Skip to content
This repository has been archived by the owner on Apr 4, 2024. It is now read-only.

Ambiguity in string format conversion #632

Closed
tomtau opened this issue Oct 7, 2021 · 2 comments · Fixed by #1006
Closed

Ambiguity in string format conversion #632

tomtau opened this issue Oct 7, 2021 · 2 comments · Fixed by #1006
Labels
C:Crypto crypto package enhancement New feature or request help wanted Extra attention is needed pinned Pinned issues that won't be closed by stalebot

Comments

@tomtau
Copy link
Contributor

tomtau commented Oct 7, 2021

KS-THA-F-11
https://github.com/tharsis/ethermint/blob/main/crypto/hd/algorithm.go#L62

ParseDerivationPath parses strings starting with 0 to octal values, and strings starting with 0x and 0b to hexadecimal and binary values, respectively. This can easily cause collisions in the resulting address, which can be exploited e.g. with a JSON-RPC call:

      ~ curl -X POST --data
 '{"jsonrpc":"2.0","method":"web3_sha3","params":["0x"],"id":1}' -H "Content-Type:
 application/json" http://localhost:8545
 {"jsonrpc":"2.0","id":1,"result":"0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273
 b7bfad8045d85a470"}
 ~ curl -X POST --data '{"jsonrpc":"2.0","method":"web3_sha3","params":[""],"id":1}'
 -H "Content-Type: application/json" http://localhost:8545
 {"jsonrpc":"2.0","id":1,"result":"0xc5d2460186f7233c927e7db2dcc703c0e500b653ca82273
 b7bfad8045d85a470"}
 ~ curl -X POST --data '{"jsonrpc":"2.0","method":"web3_sha3","params":[""],"id":1}'
 -H "Content-Type: application/json" http://localhost:8545
 ~ curl -X POST --data
 '{"jsonrpc":"2.0","method":"web3_sha3","params":["ab"],"id":1}' -H "Content-Type:
 application/json" http://localhost:8545 {"jsonrpc":"2.0","id":1,"error":{"code":-
 32602,"message":"invalid argument 0: json: cannot unmarshal hex string without 0x
 prefix into Go value of type hexutil.Bytes"}}

We recommend making the parsing rules stricter in order to avoid this ambiguity.
@tomtau tomtau added C:Crypto crypto package enhancement New feature or request help wanted Extra attention is needed labels Oct 28, 2021
@github-actions
Copy link

This issue is stale because it has been open 45 days with no activity. Remove Status: Stale label or comment or this will be closed in 7 days.

@fedekunze fedekunze added pinned Pinned issues that won't be closed by stalebot and removed Status: Stale labels Dec 21, 2021
@fedekunze fedekunze reopened this Dec 21, 2021
@WilliamXieCrypto
Copy link
Contributor

WilliamXieCrypto commented Mar 18, 2022
edited
Loading

There have two problems from this issue:

  1. JSON-RPC endpoint "web3_sha3" have an ambiguity result, like get the same result with “” and “0x”.
  2. ParseDerivationPath parses strings can easily cause collisions in the resulting address, which maybe can be exploited.

I will fix the problem 1.
For the problem 2, the ParseDerivationPath is from go-ethereum lib and I have checked and test some cases like "0x"/"0X"/"0"/"0b"/"0B"... seems normal for me, I think we can raise another issue to go-ethereum repo if we find some issues.

@WilliamXieCrypto WilliamXieCrypto mentioned this issue Mar 20, 2022
Merged
11 tasks
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
C:Crypto crypto package enhancement New feature or request help wanted Extra attention is needed pinned Pinned issues that won't be closed by stalebot
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: Update the JSON-RPC to correct the return information.
3 participants
@tomtau @fedekunze @WilliamXieCrypto