VeChain | VeChainThor

API /events endpoint input validation bypass

Creation date May 21, 2018

State: resolved
Severity: Low ( 3.9 )
Visibility: partially
Vulnerability: ------------

Target

Nodes with API enabled (all by default)

The API /events inputs are validated against a set of rules detailed in the /api/doc/thor.yaml.

Example of noncompliant request dealt with correctly:

curl -d 'xyz' http://127.0.0.1:8669/events ~> invalid character 'x' looking for beginning of value

This gives the user of a node the ability to use the API to obtain a filtered list of events according to certain options.

The vulnerability allows an attacker who has obtained access to the node's API by any means to bypass all input validation and thus request every event held by the node at once.

I have currently identified two ways to bypass the input validation:

(Bypass #1) empty order: curl -d '{ Order: "" }' http://127.0.0.1:8669/events > events1.out

(Bypass #2) null: curl -d null http://127.0.0.1:8669/events > events2.out

Proof:

ls -lah events1.out ~> -rw-r--r-- 1 root root 38M May 21 21:37 events1.out

ls -lah events2.out ~> -rw-r--r-- 1 root root 38M May 21 21:38 events2.out

(1) Run a node.

(2) Run the command: curl -d '{ Order: "" }' http://127.0.0.1:8669/events

(3) Run the command: curl -d null http://127.0.0.1:8669/events

Currently, this generates almost 38 megabytes of data (see attached file) in a single response, which places a heavy load on both the database and the API component. To date, the node is operating on a test network. It is to be expected that this vulnerability could greatly affect attacked nodes in the future (this can be a form of API DDoS, or even node DDoS, as the database is also affected).

This impact is alleviated by the fact that the API is, by default, only accessible from localhost. But it could become a tool in a potential RCE.

Attack Vector: Local, as long as there is no way to access the API from the network.

Attack Complexity: Low; it can be done with a single command line.

Privileges Required: Low; a browser can access the API.

User Interaction: None.

Availability: possible DDoS method.
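The root cause described above is that a body which decodes without error is not the same as a body that describes a bounded query: a JSON null decodes cleanly into a zero-valued struct, and an empty order string is accepted as if it were a default. The following Go example is added here to show how a defender would close both gaps at the decoding boundary; it is not VeChainThor's code, and the EventFilter field names, the limit constants and the error messages are assumptions made for this example rather than the project's real schema. It decodes into a pointer so that a literal null surfaces as nil, uses a pointer for the order field so that an explicitly empty string can be told apart from an absent key, rejects unknown fields and trailing data, and refuses any filter that would not constrain the result set or that exceeds a result cap.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"strings"
)

// EventFilter is a hypothetical request body for an /events-style endpoint.
// Field names and types are assumptions made for this example; they are not
// VeChainThor's real schema.
type EventFilter struct {
	Address string   `json:"address,omitempty"`
	Topics  []string `json:"topics,omitempty"`
	// Order is a pointer so that an absent key (nil) can be told apart from an
	// explicitly supplied empty string, which is rejected rather than defaulted.
	Order *string `json:"order,omitempty"`
	Limit int     `json:"limit,omitempty"`
}

// Result bounds are assumed values for this example.
const (
	defaultLimit = 100
	maxLimit     = 1000
)

var (
	ErrNullBody     = errors.New("request body must be a JSON object, not null")
	ErrTrailingData = errors.New("unexpected data after JSON object")
	ErrEmptyFilter  = errors.New("filter must constrain address or topics")
	ErrBadOrder     = errors.New(`order must be "asc" or "desc"`)
	ErrBadLimit     = errors.New("limit out of range")
)

// DecodeFilter parses and validates a request body. Every shape that would
// otherwise turn into an unbounded query is rejected before any database
// access happens, and the caller receives a fully defaulted filter.
func DecodeFilter(body []byte) (*EventFilter, error) {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields() // misspelled or unknown keys are an error, not silently ignored

	// Decoding into a pointer makes a JSON literal null appear as a nil
	// pointer instead of a zero-valued struct that would pass a naive check.
	var f *EventFilter
	if err := dec.Decode(&f); err != nil {
		return nil, fmt.Errorf("malformed filter: %w", err)
	}
	if f == nil {
		return nil, ErrNullBody
	}
	// Exactly one JSON value is allowed in the body; anything after it is an error.
	if err := dec.Decode(&struct{}{}); err != io.EOF {
		return nil, ErrTrailingData
	}

	// An explicitly supplied order must be one of the known values; an absent
	// order gets the default.
	if f.Order != nil {
		switch *f.Order {
		case "asc", "desc":
		default:
			return nil, ErrBadOrder
		}
	} else {
		asc := "asc"
		f.Order = &asc
	}

	// Cap the result size so a single request cannot pull the whole event store.
	if f.Limit == 0 {
		f.Limit = defaultLimit
	}
	if f.Limit < 1 || f.Limit > maxLimit {
		return nil, ErrBadLimit
	}

	// A filter that constrains nothing is refused rather than treated as "all".
	if strings.TrimSpace(f.Address) == "" && len(f.Topics) == 0 {
		return nil, ErrEmptyFilter
	}
	return f, nil
}

func main() {
	// Constructed sample bodies: a JSON null, an empty order rendered as
	// well-formed JSON, non-JSON garbage, and a valid bounded filter.
	samples := []string{
		`null`,
		`{"order":""}`,
		`xyz`,
		`{"address":"0x0000000000000000000000000000000000000001","order":"desc","limit":50}`,
	}
	for _, s := range samples {
		f, err := DecodeFilter([]byte(s))
		if err != nil {
			fmt.Printf("%-80s -> rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-80s -> accepted: limit=%d order=%s\n", s, f.Limit, *f.Order)
	}
}
```

The empty-order body in the report is written with an unquoted key; the sample here uses the well-formed JSON equivalent so that the rejection shown comes from the validation rule rather than from the JSON parser. The same shape of check (decode into a pointer, disallow unknown fields, require at least one constraint, cap the limit) applies to any list endpoint where an unconstrained query is expensive.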

Attachment:
