locations.

Generic class of vulnerability

Improper input validation Improper validation of array index Information Exposure Through Sent Data

CWE classification

CWE-20: Improper input validation CWE-129: Improper validation of array index CWE-201: Information Exposure Through Sent Data

Challenges

  • While exploiting an arbitrary R/W is expected to be simple, patching an arbitrry R/W that's included by design is a difficult task. It likely requires inferrence of what the intended behavior should be. This intent can be inferred from pollers (which never attempt (W)rite to the .data segment).
  • One of the protocol handlers is a 65536 case switch statement that returns a random 4B value per case. This functionality is verified for inclusion by pollers. This large switch statement causes IDA Pro to punt during some component of disassembly and Hex-Rays decompilation is likely infeasible for any realistic amount of allocated RAM. That being said, the vulnerability does not reside in this massive function, so this code can remain untouched. It will be difficult to reason about this code for any competitor that is leveraging IDA Pro.
  • Pollers verify the (R)eadability of the expected .text section. This may complicate some defensive ASLR strategies. If competitors choose to move e(X)ecutable code from its original location, the original location must still be (R)eadable.

Difficulty

  • Discovering is easy
  • Proving Type 1 is easy/medium; Type 2 is medium
  • Patching is hard

POV Information

Round Source Destination Result POV Analysis Video
41 CSDS CodeJitsu Failed POV POV Watch
41 CSDS DeepRed Failed POV POV Watch
41 CSDS Disekt Failed POV POV Watch
41 CSDS ForAllSecure Failed POV POV Watch
41 CSDS Shellphish Failed POV POV Watch
41 CSDS TECHx Failed POV POV Watch
41 DeepRed CodeJitsu Failed POV POV Watch
41 DeepRed CSDS Failed POV POV Watch
41 DeepRed Disekt Failed POV POV Watch
41 DeepRed ForAllSecure Failed POV POV Watch
41 DeepRed Shellphish Failed POV POV Watch
41 DeepRed TECHx Failed POV POV Watch
42 CSDS CodeJitsu Failed POV POV Watch
42 CSDS DeepRed Failed POV POV Watch
42 CSDS Disekt Failed POV POV Watch
42 CSDS ForAllSecure Failed POV POV Watch
42 CSDS Shellphish Failed POV POV Watch
42 CSDS TECHx Failed POV POV Watch
42 DeepRed CodeJitsu Failed POV POV Watch
42 DeepRed CSDS Failed POV POV Watch
42 DeepRed Disekt Failed POV POV Watch
42 DeepRed ForAllSecure Failed POV POV Watch
42 DeepRed Shellphish Failed POV POV Watch
42 DeepRed TECHx Failed POV POV Watch
43 CodeJitsu Shellphish Failed POV through defenses POV Watch
43 CSDS CodeJitsu Failed POV POV Watch
43 CSDS DeepRed Failed POV POV Watch
43 CSDS Disekt Failed POV POV Watch
43 CSDS ForAllSecure Failed POV POV Watch
43 CSDS Shellphish Failed POV through defenses POV Watch
43 CSDS TECHx Failed POV POV Watch
43 DeepRed CodeJitsu Failed POV POV Watch
43 DeepRed CSDS Failed POV POV Watch
43 DeepRed Disekt Failed POV POV Watch
43 DeepRed ForAllSecure Failed POV POV Watch
43 DeepRed Shellphish Failed POV through defenses POV Watch
43 DeepRed TECHx Failed POV POV Watch
44 CSDS CodeJitsu Failed POV POV Watch
44 CSDS DeepRed Failed POV POV Watch
44 CSDS Disekt Failed POV POV Watch
44 CSDS ForAllSecure Failed POV POV Watch
44 CSDS Shellphish Failed POV through defenses POV Watch
44 CSDS TECHx Failed POV POV Watch
44 DeepRed CodeJitsu Failed POV POV Watch
44 DeepRed CSDS Failed POV POV Watch
44 DeepRed Disekt Failed POV POV Watch
44 DeepRed ForAllSecure Failed POV POV Watch
44 DeepRed Shellphish Failed POV through defenses POV Watch
44 DeepRed TECHx Failed POV POV Watch
45 CSDS CodeJitsu Failed POV POV Watch
45 CSDS DeepRed Failed POV POV Watch
45 CSDS Disekt Failed POV POV Watch
45 CSDS ForAllSecure Failed POV POV Watch
45 CSDS Shellphish Failed POV through defenses POV Watch
45 CSDS TECHx Failed POV POV Watch
45 DeepRed CodeJitsu Failed POV POV Watch
45 DeepRed CSDS Failed POV POV Watch
45 DeepRed Disekt Failed POV POV Watch
45 DeepRed ForAllSecure Failed POV POV Watch
45 DeepRed Shellphish Failed POV through defenses POV Watch
45 DeepRed TECHx Failed POV POV Watch
46 CSDS CodeJitsu Failed POV POV Watch
46 CSDS DeepRed Failed POV POV Watch
46 CSDS Disekt Failed POV POV Watch
46 CSDS ForAllSecure Failed POV POV Watch
46 CSDS Shellphish Failed POV through defenses POV Watch
46 CSDS TECHx Failed POV POV Watch
