Qualifier Challenge - YAN01_00007

Original Versions

Known Vulnerabilities

  • CWE-476 - NULL Pointer Dereference
  • CWE-824 - Access of Uninitialized Pointer
  • CWEs are listed as indicated by the challenge author.


  • CodeJitsu: 4.0
  • ForAllSecure: 4.0
  • Shellphish: 4.0
  • Disekt: 3.32
  • TECHx: 2.0
  • CSDS: 0.33
  • TrailofBits: 0.08
  • Lekkertech: 0.0
  • FuzzBOMB: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • Shellphish - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • ForAllSecure: 100.0% - CB1
  • TECHx: 100.0% - CB1
  • Shellphish: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions


This service is supposed to be a simple service where a user can log in and then add, delete, and print out the list of currently stored passwords. The strange thing about this service is that the passwords must all be third-power Diophantine equations of the form secret1^3 + secret2^3 + secret3^3 = stored-secret^3.

This CB is meant to be a harder version of YAN01_00008, but is also provided to help CRS authors test their solver integration. What makes this CB more difficult than the other is that the uint32 numbers are converted into 256-bit large ints before addition and multiplication take place. This, and the fact that numbers are entered as ASCII decimal numbers and then converted into uint32_t, also obfuscates the process.


There is a null pointer dereference vulnerability. It arises from the fact that some numbers d have more than one solution to a^3 + b^3 + c^3 = d^3, but the CB itself only initializes the function pointers for one set of solutions. As a result, finding the alternative solution leads to a null pointer dereference. This falls under CWE-824: Access of Uninitialized Pointer and CWE-476: NULL Pointer Dereference.


The CB itself doesn't actually check to make sure that the passwords stored in the database satisfy the constraint mentioned in the description.
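The two weaknesses described above (a handler pointer left unset for a second valid solution, and no check that a stored value satisfies the equation) can be closed in one dispatch routine. The following is an added example, not code from the challenge binary: the table layout, the function names and the sample values for d = 18 are assumptions made for illustration, and unsigned __int128 (a GCC/Clang extension) stands in for the CB's 256-bit integers.

```c
#include <stddef.h>
#include <stdint.h>

/* GCC/Clang extension; 3 * (2^32)^3 < 2^98, so 128 bits cannot overflow. */
typedef unsigned __int128 u128;
typedef int (*handler_fn)(void);

struct entry { uint32_t a, b, c, d; handler_fn fn; };

static int handler_ok(void) { return 1; }

/* Constructed table (hypothetical layout): d = 18 has two valid solutions,
 * but only the first one ever had its function pointer initialized. */
static const struct entry table[] = {
    { 2, 12, 16, 18, handler_ok },
    { 9, 12, 15, 18, NULL },
};

static u128 cube(uint32_t x) { return (u128)x * x * x; }

/* True when a^3 + b^3 + c^3 == d^3, computed without wraparound. */
int is_solution(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    return cube(a) + cube(b) + cube(c) == cube(d);
}

enum { DISPATCH_BAD_EQUATION = -1, DISPATCH_NO_HANDLER = -2 };

/* Hardened dispatch: validate the equation first, then refuse to call
 * through a pointer that is missing or was never set. */
int safe_dispatch(uint32_t a, uint32_t b, uint32_t c, uint32_t d)
{
    if (!is_solution(a, b, c, d))
        return DISPATCH_BAD_EQUATION;
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++) {
        const struct entry *e = &table[i];
        if (e->a == a && e->b == b && e->c == c && e->d == d)
            return e->fn ? e->fn() : DISPATCH_NO_HANDLER;
    }
    return DISPATCH_NO_HANDLER;   /* valid equation, unknown solution */
}
```

A dispatcher that calls the table entry's pointer without the NULL test would crash on the second row, which is the CWE-476/CWE-824 condition the challenge author lists.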

Curated by Lunge Technology, LLC.