About Project Blog Resources

Blog

Not Your Stdout Bug - RCE in Cosmos SDK

October 11, 2023

Imagine, you're hunting for bugs in a project. You're reading through the documentation of a widely used framework with millions of dollars at stake. Then, you stumble across this:

Cosmovisor is small process manager for Cosmos SDK application binaries that monitors stdout for incoming chain upgrade proposals. If it sees a proposal that gets approved, cosmovisor can automatically download the new binary, ..., switch from the old binary to the new one, and finally restart the node with the new binary.

Wait, what? It looks like the watchdog program scans through stdout to determine if an update has occurred. If that's true, then this is completely insane! All you would have to do is find a way to write to stdout and the process manager would update your binary. Is this real?

This was the position we were in: a horrible design flaw staring us in the face. While Nathan and I were reviewing the Cosmos SDK, this documentation caught my eye. And there was no going back. Both of us had been here before though. Most of the time, these "obvious" issues turn into sad and unfruitful dead ends. But this time, for once, it was real. Our deep dive into the codebase, and all our time chasing down all those loose ends, had finally paid off. I want you to join us on our journey through the high of discovering, exploiting, and reporting this bug.

For those outside of the blockchain space, this is an interesting application security issue that requires no blockchain-specific knowledge. For those in web3, this is a fascinating wake up call that not all bugs are in smart contracts; they can be within the infrastructure of the blockchain too. Enjoy! :)

Background

Cosmos SDK

Ethereum allows for the execution of arbitrary code on the blockchain. However, as the first of its kind, it has several drawbacks:

The transactions per second (tps) is extremely slow at around 14 per second.
Gas, or paying for your code to be executed on the network, is expensive.
Lack of customization of the functionality of the blockchain provided to its developers.
Lack of built-in interoperability between other blockchains. Bridges exist but are clunky and prone to vulnerabilities.

What's the solution to these problems? Create something that is faster, cheaper and allows for customization as well as interoperability between other blockchains. The Cosmos SDK is a blockchain development framework that perfectly meets all of these criteria to make application-specific blockchains. Application-specific blockchains are services made for a specific project, allowing more control over the ecosystem for the developers and users.

Continue Reading →

Eating 4 Day Old Sushi - Replicating the SushiSwap Hack

April 20, 2023

Millions of dollars are commonly lost on DeFi hacks. In any other industry, this would mean lawsuits and jail time. In DeFi, as shown by Rekt leaderboard of hacks, this is just another day.

The most recent victim was a days-old contract: a Router from the Automated Market Maker (AMM) SushiSwap. A whitehat partially saved the funds of one user, but this triggered the MEV bots and blackhats to swoop in to clear everything else out. How was this done? In this article, we will dive into the vulnerability and write a full proof of concept exploit for the security issue. Included in this post is a demo environment to tinker around with the exploit code and understand this deeper. If you want to watch this in a video form, go watch the livestream with OpenSense.

Background

Before diving into the technical details, some context is required. My goal is to provide everything needed to understand this vulnerability with links to dive deeper, but some basic programming knowledge and some familiarity with Solidity (addresses, msg.sender, tokens, etc.) will help understand the bug in full. Have fun!

High Level Issue

Figure 1: Simplified Vulnerable Code

The Sushiswap vulnerability is complicated when looking at the system as a whole. So, above in Figure 1, is a super simple version of the exploitable contract like you would find in a CTF.

The smart contract takes in an address as the parameter in func1(). The call sets the pool variable to be the user provided address parameter. In a different function, func2(), restricts access to the code based on the pool parameter.

Since a malicious user controls the pool parameter from the previous call, an attacker can bypass the restriction to perform sensitive operations. In this case, an attacker stole funds from other users. And that's basically it! You now have a high level understanding of the bug! After the general background section, we'll get into the nitty-gritty details of how this works.

Continue Reading →

When Athletic Abilities Just Aren't Enough - Scoreboard Hacking Part 3

October 3, 2022

This is the final installment of a three part series on scoreboard hacking. Please go read parts 1 and 2 first if you have not been following along; they provide much of the background and context of this post. The sections are listed below:

Introduction & Signal Analysis - Part 1
Stealing the AES Key via Hardware Hacking - Part 2
Full Protocol replication in Python and GNU Radio - Part 3 (This Post)

In the previous post, we found the AES key used for encrypting the packets via hardware hacking. To end the series, we will go through creating legitimate packets with Python and using GNU Radio to put the bits in the air. With the ability to create arbitrary packets, we will launch attacks against the scoreboard to impact real sporting events. Enjoy all of the shenanigans required to get this working :)

For a packet to be accepted, everything has to be perfect. Encryption, data whitening, CRC, baud rate... everything. Since we do not have a packet in an intermediate state, such as encrypted but not whitened, this complicates the matter further. We will have to perform both de-whitening and decryption consecutively to get our original data back. From a reverse engineering perspective, this is less than ideal but we must move forward! To start with this task, we will dive into the data whitening process.

Data Whitening

Data whitening is the process of randomly permuting bits being transmitted; the goal of the randomization is to guarantee no consecutive long string of only 0s or only 1s. In the case of the RF module, the benefit of the lack of consecutive strings is better clock synchronization between the transmitter and receiver. To replicate the effect of data whitening on the RF module, we will need to learn how the data whitening is performed. This is shown in Figure 1, which is from the RF module documentation.

Figure 1: Data Whitening in Documentation

Random data (more on this generation later) is XORed with the data to be transmitted ("transmit data" in Figure 1) that we want to send. The resulted is the whitened byte, which is the byte that is sent over the air. For example, 0x19 ^ 0xFF = 0xE6, where 0x19 is the transmit data, 0xFF is the random data and 0xE6 is the whitened(output) byte. The data whitening is why the length of the packets was wrong originally in part 1.

