Bitcoin Forum
November 06, 2024, 03:47:57 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they believe that the creator of this topic displays some red flags which make them high-risk. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 [52] 53 54 55 56 57 58 59 60 61 62 63 64 65 »
  Print  
Author Topic: Nxt source code flaw reports  (Read 113366 times)
ricot
Newbie
*
Offline Offline

Activity: 56
Merit: 0


View Profile
January 17, 2014, 10:01:14 PM
 #1021

exactly...

Btw: I still have quite a bit of code ahead of me. Wink
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 18, 2014, 07:33:39 AM
 #1022


Is there a minimum amount of transactions/recipient accounts required to generate the Genesis Block in order to establish a secure 100% POS currency? Could all 1 Billion NXT have gone to one recipient account; thus having one transaction in the Genesis Block? How would things progress from there in regard to acceptance of chains, signing, etc. in such case? Would it just progress the same way as it did with the existing Genesis Block?

thnx   Smiley

If u give 51% of all coins to one entity and don't have TF enabled then this entity can do 51% attack at any moment.
bitcoinpaul
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
January 18, 2014, 05:20:58 PM
 #1023

TF to the rescue!!!
BitByteBite
Member
**
Offline Offline

Activity: 101
Merit: 10



View Profile
January 19, 2014, 12:42:46 AM
 #1024

Interesting callenge Grin Ill take a closer look to the source code later. Has someone found a flaw yet or are they sill undiscoverd?

2 flaws were found. The fatal flaw with 100K reward is still waiting for u.

Sounds interesting Wink

Currently Out of the Office
msin
Legendary
*
Online Online

Activity: 1470
Merit: 1004


View Profile
January 19, 2014, 05:39:08 AM
 #1025

CFB, would be cool if you could update the OP, just so people who come here know that the first two flaws have been found and the fatal flaw has yet to be found.
BitByteBite
Member
**
Offline Offline

Activity: 101
Merit: 10



View Profile
January 19, 2014, 05:43:29 AM
 #1026

CFB, would be cool if you could update the OP, just so people who come here know that the first two flaws have been found and the fatal flaw has yet to be found.

This is true, but now you have to find the posts that found the flaw to find the answer. A relatively small rabbit hole if you ask me Wink

Currently Out of the Office
bitcoinpaul
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
January 19, 2014, 05:54:56 PM
 #1027

This silence is calming Wink
nervermind
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
January 19, 2014, 07:21:50 PM
 #1028

6098:                String recipientValue = req.getParameter("recipient"), amountValue =  req.getParameter("amount"), feeValue = req.getParameter("fee"), deadlineValue = req.getParameter("deadline");

6109:             deadline = (short)(Double.parseDouble(deadlineValue) * 60);


deadlineValue comes from HttpServletRequest and passed to parseDouble which is vulnerable to DOS prior to JRE 6.23

see http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html


Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 19, 2014, 07:24:52 PM
 #1029

6098:                String recipientValue = req.getParameter("recipient"), amountValue =  req.getParameter("amount"), feeValue = req.getParameter("fee"), deadlineValue = req.getParameter("deadline");

6109:             deadline = (short)(Double.parseDouble(deadlineValue) * 60);


deadlineValue comes from HttpServletRequest and passed to parseDouble which is vulnerable to DOS prior to JRE 6.23

see http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

Interesting catch! Fortunatelly, NRS doesn't work on Java 6.
nervermind
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
January 19, 2014, 07:40:20 PM
 #1030

805:   static void loadBlocks(String fileName) throws Exception {
         
         FileInputStream fileInputStream = new FileInputStream(fileName);
         ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream);
         blockCounter = objectInputStream.readInt();
         blocks = (HashMap<Long, Block>)objectInputStream.readObject();
         lastBlock = objectInputStream.readLong();
         objectInputStream.close();
         fileInputStream.close();
         
      }
Streams are about to close at the end of the method. But if there is an Exception thrown (any of .read* can do that) - they are not.
Unreleased resources in servlets => DOS.

I've found few more such things if you're interested.
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 19, 2014, 07:41:09 PM
 #1031

805:   static void loadBlocks(String fileName) throws Exception {
         
         FileInputStream fileInputStream = new FileInputStream(fileName);
         ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream);
         blockCounter = objectInputStream.readInt();
         blocks = (HashMap<Long, Block>)objectInputStream.readObject();
         lastBlock = objectInputStream.readLong();
         objectInputStream.close();
         fileInputStream.close();
         
      }
Streams are about to close at the end of the method. But if there is an Exception thrown (any of .read* can do that) - they are not.
Unreleased resources in servlets => DOS.

I've found few more such things if you're interested.

Yes, plz.
nervermind
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
January 19, 2014, 08:06:16 PM
 #1032

OK. Here we go:

1209:   ObjectOutputStream objectOutputStream = new ObjectOutputStream(fileOutputStream);
same story here. If Exception is thrown - stream stays unreleased.

2877:    OutputStream outputStream = connection.getOutputStream();
there is a catch block at 2919, maybe close it there?

