Series of new vulnerabilities have discovered in EOS blockchain platform by Security Researchers, Which could allow hackers remote control of the complete node servers running the critical blockchain-based applications.
EOS is basicallly a smart contract platform which is known as “Blockchain 3.0”. Which allow developers to build an application which is decentralized like Ethereum over blockchain infrastructure.
the vulnerability is a buffer out-of-bounds write issue which resides in the function used by nodes server to parse contracts.
This research is been found by chinese, Chen of Vulcan team and Zhiniang Peng of Core security team, security researchers at Qihoo 360—Yuki.
To get the remote control of code execution on certain Node, All a hacker need is to upload a Web Assembly based written maliciously crafted WASM file (a smart contract) to server.
When the parser reads the WASM file malicious payload execute on the targetted node, After that hacker can also take contorl of the supernode, which is in EOS network servers. EOS network server collect transaction information and then pack it into blocks.
“With the out of bound write primitive, we can overwrite the WASM memory buffer of a WASM module instance,” the duo explained in their blog post published today.
“And with the help of our malicious WASM code, we finally achieve arbitrary memory read/write in the nodeos process and bypass the common exploit mitigation techniques such as DEP/ASLR on 64-bits OS. Once successfully exploited, the exploit starts a reverse shell and connects back to the attacker.”
And when hackers get control on Supernode, then can pack malicious contract into new block and then they can further control EOS networks all nodes.
If hackers get control over the Super Node they can do what ever they want to do. They can do cirtual currency transactions, they can access financial and privacy data of EOS network, They can exchange digital currency, alter user’s key which is stored in wallet they can do whatever they want to do with currency and user’s data.
“What’s more, the attacker can turn a node in the EOS network into a member of a botnet, launch a cyber attack or become a free ‘miner’ and dig up other digital currencies,”