Today, Qihoo 360 posted in its blog about an out-of-bound access vulnerability in nodeos, a part of EOSIO software package. This vulnerability can be exploited to trigger an RCE (Remote-Code-Execution) attack [1]. Considering the severity of the vulnerability and the timing of upcoming EOS mainnet launch, researchers at PeckShield immediately looked into the nodeos codebase and successfully reproduced the bug by crafting a malicious smart contract to crash the vanilla EOS client as mentioned in the blog.

Let’s start from a quick recap of the vulnerability. We show in Figure 1 the related WASM contract handler. As highlighted in the figure, there is an out-of-bound write in line 78 because the offset local variable is extracted from the untrusted contract binary (line 75).


Figure 1: The Vulnerable WASM Contract Handler

You may notice that there’s an assert() in line 76. With the assert(), the loop in line 77-79 would not access the table vector beyond its size (module->table.initial). However, as indicated in the commit log of the bugfix (Figure 2), the assert() works in debug mode only, NOT in release mode.


Figure 2: Bugfix for the Vulnerable WASM Contract Handler

It explains why the bugfix simply changes assert() to FC_ASSERT() and the problem is solved. After understanding the internals of the vulnerability, we successfully reproduced the crash mentioned in [1] by crafting a malicious smart contract named malice_eos_contract.cpp.

We use the following command to compile the contract into the WAST format:

eosiocpp -o malice_eos_contract.wast malice_eos_contract.cpp

Figure 3: Crafted malice_eos_contract in WAST Format

Next, we trigger the out-of-bound write by intentionally modifying offset with a pretty large value, or essentially -1 in our exploit (Figure 3).


Figure 4: nodeos Process Crash by an Access Violation

In Figure 4, we can see that the nodeos process crashes at the instantiate_module() function as mentioned in [1] by receiving a SIGSEGV signal, which demonstrates the feasibility of the malicious contract.

About US

PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.

References



Published

29 May 2018

Tags