Bitcoin Forum
November 15, 2024, 04:48:29 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: [Full Disclosure] CVE-2012-2459 (block merkle calculation exploit)  (Read 10519 times)
deepceleron
Legendary
*
Offline Offline

Activity: 1512
Merit: 1036



View Profile WWW
August 22, 2012, 06:44:55 PM
 #21

I do wonder if there was an attacker in the wild trying this, there are various stalled out Bitcoin reports in different threads where new users getting the blockchain had to wipe the datadir and start again....
molecular
Donator
Legendary
*
Offline Offline

Activity: 2772
Merit: 1019



View Profile
August 22, 2012, 08:10:05 PM
 #22

I do wonder if there was an attacker in the wild trying this, there are various stalled out Bitcoin reports in different threads where new users getting the blockchain had to wipe the datadir and start again....

I checked github and this issue was worked around (fixed) 4 month ago: https://github.com/bitcoin/bitcoin/commit/be8651dde7b59e50e8c443da71c706667803d06d

The corresponding issue https://github.com/bitcoin/bitcoin/issues/1167 doesn't mention the merkle root calculation vulnerability, probably on purpose.

It's hard to imagine someone stumbling upon this issue or this fix and suspecting and finding the problem with the merkle root calculation.

The info might have slipped out some other way (maybe it was even pretty common knowledge amongst the devs) or maybe someone found this on his own seperately.

I still think it's likely (gut feeling) that the problems people reported were actually caused by someone trying to exploit this (I also had these troubles). On the other hand, there's probably many other possible explanations.

PGP key molecular F9B70769 fingerprint 9CDD C0D3 20F8 279F 6BE0  3F39 FC49 2362 F9B7 0769
Luke-Jr
Legendary
*
Offline Offline

Activity: 2576
Merit: 1186



View Profile
August 22, 2012, 08:28:26 PM
 #23

I do wonder if there was an attacker in the wild trying this, there are various stalled out Bitcoin reports in different threads where new users getting the blockchain had to wipe the datadir and start again....

I checked github and this issue was worked around (fixed) 4 month ago: https://github.com/bitcoin/bitcoin/commit/be8651dde7b59e50e8c443da71c706667803d06d

The corresponding issue https://github.com/bitcoin/bitcoin/issues/1167 doesn't mention the merkle root calculation vulnerability, probably on purpose.

It's hard to imagine someone stumbling upon this issue or this fix and suspecting and finding the problem with the merkle root calculation.

The info might have slipped out some other way (maybe it was even pretty common knowledge amongst the devs) or maybe someone found this on his own seperately.

I still think it's likely (gut feeling) that the problems people reported were actually caused by someone trying to exploit this (I also had these troubles). On the other hand, there's probably many other possible explanations.
A lot of stuck nodes were investigated over the last year, and as far as  I know they all turned out to be harddisk corruption.

I'm aware of at least two people who were trying to figure it out on their own (with no information); one managed to suspect something to do with the merkle tree calculation (after giving up and resuming a number of times), but that was the closest he got before it was disclosed.

Jouke
Sr. Member
****
Offline Offline

Activity: 426
Merit: 250



View Profile WWW
August 22, 2012, 10:44:28 PM
 #24

Since at least 80% of the Bitcoin network is now protected against this attack, I've been given permission to disclose it:


Cool, thanks for finding and acting on it, in the right way Smiley

Koop en verkoop snel en veilig bitcoins via iDeal op Bitonic.nl
nibor
Sr. Member
****
Offline Offline

Activity: 438
Merit: 291


View Profile
August 23, 2012, 03:55:56 PM
 #25

forestv - how did you find this? Was it by accident or inspired?
forrestv (OP)
Hero Member
*****
Offline Offline

Activity: 516
Merit: 643


View Profile
August 23, 2012, 05:09:10 PM
 #26

forestv - how did you find this? Was it by accident or inspired?

First, some background:
P2Pool could theoretically use the normal merged mining standard to store the reference to its own data in the coinbase. However, the standard is flawed in several ways and requires that you have the entire coinbase transaction to validate it. P2Pool uses something similar of my invention - it stores a merkle root at the end of the coinbase transaction by integrating it into a fake txout. Then, you can prove that the merkle root is in the coinbase transaction using only O(1) data by sending the SHA256 midstate of all the data preceding the merkle root. I'd like to write up a specification for this at some point, because I believe that O(1) MM proofs are pretty useful.

I was thinking about the consequences of someone including multiple different merged mining references (something that is prevented in the original MM implementation by the chain id stuff) under one root when I realized that the merkle root function Bitcoin uses isn't nearly one-to-one. From there, I noticed that you could duplicate transactions while maintaining the block hash, wondered how Bitcoin would react to that, and remembered that Bitcoin stores unvalidated orphan blocks...

Here's the original proof of concept code, untouched since April 29/30: http://u.forre.st/u/gkwobmns/poc.zip You have to run the programs using "trial" - they were P2Pool testcases that I grabbed and reused.

1J1zegkNSbwX4smvTdoHSanUfwvXFeuV23
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!