Challenge Information - NRFIN_00053

Commonly known as: One_Vote


Rounds Enabled

31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45

Details

Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-121 - Stack-based Buffer Overflow
  • CWE-134 - Use of Externally-Controlled Format String
  • CWE-201 - Information Exposure Through Sent Data
  • CWE-787 - Out-of-bounds Write
  • CWE-788 - Access of Memory Location After End of Buffer
  • CWE-806 - Buffer Access Using Size of Source Buffer

CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

None

Author Information

"Nick Davis" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description:

Institutionally-sponsored popularity contests are common events in the lives of American adolescents. In response to the roar of demanding parents, we've developed One Vote to optimally support the needs of these myriad institutions.

One Vote will guarantee that: only the most popular adolescent wins the contest, an individual's vote can never be seen by other voters, an individual's vote can never be associated with their name, and each potential voter can only vote one time (although they can change their vote as many times as they want while voting is open).

Feature List:

  • Admin
      - Create Election: create election manager's credentials, define election name, opt to (dis/en)able write-in candidates, define number of winning candidate(s), and max number of total candidates.
      - Open Voting: election manager can start voting period.
      - Close Voting: election manager can end voting period.

  • Voting
      - Login: voters or election manager can login to access functions requiring authorization.
      - Register Voter: enter first and last name and get voter ID number.
      - Vote: enter voter ID and last name and make voting choice. If already voted, can change choice.
      - Add Candidate: add a new candidate to the election.

  • Results
      - Election status: list number of voters, number of votes, number of candidates.
      - Voting Results: list winning candidate(s) along with vote count in order from highest to lowest vote count.
      - Voter Turnout: list number of votes, number of voters, names of all voters.
      - Candidate Summary: list number of candidates, names of all candidates with vote counts.

Vulnerability 1

When a voter submits a vote, they get a voting receipt that contains a confirmation number. In the unpatched version, that confirmation number is the voter's ID XORed with the first 4 bytes of the flag page. The function get_next_vote_id() contains this vulnerability.
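
The leak described above, next to one possible fix, as an added example that is not the challenge's own source. The function names, the constructed flag_page bytes and the counter-based replacement are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the flag page: secret bytes the service can read
 * but must never disclose. The values are made up for this example. */
static const uint8_t flag_page[8] = {0xde, 0xad, 0xbe, 0xef, 0x10, 0x20, 0x30, 0x40};

/* Unpatched pattern from the description: the receipt's confirmation number
 * is the voter ID XORed with the first 4 bytes of the flag page. */
uint32_t confirmation_unpatched(uint32_t voter_id) {
    uint32_t secret;
    memcpy(&secret, flag_page, sizeof secret);
    return voter_id ^ secret;
}

/* Hypothetical fix: hand out numbers from a private counter, so nothing in
 * the receipt is computed from secret memory. */
static uint32_t next_confirmation = 1000;
uint32_t confirmation_patched(uint32_t voter_id) {
    (void)voter_id;
    return next_confirmation++;
}

/* XOR is its own inverse and the voter knows their own ID, so the value mixed
 * into the receipt falls out with one operation. */
uint32_t mask_from_receipt(uint32_t voter_id, uint32_t receipt) {
    return receipt ^ voter_id;
}

/* Regression check for a patched build: 1 if the receipt still reveals the
 * first 4 flag-page bytes, 0 otherwise. */
int receipt_leaks_flag(uint32_t voter_id, uint32_t receipt) {
    uint32_t recovered = mask_from_receipt(voter_id, receipt);
    return memcmp(&recovered, flag_page, sizeof recovered) == 0;
}

int main(void) {
    uint32_t id = 12345; /* constructed voter ID */
    printf("unpatched leaks: %d\n", receipt_leaks_flag(id, confirmation_unpatched(id)));
    printf("patched leaks:   %d\n", receipt_leaks_flag(id, confirmation_patched(id)));
    return 0;
}
```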

Generic Class of Vulnerability

Information Leakage

CWE Classification

CWE-201: Information Exposure Through Sent Data

Challenges

  • Reaching this vulnerability requires the CRS to generate input that successfully progresses through several prerequisite steps: create the election, add a candidate, add a voter, open the election while logged in as the election manager, and finally vote while logged in as a voter.
  • The login process requires the CRS to use both information it entered earlier and information sent by the CB in response to an earlier command.
  • Only a few commands are valid, and each is accepted only in certain states and, in several cases, only after the login process has been completed. This means the CRS will need to keep track of state.

Difficulty

  • Discovering is easy
  • Proving is medium
  • Fixing is easy

Vulnerability 2

When a voter submits a vote, a vote record is created that contains the voter's information as well as the candidate's information. The vote record is stored in a hash table where the key is the concatenation of the first and last name of the voter. The key is created using snprintf and a format string that combines the first and last name, separated by a space, into a single string. In the unpatched version, the format string was accidentally omitted from the call to snprintf, so the voter's first name is used as the format string. This is in election.c:create_and_insert_vote().
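
The missing-format-string defect and its fix, as an added example rather than code from election.c. It uses standard C snprintf and '%' conversions (the CB's own libc may behave differently), and the function names and KEY_LEN are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define KEY_LEN 64 /* hypothetical size of the hash-table key buffer */

/* Unpatched pattern: the format argument is missing, so first_name is parsed
 * as the format string and last_name becomes its first variadic argument. */
int make_key_unpatched(char *key, size_t n, const char *first_name,
                       const char *last_name) {
    return snprintf(key, n, first_name, last_name);
}

/* Patched pattern: a literal format, so both names are treated as data only.
 * Returns 0 on success, -1 if the key does not fit (a truncated key could
 * collide with another voter's key in the hash table). */
int make_key_patched(char *key, size_t n, const char *first_name,
                     const char *last_name) {
    int len = snprintf(key, n, "%s %s", first_name, last_name);
    if (len < 0 || (size_t)len >= n) {
        if (n > 0) key[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void) {
    char key[KEY_LEN];
    /* Constructed names. With an ordinary first name the unpatched call
     * silently drops the last name; with "%s" the name acts as a format. */
    make_key_unpatched(key, sizeof key, "Alice", "Smith");
    printf("unpatched, plain name : \"%s\"\n", key);
    make_key_unpatched(key, sizeof key, "%s", "Smith");
    printf("unpatched, \"%%s\" name  : \"%s\"\n", key);
    make_key_patched(key, sizeof key, "%s", "Smith");
    printf("patched,   \"%%s\" name  : \"%s\"\n", key);
    return 0;
}
```

Building with -Wformat -Wformat-nonliteral makes GCC and Clang flag the unpatched call at compile time.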

Generic Class of Vulnerability

  • Buffer Overflow
  • Uncontrolled Format String

CWE Classification

  • CWE-120 Buffer Copy without Checking Size of Input
  • CWE-121 Stack-based Buffer Overflow
  • CWE-134 Uncontrolled Format String
  • CWE-787 Out-of-bounds Write
  • CWE-788 Access of Memory Location After End of Buffer
  • CWE-806 Buffer Access Using Size of Source Buffer

Challenges

  • Reaching this vulnerability requires the CRS to generate input that successfully progresses through several prerequisite steps: create the election, add a candidate, add a voter, open the election while logged in as the election manager, and finally vote while logged in as a voter.
  • The login process requires the CRS to use both information it entered earlier and information sent by the CB in response to an earlier command.
  • Only a few commands are valid, and each is accepted only in certain states and, in several cases, only after the login process has been completed. This means the CRS will need to keep track of state.
  • The data that triggers the vulnerability is entered in the function to register a voter. This is usually in a different state and not closely related to the point at which that voter places a vote. The CRS will have to track the relationship between the new voter's first and last name and this vulnerability. The CRS will have to learn: that the first name needs to be a format string, which collection of format chars to include in the format string, and how many chars to include in the last name. There are a large number of combinations of format chars and string lengths that will cause the CB to crash, but only a small number of combinations that will trigger a POV.

Difficulty

  • Discovering is easy
  • Proving is medium
  • Fixing is easy

POV Information

Round Source Destination Result POV Analysis Video
32 CSDS CodeJitsu Failed POV POV Watch
32 CSDS DeepRed Failed POV POV Watch
32 CSDS Disekt Failed POV POV Watch
32 CSDS ForAllSecure Failed POV POV Watch
32 CSDS Shellphish Failed POV POV Watch
32 CSDS TECHx Failed POV POV Watch
32 DeepRed CodeJitsu Failed POV POV Watch
32 DeepRed CSDS Failed POV POV Watch
32 DeepRed Disekt Failed POV POV Watch
32 DeepRed ForAllSecure Failed POV POV Watch
32 DeepRed Shellphish Failed POV POV Watch
32 DeepRed TECHx Failed POV POV Watch
33 CSDS CodeJitsu Failed POV POV Watch
33 CSDS DeepRed Failed POV POV Watch
33 CSDS Disekt Failed POV POV Watch
33 CSDS ForAllSecure Failed POV POV Watch
33 CSDS Shellphish Failed POV POV Watch
33 CSDS TECHx Failed POV POV Watch
33 DeepRed CodeJitsu Failed POV POV Watch
33 DeepRed CSDS Failed POV POV Watch
33 DeepRed Disekt Failed POV POV Watch
33 DeepRed ForAllSecure Failed POV POV Watch
33 DeepRed Shellphish Failed POV POV Watch
33 DeepRed TECHx Failed POV POV Watch
33 ForAllSecure CodeJitsu Failed POV POV Watch
33 ForAllSecure CSDS Failed POV POV Watch
33 ForAllSecure DeepRed Failed POV POV Watch
33 ForAllSecure Disekt Failed POV POV Watch
33 ForAllSecure Shellphish Failed POV POV Watch
33 ForAllSecure TECHx Failed POV POV Watch
34 CodeJitsu Shellphish Failed POV through defenses POV Watch
34 CSDS CodeJitsu Failed POV POV Watch
34 CSDS DeepRed Failed POV POV Watch
34 CSDS Disekt Failed POV POV Watch
34 CSDS ForAllSecure Failed POV POV Watch
34 CSDS Shellphish Failed POV through defenses POV Watch
34 CSDS TECHx Failed POV POV Watch
34 DeepRed CodeJitsu Failed POV POV Watch
34 DeepRed CSDS Failed POV POV Watch
34 DeepRed Disekt Failed POV POV Watch
34 DeepRed ForAllSecure Failed POV POV Watch
34 DeepRed Shellphish Failed POV through defenses POV Watch
34 DeepRed TECHx Failed POV POV Watch
34 ForAllSecure CodeJitsu Failed POV POV Watch
34 ForAllSecure CSDS Failed POV POV Watch
34 ForAllSecure DeepRed Failed POV POV Watch
34 ForAllSecure Disekt Failed POV POV Watch
34 ForAllSecure Shellphish Failed POV through defenses POV Watch
34 ForAllSecure TECHx Failed POV POV Watch
35 CSDS CodeJitsu Failed POV POV Watch
35 CSDS DeepRed Failed POV POV Watch
35 CSDS Disekt Failed POV POV Watch
35 CSDS ForAllSecure Failed POV POV Watch
35 CSDS Shellphish Failed POV through defenses POV Watch
35 CSDS TECHx Failed POV POV Watch
35 DeepRed CodeJitsu Failed POV POV Watch
35 DeepRed CSDS Failed POV POV Watch
35 DeepRed Disekt Failed POV POV Watch
35 DeepRed ForAllSecure Failed POV POV Watch
35 DeepRed Shellphish Failed POV through defenses POV Watch
35 DeepRed TECHx Failed POV POV Watch
35 ForAllSecure CodeJitsu Failed POV POV Watch
35 ForAllSecure CSDS Failed POV POV Watch
35 ForAllSecure DeepRed Failed POV POV Watch
35 ForAllSecure Disekt Failed POV POV Watch
35 ForAllSecure Shellphish Failed POV through defenses POV Watch
35 ForAllSecure TECHx Failed POV POV Watch
36 CSDS CodeJitsu Failed POV POV Watch
36 CSDS DeepRed Failed POV POV Watch
36 CSDS Disekt Failed POV POV Watch
36 CSDS ForAllSecure Failed POV POV Watch
36 CSDS Shellphish Failed POV through defenses POV Watch
36 CSDS TECHx Failed POV POV Watch
36 DeepRed CodeJitsu Failed POV POV Watch
36 DeepRed CSDS Failed POV POV Watch
36 DeepRed Disekt Failed POV POV Watch
36 DeepRed ForAllSecure Failed POV POV Watch
36 DeepRed Shellphish Failed POV through defenses POV Watch
36 DeepRed TECHx Failed POV POV Watch
36 ForAllSecure CodeJitsu Failed POV POV Watch
36 ForAllSecure CSDS Failed POV POV Watch
36 ForAllSecure DeepRed Failed POV POV Watch
36 ForAllSecure Disekt Failed POV POV Watch
36 ForAllSecure Shellphish Failed POV through defenses POV Watch
36 ForAllSecure TECHx Failed POV POV Watch
37 CSDS CodeJitsu Failed POV POV Watch
37 CSDS DeepRed Failed POV POV Watch
37 CSDS Disekt Failed POV POV Watch
37 CSDS ForAllSecure Failed POV POV Watch
37 CSDS Shellphish Failed POV through defenses POV Watch
37 CSDS TECHx Failed POV POV Watch
37 DeepRed CodeJitsu Failed POV POV Watch
37 DeepRed CSDS Failed POV POV Watch
37 DeepRed Disekt Failed POV POV Watch
37 DeepRed ForAllSecure Failed POV POV Watch
37 DeepRed Shellphish Failed POV through defenses POV Watch
37 DeepRed TECHx Failed POV POV Watch
37 ForAllSecure CodeJitsu Failed POV POV Watch
37 ForAllSecure CSDS Failed POV POV Watch
37 ForAllSecure DeepRed Failed POV POV Watch
37 ForAllSecure Disekt Failed POV POV Watch
37 ForAllSecure Shellphish Failed POV through defenses POV Watch
37 ForAllSecure TECHx Failed POV POV Watch
38 CSDS CodeJitsu Failed POV POV Watch
38 CSDS DeepRed Failed POV POV Watch
38 CSDS Disekt Failed POV POV Watch
38 CSDS ForAllSecure Failed POV POV Watch
38 CSDS Shellphish Failed POV through defenses POV Watch
38 CSDS TECHx Failed POV POV Watch
38 DeepRed CodeJitsu Failed POV POV Watch
38 DeepRed CSDS Failed POV POV Watch
38 DeepRed Disekt Failed POV POV Watch
38 DeepRed ForAllSecure Failed POV POV Watch
38 DeepRed Shellphish Failed POV through defenses POV Watch
38 DeepRed TECHx Failed POV POV Watch
38 ForAllSecure CodeJitsu Failed POV POV Watch
38 ForAllSecure CSDS Failed POV POV Watch
38 ForAllSecure DeepRed Failed POV POV Watch
38 ForAllSecure Disekt Failed POV POV Watch
38 ForAllSecure Shellphish Failed POV through defenses POV Watch
38 ForAllSecure TECHx Failed POV POV Watch
39 CSDS CodeJitsu Failed POV POV Watch
39 CSDS DeepRed Failed POV POV Watch
39 CSDS Disekt Failed POV POV Watch
39 CSDS ForAllSecure Failed POV POV Watch
39 CSDS Shellphish Failed POV through defenses POV Watch
39 CSDS TECHx Failed POV POV Watch
39 DeepRed CodeJitsu Failed POV POV Watch
39 DeepRed CSDS Failed POV POV Watch
39 DeepRed Disekt Failed POV POV Watch
39 DeepRed ForAllSecure Failed POV POV Watch
39 DeepRed Shellphish Failed POV through defenses POV Watch
39 DeepRed TECHx Failed POV POV Watch
39 ForAllSecure CodeJitsu Failed POV POV Watch
39 ForAllSecure CSDS Failed POV POV Watch
39 ForAllSecure DeepRed Failed POV POV Watch
39 ForAllSecure Disekt Failed POV POV Watch
39 ForAllSecure Shellphish Failed POV through defenses POV Watch
39 ForAllSecure TECHx Failed POV POV Watch
40 CSDS CodeJitsu Failed POV POV Watch
40 CSDS DeepRed Failed POV POV Watch
40 CSDS Disekt Failed POV POV Watch
40 CSDS ForAllSecure Failed POV POV Watch
40 CSDS Shellphish Failed POV through defenses POV Watch
40 CSDS TECHx Failed POV POV Watch
40 DeepRed CodeJitsu Failed POV POV Watch
40 DeepRed CSDS Failed POV POV Watch
40 DeepRed Disekt Failed POV POV Watch
40 DeepRed ForAllSecure Failed POV POV Watch
40 DeepRed Shellphish Failed POV through defenses POV Watch
40 DeepRed TECHx Failed POV POV Watch
40 ForAllSecure CodeJitsu Failed POV POV Watch
40 ForAllSecure CSDS Failed POV POV Watch
40 ForAllSecure DeepRed Failed POV POV Watch
40 ForAllSecure Disekt Failed POV POV Watch
40 ForAllSecure Shellphish Failed POV through defenses POV Watch
40 ForAllSecure TECHx Failed POV POV Watch
41 CSDS CodeJitsu Failed POV POV Watch
41 CSDS DeepRed Failed POV POV Watch
41 CSDS Disekt Failed POV POV Watch
41 CSDS ForAllSecure Failed POV POV Watch
41 CSDS Shellphish Failed POV through defenses POV Watch
41 CSDS TECHx Failed POV POV Watch
41 DeepRed CodeJitsu Failed POV POV Watch
41 DeepRed CSDS Failed POV POV Watch
41 DeepRed Disekt Failed POV POV Watch
41 DeepRed ForAllSecure Failed POV POV Watch
41 DeepRed Shellphish Failed POV through defenses POV Watch
41 DeepRed TECHx Failed POV POV Watch
41 ForAllSecure CodeJitsu Failed POV POV Watch
41 ForAllSecure CSDS Failed POV POV Watch
41 ForAllSecure DeepRed Failed POV POV Watch
41 ForAllSecure Disekt Failed POV POV Watch
41 ForAllSecure Shellphish Failed POV through defenses POV Watch
41 ForAllSecure TECHx Failed POV POV Watch
42 CSDS CodeJitsu Failed POV POV Watch
42 CSDS DeepRed Failed POV POV Watch
42 CSDS Disekt Failed POV POV Watch
42 CSDS ForAllSecure Failed POV POV Watch
42 CSDS Shellphish Failed POV through defenses POV Watch
42 CSDS TECHx Failed POV POV Watch
42 DeepRed CodeJitsu Failed POV POV Watch
42 DeepRed CSDS Failed POV POV Watch
42 DeepRed Disekt Failed POV POV Watch
42 DeepRed ForAllSecure Failed POV POV Watch
42 DeepRed Shellphish Failed POV through defenses POV Watch
42 DeepRed TECHx Failed POV POV Watch
42 ForAllSecure CodeJitsu Failed POV POV Watch
42 ForAllSecure CSDS Failed POV POV Watch
42 ForAllSecure DeepRed Failed POV POV Watch
42 ForAllSecure Disekt Failed POV POV Watch
42 ForAllSecure Shellphish Failed POV through defenses POV Watch
42 ForAllSecure TECHx Failed POV POV Watch
43 CodeJitsu Shellphish Failed POV POV Watch
43 CSDS CodeJitsu Failed POV POV Watch
43 CSDS DeepRed Failed POV POV Watch
43 CSDS Disekt Failed POV POV Watch
43 CSDS ForAllSecure Failed POV POV Watch
43 CSDS Shellphish Failed POV POV Watch
43 CSDS TECHx Failed POV POV Watch
43 DeepRed CodeJitsu Failed POV POV Watch
43 DeepRed CSDS Failed POV POV Watch
43 DeepRed Disekt Failed POV POV Watch
43 DeepRed ForAllSecure Failed POV POV Watch
43 DeepRed Shellphish Failed POV POV Watch
43 DeepRed TECHx Failed POV POV Watch
43 ForAllSecure CodeJitsu Failed POV POV Watch
43 ForAllSecure CSDS Failed POV POV Watch
43 ForAllSecure DeepRed Failed POV POV Watch
43 ForAllSecure Disekt Failed POV POV Watch
43 ForAllSecure Shellphish Failed POV POV Watch
43 ForAllSecure TECHx Failed POV POV Watch
44 CSDS CodeJitsu Failed POV POV Watch
44 CSDS DeepRed Failed POV POV Watch
44 CSDS Disekt Failed POV POV Watch
44 CSDS ForAllSecure Failed POV POV Watch
44 CSDS Shellphish Failed POV POV Watch
44 CSDS TECHx Failed POV POV Watch
44 DeepRed CodeJitsu Failed POV POV Watch
44 DeepRed CSDS Failed POV POV Watch
44 DeepRed Disekt Failed POV POV Watch
44 DeepRed ForAllSecure Failed POV POV Watch
44 DeepRed Shellphish Failed POV POV Watch
44 DeepRed TECHx Failed POV POV Watch
44 ForAllSecure CodeJitsu Failed POV POV Watch
44 ForAllSecure CSDS Failed POV POV Watch
44 ForAllSecure DeepRed Failed POV POV Watch
44 ForAllSecure Disekt Failed POV POV Watch
44 ForAllSecure Shellphish Failed POV POV Watch
44 ForAllSecure TECHx Failed POV POV Watch
45 CSDS CodeJitsu Failed POV POV Watch
45 CSDS DeepRed Failed POV POV Watch
45 CSDS Disekt Failed POV POV Watch
45 CSDS ForAllSecure Failed POV POV Watch
45 CSDS Shellphish Failed POV POV Watch
45 CSDS TECHx Failed POV POV Watch
45 DeepRed CodeJitsu Failed POV POV Watch
45 DeepRed CSDS Failed POV POV Watch
45 DeepRed Disekt Failed POV POV Watch
45 DeepRed ForAllSecure Failed POV POV Watch
45 DeepRed Shellphish Failed POV POV Watch
45 DeepRed TECHx Failed POV POV Watch
45 ForAllSecure CodeJitsu Failed POV POV Watch
45 ForAllSecure CSDS Failed POV POV Watch
45 ForAllSecure DeepRed Failed POV POV Watch
45 ForAllSecure Disekt Failed POV POV Watch
45 ForAllSecure Shellphish Failed POV POV Watch
45 ForAllSecure TECHx Failed POV POV Watch

Curated by Lunge Technology, LLC.