Analyzing and Reproducing the EOS Out-of-Bound Write Vulnerability in nodeos
Today, Qihoo 360 posted in its blog about an out-of-bound access vulnerability in nodeos, a part of EOSIO software package. This vulnerability can be exploited to trigger an RCE (Remote-Code-Execution) attack [1]. Considering the severity of the vulnerability and the timing of upcoming EOS mainnet launch, researchers at PeckShield immediately looked into the nodeos codebase and successfully reproduced the bug by crafting a malicious smart contract to crash the vanilla EOS client as mentioned in the blog.
Let’s start from a quick recap of the vulnerability. We show in Figure 1 the related WASM contract handler. As highlighted in the figure, there is an out-of-bound write in line 78 because the offset local variable is extracted from the untrusted contract binary (line 75).
You may notice that there’s an assert() in line 76. With the assert(), the loop in line 77-79 would not access the table vector beyond its size (module->table.initial). However, as indicated in the commit log of the bugfix (Figure 2), the assert() works in debug mode only, NOT in release mode.
It explains why the bugfix simply changes assert() to FC_ASSERT() and the problem is solved. After understanding the internals of the vulnerability, we successfully reproduced the crash mentioned in [1] by crafting a malicious smart contract namedmalice_eos_contract.cpp.
We use the following command to compile the contract into the WAST format:
eosiocpp -o malice_eos_contract.wast malice_eos_contract.cpp
Next, we trigger the out-of-bound write by intentionally modifying offset with a pretty large value, or essentially -1 in our exploit (Figure 3).
In Figure 4, we can see that the nodeos process crashes at the instantiate_module()function as mentioned in [1] by receiving a SIGSEGV signal, which demonstrates the feasibility of the malicious contract.
References
- [1] Qihoo 360: EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds, May 29, 2018: http://blogs.360.cn/blog/eos-node-remote-code-execution-vulnerability/
相關文章
- 【劉文彬】 Debug EOS:nodeos + mongo_db_pluginGoPlugin
- Restrictions on Analyzing TablesREST
- NodeOS作業系統作業系統
- Analyzing Strings with sscanf
- Python Analyzing your Gmail with MatplotlibPythonAI
- Drupal - pre Auth SQL Injection VulnerabilitySQL
- PHP WDDX Serializier Data Injection VulnerabilityPHP
- EOS原始碼分析(2)EOS執行原始碼
- Open Wifi SSID Broadcast vulnerabilityWiFiAST
- EOS開發完全解析(三):EOS賬號建立
- Cacti /graphs_new.php SQL Injection VulnerabilityPHPSQL
- PHP Multipart/form-data remote dos VulnerabilityPHPORMREM
- EOS JAVA 呼叫Java
- EOS開發完全解析(六):手摸手實現第一個EOS智慧合約——Hello EOS
- 1.6 EOS詳解
- EOS 入門指南
- 關於Cache的write-through & write-back
- MySQL double writeMySql
- hio_write
- EOS開發完全解析(一):Ubuntu上搭建EOS開發環境Ubuntu開發環境
- 3.02 EOS核心框架框架
- EOS 錢包淺談
- [SEEDLab]競態條件漏洞(Race Condition Vulnerability)
- dedecms /member/buy_action.php Weak Password Vulnerability Algorithm VulPHPGo
- HDFS read and write
- document.write()方法
- db file parallel writeParallel
- commit_writeMIT
- EOS開發完全解析(四):EOS快速發幣,何以圈錢?唯有發幣!
- storage儲存的cache快取相關機制write-though和write-back(write-caching)快取
- FIBOS-EOS入門
- 安裝EOS最新版
- EOS原始碼學習系列原始碼
- EOS原始碼分析(6)Token原始碼
- The Tokenizers Summary: [EOS],[BOS],[CLS],[SEP]
- Smashing The Browser:From Vulnerability Discovery To Exploit學習記錄
- Oracle db file parallel write 和 log file parallel write 等待事件 說明OracleParallel事件
- How boltdb Write its Data?