46 DeepRed CodeJitsu Failed POV POV Watch
46 DeepRed CSDS Failed POV POV Watch
46 DeepRed Disekt Failed POV POV Watch
46 DeepRed ForAllSecure Failed POV POV Watch
46 DeepRed Shellphish Failed POV through defenses POV Watch
46 DeepRed TECHx Failed POV POV Watch
47 CSDS CodeJitsu Failed POV POV Watch
47 CSDS DeepRed Failed POV POV Watch
47 CSDS Disekt Failed POV POV Watch
47 CSDS ForAllSecure Failed POV POV Watch
47 CSDS Shellphish Failed POV through defenses POV Watch
47 CSDS TECHx Failed POV POV Watch
47 DeepRed CodeJitsu Failed POV POV Watch
47 DeepRed CSDS Failed POV POV Watch
47 DeepRed Disekt Failed POV POV Watch
47 DeepRed ForAllSecure Failed POV POV Watch
47 DeepRed Shellphish Failed POV through defenses POV Watch
47 DeepRed TECHx Failed POV POV Watch
48 CSDS CodeJitsu Failed POV POV Watch
48 CSDS DeepRed Failed POV POV Watch
48 CSDS Disekt Failed POV POV Watch
48 CSDS ForAllSecure Failed POV POV Watch
48 CSDS Shellphish Failed POV through defenses POV Watch
48 CSDS TECHx Failed POV POV Watch
48 DeepRed CodeJitsu Failed POV POV Watch
48 DeepRed CSDS Failed POV POV Watch
48 DeepRed Disekt Failed POV POV Watch
48 DeepRed ForAllSecure Failed POV POV Watch
48 DeepRed Shellphish Failed POV through defenses POV Watch
48 DeepRed TECHx Failed POV POV Watch
49 CSDS CodeJitsu Failed POV POV Watch
49 CSDS DeepRed Failed POV POV Watch
49 CSDS Disekt Failed POV POV Watch
49 CSDS ForAllSecure Failed POV POV Watch
49 CSDS Shellphish Failed POV through defenses POV Watch
49 CSDS TECHx Failed POV POV Watch
49 DeepRed CodeJitsu Failed POV POV Watch
49 DeepRed CSDS Failed POV POV Watch
49 DeepRed Disekt Failed POV POV Watch
49 DeepRed ForAllSecure Failed POV POV Watch
49 DeepRed Shellphish Failed POV through defenses POV Watch
49 DeepRed TECHx Failed POV POV Watch
50 CSDS CodeJitsu Failed POV POV Watch
50 CSDS DeepRed Failed POV POV Watch
50 CSDS Disekt Failed POV POV Watch
50 CSDS ForAllSecure Failed POV POV Watch
50 CSDS Shellphish Failed POV through defenses POV Watch
50 CSDS TECHx Failed POV POV Watch
50 DeepRed CodeJitsu Failed POV POV Watch
50 DeepRed CSDS Failed POV POV Watch
50 DeepRed Disekt Failed POV POV Watch
50 DeepRed ForAllSecure Failed POV POV Watch
50 DeepRed Shellphish Failed POV through defenses POV Watch
50 DeepRed TECHx Failed POV POV Watch
51 CSDS CodeJitsu Failed POV POV Watch
51 CSDS DeepRed Failed POV POV Watch
51 CSDS Disekt Failed POV POV Watch
51 CSDS ForAllSecure Failed POV POV Watch
51 CSDS Shellphish Failed POV through defenses POV Watch
51 CSDS TECHx Failed POV POV Watch
51 DeepRed CodeJitsu Failed POV POV Watch
51 DeepRed CSDS Failed POV POV Watch
51 DeepRed Disekt Failed POV POV Watch
51 DeepRed ForAllSecure Failed POV POV Watch
51 DeepRed Shellphish Failed POV through defenses POV Watch
51 DeepRed TECHx Failed POV POV Watch
52 CSDS CodeJitsu Failed POV POV Watch
52 CSDS DeepRed Failed POV POV Watch
52 CSDS Disekt Failed POV POV Watch
52 CSDS ForAllSecure Failed POV POV Watch
52 CSDS Shellphish Failed POV through defenses POV Watch
52 CSDS TECHx Failed POV POV Watch
52 DeepRed CodeJitsu Failed POV POV Watch
52 DeepRed CSDS Failed POV POV Watch
52 DeepRed Disekt Failed POV POV Watch
52 DeepRed ForAllSecure Failed POV POV Watch
52 DeepRed Shellphish Failed POV through defenses POV Watch
52 DeepRed TECHx Failed POV POV Watch
53 CSDS CodeJitsu Failed POV POV Watch
53 CSDS DeepRed Failed POV POV Watch
53 CSDS Disekt Failed POV POV Watch
53 CSDS ForAllSecure Failed POV POV Watch
53 CSDS Shellphish Failed POV through defenses POV Watch
53 CSDS TECHx Failed POV POV Watch
53 DeepRed CodeJitsu Failed POV POV Watch
53 DeepRed CSDS Failed POV POV Watch
53 DeepRed Disekt Failed POV POV Watch
53 DeepRed ForAllSecure Failed POV POV Watch
53 DeepRed Shellphish Failed POV through defenses POV Watch
53 DeepRed TECHx Failed POV POV Watch
54 CSDS CodeJitsu Failed POV POV Watch
54 CSDS DeepRed Failed POV POV Watch
54 CSDS Disekt Failed POV POV Watch
54 CSDS ForAllSecure Failed POV POV Watch
54 CSDS Shellphish Failed POV through defenses POV Watch
54 CSDS TECHx Failed POV POV Watch
54 DeepRed CodeJitsu Failed POV POV Watch
54 DeepRed CSDS Failed POV POV Watch
54 DeepRed Disekt Failed POV POV Watch
54 DeepRed ForAllSecure Failed POV POV Watch
54 DeepRed Shellphish Failed POV through defenses POV Watch
54 DeepRed TECHx Failed POV POV Watch

Curated by Lunge Technology, LLC. Questions or comments? Send us email