Malicious test with command execution and ffi is enabled
(Although this is not inside the scope, this is included in the final report of Santa's List)
ffi is enabled but there is no tests that needs it, except a malicious one that execute command. If the command is not touch
but something else, it can execute command as the user running the test, if it is something like a reverse shell the system running the test will be compromised
If the command is not touch
but something else, it can execute command as the user running the test, if it is something like a reverse shell the system running the test will be compromised
Manual review
Remove the malicious test and disable ffi
The contest is live. Earn rewards by submitting a finding.
This is your time to appeal against judgements on your submissions.
Appeals are being carefully reviewed by our judges.