Analyzing and Reproducing the EOS Out-of-Bound Write Vulnerability in nodeos
Today, Qihoo 360 posted in its blog about an out-of-bound access vulnerability in nodeos, part of the EOSIO software package. The vulnerability can be exploited to achieve remote code execution (RCE) on a node [1]. Considering the severity of the bug and the timing of the upcoming EOS mainnet launch, researchers at PeckShield immediately looked into the nodeos codebase and reproduced the issue by crafting a malicious smart contract that crashes a vanilla EOS client, as described in the blog.
Let's start with a quick recap of the vulnerability. Figure 1 shows the relevant WASM contract handler. As highlighted in the figure, the out-of-bound write happens in line 78: the offset local variable is read from the untrusted contract binary (line 75) and then used as the starting index for the writes into the function table.
You may notice that there is an assert() in line 76. With the assert() in effect, the loop in lines 77-79 would never index the table vector beyond its size (module->table.initial). However, as indicated in the commit log of the bugfix (Figure 2), assert() is a debugging aid, NOT input validation: it is compiled out whenever NDEBUG is defined, and release builds define NDEBUG (CMake's default Release flags add -DNDEBUG). A production nodeos therefore has no bounds check at this point at all.
This explains why the bugfix simply replaces assert() with FC_ASSERT(), a check that stays active in release builds and rejects the module instead of silently continuing. After understanding the internals of the vulnerability, we reproduced the crash mentioned in [1] by crafting a malicious smart contract named malice_eos_contract.cpp.
We use the following command to compile the contract into the WAST format:
eosiocpp -o malice_eos_contract.wast malice_eos_contract.cpp
Next, we trigger the out-of-bound write by intentionally setting the offset to a very large value, namely -1 in our exploit (Figure 3), which the unsigned 32-bit offset field reads back as 0xFFFFFFFF. With the check compiled out of the release build, the loop writes the function pointers starting billions of entries past the end of the table vector.
In Figure 4, we can see that the nodeos process crashes inside the instantiate_module() function, as mentioned in [1], with a SIGSEGV signal, which demonstrates that the malicious contract reaches the vulnerable code path.
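To make the assert()-versus-always-on-check distinction concrete, the following C++ is an added example written for this note; it is not nodeos or WAVM code. It models the table-segment loop described above with its own type and function names (TableInstance, TableSegment, segment_fits, apply_table_segment), a constructed four-slot table, and the -1 offset used in the exploit. It goes one step beyond the page: the hardened bounds check is written as a subtraction rather than as offset + count <= size, so it cannot wrap even if the arithmetic were done in 32 bits. The WAST fragments in the comments are illustrative only.

```cpp
// Added example, not nodeos/WAVM code: models the function-table segment
// initialisation in instantiate_module() and shows why an assert()-only
// bounds check is not a security check.
#include <cstdint>
#include <cstddef>
#include <iostream>
#include <stdexcept>
#include <string>
#include <vector>

// A function table: one slot per element, as the JIT runtime keeps it.
struct TableInstance {
    std::vector<uint32_t> elements;   // function indices; 0 = empty slot
};

// One (elem ...) segment of the module: a base offset plus the function
// indices to copy into the table starting at that offset.  Both fields are
// read straight out of the contract binary, so both are attacker-controlled.
struct TableSegment {
    uint32_t base_offset;
    std::vector<uint32_t> indices;
};

enum class BuildMode { Debug, Release };

// Overflow-safe form of "base_offset + count <= table_size".  Written as a
// subtraction so it cannot wrap for any operand width.
bool segment_fits(uint64_t base_offset, uint64_t count, uint64_t table_size) {
    return count <= table_size && base_offset <= table_size - count;
}

// Pre-fix shape: the bounds check is an assert(), so it exists only in a
// Debug build.  Returns true if the write loop would be allowed to run.
// Nothing is written here; the function only reports the decision, because
// actually running the loop with a hostile offset is the crash on the page.
bool assert_style_check_passes(const TableSegment& seg,
                               const TableInstance& table,
                               BuildMode mode) {
    if (mode == BuildMode::Debug) {
        // assert(baseOffset + indices.size() <= table.elements.size())
        return segment_fits(seg.base_offset, seg.indices.size(),
                            table.elements.size());
    }
    // Release: NDEBUG is defined, assert() expands to nothing, no check at all.
    return true;
}

// Post-fix shape: an always-on check that rejects the module (here: throws)
// instead of aborting or silently continuing.  Returns the slots written.
size_t apply_table_segment(const TableSegment& seg, TableInstance& table) {
    if (!segment_fits(seg.base_offset, seg.indices.size(), table.elements.size())) {
        throw std::runtime_error("table segment out of bounds: offset " +
                                 std::to_string(seg.base_offset) + ", count " +
                                 std::to_string(seg.indices.size()));
    }
    for (size_t i = 0; i < seg.indices.size(); ++i) {
        table.elements[seg.base_offset + i] = seg.indices[i];
    }
    return seg.indices.size();
}

int main() {
    TableInstance table;
    table.elements.assign(4, 0);              // constructed: a 4-slot table

    TableSegment benign{0, {1, 2}};           // e.g. (elem (i32.const 0) $f1 $f2)
    TableSegment hostile{0xFFFFFFFFu, {1}};   // e.g. (elem (i32.const -1) $f1)

    std::cout << "benign segment wrote " << apply_table_segment(benign, table)
              << " slots\n";
    std::cout << "assert-style check, Debug build, offset -1: "
              << (assert_style_check_passes(hostile, table, BuildMode::Debug)
                      ? "passes" : "rejected") << "\n";
    std::cout << "assert-style check, Release build, offset -1: "
              << (assert_style_check_passes(hostile, table, BuildMode::Release)
                      ? "passes (would write out of bounds)" : "rejected") << "\n";
    try {
        apply_table_segment(hostile, table);
    } catch (const std::runtime_error& e) {
        std::cout << "always-on check: " << e.what() << "\n";
    }
    return 0;
}
```

The point of assert_style_check_passes is the Release branch: with NDEBUG defined the check is simply gone, so a contract with offset 0xFFFFFFFF proceeds straight to the write loop. The always-on check in apply_table_segment is what a FC_ASSERT()-style replacement buys you, and the subtraction form of segment_fits also rejects segments whose offset plus count would wrap in 32-bit arithmetic.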
References
- [1] Qihoo 360: EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds, May 29, 2018: http://blogs.360.cn/blog/eos-node-remote-code-execution-vulnerability/