压在透明的玻璃上c-国产精品国产一级A片精品免费-国产精品视频网-成人黄网站18秘 免费看|www.tcsft.com

漏洞影響

該漏洞表面上是一個放大5倍udp反射DDOS漏洞，但其對ETH的P2P網(wǎng)絡(luò)的影響是非常大的，但是這個漏洞有很大的兩個副作用，一個是ETH的發(fā)現(xiàn)節(jié)點(diǎn)池會不斷的被堆滿，導(dǎo)致正常節(jié)點(diǎn)無法加入，二是可屏蔽被攻擊節(jié)點(diǎn)無法探索到任意子網(wǎng)的節(jié)點(diǎn)。

漏洞分析

先讓我們來看看ETH P2P發(fā)現(xiàn)協(xié)議的文檔，在https://github.com/ethereum/devp2p/blob/master/discv4.md這篇ETH P2P發(fā)現(xiàn)協(xié)議文檔里是有對udp反射DDOS做防御的。

Pong Packet (0x02)
packet-data = [to, ping-hash, expiration]
Pong is the reply to ping.ping-hash should be equal to hash of the corresponding ping packet.?Implementations should ignore unsolicited pong packets that do not contain the hash of the most recent ping packet.

其方法就是通過簽名PIng包并且讓對方主機(jī)回復(fù)的Pong包要帶上之前Ping包的hash才可以通過校驗。這個從設(shè)計上來說是沒什么問題的，然而go-ethereum在實(shí)現(xiàn)該協(xié)議的時候出了問題。

讓我們來看看go-ethereum是怎么實(shí)現(xiàn)該協(xié)議的，在https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L618

func (req *ping) handle(t *udp, from *net.UDPAddr, fromKey encPubkey, mac []byte) error {
    if expired(req.Expiration) {
        return errExpired
    }
    key, err := decodePubkey(fromKey)
    if err != nil {
        return fmt.Errorf("invalid public key: %v", err)
    }
    //收到ping包后馬上回復(fù)pong包
    t.send(from, pongPacket, &pong{
        To:         makeEndpoint(from, req.From.TCP),
        ReplyTok:   mac,
        Expiration: uint64(time.Now().Add(expiration).Unix()),
    })
    n := wrapNode(enode.NewV4(key, from.IP, int(req.From.TCP), from.Port))
    t.handleReply(n.ID(), pingPacket, req)
    //如果沒通過pong校驗則發(fā)送一個ping包進(jìn)行pong校驗，如果通過pong校驗則加入發(fā)現(xiàn)節(jié)點(diǎn)池
    if time.Since(t.db.LastPongReceived(n.ID())) > bondExpiration {
        t.sendPing(n.ID(), from, func() { t.tab.addThroughPing(n) })
    } else {
        t.tab.addThroughPing(n)
    }
    t.localNode.UDPEndpointStatement(from, &net.UDPAddr{IP: req.To.IP, Port: int(req.To.UDP)})
    t.db.UpdateLastPingReceived(n.ID(), time.Now())
    return nil
}

由于我們是第一次連接，所以要進(jìn)行pong校驗，我們來看看go-ethereum是怎么實(shí)現(xiàn)協(xié)議中的pong校驗的，在https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L645

func (req *pong) handle(t *udp, from *net.UDPAddr, fromKey encPubkey, mac []byte) error {
    if expired(req.Expiration) {
        return errExpired
    }
    fromID := fromKey.id()
    //開始處理pong，如果沒有請求過pong，就返回錯誤
    if !t.handleReply(fromID, pongPacket, req) {
        return errUnsolicitedReply
    }
    t.localNode.UDPEndpointStatement(from, &net.UDPAddr{IP: req.To.IP, Port: int(req.To.UDP)})
    //刷新pong時間，通過pong校驗
    t.db.UpdateLastPongReceived(fromID, time.Now())
    return nil
}

可見只要通過t.handleReply的校驗我們就可以刷新pong時間通過校驗了，讓我們來看看t.handleReply 是怎么處理的https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L369

func (t *udp) handleReply(from enode.ID, ptype byte, req packet) bool {
    matched := make(chan bool, 1)
    select {
    //放入gotreply等待返回matched
    case t.gotreply <- reply{from, ptype, req, matched}:
        // loop will handle it
        return <-matched
    case <-t.closing:
        return false
    }
}

我們繼續(xù)往下追

case r := <-t.gotreply:
            var matched bool
            for el := plist.Front(); el != nil; el = el.Next() {
                p := el.Value.(*pending)
                if p.from == r.from && p.ptype == r.ptype {
                    //是否有拉取過請求，有則matched為true
                    matched = true
                    // Remove the matcher if its callback indicates
                    // that all replies have been received. This is
                    // required for packet types that expect multiple
                    // reply packets.
                    //對應(yīng)的callback校驗，然而就算p.callback返回為false，matched也為true
                    if p.callback(r.data) {
                        p.errc <- nil
                        plist.Remove(el)
                    }
                    // Reset the continuous timeout counter (time drift detection)
                    contTimeouts = 0
                }
            }
            r.matched <- matched

這里基本能看出問題了，p.callback返回了false，只要不拋出錯誤，matched還是true，校驗就算通過了，我們再來看看pong校驗的callback是怎么處理的https://github.com/ethereum/go-ethereum/blob/master/p2p/discover/udp.go#L294

func (t *udp) sendPing(toid enode.ID, toaddr *net.UDPAddr, callback func()) <-chan error {
    req := &ping{
        Version:    4,
        From:       t.ourEndpoint(),
        To:         makeEndpoint(toaddr, 0), // TODO: maybe use known TCP port from DB
        Expiration: uint64(time.Now().Add(expiration).Unix()),
    }
    packet, hash, err := encodePacket(t.priv, pingPacket, req)
    if err != nil {
        errc := make(chan error, 1)
        errc <- err
        return errc
    }
    //這里就是pong校驗的callback，可見就算沒通過校驗也只是返回了false
    errc := t.pending(toid, pongPacket, func(p interface{}) bool {
        ok := bytes.Equal(p.(*pong).ReplyTok, hash)
        if ok && callback != nil {
            callback()
        }
        return ok
    })
    t.localNode.UDPContact(toaddr)
    t.write(toaddr, req.name(), packet)
    return errc
}

所有，實(shí)際上go-ethereum并沒有很好的實(shí)現(xiàn)pong校驗，導(dǎo)致協(xié)議設(shè)計的防御機(jī)制徹底失效。

漏洞利用

1. 偽造udp源地址
2. 構(gòu)造ping包發(fā)送到geth的p2p發(fā)現(xiàn)協(xié)議UDP端口，拉取pong請求
3. 構(gòu)造pong包發(fā)送到geth的p2p發(fā)現(xiàn)協(xié)議UDP端口，hash留空即可
4. 然后再發(fā)送findnode包即可發(fā)射5倍以上udp流量

由于官方還未修補(bǔ)該漏洞，所以暫時不公布POC

漏洞演示

下面用go-ETH最新版1.8.21來演示

成功將UDP流量放大5倍反射到1.1.6.7

單個虛擬機(jī)測試，CPU占用率輕松達(dá)到50%

屏蔽受害節(jié)點(diǎn)無法發(fā)現(xiàn)指定網(wǎng)段節(jié)點(diǎn)：