Parallax Client, Integer Overflow Vulnerability, CVE-2023-XXXX (Critical)


The vulnerability is an integer underflow in the Parallax protocol's handling of the `GetBlockHeaders` request. An attacker establishes a peer connection and sends a malicious `GetBlockHeadersRequest` with a `count` value of 0. In the code path `descendants := chain.GetHeadersFrom(num+count-1, count-1)`, the calculation `count-1` underflows because `count` is 0: `uint64` subtraction wraps, so the result is `UINT64_MAX` (a very large number), which is passed as the `count` parameter to `GetHeadersFrom(number, count uint64)`. This gigantic value bypasses the `maxHeadersServe` limit, allowing the attacker to request the entire header chain from genesis to the latest block. The victim's node attempts to process the request, allocating massive amounts of memory to retrieve and send all block headers, leading to a Denial-of-Service through memory exhaustion.
Platform: Parallax Client
Version: < 0.1.4
Vulnerability: Integer Overflow
Severity: Critical

date: 2023-XX-XX

Prediction: Patch available

What Undercode Says:

git clone https://github.com/microstack-tech/parallax
cd parallax
git show f759e90

// Vulnerable Code Snippet (simplified)
func (p Peer) HandleGetBlockHeaders(msg DecodedMessage) {
	count := msg.Count // Attacker controls this value
	if count == 0 {
		// This operation causes integer underflow: uint64 subtraction wraps
		headers := chain.GetHeadersFrom(num, count-1) // count-1 becomes UINT64_MAX
		p.SendHeaders(headers)
	}
}

How the Exploit Works:

1. Connect to victim node.

2. Send crafted `GetBlockHeadersRequest`.

3. Set request `count` to zero.

4. Trigger integer underflow.

5. Victim node memory exhausts.

Protection from this CVE

Upgrade to version 0.1.4+. Patch prevents integer underflow.
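The following Go program is an added illustration and is not code from the Parallax project or its patch. It reproduces the unchecked `count-1` arithmetic from the snippet above to show the wrap to `math.MaxUint64`, then places a hardened request validator beside it that rejects `count == 0` before any subtraction, enforces the serve cap, and additionally checks the `num+count-1` start offset for wraparound (the second arithmetic in the same call). The `maxHeadersServe` value, the `headerRequest` struct and its field names, and the in-memory chain are assumptions constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// maxHeadersServe stands in for the per-request cap the advisory names; the
// actual value in the Parallax client is not given on the page (assumption).
const maxHeadersServe uint64 = 192

var (
	errZeroCount = errors.New("GetBlockHeaders: count must be at least 1")
	errTooMany   = errors.New("GetBlockHeaders: count exceeds maxHeadersServe")
	errOverflow  = errors.New("GetBlockHeaders: start number overflows uint64")
)

// headerRequest mirrors the two fields of GetBlockHeadersRequest that the
// advisory discusses; the struct name and field names are assumptions.
type headerRequest struct {
	Number uint64 // first header wanted
	Count  uint64 // attacker-controlled number of headers
}

// vulnerableDescendantCount reproduces the unchecked `count-1` from the
// advisory's code path. Go's uint64 subtraction is modular, so Count == 0
// wraps silently to math.MaxUint64 instead of failing.
func vulnerableDescendantCount(req headerRequest) uint64 {
	return req.Count - 1
}

// validateHeaderRequest is the hardened form (an added check, not the
// project's patch): it rejects Count == 0 before any subtraction, enforces
// the serve cap, and checks the Number+Count-1 start offset for wraparound.
func validateHeaderRequest(req headerRequest) (uint64, error) {
	if req.Count == 0 {
		return 0, errZeroCount
	}
	if req.Count > maxHeadersServe {
		return 0, errTooMany
	}
	descendants := req.Count - 1 // cannot wrap: Count >= 1
	if req.Number > math.MaxUint64-descendants {
		return 0, errOverflow
	}
	return descendants, nil
}

// serveHeaders applies the validated count to a constructed in-memory chain
// (header numbers only) and returns at most maxHeadersServe entries.
func serveHeaders(chain []uint64, req headerRequest) ([]uint64, error) {
	descendants, err := validateHeaderRequest(req)
	if err != nil {
		return nil, err
	}
	if req.Number >= uint64(len(chain)) {
		return nil, nil // nothing to serve past the tip
	}
	// Number < len(chain) and descendants < maxHeadersServe, so no wrap here.
	end := req.Number + descendants + 1
	if end > uint64(len(chain)) {
		end = uint64(len(chain))
	}
	return chain[req.Number:end], nil
}

func main() {
	// Constructed sample chain of 1000 headers, identified by number only.
	chain := make([]uint64, 1000)
	for i := range chain {
		chain[i] = uint64(i)
	}
	zero := headerRequest{Number: 0, Count: 0}
	fmt.Printf("unchecked count-1 with Count=0: %d (math.MaxUint64=%d)\n",
		vulnerableDescendantCount(zero), uint64(math.MaxUint64))
	_, err := serveHeaders(chain, zero)
	fmt.Println("hardened handler rejects it:", err)
	hdrs, _ := serveHeaders(chain, headerRequest{Number: 10, Count: 5})
	fmt.Println("legitimate request served:", hdrs)
}
```

The point of the ordering inside `validateHeaderRequest` is that every bound check happens on the raw `Count` before it is decremented; checking `count-1` against `maxHeadersServe` after the subtraction is exactly the pattern the wrapped value slips past.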

Impact:

Denial-of-Service via memory exhaustion. Node crashes.


Sources:

Reported By: github.com
