Analyzing and Reproducing the EOS Out-of-Bound Write Vulnerability in nodeos
Today, Qihoo 360 posted in its blog about an out-of-bound access vulnerability in nodeos, a part of EOSIO software package. This vulnerability can be exploited to trigger an RCE (Remote-Code-Execution) attack . Considering the severity of the vulnerability and the timing of upcoming EOS mainnet launch, researchers at PeckShield immediately looked into the nodeos codebase and successfully reproduced the bug by crafting a malicious smart contract to crash the vanilla EOS client as mentioned in the blog.
Let’s start from a quick recap of the vulnerability. We show in Figure 1 the related WASM contract handler. As highlighted in the figure, there is an out-of-bound write in line 78 because the offset local variable is extracted from the untrusted contract binary (line 75).
You may notice that there’s an assert() in line 76. With the assert(), the loop in line 77-79 would not access the table vector beyond its size (module->table.initial). However, as indicated in the commit log of the bugfix (Figure 2), the assert() works in debug mode only, NOT in release mode.
It explains why the bugfix simply changes assert() to FC_ASSERT() and the problem is solved. After understanding the internals of the vulnerability, we successfully reproduced the crash mentioned in  by crafting a malicious smart contract named malice_eos_contract.cpp.
We use the following command to compile the contract into the WAST format:
eosiocpp -o malice_eos_contract.wast malice_eos_contract.cpp
Next, we trigger the out-of-bound write by intentionally modifying offset with a pretty large value, or essentially -1 in our exploit (Figure 3).
In Figure 4, we can see that the nodeos process crashes at the instantiate_module() function as mentioned in  by receiving a SIGSEGV signal, which demonstrates the feasibility of the malicious contract.
PeckShield Inc. is a blockchain security company which aims to elevate the security, privacy, and usability of current blockchain ecosystem by offering top-notch, industry-leading services and products (e.g., smart contract auditing). Please contact us at Telegram, Twitter, or Email.
-  Qihoo 360: EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds, May 29, 2018: http://blogs.360.cn/blog/eos-node-remote-code-execution-vulnerability/