2883:          InputStream inputStream = connection.getInputStream();
same as above

3299:    static void loadTransactions(String fileName) throws Exception {
FileInputStream fileInputStream = new FileInputStream(fileName);
         ObjectInputStream objectInputStream = new ObjectInputStream(fileInputStream);

and

3437: saveTransactions

Schollepetzer
Newbie
*
Offline Offline

Activity: 17
Merit: 0


View Profile
January 20, 2014, 11:02:02 AM
Last edit: January 20, 2014, 12:01:45 PM by Schollepetzer
 #1033

Hey boyz,

could someone give a short summary plz. about the 2 flaws already been found?
Not in the mood right now the read through 55p...  Smiley

Thank you
FrictionlessCoin
Legendary
*
Offline Offline

Activity: 868
Merit: 1000


Cryptotalk.org - Get paid for every post!


View Profile
January 20, 2014, 12:15:33 PM
 #1034

Seeking Additional Java Developers

We have successfully decompiled the Nxt source and are now in the process of performing a massive refactoring and cleanup of the code base.

Short term goals.

Remove the primitive addressing scheme and use a scheme that looks like Bitcoin.  Bitcoin addresses are more readable, have a checksum and have many tools to generate them.  Nxt addresses that are all numerical are something that came out of the 1950's.

Secure Wallet.  Nxt wallet is fundamentally insecure.  Exposing a wallet to the public internet for everyone to hack is just idiotic.   No wonder so many Nxt users have lost money!

Nxt does not use an internal database like every other alt coin.  This is idiotic because NXT nodes easily fail and run out of memory.  Furthermore, if you accidentally turn off your node... your wallet can get corrupted!

NEX strives not only to be a fairer distributed Nxt variant,  but a technologically super version.

Join the enterprise... participate with your coding skills!!!

We will not ship SHIT like the Nxt folks.  We will ship product that will secure our users coins!

May I join?


Time to defect to the winning team folks!

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 20, 2014, 12:21:21 PM
 #1035

Time to defect to the winning team folks!

1st we must find the 3rd flaw... How will we split 100k btw?
nervermind
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
January 20, 2014, 12:57:50 PM
 #1036

Does security flaw count?

This is a good example of Often Misused: Authentication (see https://www.owasp.org/index.php/Often_Misused:_Authentication)
5995: if (allowedUserHosts == null && !InetAddress.getByName(req.getRemoteAddr()).isLoopbackAddress()) {
6030: if (allowedUserHosts == null && !InetAddress.getByName(req.getRemoteAddr()).isLoopbackAddress()) {
6065: if (allowedUserHosts == null && !InetAddress.getByName(req.getRemoteAddr()).isLoopbackAddress()) {

This is a bad idea to rely on remoteAddr (which can spoofed) when you do authorization checks.
I didn't do any risk assessment of removePeer, removeActivePeer and removeBlacklistedPeer so have no idea how critical are these functions. But it looks like the idea was to restrict this functionality only to requests coming from localhost. And the way it is done... Bit insecure I'd say.

Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 20, 2014, 01:01:05 PM
 #1037

Does security flaw count?

Only if injected ones.
liyi3c
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile
January 20, 2014, 03:44:19 PM
 #1038

Code:
for (Peer peer : groupedPeers) {

if (peer.date == validDate) {

totalWeight += peer.weight;

} else {

peer.adjustedWeight = 0;
peer.updateWeight_UserBroadCast();

}

}

for (Peer peer : groupedPeers) {

peer.adjustedWeight = 1000000000L * peer.weight / totalWeight;
peer.updateWeight_UserBroadCast();

}
the second 'for' loop assgin adjustedWeight to peer whose peer.date != validDate.
if one account attached to huge amount hallmarks, and send out them. as more and more its hallmarks out of date(peer.date != validDate), we should set their adjustedWeight = 0; but here it's not this way. the sum(peer.weight)/totalWeight will not equal to 1.
someone can increase its chosen possibility by send as much as hallmarks
Come-from-Beyond (OP)
Legendary
*
Offline Offline

Activity: 2142
Merit: 1010

Newbie


View Profile
January 20, 2014, 04:01:34 PM
 #1039

the second 'for' loop assgin adjustedWeight to peer whose peer.date != validDate.
if one account attached to huge amount hallmarks, and send out them. as more and more its hallmarks out of date(peer.date != validDate), we should set their adjustedWeight = 0; but here it's not this way. the sum(peer.weight)/totalWeight will not equal to 1.
someone can increase its chosen possibility by send as much as hallmarks

I don't see a bug there...
nervermind
Newbie
*
Offline Offline

Activity: 16
Merit: 0


View Profile
January 20, 2014, 04:15:31 PM
 #1040

4788:      if (allowedBotHosts != null && !allowedBotHosts.contains(req.getRemoteHost())) {
6700:       if (allowedUserHosts != null && !allowedUserHosts.contains(req.getRemoteHost())) {


I wouldn't rely on getRemoteHost, in some cases it's not providing legit info. It can be spoofed.
Or it can be proxy/balancer address.
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 [52] 53 54 55 56 57 58 59 60 61 62 63 64 65 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!