Arch Assembly Delta
Challenge Information
Project: apache-poi
Type: delta
Harnesses: 17
Vulnerabilities: 2
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 4
Number of Teams with Scoring Patches: 0
Number of Teams with Scoring Bundles: 0
Total Points Scored for this Challenge: 9.664544948751653
What design decisions were considered for this challenge?
Both vulnerabilities live in the same new code: they are two distinct bugs introduced by a single new feature (the extended-properties reader for XLSX), so a solver works within one delta to find both.
Why this set of vulnerabilities?
This challenge pairs two unrelated vulnerability classes, an SSRF (CWE-918) and a regex-driven StackOverflow DoS, in one new-feature pull request.
Delta vs Full and why?
Delta. It models a new-feature pull request, which is the scenario a delta challenge is meant to exercise. There are plenty of other challenges in the Apache POI full scan.
Challenge Harnesses
- EncryptDecryptFuzzer
- POIHMEFFuzzer
- POIHSLFFuzzer
- POIHWPFFuzzer
- POIVisioFuzzer
- POIXWPFFuzzer
- POIFuzzer
- POIHPBFFuzzer
- POIHSMFFuzzer
- POIOldExcelFuzzer
- POIXSLFFuzzer
- XLSX2CSVFuzzer
- POIHDGFFuzzer
- POIHPSFFuzzer
- POIHSSFFuzzer
- POIPOIFSDumpFuzzer
- POIXSSFFuzzer
Challenge Vulnerabilities
SSRF in extended properties
Vulnerability Information
Author: Tim Allison
Harness: POIXSSFFuzzer
CWE Classification: CWE-918
What functions and functionality is relevant?
This delta adds functionality for extracting extended properties from an XLSX file.
Why is this vulnerable?
Reading extended properties via the streaming XSSF reader lets a crafted XLSX trigger a server-side request (SSRF, CWE-918).
Is this a replay and/or is inspired by anything?
Not a replay.
What makes it interesting?
It should be fairly challenging to generate a PoV. The vulnerability should be easy to find with static analysis but not with fuzzing.
Regex StackOverflow
Vulnerability Information
Author: Tim Allison
Harness: POIXSSFFuzzer
CWE Classification: CWE-121, CWE-20
What functions and functionality is relevant?
This delta adds functionality for extracting extended properties from an XLSX file.
Why is this vulnerable?
A regex in the XLSX extended-properties reader recurses on a crafted property value until java.util.regex throws StackOverflowError, giving a denial of service.
Is this a replay and/or is inspired by anything?
Not a replay. This is a variant of other regex DoS challenges in the competition.
What makes it interesting?
It may be challenging to find the vulnerability, and it should be fairly challenging to generate a PoV.
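To make the failure mode concrete, the following is an added illustration, not Apache POI code and not the challenge's actual regex: a hypothetical property-value check written first with an alternation inside a repetition, which java.util.regex evaluates with one recursive call per iteration and which therefore throws StackOverflowError on a long enough value, and then a hardened form that caps input length and uses a single character class, which the engine matches iteratively. The patterns, the length cap and the constructed 200,000-character value are all assumptions made for the demonstration.

```java
import java.util.regex.Pattern;

/**
 * Added example of a regex StackOverflow DoS in Java and one way to harden
 * against it. Not Apache POI code; the patterns, the length cap and the
 * sample input are constructed for the demonstration.
 */
public class RegexStackOverflowDemo {

    // Alternation inside a repetition: java.util.regex compiles this group to
    // a Loop node and evaluates each iteration with a recursive call, so the
    // recursion depth grows with the input length and a long enough value
    // exhausts the thread stack.
    static final Pattern VULNERABLE = Pattern.compile("^(?:[A-Za-z0-9]|[ \\t])*$");

    // Same language, expressed as a single character class. A repetition over
    // one character class is matched iteratively, so depth does not scale
    // with input length.
    static final Pattern HARDENED = Pattern.compile("^[A-Za-z0-9 \\t]*$");

    // Assumed upper bound on a property value before it reaches any regex.
    static final int MAX_PROPERTY_LENGTH = 64 * 1024;

    /** Vulnerable check: untrusted input goes straight to the recursive pattern. */
    static boolean isValidVulnerable(String value) {
        return VULNERABLE.matcher(value).matches();
    }

    /**
     * Hardened check: reject oversized input up front, use the non-recursive
     * pattern, and treat StackOverflowError as a validation failure instead
     * of letting it unwind through the caller.
     */
    static boolean isValidHardened(String value) {
        if (value == null || value.length() > MAX_PROPERTY_LENGTH) {
            return false;
        }
        try {
            return HARDENED.matcher(value).matches();
        } catch (StackOverflowError e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed input: a 200,000-character property value, standing in
        // for what a crafted docProps/app.xml could carry.
        String payload = "a".repeat(200_000);

        System.out.println("hardened, long payload: " + isValidHardened(payload));
        System.out.println("hardened, short value:  " + isValidHardened("Build 123"));
        try {
            System.out.println("vulnerable: " + isValidVulnerable(payload));
        } catch (StackOverflowError e) {
            System.out.println("vulnerable: StackOverflowError on "
                    + payload.length() + " chars");
        }
    }
}
```

Run it with `javac RegexStackOverflowDemo.java && java RegexStackOverflowDemo` (Java 11 or later for `String.repeat`). The exact input length needed to overflow depends on the thread stack size (`-Xss`), which is why the hardened path bounds length before matching rather than relying on a particular limit.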
