Chall-Manager Zip Bomb Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in Chall-Manager, a platform-agnostic system that starts Challenges on Demand for players. The issue arises when the system decodes scenario zip archives: it does not check the size of the extracted content. This oversight allows a zip bomb to be decompressed without limit, causing excessive resource consumption. The vulnerability can be exploited by anyone, without authentication or authorization. Although it is recommended to deploy Chall-Manager deep within the infrastructure to prevent user access, this vulnerability could still be exploited under certain conditions.
Impact
Exploitation of this vulnerability can cause a denial-of-service condition, where the system becomes overwhelmed and unavailable due to excessive resource consumption from processing a zip bomb.
Reproduction
To reproduce this vulnerability, submit a zip bomb (an archive that expands to a vastly larger size when decompressed) to the Chall-Manager scenario decoding process. Because the system does not verify the extracted size, the zip bomb is fully decompressed, leading to resource exhaustion.
Remediation
Users can update to Chall-Manager version 0.1.4, which includes the patch for this vulnerability.
