Vulnerability Disclosure: USCC CyberQuests 2013

USCC runs computer security challenges throughout the year to find qualified students for their Cyber Security Camps. The most important test is held in April — the last challenge before summer camps.

The April 2013 Cyber Quest consisted of 30 multiple choice questions based on analysis of a pcap file containing evidence of an attack. The best score wins, if there is a tie then the fastest time wins. This was one of the easier challenges throughout the year — 65 participants got perfect scores. The challenge then became a race.

To submit the test quickly, I wrote a JavaScript command that would select the correct answers and submit the test. My approach required loading the quiz and then running the script. I scored a time of 8 seconds. Some challengers wrote very cool scripts to start and submit the test in less than a second!

To write my script I recorded the HTML value parameter for each radio-button and checkbox of the correct answers. While recording the values I discovered a pattern revealing all the correct choices!

Below is an example of the HTML for a radio button from one of the answer to the test:

The value parameter is the problem. For each question there are 3 or 4 choices, each with a value that is unique to the entire quiz. Of the possible answers for each question, the correct answer is always the answer with the lowest value among the possible choices for that question.

For one question on the test there were two answers. For this question, the correct answers were the checkboxes with the two lowest values among the possible choices.

The radio button of every correct answer on the test had a value that was 1 more than a multiple of 4.

Despite not having an explicit bug bounty program USCC payed a reasonable bounty.

ARP Cache Poisoning Defense

Last summer I attended the US Cyber Challenge Conference in Virginia. I was in the hotel room getting ready for a week of exciting security courses. The WiFi was unbearably slow but I attributed that to the masses of other conference goers downloading OS images needed for the morning classes.

The morning class was Packet Crafting with Scapy, a powerful packet manipulation tool for Python. I was refreshing my Wireshark skills for the morning class and noticed something odd — there was a flood of constant ARP traffic. Someone was poisoning my ARP cache and intercepting all of my web traffic. This was my first up-close and personal introduction to ARP Poisoning.

That experience inspired me to write a personal ARP Defense script. The script monitors a computer’s ARP table and notifies the user when an Attack is detected. The script can be found here. Additional information on ARP Poisoning can be found at