Strategic Identity
Challenge Information
Project: pdfbox
Type: delta
Harnesses: 6
Vulnerabilities: 1
AFC Challenge Performance
Number of Unique Vulnerabilities Discovered: #
Number of Teams with Scoring PoVs: 5
Number of Teams with Scoring Patches: 2
Number of Teams with Scoring Bundles: 1
Total Points Scored for this Challenge: 25.433350322318695
What design decisions were considered for this challenge?
This vulnerability is isolated from the full repo scan because it closely resembles a new feature pull request.
Why this set of vulnerabilities?
This vulnerability models a realistic new feature pull request scenario, making it a natural fit for a standalone delta challenge.
Delta vs Full and why?
Delta, because the vulnerability models a new feature pull request.
Challenge Harnesses
- DomXfaParserFuzzer
- DomXmpParserFuzzer
- PDFExtractTextFuzzer
- PDFOCRFuzzer
- PDFStreamParserFuzzer
- PDFWriteReadFuzzer
Challenge Vulnerabilities
PDF command injection
Vulnerability Information
Author: Tim Allison
Harness: PDFOCRFuzzer
CWE Classification: CWE-77, CWE-28
What functions and functionality are relevant?
This adds a new feature: an integration with Tesseract, an OCR engine that the new code invokes as an external executable.
Why is this vulnerable?
Users are able to set the path to the tesseract executable via a custom metadata field in the PDF file. Because the PDF is untrusted input, a crafted document can point that path at an arbitrary executable, which the OCR feature then runs. This opens up a command injection vulnerability.
Is this a replay and/or is inspired by anything?
Not a replay. This was inspired by early work in Tika, where preventing users from changing the path of executables when running tika-server was a key security concern.
What makes it interesting?
The unit tests require that the user is able to modify the path to tesseract, so the good patch can't simply turn off the functionality. Instead, the good patch needs to check that the executable actually invoked is tesseract, and not some other executable.
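The flaw described above and the shape of patch the write-up asks for, as an added example. This is hypothetical code, not pdfbox's own implementation: the PDF's custom metadata is stood in for by a plain Map (in PDFBox the value would come from PDDocumentInformation.getCustomMetadataValue), the metadata key "TesseractPath" is assumed, and the class and method names are illustrative.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.Set;

/**
 * Illustrative OCR integration: a vulnerable command builder next to a hardened one.
 * Not pdfbox code. The Map stands in for the PDF's custom metadata (assumption).
 */
public class TesseractRunner {

    /** Custom info-dictionary key the hypothetical feature honours (assumed name). */
    static final String TESSERACT_PATH_KEY = "TesseractPath";

    /** Default location; callers may override it, which the write-up says the unit tests require. */
    private Path tesseractPath = Paths.get("/usr/bin/tesseract");

    // --- vulnerable: the document decides which binary runs ------------------------------

    /** VULNERABLE: a path taken from untrusted PDF metadata is handed straight to the exec. */
    static List<String> vulnerableCommand(Map<String, String> pdfCustomMetadata, Path image) {
        String exe = pdfCustomMetadata.getOrDefault(TESSERACT_PATH_KEY, "tesseract");
        // A crafted PDF can set exe to /tmp/evil or any other binary present on the host.
        return Arrays.asList(exe, image.toString(), "stdout");
    }

    // --- hardened: the path stays configurable, but only a tesseract binary is accepted ---

    static final Set<String> ALLOWED_NAMES = Set.of("tesseract", "tesseract.exe");

    /** Setter kept so callers and tests can relocate tesseract; validation runs before any exec. */
    public void setTesseractPath(String candidate) throws IOException {
        Path real = Paths.get(candidate).toRealPath(); // resolves symlinks and ".." segments
        String name = real.getFileName().toString();
        if (!ALLOWED_NAMES.contains(name)) {
            throw new IllegalArgumentException("not a tesseract executable: " + real);
        }
        if (!Files.isRegularFile(real) || !Files.isExecutable(real)) {
            throw new IllegalArgumentException("not an executable regular file: " + real);
        }
        this.tesseractPath = real;
    }

    /** Builds argv directly; no shell is involved, so the image path cannot inject commands. */
    List<String> hardenedCommand(Path image) {
        // An absolute path can never be mistaken for a leading-dash option by tesseract.
        String img = image.toAbsolutePath().toString();
        return Arrays.asList(tesseractPath.toString(), img, "stdout");
    }

    /** PDF metadata is never consulted for the executable path in the hardened version. */
    Process run(Path image) throws IOException {
        return new ProcessBuilder(hardenedCommand(image)).redirectErrorStream(true).start();
    }

    public static void main(String[] args) throws IOException {
        // Constructed hostile metadata: the document tries to choose the executable.
        Map<String, String> hostile = Map.of(TESSERACT_PATH_KEY, "/tmp/evil");
        System.out.println("vulnerable argv: " + vulnerableCommand(hostile, Paths.get("page1.png")));

        TesseractRunner r = new TesseractRunner();
        try {
            r.setTesseractPath("/tmp/evil"); // rejected: wrong basename, or the file does not exist
        } catch (IllegalArgumentException | IOException e) {
            System.out.println("rejected override: " + e.getMessage());
        }
        System.out.println("hardened argv: " + r.hardenedCommand(Paths.get("page1.png")));
    }
}
```

The basename check is a floor, not a ceiling: anyone who can write a file named tesseract somewhere on the host still passes it, so where the deployment allows, pair it with an allowlist of parent directories or a pinned hash of the binary. The point the write-up makes is preserved either way: the path remains settable by the API caller, but the document itself no longer picks the executable, and whatever is set must resolve to a tesseract binary before ProcessBuilder ever sees it.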
Additional details
This harness performs image processing, which carries a risk of out-of-memory (OOM) failures in Java. That is a known consideration for this challenge.
