Challenge Information - NRFIN_00061

Commonly known as: Rejistar


Rounds Enabled

25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41

Details

Original Versions

Known Vulnerabilities

  • CWE-122 - Heap-based Buffer Overflow
  • CWE-125 - Out-of-bounds Read
  • CWE-170 - Improper Null Termination
  • CWE-193 - Off-by-one Error
  • CWE-787 - Out-of-bounds Write
  • CWE-788 - Access of Memory Location After End of Buffer
  • CWEs are listed as indicated by the challenge author.

Deployed patches

Deployed IDS rules

Author Information

"Jason Rogers" info@narfindustries.com

DARPA performer group

Narf Industries (NRFIN)

Description

Secure Registers Inc. is releasing their automated credential registration service, REJISTAR. Recent breaches have demonstrated the impact of stolen credentials. Only through regular and immediate re-credentialing can this impact be reduced. Unfortunately, most credential registration is performed manually, which is slow and error-prone.

Not any more. With REJISTAR an end point can automatically register or re-register any credential, including certificates and tokens. Now when a vulnerability in a secure communication protocol exposes the integrity of your credentials, immediate re-credentialing is a real possibility.

Feature List

  • Certificates
      - Enroll a new certificate with user-defined expiration
      - Re-enroll an expiring certificate
      - Revoke a certificate
      - Request the current Certificate Revocation List

  • Tokens
      - Request a new token
      - Refresh an expiring token
      - Revoke a token

Vulnerability 1

The vulnerability in this CB is an off-by-one error: the amount of memory malloc'ed by the service to store the body of the request is 1 char shorter than what is zeroed out following the malloc call.

The malloc implementation in this CB divides a page into chunks of equal size depending on the type of run, e.g. a 4-byte run. Each run includes a bitmap that keeps track of which chunks are allocated and freed in the currently available page. The page containing the bitmap is allocated right before the first page in the run. Therefore, an overflow in the last chunk in the first page of the run can overwrite the bitmap.

By using the aforementioned off-by-one error to zero out one more byte than what was allocated, the first byte of the bitmap is zeroed out. The result is that the next 2^8 allocated chunks in the run will be chunks that have already been allocated.

In this CB, the name and function pointer of each service is stored in a 16-byte chunk. By overwriting the bitmap for the 16-byte run, a Service structure can be overwritten to cause a Type 1 vulnerability.
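The effect described above can be reproduced in a small model (an added example, not the CB's source). The 16-chunk page, the one-bit-per-chunk bitmap placed directly after the chunks, and all function names are assumptions of this model, and the patched path shows one possible fix: zero exactly the number of bytes that was allocated.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK        16                    /* chunk size of this run */
#define NCHUNKS      16                    /* chunks in the toy "page" */
#define DATA_BYTES   (CHUNK * NCHUNKS)
#define BITMAP_BYTES (NCHUNKS / 8)         /* assumption: one bit per chunk */

/* One array holds the chunk page followed directly by its bitmap, so the
 * stray write below stays inside the array (defined behaviour in C). */
static unsigned char arena[DATA_BYTES + BITMAP_BYTES];
static unsigned char *const bitmap = arena + DATA_BYTES;
static unsigned char live[NCHUNKS];        /* ground truth kept outside the heap */
static int reissued;                       /* live chunks handed out a second time */

static void run_reset(void) {
    memset(arena, 0, sizeof arena);
    memset(live, 0, sizeof live);
    reissued = 0;
}

/* First-fit: return the first chunk whose bitmap bit is clear, or NULL. */
static unsigned char *run_alloc(void) {
    for (int i = 0; i < NCHUNKS; i++) {
        unsigned char bit = (unsigned char)(1u << (i % 8));
        if (!(bitmap[i / 8] & bit)) {
            bitmap[i / 8] |= bit;
            if (live[i]) reissued++;       /* allocator trusts the damaged bitmap */
            live[i] = 1;
            return arena + i * CHUNK;
        }
    }
    return NULL;
}

/* Store a request body of len bytes. The flawed path zeroes len + 1 bytes;
 * the patched path zeroes exactly what was allocated. */
static void store_body(size_t len, int patched) {
    unsigned char *p = run_alloc();
    if (p != NULL && len <= CHUNK)
        memset(p, 0, patched ? len : len + 1);
}

/* Fill the run so the body lands in the last chunk, then keep allocating and
 * count how many still-live chunks the allocator hands out again. */
int reissued_after_body(int patched) {
    run_reset();
    for (int i = 0; i < NCHUNKS - 1; i++)
        run_alloc();
    store_body(CHUNK, patched);
    while (run_alloc() != NULL)
        ;
    return reissued;
}

int main(void) {
    printf("flawed:  %d live chunks reissued\n", reissued_after_body(0));
    printf("patched: %d live chunks reissued\n", reissued_after_body(1));
    return 0;
}
```

The shadow `live` array is what a heap-integrity check would compare against: any allocation that returns a chunk still marked live means the bitmap has been corrupted.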

Generic class of vulnerability

Off-by-one Heap-based buffer overflow

CWE classification

  • CWE-193: Off-by-one Error
  • CWE-122: Heap-based Buffer Overflow
  • CWE-787: Out-of-bounds Write
  • CWE-788: Access of Memory Location After End of Buffer

Challenges

  1. The off-by-one error should be easily detected, but understanding how zeroing out a single byte impacts the allocation of chunks in a non-standard malloc implementation will be difficult.

  2. Successful exploitation will require determination of how input impacts the allocation of chunks of specific sizes in order to allocate the specific chunk at the specific control flow point that will be used to overwrite the Service structure.

  3. The CB requires each message to be authenticated. A user/pass can only be used to request a new token. A token can be used to request tokens and certificates. Certificates can only be used to access certificate services. Also, certificates are "poorly" signed. This should eliminate blind fuzzing that doesn't satisfy the constraints of the authentication subsystem to reach different control paths, including ones needed to exploit vulnerabilities.

Difficulty

  • Discovering is easy
  • Proving is hard
  • Patching is easy

Vulnerability 2

The vulnerability in this CB is an off-by-one error in the sendToken function, where the amount of memory malloc'ed by the service to store the body of the request is 1 char shorter than what is needed to store a null-terminated string. This results in an improper null termination. When a new token is sent back, the flag is allocated in a 64-byte chunk after the buffer for the new token is allocated. If the new token string is exactly 64 bytes, the flag will be appended to the buffer that is sent to the requestor.
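The missing terminator can be shown with two adjacent 64-byte chunks (an added example, not the CB's sendToken code). The arena layout, the function names and the constructed secret standing in for the flag are assumptions; the bounded variant shows one way to keep the reply length inside the token's own chunk.

```c
#include <stdio.h>
#include <string.h>

#define CHUNK 64
static const char SECRET[] = "CONSTRUCTED-SECRET";   /* constructed stand-in for the flag */

/* Two adjacent 64-byte chunks plus a trailing NUL, kept in one array so the
 * over-read below stays inside the array (defined behaviour in C). */
static char arena[2 * CHUNK + 1];

/* Put a token of token_len characters in chunk 0 and the secret in chunk 1.
 * A 64-character token fills chunk 0 and leaves no room for a terminator. */
static void place_token(size_t token_len) {
    if (token_len > CHUNK)
        token_len = CHUNK;
    memset(arena, 0, sizeof arena);
    memset(arena, 'A', token_len);
    memcpy(arena + CHUNK, SECRET, sizeof SECRET - 1);
}

/* Flawed: the reply length comes from strlen(), which runs on into the
 * neighbouring chunk when the token has no terminator of its own. */
size_t reply_len_flawed(size_t token_len) {
    place_token(token_len);
    return strlen(arena);
}

/* Bounded: the search for the terminator never leaves the token's chunk. */
size_t reply_len_bounded(size_t token_len) {
    place_token(token_len);
    const char *nul = memchr(arena, '\0', CHUNK);
    return nul ? (size_t)(nul - arena) : (size_t)CHUNK;
}

int main(void) {
    printf("63-char token, flawed:  %zu bytes sent\n", reply_len_flawed(63));
    printf("64-char token, flawed:  %zu bytes sent\n", reply_len_flawed(64));
    printf("64-char token, bounded: %zu bytes sent\n", reply_len_bounded(64));
    return 0;
}
```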

Generic class of vulnerability

  • Improper Null Termination
  • Off-by-one Error
  • Out-of-bounds Read

CWE classification

  • CWE-170: Improper Null Termination
  • CWE-193: Off-by-one Error
  • CWE-125: Out-of-bounds Read

Challenges

  1. The off-by-one error should be easily detected, but understanding how long the token needs to be to be allocated in the chunk preceding the token could be a challenge.

  2. Successful exploitation will require determining how input impacts the size of the token returned, such that the flag is leaked.

  3. The CB requires each message to be authenticated. A valid username and password will be needed to reach the sendToken function.

Difficulty

  • Discovering is easy
  • Proving is medium
  • Patching is easy

POV Information

Round Source Destination Result POV Analysis Video
26 CSDS CodeJitsu Failed POV POV Watch
26 CSDS DeepRed Failed POV POV Watch
26 CSDS Disekt Failed POV POV Watch
26 CSDS ForAllSecure Failed POV POV Watch
26 CSDS Shellphish Failed POV POV Watch
26 CSDS TECHx Failed POV POV Watch
26 DeepRed CodeJitsu Failed POV POV Watch
26 DeepRed CSDS Failed POV POV Watch
26 DeepRed Disekt Failed POV POV Watch
26 DeepRed ForAllSecure Failed POV POV Watch
26 DeepRed Shellphish Failed POV POV Watch
26 DeepRed TECHx Failed POV POV Watch
26 ForAllSecure CodeJitsu Failed POV POV Watch
26 ForAllSecure CSDS Failed POV POV Watch
26 ForAllSecure DeepRed Failed POV POV Watch
26 ForAllSecure Disekt Failed POV POV Watch
26 ForAllSecure Shellphish Failed POV POV Watch
26 ForAllSecure TECHx Failed POV POV Watch
27 CodeJitsu Disekt Failed POV through defenses POV Watch
27 CSDS CodeJitsu Failed POV POV Watch
27 CSDS DeepRed Failed POV POV Watch
27 CSDS Disekt Failed POV through defenses POV Watch
27 CSDS ForAllSecure Failed POV POV Watch
27 CSDS Shellphish Failed POV POV Watch
27 DeepRed CodeJitsu Failed POV POV Watch
27 DeepRed CSDS Failed POV POV Watch
27 DeepRed Disekt Failed POV through defenses POV Watch
27 DeepRed ForAllSecure Failed POV POV Watch
27 DeepRed Shellphish Failed POV POV Watch
27 ForAllSecure CodeJitsu Failed POV POV Watch
27 ForAllSecure CSDS Failed POV POV Watch
27 ForAllSecure DeepRed Failed POV POV Watch
27 ForAllSecure Disekt Failed POV through defenses POV Watch
27 ForAllSecure Shellphish Failed POV POV Watch
28 CodeJitsu Shellphish Failed POV through defenses POV Watch
28 CSDS CodeJitsu Failed POV POV Watch
28 CSDS DeepRed Failed POV POV Watch
28 CSDS Disekt Failed POV through defenses POV Watch
28 CSDS ForAllSecure Failed POV POV Watch
28 CSDS Shellphish Failed POV through defenses POV Watch
28 CSDS TECHx Failed POV through defenses POV Watch
28 DeepRed CodeJitsu Failed POV POV Watch
28 DeepRed CSDS Failed POV POV Watch
28 DeepRed Disekt Failed POV through defenses POV Watch
28 DeepRed ForAllSecure Failed POV POV Watch
28 DeepRed Shellphish Failed POV through defenses POV Watch
28 DeepRed TECHx Failed POV through defenses POV Watch
28 ForAllSecure CodeJitsu Failed POV POV Watch
28 ForAllSecure CSDS Failed POV POV Watch
28 ForAllSecure DeepRed Failed POV POV Watch
28 ForAllSecure Disekt Failed POV through defenses POV Watch
28 ForAllSecure Shellphish Failed POV through defenses POV Watch
28 ForAllSecure TECHx Failed POV through defenses POV Watch
29 CSDS CodeJitsu Failed POV POV Watch
29 CSDS DeepRed Failed POV POV Watch
29 CSDS Disekt Failed POV through defenses POV Watch
29 CSDS ForAllSecure Failed POV POV Watch
29 CSDS Shellphish Failed POV through defenses POV Watch
29 CSDS TECHx Failed POV through defenses POV Watch
29 DeepRed CodeJitsu Failed POV POV Watch
29 DeepRed CSDS Failed POV POV Watch
29 DeepRed Disekt Failed POV through defenses POV Watch
29 DeepRed ForAllSecure Failed POV POV Watch
29 DeepRed Shellphish Failed POV through defenses POV Watch
29 DeepRed TECHx Failed POV through defenses POV Watch
29 ForAllSecure CodeJitsu Failed POV POV Watch
29 ForAllSecure CSDS Failed POV POV Watch
29 ForAllSecure DeepRed Failed POV POV Watch
29 ForAllSecure Disekt Failed POV through defenses POV Watch
29 ForAllSecure Shellphish Failed POV through defenses POV Watch
29 ForAllSecure TECHx Failed POV through defenses POV Watch
30 CSDS CodeJitsu Failed POV POV Watch
30 CSDS DeepRed Failed POV POV Watch
30 CSDS Disekt Failed POV through defenses POV Watch
30 CSDS ForAllSecure Failed POV POV Watch
30 CSDS Shellphish Failed POV through defenses POV Watch
30 CSDS TECHx Failed POV through defenses POV Watch
30 DeepRed CodeJitsu Failed POV POV Watch
30 DeepRed CSDS Failed POV POV Watch
30 DeepRed Disekt Failed POV through defenses POV Watch
30 DeepRed ForAllSecure Failed POV POV Watch
30 DeepRed Shellphish Failed POV through defenses POV Watch
30 DeepRed TECHx Failed POV through defenses POV Watch
30 ForAllSecure CodeJitsu Failed POV POV Watch
30 ForAllSecure CSDS Failed POV POV Watch
30 ForAllSecure DeepRed Failed POV POV Watch
30 ForAllSecure Disekt Failed POV through defenses POV Watch
30 ForAllSecure Shellphish Failed POV through defenses POV Watch
30 ForAllSecure TECHx Failed POV through defenses POV Watch
31 CSDS CodeJitsu Failed POV POV Watch
31 CSDS DeepRed Failed POV POV Watch
31 CSDS Disekt Failed POV through defenses POV Watch
31 CSDS ForAllSecure Failed POV POV Watch
31 CSDS Shellphish Failed POV through defenses POV Watch
31 CSDS TECHx Failed POV through defenses POV Watch
31 DeepRed CodeJitsu Failed POV POV Watch
31 DeepRed CSDS Failed POV POV Watch
31 DeepRed Disekt Failed POV through defenses POV Watch
31 DeepRed ForAllSecure Failed POV POV Watch
31 DeepRed Shellphish Failed POV through defenses POV Watch
31 DeepRed TECHx Failed POV through defenses POV Watch
31 ForAllSecure CodeJitsu Failed POV POV Watch
31 ForAllSecure CSDS Failed POV POV Watch
31 ForAllSecure DeepRed Failed POV POV Watch
31 ForAllSecure Disekt Failed POV through defenses POV Watch
31 ForAllSecure Shellphish Failed POV through defenses POV Watch
31 ForAllSecure TECHx Failed POV through defenses POV Watch
32 CodeJitsu DeepRed Failed POV through defenses POV Watch
32 CSDS CodeJitsu Failed POV POV Watch
32 CSDS DeepRed Failed POV through defenses POV Watch
32 CSDS Disekt Failed POV through defenses POV Watch
32 CSDS ForAllSecure Failed POV POV Watch
32 CSDS Shellphish Failed POV through defenses POV Watch
32 CSDS TECHx Failed POV through defenses POV Watch
32 DeepRed CodeJitsu Failed POV POV Watch
32 DeepRed CSDS Failed POV POV Watch
32 DeepRed Disekt Failed POV through defenses POV Watch
32 DeepRed ForAllSecure Failed POV POV Watch
32 DeepRed Shellphish Failed POV through defenses POV Watch
32 DeepRed TECHx Failed POV through defenses POV Watch
32 ForAllSecure CodeJitsu Failed POV POV Watch
32 ForAllSecure CSDS Failed POV POV Watch
32 ForAllSecure DeepRed Failed POV through defenses POV Watch
32 ForAllSecure Disekt Failed POV through defenses POV Watch
32 ForAllSecure Shellphish Failed POV through defenses POV Watch
32 ForAllSecure TECHx Failed POV through defenses POV Watch
33 CSDS CodeJitsu Failed POV through defenses POV Watch
33 CSDS DeepRed Failed POV through defenses POV Watch
33 CSDS Disekt Failed POV through defenses POV Watch
33 CSDS ForAllSecure Failed POV POV Watch
33 CSDS Shellphish Failed POV through defenses POV Watch
33 CSDS TECHx Failed POV through defenses POV Watch
33 DeepRed CodeJitsu Failed POV through defenses POV Watch
33 DeepRed CSDS Failed POV POV Watch
33 DeepRed Disekt Failed POV through defenses POV Watch
33 DeepRed ForAllSecure Failed POV POV Watch
33 DeepRed Shellphish Failed POV through defenses POV Watch
33 DeepRed TECHx Failed POV through defenses POV Watch
33 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
33 ForAllSecure CSDS Failed POV POV Watch
33 ForAllSecure DeepRed Failed POV through defenses POV Watch
33 ForAllSecure Disekt Failed POV through defenses POV Watch
33 ForAllSecure Shellphish Failed POV through defenses POV Watch
33 ForAllSecure TECHx Failed POV through defenses POV Watch
34 CSDS CodeJitsu Failed POV through defenses POV Watch
34 CSDS DeepRed Failed POV through defenses POV Watch
34 CSDS Disekt Failed POV through defenses POV Watch
34 CSDS ForAllSecure Failed POV POV Watch
34 CSDS Shellphish Failed POV through defenses POV Watch
34 CSDS TECHx Failed POV through defenses POV Watch
34 DeepRed CodeJitsu Failed POV through defenses POV Watch
34 DeepRed CSDS Failed POV POV Watch
34 DeepRed Disekt Failed POV through defenses POV Watch
34 DeepRed ForAllSecure Failed POV POV Watch
34 DeepRed Shellphish Failed POV through defenses POV Watch
34 DeepRed TECHx Failed POV through defenses POV Watch
34 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
34 ForAllSecure CSDS Failed POV POV Watch
34 ForAllSecure DeepRed Failed POV through defenses POV Watch
34 ForAllSecure Disekt Failed POV through defenses POV Watch
34 ForAllSecure Shellphish Failed POV through defenses POV Watch
34 ForAllSecure TECHx Failed POV through defenses POV Watch
35 CSDS CodeJitsu Failed POV through defenses POV Watch
35 CSDS DeepRed Failed POV through defenses POV Watch
35 CSDS Disekt Failed POV through defenses POV Watch
35 CSDS ForAllSecure Failed POV POV Watch
35 CSDS Shellphish Failed POV through defenses POV Watch
35 CSDS TECHx Failed POV through defenses POV Watch
35 DeepRed CodeJitsu Failed POV through defenses POV Watch
35 DeepRed CSDS Failed POV POV Watch
35 DeepRed Disekt Failed POV through defenses POV Watch
35 DeepRed ForAllSecure Failed POV POV Watch
35 DeepRed Shellphish Failed POV through defenses POV Watch
35 DeepRed TECHx Failed POV through defenses POV Watch
35 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
35 ForAllSecure CSDS Failed POV POV Watch
35 ForAllSecure DeepRed Failed POV through defenses POV Watch
35 ForAllSecure Disekt Failed POV through defenses POV Watch
35 ForAllSecure Shellphish Failed POV through defenses POV Watch
35 ForAllSecure TECHx Failed POV through defenses POV Watch
36 CSDS CodeJitsu Failed POV through defenses POV Watch
36 CSDS DeepRed Failed POV through defenses POV Watch
36 CSDS Disekt Failed POV through defenses POV Watch
36 CSDS ForAllSecure Failed POV POV Watch
36 CSDS Shellphish Failed POV through defenses POV Watch
36 CSDS TECHx Failed POV through defenses POV Watch
36 DeepRed CodeJitsu Failed POV through defenses POV Watch
36 DeepRed CSDS Failed POV POV Watch
36 DeepRed Disekt Failed POV through defenses POV Watch
36 DeepRed ForAllSecure Failed POV POV Watch
36 DeepRed Shellphish Failed POV through defenses POV Watch
36 DeepRed TECHx Failed POV through defenses POV Watch
36 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
36 ForAllSecure CSDS Failed POV POV Watch
36 ForAllSecure DeepRed Failed POV through defenses POV Watch
36 ForAllSecure Disekt Failed POV through defenses POV Watch
36 ForAllSecure Shellphish Failed POV through defenses POV Watch
36 ForAllSecure TECHx Failed POV through defenses POV Watch
37 CSDS CodeJitsu Failed POV through defenses POV Watch
37 CSDS DeepRed Failed POV through defenses POV Watch
37 CSDS Disekt Failed POV through defenses POV Watch
37 CSDS ForAllSecure Failed POV POV Watch
37 CSDS Shellphish Failed POV through defenses POV Watch
37 CSDS TECHx Failed POV through defenses POV Watch
37 DeepRed CodeJitsu Failed POV through defenses POV Watch
37 DeepRed CSDS Failed POV POV Watch
37 DeepRed Disekt Failed POV through defenses POV Watch
37 DeepRed ForAllSecure Failed POV POV Watch
37 DeepRed Shellphish Failed POV through defenses POV Watch
37 DeepRed TECHx Failed POV through defenses POV Watch
37 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
37 ForAllSecure CSDS Failed POV POV Watch
37 ForAllSecure DeepRed Failed POV through defenses POV Watch
37 ForAllSecure Disekt Failed POV through defenses POV Watch
37 ForAllSecure Shellphish Failed POV through defenses POV Watch
37 ForAllSecure TECHx Failed POV through defenses POV Watch
38 CSDS CodeJitsu Failed POV through defenses POV Watch
38 CSDS DeepRed Failed POV through defenses POV Watch
38 CSDS Disekt Failed POV through defenses POV Watch
38 CSDS ForAllSecure Failed POV POV Watch
38 CSDS Shellphish Failed POV through defenses POV Watch
38 CSDS TECHx Failed POV through defenses POV Watch
38 DeepRed CodeJitsu Failed POV through defenses POV Watch
38 DeepRed CSDS Failed POV POV Watch
38 DeepRed Disekt Failed POV through defenses POV Watch
38 DeepRed ForAllSecure Failed POV POV Watch
38 DeepRed Shellphish Failed POV through defenses POV Watch
38 DeepRed TECHx Failed POV through defenses POV Watch
38 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
38 ForAllSecure CSDS Failed POV POV Watch
38 ForAllSecure DeepRed Failed POV through defenses POV Watch
38 ForAllSecure Disekt Failed POV through defenses POV Watch
38 ForAllSecure Shellphish Failed POV through defenses POV Watch
38 ForAllSecure TECHx Failed POV through defenses POV Watch
39 CSDS CodeJitsu Failed POV through defenses POV Watch
39 CSDS DeepRed Failed POV through defenses POV Watch
39 CSDS Disekt Failed POV through defenses POV Watch
39 CSDS ForAllSecure Failed POV POV Watch
39 CSDS Shellphish Failed POV through defenses POV Watch
39 CSDS TECHx Failed POV through defenses POV Watch
39 DeepRed CodeJitsu Failed POV through defenses POV Watch
39 DeepRed CSDS Failed POV POV Watch
39 DeepRed Disekt Failed POV through defenses POV Watch
39 DeepRed ForAllSecure Failed POV POV Watch
39 DeepRed Shellphish Failed POV through defenses POV Watch
39 DeepRed TECHx Failed POV through defenses POV Watch
39 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
39 ForAllSecure CSDS Failed POV POV Watch
39 ForAllSecure DeepRed Failed POV through defenses POV Watch
39 ForAllSecure Disekt Failed POV through defenses POV Watch
39 ForAllSecure Shellphish Failed POV through defenses POV Watch
39 ForAllSecure TECHx Failed POV through defenses POV Watch
40 CodeJitsu DeepRed Failed POV through defenses POV Watch
40 CSDS CodeJitsu Failed POV through defenses POV Watch
40 CSDS DeepRed Failed POV through defenses POV Watch
40 CSDS Disekt Failed POV through defenses POV Watch
40 CSDS ForAllSecure Failed POV POV Watch
40 CSDS Shellphish Failed POV through defenses POV Watch
40 CSDS TECHx Failed POV through defenses POV Watch
40 DeepRed CodeJitsu Failed POV through defenses POV Watch
40 DeepRed CSDS Failed POV POV Watch
40 DeepRed Disekt Failed POV through defenses POV Watch
40 DeepRed ForAllSecure Failed POV POV Watch
40 DeepRed Shellphish Failed POV through defenses POV Watch
40 DeepRed TECHx Failed POV through defenses POV Watch
40 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
40 ForAllSecure CSDS Failed POV POV Watch
40 ForAllSecure DeepRed Failed POV through defenses POV Watch
40 ForAllSecure Disekt Failed POV through defenses POV Watch
40 ForAllSecure Shellphish Failed POV through defenses POV Watch
40 ForAllSecure TECHx Failed POV through defenses POV Watch
41 CSDS CodeJitsu Failed POV through defenses POV Watch
41 CSDS DeepRed Failed POV through defenses POV Watch
41 CSDS Disekt Failed POV through defenses POV Watch
41 CSDS ForAllSecure Failed POV POV Watch
41 CSDS Shellphish Failed POV through defenses POV Watch
41 CSDS TECHx Failed POV through defenses POV Watch
41 DeepRed CodeJitsu Failed POV through defenses POV Watch
41 DeepRed CSDS Failed POV POV Watch
41 DeepRed Disekt Failed POV through defenses POV Watch
41 DeepRed ForAllSecure Failed POV POV Watch
41 DeepRed Shellphish Failed POV through defenses POV Watch
41 DeepRed TECHx Failed POV through defenses POV Watch
41 ForAllSecure CodeJitsu Failed POV through defenses POV Watch
41 ForAllSecure CSDS Failed POV POV Watch
41 ForAllSecure DeepRed Failed POV through defenses POV Watch
41 ForAllSecure Disekt Failed POV through defenses POV Watch
41 ForAllSecure Shellphish Failed POV through defenses POV Watch
41 ForAllSecure TECHx Failed POV through defenses POV Watch

Curated by Lunge Technology, LLC.