Hello Block.One / EOS Product Security Team,
There exists a Memory Corruption vulnerability in the latest EOS WASMSDK Library. The PoC.wasm file is attached along with this report.
Reproduction Steps: -
1) Fetch the latest EOS WASMSDK repository from https://github.com/eosio/eosio.wasmsdk.
2) Compile and build WASMSDK using the default compiler, OR compile and build WASMSDK using the afl-clang-fast and afl-clang-fast++ compilers from the AFL fuzzer.
3) Run the attached PoC.wasm file with eosio-objdump using the "-s" flag.
The exact command to reproduce the vulnerability is "eosio-objdump -s PoC.wasm" without the double quotes.
Below is the GDB output of the buffer overflow crash in the eosio-objdump tool with the PoC.wasm file.

Starting program: /usr/local/bin/eosio-objdump -s PoC.wasm
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
llvm::PrintSectionContents (Obj=<optimized out>) at /home/h4ck3r/Documents/eosio.wasmsdk/eosio_llvm/tools/llvm-objdump/llvm-objdump.cpp:1829
1829          outs() << hexdigit((Contents[addr + i] >> 4) & 0xF, true)
You can also find the attached Valgrind output for this vulnerability.
The Git log as seen below shows that this is the latest version available as of this report.
h4ck3r@h4ck3r-VirtualBox:~/Documents/eosio.wasmsdk$ git log -1
commit 34ea7717dc918b32a09d3cba953c879d2014db72
Merge: 4a8eb03 d220a0b
Author: Bucky Kittinger <firstname.lastname@example.org>
Date:   Wed Aug 1 19:15:39 2018 -0400

    Merge pull request #29 from EOSIO/develop

    Merge develop into master
Eagerly awaiting your response.
Yours Sincerely, Kushal Arvind Shah. Senior Security Researcher | Fortinet's FortiGuard Labs.
NOTE: This bug report submission form does not provide the option to select the target, i.e. the EOSIO WASMSDK repository/source code, so the researcher had to select EOS source code instead. Please update the bug submission options accordingly. Thank you.
Impact: Memory corruption and potential information disclosure & arbitrary code execution.
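The GDB frame above places the fault on the hex-dump line of PrintSectionContents, where the loop indexes Contents[addr + i]. The example below is an added illustration, not code from this report, from eosio.wasmsdk or from LLVM, and it does not claim to be the root cause of the crash (the attached PoC.wasm and Valgrind output are not reproduced here). It shows the general bug class such a crash site belongs to: an objdump-style hex dumper that walks a section by the payload size the file declares rather than by the bytes actually present, beside the bounds check that rejects the file instead. The WASM section layout it parses (1-byte id, unsigned LEB128 payload size, payload) is the real binary format; the function names, the `struct section` type and the two constructed modules are assumptions made for the example.

```c
/* Added illustration: validating WASM section sizes before hex-dumping the payload.
   Not the eosio-objdump / llvm-objdump code; names and sample inputs are invented. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum sec_status {
    SEC_OK = 0,
    SEC_END = 1,        /* no more sections: clean end of file */
    SEC_TRUNCATED = 2,  /* header or LEB128 runs off the end of the buffer */
    SEC_OVERRUN = 3     /* declared payload size exceeds the bytes actually present */
};

struct section {
    uint8_t id;
    size_t  payload_off;
    size_t  payload_len;  /* only safe to index buf[payload_off + i] for i < payload_len
                             when parse_section() was run with check_bounds = 1 */
};

/* Decode an unsigned LEB128 u32 (the WASM section-size encoding, at most 5 bytes).
   Returns the number of bytes consumed, or 0 if the encoding is truncated or too long. */
static size_t read_uleb128_u32(const uint8_t *p, size_t avail, uint32_t *out)
{
    uint32_t value = 0;
    size_t n = 0;
    while (n < avail && n < 5) {
        uint8_t b = p[n++];
        value |= (uint32_t)(b & 0x7F) << (7 * (n - 1));
        if (!(b & 0x80)) {
            *out = value;
            return n;
        }
    }
    return 0;
}

/* Parse the section header at buf[off]. With check_bounds = 0 the declared size is
   trusted as-is, the pattern that lets a dump loop index past the end of the file;
   with check_bounds = 1 a declared size larger than the remaining bytes is rejected. */
static enum sec_status parse_section(const uint8_t *buf, size_t len, size_t off,
                                     int check_bounds, struct section *out)
{
    if (off == len) return SEC_END;
    if (off > len) return SEC_TRUNCATED;
    uint32_t declared;
    size_t n = read_uleb128_u32(buf + off + 1, len - off - 1, &declared);
    if (n == 0) return SEC_TRUNCATED;
    out->id = buf[off];
    out->payload_off = off + 1 + n;  /* <= len, since n <= len - off - 1 */
    out->payload_len = declared;
    if (check_bounds && declared > len - out->payload_off) return SEC_OVERRUN;
    return SEC_OK;
}

/* Hex-dump one validated section, 16 bytes per row, in the style of objdump -s. */
static void dump_section(const uint8_t *buf, const struct section *s)
{
    for (size_t addr = 0; addr < s->payload_len; addr += 16) {
        printf(" %04zx ", addr);
        for (size_t i = 0; i < 16 && addr + i < s->payload_len; i++)
            printf("%02x", buf[s->payload_off + addr + i]);
        printf("\n");
    }
}

/* Walk every section of a WASM module with bounds checking, dumping each one.
   Returns the number of sections dumped, or -1 if the file is malformed. */
static int dump_module(const uint8_t *buf, size_t len)
{
    static const uint8_t magic[8] = { 0x00, 'a', 's', 'm', 1, 0, 0, 0 };
    if (len < 8 || memcmp(buf, magic, 8) != 0) return -1;
    size_t off = 8;
    int count = 0;
    for (;;) {
        struct section s;
        enum sec_status st = parse_section(buf, len, off, 1, &s);
        if (st == SEC_END) return count;
        if (st != SEC_OK) return -1;
        dump_section(buf, &s);
        off = s.payload_off + s.payload_len;
        count++;
    }
}

/* Constructed inputs (not the attached PoC): a well-formed module with one custom
   section, and one whose section declares 64 payload bytes but supplies only 4. */
static const uint8_t good_module[] = {
    0x00, 'a', 's', 'm', 1, 0, 0, 0,
    0x00, 0x05, 0x04, 'n', 'a', 'm', 'e'   /* custom section: id 0, size 5, name "name" */
};
static const uint8_t overrun_module[] = {
    0x00, 'a', 's', 'm', 1, 0, 0, 0,
    0x00, 0x40, 0xde, 0xad, 0xbe, 0xef     /* id 0, declares 64 bytes, only 4 follow */
};

/* The length a trusting parser would hand to the dump loop for overrun_module. */
size_t overrun_declared_len(void)
{
    struct section s;
    parse_section(overrun_module, sizeof overrun_module, 8, 0, &s);
    return s.payload_len;  /* 64: the loop would read 60 bytes past the buffer */
}

int overrun_module_status(void)
{
    struct section s;
    return parse_section(overrun_module, sizeof overrun_module, 8, 1, &s);
}

int good_module_sections(void)    { return dump_module(good_module, sizeof good_module); }
int overrun_module_sections(void) { return dump_module(overrun_module, sizeof overrun_module); }

int main(void)
{
    printf("good module: %d section(s) dumped\n", good_module_sections());
    printf("overrun module: unchecked length %zu, checked status %d, dump result %d\n",
           overrun_declared_len(), overrun_module_status(), overrun_module_sections());
    return 0;
}
```

The check that matters is the single comparison of the declared size against `len - payload_off` before any byte of the payload is indexed; with it the malformed module is reported as malformed, without it the dump loop in PrintSectionContents-style code reads past the mapped file exactly as the SIGSEGV above shows.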