Elad Ernst
Nov 21, 2023, 17 tweets
1/ Our team at @dWalletLabs discovered a chain of vulnerabilities that could result in a loss of more than $1B in crypto assets. The full article here: 0d.dwalletlabs.com/the-billion-do… Let's take a closer look.
2/ So we simply scanned all SUI validators' ports. The list was extracted using the API in the SUI Explorer.
The API call
The API returns the IP addresses or the DNS names of all the validators
3/ On one of the validators, we discovered that port 55555 was open and exposed an interesting web service called "Tailon", an open-source service that allows easy access to log files. There are some interesting features of this service, like tail, grep, and sed on the log file.
The web service on port 55555
4/ What makes it interesting? sed can get the parameter "r" and concatenate any file on the server. More than that, it supports the "e" flag, which lets us run any bash command and concatenate it to the output, take full control of the server, and extract validator private keys.
Reading files using the ‘r’ flag in sed command
Using the ‘e’ flag to run the “ps” command on the server
5/ What is this validator? This validator is managed by a company called InfStones, which supplies staking and private node services for many blockchain networks.
6/ With this understanding, we checked whether other validators around the world exposed the same vulnerability. We found many servers that looked similar, but when we tried to access port 55555, we were asked for a password.
Censys output: 115 results
7/ In order to gain a better understanding of how a dedicated node of InfStones operates, we created one ourselves. Our dedicated node also has port 55555 open, but it requires authentication.
Creating a validator on InfStones' platform
8/ However, when we tried to access the "Logs" tab using the InfStones management interface, we found an embedded Tailon service. Digging into the REST API of InfStones, we found the following call:
cloud.infstones.com/backend/node_l…
9/ As far as I can tell, the InfStones backend is performing a web proxy to make the Tailon service accessible without authentication. We simply created a web server and called the API with our IP address.
10/ As a result, InfStones BE attempted to connect to our server and sent us the credentials. Since the credentials were the same across all of the servers, we now have access to more than 100 servers, many of which are validators.
HTTP request from InfStones proxy with HTTP credentials
The HTTP credentials from the proxy request
11/ While investigating our private node, we came across many interesting items such as the private keys of the validator and the AWS creds. We also found a Go-based web service named "infd" listening on port 12345 on our server, which exposed a REST API to manage the server.
The main API router in the infd service
12/ After researching this REST API, we quickly discovered a shell injection. However, the REST API enforced JWT authentication. A closer look at the auth handler revealed it is bypassed in two cases: calling from localhost, and when "CloudProvider" is set to "customer".
Shell Injection Vulnerability
The authentication middleware with the interesting “if” condition
13/ So we performed a quick Censys search and found more than 1000 servers listening on port 12345 with similar services, but after accessing the "data" route on all of them, we found one that did not enforce authentication (CloudProvider = customer).
Censys search for servers with port 12345 open and the same signature
14/ This might not have been as meaningful if it hadn't been for the @Aptos_Network validator of InfStones ($145M staked).
The key from the server is the key of InfStones Aptos validator
The server that was accessible without authentication
15/ But it wasn't good enough for us, so we dug into the "ClientIP" function and found out a very cool thing: whenever the src IP address of the socket is one of the "Known-Proxies", the web server will try to extract the "ClientIP" from the "X-Forwarded-For" header.
The ClientIP function checks if the remote IP is a trusted proxy and, if so, it will get the address from the HTTP header if present
16/ However, the coolest part is that the default value of "Known-Proxies" is 0.0.0.0/0, so we were able to bypass authentication for all servers by using X-Forwarded-For: 127.0.0.1.
The default values for the gin-gonic instance
"Trusted Proxies" are determined using "TrustedCIDRs"
The default values for "TrustedCIDRs", which are used to determine the "Trusted Proxies"
The exploit
17/ As a result of the vulnerability, we were able to get full control on more than 1000 nodes in many blockchains, many of them validators, with a total stake worth more than $1B.
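The trusted-proxy failure from tweets 12, 15 and 16, as an added example that is not code from the thread, InfStones or gin-gonic: a minimal Go model of the ClientIP logic the thread describes, with the weak all-proxies CIDR list (0.0.0.0/0) beside a hardened empty one, showing that only the weak setting lets a remote peer's X-Forwarded-For header satisfy a "caller is localhost" check. The request and peer addresses are constructed, and the CIDR semantics follow the thread's description rather than gin's source.

```go
package main

import (
	"net"
	"net/http"
	"strings"
)

// Trusted proxies are the peers whose X-Forwarded-For header is believed. WeakTrusted mirrors
// the default the thread reports (0.0.0.0/0: every peer is a proxy); HardenedTrusted trusts none.
var (
	WeakTrusted     = []string{"0.0.0.0/0"}
	HardenedTrusted = []string{}
)

// ClientIP follows the logic described in tweet 15 (a model, not gin's code): when the socket
// peer falls inside a trusted CIDR, the first X-Forwarded-For entry is returned as the client.
func ClientIP(remoteAddr, xff string, trusted []string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	peer := net.ParseIP(host)
	first := strings.TrimSpace(strings.Split(xff, ",")[0])
	for _, cidr := range trusted {
		_, n, err := net.ParseCIDR(cidr)
		if err != nil || peer == nil || !n.Contains(peer) {
			continue
		}
		if net.ParseIP(first) != nil {
			return first // the header is believed only because the peer is a trusted proxy
		}
	}
	return host // untrusted peer: the socket address is the only thing we can rely on
}

// IsLocalRequest is the "skip authentication when the caller is localhost" check from
// tweet 12; it is exactly as safe as the ClientIP it relies on.
func IsLocalRequest(r *http.Request, trusted []string) bool {
	ip := net.ParseIP(ClientIP(r.RemoteAddr, r.Header.Get("X-Forwarded-For"), trusted))
	return ip != nil && ip.IsLoopback()
}

func main() {
	r, _ := http.NewRequest("GET", "/data", nil) // constructed request from a remote peer
	r.RemoteAddr = "203.0.113.7:51000"
	r.Header.Set("X-Forwarded-For", "127.0.0.1")
	println(IsLocalRequest(r, WeakTrusted), IsLocalRequest(r, HardenedTrusted)) // true false
}
```

In gin-gonic the equivalent hardening is to call SetTrustedProxies on the engine with an explicit list of proxy addresses (or nil) instead of leaving the default, so that any localhost check sees the real socket peer.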