Active N-Day and past bug

Challenge Information

Project: lcms

Type: full

Harnesses: 15

Vulnerabilities: 2



AFC Challenge Performance

Number of Unique Vulnerabilities Discovered: #

Number of Teams with Scoring PoVs: 5

Number of Teams with Scoring Patches: 3

Number of Teams with Scoring Bundles: 3


Total Points Scored for this Challenge: 40.14644394166622

What design decisions were considered for this challenge?

This challenge is a full scan challenge. The challenge includes one vulnerability present in upstream, lcms-001. It also re-introduces one vulnerability from the past, lcms-002.

This challenge will exhibit a correct SARIF report for lcms-001. This makes particular sense for this vuln as it is an actively exploitable vulnerability in the wild.

Why this set of vulnerabilities?

We decided to present the entire Little CMS project all at once, since only two vulns were developed for it.

Delta vs Full and why?

Due to the nature of lcms-001, we decided to stage this as a full challenge. There is no delta for it, since the vulnerability exists in upstream.

Challenge Harnesses

  • cmsIT8_load_fuzzer
  • cms_cgats_fuzzer
  • cms_cie_cam02_fuzzer
  • cms_devicelink_fuzzer
  • cms_dict_fuzzer
  • cms_gdb_fuzzer
  • cms_md5_fuzzer
  • cms_overwrite_transform_fuzzer
  • cms_postscript_fuzzer
  • cms_profile_fuzzer
  • cms_transform_all_fuzzer
  • cms_transform_extended_fuzzer
  • cms_transform_fuzzer
  • cms_universal_transform_fuzzer
  • cms_virtual_profile_fuzzer

Challenge SARIF Broadcast

Target .aixcc/vulns/lcms-001/vuln.yaml

SARIF is correct

PLACEHOLDER FOR SARIF

Challenge Vulnerabilities