lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <5702BAC2.4000606@exploits4coins.com>
Date: Mon, 4 Apr 2016 21:04:34 +0200
From: "lists@...loits4coins.com" <lists@...loits4coins.com>
To: bugtraq@...urityfocus.com
Subject: Bitcoin/Altcoin Stratum Pool Mass Duplicate Shares Exploit

## Bitcoin/Altcoin Stratum Pool Mass Duplicate Shares Exploit ##

This particular vulnerability makes it possible to force a Stratum Mining
Pool to accept "invalid" shares by the thousands for each mining pool
round. It is possible to make pure money from this vulnerability. The
exploit is real but affects only a small fraction of Stratum Mining
Pools. Let's
dig into the technical side of this vulnerability.

##### What is stratum mining #####

Most of the known mining pools allow to use the so called stratum mining
pool protocol. The bitcoin and altcoin miner is configured to use the host
address and port of the stratum miner protocol server.

For example the eligius (http://eligius.st) mining pool offers a stratum
connection for mining. This mining pool is *not* affected by this
vulnerability.

Once connected to the stratum server the miner will "do work" and solve a
mathematical, crypto task. Once it has solved one of this tasks it will
*submit* a so called *share* to the stratum server. The more shares the
miners generate the more they are rewarded after a successful mining round
has completed. The actual reward given to the miner much depends on the
style of reward system used by the mining pool.

Miners submit shares using the method "mining.submit" when operating with
stratum. Client submissions contain:

1. Worker name
2. Job ID
3. ExtraNonce 2
4. nTime
5. Nonce

The server will respond with a successful accepted share response or will
reject the share submit request.

Share submits can be sent at any time to the stratum server. The stratum
server will accept only valid shares and in the case of this particular
vulnerability stratum will accept *one* valid initial share and *thousands*
of shares that follow the initial valid share but are "invalid" because
they do not solve the mathematical task in any way. The vulnerable mining
pool will accept the shares as pure payment of coins if left unnoticed.

##### node stratum pool #####
I will show you one mining pool written in javascript and making use of
node.js to illustrate the bug. Blow is a screenshot of the vulnerable
source code, can you spot the bug?


===== Listing Number 1. ======

https://github.com/zone117x/node-stratum-pool/blob/02e78da1ab53a2409bbb8721f9771346c373482b/lib/jobManager.js

    this.processShare = function(jobId, previousDifficulty, difficulty,
extraNonce1, extraNonce2, nTime, nonce, ipAddress, port, workerName){
        var shareError = function(error){
            _this.emit('share', {
                job: jobId,
                ip: ipAddress,
                worker: workerName,
                difficulty: difficulty,
                error: error[1]
            });
            return {error: error, result: null};
        };

        var submitTime = Date.now() / 1000 | 0;

        if (extraNonce2.length / 2 !== _this.extraNonce2Size)
            return shareError([20, 'incorrect size of extranonce2']);

        var job = this.validJobs[jobId];

        if (typeof job === 'undefined' || job.jobId != jobId ) {
            return shareError([21, 'job not found']);
        }

        if (nTime.length !== 8) {
            return shareError([20, 'incorrect size of ntime']);
        }

        var nTimeInt = parseInt(nTime, 16);
        if (nTimeInt < job.rpcData.curtime || nTimeInt > submitTime + 7200)
{
            return shareError([20, 'ntime out of range']);
        }

        if (nonce.length !== 8) {
            return shareError([20, 'incorrect size of nonce']);
        }

        if (!job.registerSubmit(extraNonce1, extraNonce2, nTime, nonce)) {
            return shareError([22, 'duplicate share']);
        }


===== Listing Number 2. ======

https://github.com/zone117x/node-stratum-pool/blob/02e78da1ab53a2409bbb8721f9771346c373482b/lib/blockTemplate.js

    this.registerSubmit = function(extraNonce1, extraNonce2, nTime, nonce){
        var submission = extraNonce1 + extraNonce2 + nTime + nonce;
        if (submits.indexOf(submission) === -1){
            submits.push(submission);
            return true;
        }
        return false;
    };

At listing number 1. you can see the function that processes a submitted
share. It will check for a valid shape of the mining.submit parameters. And
finally call job.registerSubmit(...) at line 211 with this parameters to
check if it handles a duplicate share. It *should* discard a duplicate
share with a shareError and return from this javascript function. When we
look into the registerSubmit function we see the lines:

*115.* var submission = extraNonce1 + extraNonce2 + nTime + nonce;   
*116.*        if (submits.indexOf(submission) === -1){   
*117.*            submits.push(submission);    
*118.*            return true;  <----- share is accepted   
*119.*        }  
*120.*        return false;     <----- share isn't handled, duplicate
share.

So how can you submit the duplicate shares? It is rather easy. extraNonce1,
extraNonce2, Nonce, nTime are HEX values. And everybody knows that HEX
values can contain ASCII characters.

Let's take an example of extraNonce1 being 0xDEADBEEF. What will
registerSubmit function do with the share if we submit 0xdEADBEEF and then
0xdeADBEEF and then 0xdeaDBEEF and so on and so on. Well: the program will
blindly accept the shares! This is because the registerSubmit function is
case insensitive and the share is still valid by arithmetic.


Best wishes & regards,
Administrator of Websecurity web site
http://exploits4coins.com/landing$blog

Powered by blists - more mailing lists