The documentation shows that a Linear Feedback Shift Register (LFSR) with a polynomial of X⁹ + X⁵ + 1 is used generate the random numbers for data whitening. "Woah woah woah," I hear you saying "What is an LFSR anyway?" Well, let's find out.

Continue Reading →

When Athletic Abilities Just Aren't Enough - Scoreboard Hacking Part 2

September 26, 2022

This is part two of a three part series. Please go through the first post in order to understand the background on the device. The sections are listed below:

Introduction & Signal Analysis - Part 1
Stealing the AES Key via Hardware Hacking - Part 2 (This Post)
Full Protocol replication in Python and GNU Radio - Part 3

In the previous post, we discovered that the wireless traffic is encrypted using AES-128 ECB mode. In this post, we will go through how to uncover the AES key. Since this is done via hardware hacking, we must map out the hardware before we hack anything. It is hard(ware) to hack something without understanding how it works first!

PCB Mappings

Mapping out the entire PCB from a complete electrical level is not required. When I reverse engineer boards I think of three things: main components, communication lines and test points. All of this will be explained below.

Components on the Board

Figure 1: Receiver Teardown - Custom hat and Raspberry Pi

The chips on the boards have part information on them; nothing is scraped off or blank. For instance, one chip is labeled as Atmel ATMega328PB. Additionally, the silk screen is quite nice for documentation as well. This makes it substantially easier for us to reverse engineer what each component is doing. We can simply google the component identifier to find the documentation for the chip. Once we have the documentation for every component, we can understand what's the CPU, what's storage and everything else you need to know about the board to perform attacks.

The components on the scoreboard controller and receiver are listed below, with a picture of the receiver in Figure 1:

ATMega328PB: An ARM MCU from Microchip. I commonly refer to this as the Atmel Processor and main processor below.
RFM69HCW: RF module from HopeRF.
Raspberry Pi 3 Model A+: A Raspberry Pi with HDMI, SD Card and other easy ways to interface.
Splatch Antenna: A surface mount antenna.

Reading up on the part information provides a clean story for what is going on. The Atmel processor is the only large compute and storage on the board. Hence, it must decide what data to send wirelessly by sending it to the RF module. The RF module is magically converting the data and sending it wirelessly through the antenna. At this point, the RF module on the receiver interprets the data from the air and sends this to the Atmel processor on the receiver. Finally, the Raspberry Pi is receiving the data from the Atmel processor and displaying it over HDMI. With this, we now generally understand what every part does from reading about the documentation for the chips on the board. One of this understanding comes from recognizing the capabilities of the component and drawing logic conclusions from there. A generalization of this is shown below in Figure 2.

Communication Lines

Transmitter Communication Flow Scoreboard Hack

Figure 2: Transmitter Communication Flow

Receiver Communication Flow Scoreboard Hack

Figure 3: Receiver Communication Flow

For the RF module to send out data, something has to tell it what to do, right? So, figuring out the flow of data will get us closer to our goal of finding the AES key.

According to the RF module documentation, the only way to communicate with the chip is over SPI (more on how this works later). If this is the case, then the Atmel processor must be communicating with it over SPI.

The Atmel processor needs to talk to the Raspberry Pi as well. The Pi has a plethora of GPIO (General Purpose In/Out) pins that are connected between the two boards. Since this could be any protocol, this could be tricky to decipher. Sniffing the traffic & reverse engineering the firmware would allow us to figure this out; however, Jesse and I ended up seeing a class on the Raspberry Pi application (more on this later) with serial in the name. This made it fairly obvious that this communication line was serial but this could have been discovered in other ways.

Continue Reading →

When Athletic Abilities Just Aren't Enough - Scoreboard Hacking Part 1

September 19, 2022

Story

Growing up, I lived to play sports. Baseball, basketball, wiffleball.. Anything. And with all of those games, came lots of wins and losses. During many of these eventual losses, I looked up to the scoreboard and thought "What if I could change the score on the scoreboard?" If only I could control the scoreboard, then my team could win.

While watching a high school basketball game 10 years later, I had the question: could a somebody influence the outcome of a game by hacking the scoreboard? And now I had to know if this was possible. My 12 year old self's curiosity returned yet again. I had been nerd sniped. Over the next several months I acquired my HAM radio license hacked my parents garage door and learned all about wireless communication. This is where our story begins: the first hack of a wireless sports scoreboard.

The goal of these posts is to share the technical details and give you the ability to conduct similar research in the future. Knowing how this particular device works is awesome; but, it is more important to be able to draw these conclusions yourself. So, these posts are written from the perspective of the reader sitting in at each step in the process of hacking the device, hopefully drawing the same conclusions that I made along the way. To ensure I cover every interesting portion of the research, this will be a three part series:

Introduction & Signal Analysis - Part 1 (This Post)
Stealing the AES Key via Hardware Hacking - Part 2
Full Protocol replication in Python and GNU Radio - Part 3

If you want more background information on how we selected the device and such, go read Jesse's blog post on the research.

Overview of System

Figure 1: Wireless Receiver

Figure 2: Controller

When purchasing the scoreboard, only two components are required: a controller and a wireless receiver. Both of these can be seen within Figure 1 and Figure 2 respectively. When purchasing this product, the company will also sell a shot clock receiver and an external horn. However, the main receiver can still perform all of this functionality so that is all my partner in crime Jesse Victors and I purchased. This is a cool idea, since this can scale to as many screens as the operator wants with the one-to-many relationship.

The controller, shown in Figure 2, is how the scoreboard operator would change the scoreboard. They can start or stop the game clock, add or subtract from the scores and control everything else on the scoreboard.

Continue Reading →

← Prev 1 2 3 4 5 6 7 8 9 Next →