Analyzing and Reproducing the EOS Out-of-Bound Write Vulnerability in nodeos

PeckShield
May 29, 2018


Today, Qihoo 360 posted in its blog about an out-of-bound access vulnerability in nodeos, part of the EOSIO software package. This vulnerability can be exploited to trigger an RCE (Remote Code Execution) attack [1]. Considering the severity of the vulnerability and the timing of the upcoming EOS mainnet launch, researchers at PeckShield immediately looked into the nodeos codebase and successfully reproduced the bug by crafting a malicious smart contract that crashes the vanilla EOS client, as described in the blog.

Let’s start with a quick recap of the vulnerability. Figure 1 shows the related WASM contract handler. As highlighted in the figure, there is an out-of-bound write in line 78, because the offset local variable is extracted from the untrusted contract binary (line 75) and used as an index without any enforced bounds check.

Figure 1: The Vulnerable WASM Contract Handler In nodeos

You may notice that there is an assert() in line 76. With the assert() in place, the loop in lines 77–79 would not access the table vector beyond its size (module->table.initial). However, as indicated in the commit log of the bugfix (Figure 2), assert() is compiled in debug mode only, NOT in release mode, so the check is absent from the binaries that block producers actually run.

Figure 2: Bugfix for the Vulnerable WASM Contract Handler

This explains why the bugfix simply changes assert() to FC_ASSERT(), which is enforced in release builds as well, and the problem is solved. After understanding the internals of the vulnerability, we successfully reproduced the crash mentioned in [1] by crafting a malicious smart contract named malice_eos_contract.cpp.
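To make the trust boundary concrete, the following is an added illustration of the bug class, not nodeos code: the Module and TableSegment structures, the function names and the table sizes are simplified assumptions, and the line numbers from Figure 1 do not map onto it. It places the assert()-only pattern beside a check that is enforced in every build type (the role FC_ASSERT() plays in the fix) and shows why the bounds arithmetic must be widened before adding, since an offset of 0xFFFFFFFF (-1) plus a one-element segment wraps to 0 in 32-bit arithmetic and slips past a naive comparison.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <utility>
#include <vector>

// Hypothetical, simplified model of the WASM table section a loader has to
// instantiate: the module declares a table of `initial` slots, and an element
// segment asks the loader to write `indices` into that table starting at
// `offset`. Both `offset` and `indices` are read from the untrusted contract
// binary, which is exactly the trust boundary the article is about.
struct TableSegment {
    uint32_t offset;                 // attacker-controlled
    std::vector<uint32_t> indices;   // attacker-controlled
};

struct Module {
    uint32_t initial;                // declared table size
    std::vector<uint32_t> table;     // sized to `initial` by the loader
};

Module make_module(uint32_t initial) {
    return Module{initial, std::vector<uint32_t>(initial, 0)};
}

// Vulnerable pattern: the only bounds check is assert(). When NDEBUG is
// defined (release builds) the compiler removes it, so an offset such as
// 0xFFFFFFFF (-1) goes straight into the index computation below.
void instantiate_table_unchecked(Module& m, const TableSegment& seg) {
    assert(static_cast<uint64_t>(seg.offset) + seg.indices.size() <= m.initial);
    for (size_t i = 0; i < seg.indices.size(); ++i) {
        m.table[seg.offset + i] = seg.indices[i];   // out-of-bound write in release
    }
}

// A check written in 32-bit arithmetic is not enough either: 0xFFFFFFFF + 1
// wraps to 0, which is <= any table size, so the malicious segment passes.
bool naive_in_bounds_32(uint32_t offset, uint32_t count, uint32_t table_size) {
    return offset + count <= table_size;
}

// Hardened check: widen to 64 bits before adding so the sum cannot wrap.
bool table_segment_in_bounds(uint32_t offset, size_t count, uint32_t table_size) {
    return static_cast<uint64_t>(offset) + count <= table_size;
}

// Hardened loader: validation is an ordinary runtime test that throws on
// failure in every build type, the way FC_ASSERT() does in the bugfix.
// Returns the number of slots written.
size_t instantiate_table_checked(Module& m, const TableSegment& seg) {
    if (!table_segment_in_bounds(seg.offset, seg.indices.size(), m.initial)) {
        throw std::out_of_range("element segment exceeds declared table size");
    }
    for (size_t i = 0; i < seg.indices.size(); ++i) {
        m.table[seg.offset + i] = seg.indices[i];
    }
    return seg.indices.size();
}

// Convenience: instantiate a fresh module and return its table contents.
std::vector<uint32_t> load_table(uint32_t initial, const TableSegment& seg) {
    Module m = make_module(initial);
    instantiate_table_checked(m, seg);
    return m.table;
}

// Convenience: does the hardened loader reject this segment?
bool loader_rejects(uint32_t initial, uint32_t offset, std::vector<uint32_t> indices) {
    Module m = make_module(initial);
    TableSegment seg{offset, std::move(indices)};
    try {
        instantiate_table_checked(m, seg);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}
```

The design point is that assert() documents an invariant the developer believes always holds, whereas input from a contract binary is data whose validity must be established at runtime; the two need different mechanisms, and the widening cast matters as much as the choice of macro.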

We use the following command to compile the contract into the WAST format:

eosiocpp -o malice_eos_contract.wast malice_eos_contract.cpp

Figure 3: The Crafted malice_eos_contract in WAST Format

Next, we trigger the out-of-bound write by intentionally setting the offset in the WAST to a very large value, which is effectively -1 in our exploit (Figure 3).

Figure 4: The nodeos Process Is Crashed Due To An Access Violation

In Figure 4, we can see that the nodeos process crashes with a SIGSEGV signal inside the instantiate_module() function, as described in [1], which demonstrates the feasibility of the malicious contract.

About Us

PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of the current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.

References
