Forget Midnight
Challenge Information
Project: apache-commons-compress
Type: delta
Harnesses: 16
Vulnerabilities: 1
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 5
Number of Teams with Scoring Patches: 5
Number of Teams with Scoring Bundles: 3
Total Points Scored for this Challenge: 47.10133985288676
What design decisions were considered for this challenge?
Standalone delta challenge, continues the ladder for zip slips.
Why this set of vulnerabilities?
Standalone delta for simplicity. This challenge models a new feature pull request.
Delta vs Full and why?
Delta is required to avoid conflicts with other zip slip challenges.
Challenge Harnesses
- ArchiverArFuzzer
- ArchiverArjFuzzer
- ArchiverCpioFuzzer
- ArchiverDumpFuzzer
- ArchiverTarStreamFuzzer
- ArchiverZipStreamFuzzer
- CompressorBZip2Fuzzer
- CompressorDeflate64Fuzzer
- CompressorGzipFuzzer
- CompressorLZ4Fuzzer
- CompressorSnappyFuzzer
- CompressorZFuzzer
- CompressSevenZFuzzer
- CompressTarFuzzer
- CompressZipFuzzer
- ExpanderFuzzer
Challenge Vulnerabilities
zip slip from unicode normalization
Vulnerability Information
Author: Tim Allison
Harness: ExpanderFuzzer
CWE Classification: CWE-35, CWE-22, CWE-29
What functions and functionality are relevant?
Zip slip vulnerability in the Expander that relies on Unicode codepoints which, once normalized, produce the traversal characters (“..” and “/”).
Why is this vulnerable?
This is vulnerable because the zip slip check runs on the entry name before it is normalized, so the normalized path that is actually used is never checked.
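To make the ordering bug concrete, here is an added Java example (not the challenge's or commons-compress's own code) that contrasts an expander which checks the raw entry name and then normalizes it with one that normalizes first and checks the string it will actually write. The extraction root, method names and the choice of NFKC as the normalization form are assumptions, and the entry name is constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.Normalizer;

public final class NormalizationOrderDemo {
    // Hypothetical extraction root; a real expander takes this from the caller.
    private static final Path TARGET_DIR =
            Paths.get("/tmp/extract").toAbsolutePath().normalize();

    /** True if resolving entryName under TARGET_DIR would land outside it. */
    static boolean escapesTargetDir(String entryName) {
        Path resolved = TARGET_DIR.resolve(entryName).normalize();
        return !resolved.startsWith(TARGET_DIR);
    }

    /** Vulnerable ordering: validate the raw name, then normalize the name used on disk. */
    static Path resolveCheckThenNormalize(String entryName) throws IOException {
        if (escapesTargetDir(entryName)) {
            throw new IOException("Expanding " + entryName + " would create a file outside " + TARGET_DIR);
        }
        String onDisk = Normalizer.normalize(entryName, Normalizer.Form.NFKC);
        return TARGET_DIR.resolve(onDisk).normalize();
    }

    /** Fixed ordering: normalize first, then validate the exact string that will be written. */
    static Path resolveNormalizeThenCheck(String entryName) throws IOException {
        String onDisk = Normalizer.normalize(entryName, Normalizer.Form.NFKC);
        if (escapesTargetDir(onDisk)) {
            throw new IOException("Expanding " + entryName + " would create a file outside " + TARGET_DIR);
        }
        return TARGET_DIR.resolve(onDisk).normalize();
    }

    public static void main(String[] args) throws IOException {
        // Constructed entry name: U+2025 (TWO DOT LEADER) is an ordinary file-name
        // character before NFKC normalization and becomes ".." after it.
        String crafted = "\u2025/\u2025/etc/passwd";
        String benign = "docs/readme.txt";

        System.out.println("raw-name check passes: " + !escapesTargetDir(crafted));
        System.out.println("check-then-normalize writes to: " + resolveCheckThenNormalize(crafted));
        try {
            resolveNormalizeThenCheck(crafted);
        } catch (IOException rejected) {
            System.out.println("normalize-then-check rejected: " + rejected.getMessage());
        }
        System.out.println("benign entry still allowed: " + resolveNormalizeThenCheck(benign));
    }
}
```

The fixed ordering does not depend on enumerating which codepoints fold to “..” or “/”: whatever string the filesystem will see is the string that gets validated.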
Is this a replay, and/or is it inspired by anything?
Not inspired by anything, but it does sit in a ladder of zip slip challenges.
What makes it interesting?
Fixing this should be straightforward. The challenge here is to create the proof-of-vulnerability, which requires fairly esoteric “knowledge” about which unicode codepoints normalize to “..” or “/”.
Additional details
NOTE: This will only work when the locale is UTF-8. More generally, the POSIX locale causes some test failures in off-the-shelf commons-compress, so requiring a UTF-8 locale is not a stretch.
