-
Notifications
You must be signed in to change notification settings - Fork 0
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Two vulnerabilities (at least) in reqwest crate open the door for malicious actor to bring all the workers down #65
Comments
141345 marked the issue as insufficient quality report |
Out of scope |
Although out of scope, this should be the most valuable finding among others. Let the judge decide whether to give a reward. |
kvinwang (sponsor) confirmed |
The warden has demonstrated how an issue in an external library can bring workers down. Technically, this library was out of scope, the C4 policy when it comes to that is:
For the following reasons, I will upgrade it as an exception:
|
OpenCoreCH marked the issue as selected for report |
I highly respect Koolex for this finding, which I think is technically valid. At the same time, I believe this issue should be treated as OOS for the reward calculation. It is very unfair to Wardens who read that rule and didn't submit this issue because the file was out of scope for this contest. Citing the Supreme Court verdict:
I strongly believe that it will set a bad precedent for the future if this issue is finalized as valid. All Wardens will likely begin submitting OOS findings as they don't lose anything by doing so, but the potential reward is much higher if their issue gets validated. This will result in a net loss for C4, as Wardens, Lookouts, and Judges waste their time submitting or reviewing issues that are typically invalidated as OOS. This situation happened many times, and the best way to handle it is for the Sponsor to privately reward the Warden who submitted this issue, if they wish to do so. A past example can be found here. Thank you all for your understanding. |
I thought about this some more and discussed this with the C4 team & looked at prior cases of similar scenarios. The typical way to handle this is indeed a sponsor's bug bounty program or payments outside C4. While the finding is great, it would ultimately be unfair for the other wardens to treat it as in-scope and potentially set a dangerous precedent for future contests. |
OpenCoreCH marked the issue as unsatisfactory: |
Lines of code
https://github.com/code-423n4/2024-03-phala-network/blob/main/phala-blockchain/Cargo.lock#L4116
Vulnerability details
Impact
Pink Runtime utilizes reqwest crate to perform HTTP requests.
If we check Cargo.toml#L13 file, we find that it is using "0.11" version. This way, we make sure that the dep is always updated within 0.11.X. However, if you install the deps, you will find that it is using reqwest version 0.11.20 (you can confirm this by
Cargo tree
. This is due to the lock file which has 0.11.20 version stored. For more info on Cargo.toml and Cargo.lock please check Cargo.toml vs Cargo.lock.Why the version matters? The answer is simple, any verison of reqwest prior to 0.11.24 has a vulnerablity which could be exploited to cause a panic.
As a result, anyone could cause the runtime to panic which cause the worker to panic as well. For reference, here is the direct link of what's changed in 0.11.24 version: https://github.com/seanmonstar/reqwest/releases/tag/v0.11.24
A malicious actor can cause all workers to panic (bringing the whole off-chain network down). This is possible, because you can simply pass the same query that include the attack to all workers' RPCs separately.
Note:only queries since HTTP feature is unavailable through transactions.
An example of how to exploit the vulnerablity is to pass
"http://\""
as a URL for the http request or passing too long URL (which is allowed since there is no validation in Pink Runtime for URLs lengthes).The first specific example (i.e.
"http://\""
) was reported in 2019, for more info please check this: seanmonstar/reqwest#668I've combined both attacks in this report since they have a common fix, although both throw different errors.
Please check PoC below for both scenarios.
Proof of Concept
phala-blockchain/crates/pink/chain-extension/src/lib.rs
You should see an output similiar to this:
Cargo tree
Tools Used
Manual analysis
Recommended Mitigation Steps
Update reqwest crate to 0.11.27 version (or at least 0.11.24). Make sure Lock file reflects the new version number.
Please note that
reqwest-env-proxy
crate is using reqwest 0.11.20 as well although it has "0.11.11" in its Cargo file (for the same reason above).Assessed type
Library
The text was updated successfully, but these errors were encountered: