There is a group of people in the world for whom the Internet is an ATM.

They were, and still are; with the advent of electronic money they make their withdrawals at a frenetic pace.

In 2017, our honeypot detected a massive global attack on Ethereum, which we named the Ethereum “sneak” vulnerability.

This vulnerability allows a hacker to transfer the entire balance of a wallet without access to the server and without the keystore password.

The vulnerability was exposed by hackers on Reddit.com a year ago, and was being used to steal bitcoin as early as February 14, 2016:

(www.reddit.com/r/ethereum/)…

China’s SlowMist security team also recently disclosed this kind of attack:

(mp.weixin.qq.com/s/Kk2lsoQ16…).

For two years few users noticed, Ethereum had no specific protection measures, and to this day the latest Ethereum code still has no protection against such attacks.

So we decided to make the detailed data we have available to everyone, in the hope that it will prompt the Ethereum developers to acknowledge and fix the bug.

Root cause of the vulnerability

(The following code analysis is based on the current latest commit of https://github.com/ethereum/go-ethereum: commit b1917ac9a3cf4716460bd53a11db40384103e5e2.)

Ethereum’s most popular node programs (Geth/Parity) provide RPC APIs for mining pools, wallets and other third-party programs to connect to.

By default, the node’s RPC service can be invoked without a password, and the official RPC API provides no way to set an RPC connection password. Therefore, once the RPC port is exposed to the Internet, the node is in serious danger.

The Ethereum “sneak” vulnerability we captured takes advantage of Ethereum’s default design of not authenticating RPC.

An attacked user must meet all of the following conditions:

  1. The RPC port of the node is open.
  2. The RPC port of the node can be called directly, without additional authentication protection (such as authentication placed in front of it by nginx).
  3. The node’s block height has been synchronized to the latest height of the network, because the transfer has to be made from this node; if the latest height has not been reached, transfers cannot be made.

When a user unlocks a wallet (the unlockAccount function), eth_sendTransaction can be called through the RPC API during the unlock timeout period to transfer funds without entering the password.

The key to the vulnerability is the combination of the unauthenticated RPC API service and the password-free window after an account is unlocked. The following is the unlockAccount function that unlocks an account:

Code path: go-ethereum/internal/jsre/deps/api.go

As the implementation of the function shows, the API for unlocking an account allows a timeout to be passed in. The default timeout is 300 seconds.

TimedUnlock is implemented as follows:

Code path: go-ethereum/accounts/keystore/keystore.go

When the timeout is greater than 0, a goroutine is started to handle the timeout. If the timeout is 0, the account never times out and remains unlocked until the node process exits.

The official documentation describes the usage in detail: https://github.com/ethereum/go-ethereum/wiki/Management-APIs#personal_unlockaccount

Attack method revealed

1. Find servers that expose the Ethereum RPC port to the outside world and verify that the node has reached the latest block height of the Ethereum network.

When a global port scan shows that an RPC service is an Ethereum RPC interface, the hacker calls eth_getBlockByNumber("latest", false) to obtain the latest block height.

However, because some Ethereum nodes run forked coins whose height differs from Ethereum’s, hackers do not give up even when they find that the node height differs from Ethereum’s.

2. Call eth_accounts to obtain all accounts on the node.

The eth_accounts request returns a list of account addresses: ["0x1834axxxxxxxxxxxxxxxxxxxxxxxxxxx", "0xa13jkcxxxxxxxxxxxxxxxxxxxxxxxxxxx", …]

3. Call eth_getBalance to check the balance of each address.

Hackers can perform this balance check from their own Ethereum servers, since Ethereum’s blockchain ledger database is freely and publicly available.

Some hackers do not run a full Ethereum node of their own and do not check the balance themselves, so they perform the eth_getBalance call on the attacked server as well.

4. Keep calling the transfer operation until the moment the user unlocks the wallet with the password, completing the “sneak” illegal transfer.

The hacker constructs eth_sendTransaction transfer requests, filling in the balance and a fixed fee:

{"jsonrpc": "2.0", "id": 2, "method": "eth_sendTransaction", "params": [{"from": "<victim wallet address 1>", "gas": "0x55f0", "to": "0xdc3431d42c0bf108b44cb48bfbd2cd4d392c32d6", "value": "0x112345fc212345000"}]}
{"jsonrpc": "2.0", "id": 2, "method": "eth_sendTransaction", "params": [{"from": "<victim wallet address 2>", "gas": "0x55f0", "to": "0xdc3431d42c0bf108b44cb48bfbd2cd4d392c32d6", "value": "0x112345fc212345000"}]}
{"jsonrpc": "2.0", "id": 2, "method": "eth_sendTransaction", "params": [{"from": "<victim wallet address 3>", "gas": "0x55f0", "to": "0xdc3431d42c0bf108b44cb48bfbd2cd4d392c32d6", "value": "0x112345fc212345000"}]}

The unit of value is the smallest unit of ether, wei; dividing by 10^18 gives the amount in ether:

>>> 0x112345fc212345000
19758522752314920960L
>>> 19758522752314920960L/1000000000000000000
19L

The hacker keeps sending transfer requests and regularly monitors the balance for changes, updating the amount to transfer, until the user opens the wallet and enters the password to unlock it, at which point the balance is immediately transferred out.

Rapid vulnerability test

Install Python’s Web3 library, connect to the RPC port and issue a request. If a result is returned, the vulnerability may exist.

Reference: http://web3py.readthedocs.io/en/stable/quickstart.html

from web3 import Web3, HTTPProvider
web3 = Web3(HTTPProvider('http://ip:port'))  # replace ip:port with the node's RPC address
print(web3.eth.blockNumber)  # a block number in the response means the RPC port answers without authentication

Attacker analysis and IOC intelligence

Hacker wallets

So far we have obtained the payment addresses of three hacker wallets; the balance that has not yet been transferred out is $22.2 million:

https://etherscan.io/address/0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464, balance 38076 ETH (ERC20 tokens not counted), first transaction on 2016-2-14, latest income on March 21, 2018 (the account is still active)

https://etherscan.io/address/0x96a5296eb1d8f8098d35f300659c95f7d6362d15, balance 321 ETH (ERC20 tokens not counted), first transaction on 2016-8-10, latest income on 2017-11-28.

https://etherscan.io/address/0xdc3431d42c0bf108b44cb48bfbd2cd4d392c32d6, balance 330 ETH (ERC20 tokens not counted), first transaction on 2018-2-06, latest income on March 20, 2018.

Attack source IP addresses

146.0.249.87 (Frankfurt, Hesse, Germany)
162.251.61.133 (Canada)
190.2.133.114 (Curacao)
85.14.240.84 (North Rhine, Germany)

Most hackers use https://github.com/regcostajr/go-web3 for high-frequency API requests. If you see a large number of POST requests with the User-Agent “Go-http-client/1.1”, record the request content and check it for malicious behaviour.

Emergency response and repair suggestions

  1. Close exposed RPC ports; if a port must be exposed to the Internet, put authentication in front of it: https://tokenmarket.net/blog/protecting-ethereum-json-rpc-api-with-password/
  2. Block the attack source IP addresses with network protection software such as a firewall.
  3. Check RPC logs and web interface logs for an abnormally large number of frequent requests, and check whether the request content is eth_sendTransaction.
  4. Wait for Ethereum to release updated code and run the node program that fixes the vulnerability.
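An added defensive example, not from the original article, that applies suggestion 3 and the “Go-http-client/1.1” hint above: it parses constructed log lines in an assumed reverse-proxy format (timestamp, client IP, quoted User-Agent, JSON-RPC body, which the article's logs may not match) and flags clients that send eth_sendTransaction in bulk, call personal_unlockAccount, or enumerate eth_accounts from a Go HTTP client.

```python
import json
import re
from collections import Counter, defaultdict

# Constructed sample log (not real traffic) in an assumed reverse-proxy format:
# <timestamp> <client_ip> "<user-agent>" <json-rpc request body>
SAMPLE_LOG = r'''
2018-03-20T10:00:01Z 203.0.113.7 "Go-http-client/1.1" {"jsonrpc":"2.0","id":1,"method":"eth_getBlockByNumber","params":["latest",false]}
2018-03-20T10:00:02Z 203.0.113.7 "Go-http-client/1.1" {"jsonrpc":"2.0","id":2,"method":"eth_accounts","params":[]}
2018-03-20T10:00:03Z 203.0.113.7 "Go-http-client/1.1" [{"jsonrpc":"2.0","id":3,"method":"eth_sendTransaction","params":[{"from":"0xaaaa","to":"0xbbbb","gas":"0x55f0","value":"0x112345fc212345000"}]},{"jsonrpc":"2.0","id":4,"method":"eth_sendTransaction","params":[{"from":"0xcccc","to":"0xbbbb","gas":"0x55f0","value":"0x112345fc212345000"}]}]
2018-03-20T10:00:04Z 203.0.113.7 "Go-http-client/1.1" {"jsonrpc":"2.0","id":5,"method":"eth_sendTransaction","params":[{"from":"0xaaaa","to":"0xbbbb","gas":"0x55f0","value":"0x112345fc212345000"}]}
2018-03-20T10:00:05Z 198.51.100.2 "Mozilla/5.0" {"jsonrpc":"2.0","id":6,"method":"eth_getBalance","params":["0xaaaa","latest"]}
'''
LINE_RE = re.compile(r'^(\S+) (\S+) "([^"]*)" (.*)$')

def parse_line(line):
    """Return (client_ip, user_agent, list of RPC calls); JSON-RPC batches are flattened."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _ts, ip, ua, body = m.groups()
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    calls = payload if isinstance(payload, list) else [payload]
    return ip, ua, [c for c in calls if isinstance(c, dict)]

def analyze(log_text, send_threshold=2):
    """Count RPC methods per client and flag the patterns the article describes."""
    per_ip = defaultdict(Counter)
    agents = defaultdict(set)
    for line in log_text.strip().splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ua, calls = parsed
        agents[ip].add(ua)
        for call in calls:
            per_ip[ip][call.get("method", "?")] += 1
    suspicious = {}
    for ip, counts in per_ip.items():
        go_client = any(ua.startswith("Go-http-client") for ua in agents[ip])
        sends = counts["eth_sendTransaction"]
        # Bulk transfers, unlock attempts, or account enumeration from the go-web3 client
        if (sends >= send_threshold or counts["personal_unlockAccount"]
                or (go_client and counts["eth_accounts"])):
            suspicious[ip] = {"eth_sendTransaction": sends, "eth_accounts": counts["eth_accounts"], "go_http_client": go_client}
    return suspicious
```

Run analyze() over your own proxy log text; the flagged entries are the clients whose request bodies should be inspected.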

Article source: BLS Blockchain Security Lab official website

Official website: http://www.sec-lab.io/
