Qualifier Challenge - KPRCA_00022


Original Versions

Known Vulnerabilities

  • CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWEs are listed as indicated by the challenge author.

Scores

  • ForAllSecure: 3.55
  • Disekt: 0.08
  • CodeJitsu: 0.0
  • Lekkertech: 0.0
  • TECHx: 0.0
  • Shellphish: 0.0
  • CSDS: 0.0
  • FuzzBOMB: 0.0
  • TrailofBits: 0.0
  • DeepRed: 0.0
  • The maximum score for each challenge in CQE is 4, following the CQE Scoring Document.

Passed consensus evaluation

  • CodeJitsu - CB1
  • CSDS - CB1
  • Disekt - CB1
  • ForAllSecure - CB1
  • TECHx - CB1
  • TrailofBits - CB1

Proved a POV in reference challenge

Defense against reference POVs

  • ForAllSecure: 100.0% - CB1
  • CodeJitsu: 100.0% - CB1
  • Disekt: 100.0% - CB1
  • CSDS: 100.0% - CB1
  • TrailofBits: 100.0% - CB1

No submission

  • Eighth Place Team
  • Eleventh Place Team
  • Fifth Place Team - Finalist
  • First Place Team - Finalist
  • Fourth Place Team - Finalist
  • Ninth Place Team
  • Second Place Team - Finalist
  • Seventh Place Team - Finalist
  • Sixth Place Team - Finalist
  • Tenth Place Team
  • Third Place Team - Finalist
  • Thirteenth Place Team
  • Twelfth Place Team

All Submissions

DARPA performer group

Kaprica Security (KPRCA)

Description:

This CB emulates an online job application form. An applicant moves through several pages of grouped questions (Candidate Info, Education, Address, and so on) and must answer every question on a page before continuing to the next one. The pages are sequential and, once completed, can be revisited using the "prev" command. On a completed page an applicant can update individual questions with new answers or simply review his or her answers.

Once the form is completed the user can "submit" the form by exiting, or "discard" by using ctrl-c. The two are functionally equivalent, but we would hate to feel like someone didn't have a chance to throw their application away.

The code attempts to model a web interface. Each input has a text field, a buffer to hold the response, and a verification function that makes sure the input is valid.

Feature List

An applicant can enter input when asked a question, or navigate across the application with the following commands.

All commands begin with '**' and may be entered at any time during the CB:

  • **prev
  • **next
  • **update [id]
  • **help
  • **exit

Vulnerability

Certain questions have predefined allowed responses. For example, when an applicant is asked to enter a suffix for his or her name, the valid options include "Jr", "Sr", "III" and so on; for address information, two-letter postal codes are used for states ("AK", "VA", "IA" and so on). The function that verifies these choices has a bug: it does not compare the lengths of the two strings, but only checks the user's input against each valid choice for the length of that choice. Because the length of the input itself is never checked, any string that begins with a valid choice is accepted no matter how long it is, and the whole input is then copied into the response buffer, overflowing it. For example, JrAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA is accepted as valid input by the vulnerable version.
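The following is an added example, not code from the challenge binary or from Kaprica Security. It models the per-question layout the description gives (a response buffer plus a verification function) and shows the verifier bug beside its hardened form. The exact shape of the original check is not on this page, so the prefix comparison with strncmp is an assumed reconstruction; the buffer size, the struct layout and the neighbour field are likewise assumptions chosen to make the overflow visible.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RESPONSE_SIZE 16
#define PAYLOAD "JrAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

/* Constructed model of one question's state: the fixed response buffer
 * followed by a stand-in for whatever the real CB keeps next to it.
 * Sizes and layout are assumptions, not taken from the challenge binary. */
struct question {
    char response[RESPONSE_SIZE];
    char neighbour[48];
};

typedef bool (*verify_fn)(const char *input);

/* Static table of valid choices, the kind of string a competitor can lift
 * straight out of the binary. */
static const char *const SUFFIXES[] = { "Jr", "Sr", "II", "III", NULL };

/* Vulnerable verifier (assumed form of the bug): each valid choice is
 * compared against the input for the length of the choice only, so any
 * input that merely begins with a valid choice is accepted. */
bool verify_suffix_vuln(const char *input)
{
    for (size_t i = 0; SUFFIXES[i] != NULL; i++)
        if (strncmp(input, SUFFIXES[i], strlen(SUFFIXES[i])) == 0)
            return true;
    return false;
}

/* Hardened verifier: whole-string equality, which also forces the lengths
 * to match, so any trailing bytes cause rejection. */
bool verify_suffix_fixed(const char *input)
{
    for (size_t i = 0; SUFFIXES[i] != NULL; i++)
        if (strcmp(input, SUFFIXES[i]) == 0)
            return true;
    return false;
}

/* Verifies an answer and stores it the way the vulnerable CB does: the whole
 * input, NUL included, is copied into response[] with no size check. So that
 * this demonstration stays well-defined, the copy goes through a pointer to
 * the enclosing struct and is capped at its size, so the excess lands in
 * neighbour[] rather than beyond the object; the real strcpy keeps writing.
 * Returns -1 if the verifier rejected the input, otherwise the number of
 * bytes written past the end of response[] (0 when nothing overflowed). */
int answer_suffix(struct question *q, const char *input, verify_fn verify)
{
    if (!verify(input))
        return -1;
    size_t len = strlen(input) + 1;
    size_t cap = len < sizeof *q ? len : sizeof *q;
    memcpy((char *)q, input, cap);   /* unchecked copy into response[] */
    return cap > RESPONSE_SIZE ? (int)(cap - RESPONSE_SIZE) : 0;
}

int main(void)
{
    struct question q;

    memset(&q, 0, sizeof q);
    strcpy(q.neighbour, "untouched");
    printf("vuln  \"Jr\"    -> overflow %d bytes, neighbour \"%s\"\n",
           answer_suffix(&q, "Jr", verify_suffix_vuln), q.neighbour);

    memset(&q, 0, sizeof q);
    strcpy(q.neighbour, "untouched");
    printf("vuln  payload -> overflow %d bytes, neighbour \"%s\"\n",
           answer_suffix(&q, PAYLOAD, verify_suffix_vuln), q.neighbour);

    memset(&q, 0, sizeof q);
    printf("fixed payload -> result %d (-1 means rejected)\n",
           answer_suffix(&q, PAYLOAD, verify_suffix_fixed));
    return 0;
}
```

Run as written, the vulnerable verifier accepts the "Jr" plus padding payload and the copy spills into the neighbouring field, while the hardened verifier rejects it before anything is written. The SUFFIXES table is also the point of the challenge note below: the valid choices are static strings in the binary, so a competitor can enumerate them and append padding to each rather than fuzz blindly.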

CWE classification

CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Challenges

This problem is meant to let competitors test their ability to systematically check bounding constraints and to find vulnerable input a little more cleverly than by random fuzzing alone, by making use of the static strings (the tables of valid choices) available in the binary.


Curated by Lunge Technology, LLC. Questions or comments? Send us email