Author Topic: An "arbitrary data" bug in the blockchain?  (Read 5778 times)

0 Members and 1 Guest are viewing this topic.

Offline Troglodactyl

  • Hero Member
  • *****
  • Posts: 960
    • View Profile
I think you people are missing the point...

This post contains a destructive virus.  You can execute it by following these malicious instructions:

Code: [Select]
Smash your computer with a hammer.
I could also burn these instructions onto a wall in the BitShares blockchain, but that wouldn't give me any way to make people execute it.
« Last Edit: May 10, 2015, 10:34:55 pm by Troglodactyl »

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...

The issue is if you write a client which parses unstructured data from the blockchain and interprets it in then you can exploit bugs in the software interpreting it.
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline emailtooaj

Yes I'll throw in 10,000 BTS towards bounty. This is an issue that should be taken care of, if not already addressed....and not taken lightly. If we are going to ask people to put in their hard earned money and wealth into this system, it better be damn well secured from something as trivial as this. Obviously the wallet/client is the weak link, not something embedded in the block chain.


Sent from my iPhone using Tapatalk
« Last Edit: May 10, 2015, 09:35:07 pm by emailtooaj »
Sound Editor of Beyondbitcoin Hangouts. Listen to latest here - https://beyondbitcoin.org support the Hangouts! BTS Tri-Fold Brochure https://bitsharestalk.org/index.php/topic,15169.0.html
Tip BROWNIE.PTS to EMAILTOOAJ

merockstar

  • Guest
i dont understand.

you're saying that code can be run from a blockchain just by downloading it from a legit client?

if it's not a legit client, then whats to stop it from being a bitcoin wallet or a paypal phish site or something?

it seems like a general computing problem thats been known for decades...

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
Ok, so just to make my paranoid ass feel better..
Can we at least add a simple trap for a few characters that all executables would require to be run?
 
We used to trap for slashes (\), quotes (" and ') and certain sql stmnts (INSERT INTO, DROP TABLE, etc) back in the day. Just disallow the few characters that all scripts would require if someone was to try the injection.
 
Governments and other malicious types would just love to snag our coin.
 
I take this stuff VERY seriously. Our hard earned money is at stake here. No matter how small it may seem, it never hurts to code another trap.
FAILsafe.
 
Edit: I'll throw in another 10,000 BTS bounty to have that trap coded in.
Get it done (and provable) within v0.10.0 and I'll make it a 30,000 BTS bounty. Anybody else wanna pitch in?
« Last Edit: May 10, 2015, 09:02:21 pm by kenCode »
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline Akado

  • Hero Member
  • *****
  • Posts: 2752
    • View Profile
  • BitShares: akado
I think that can be compared to catching a virus over mail. In the past ou could be infected just by opening mails since javascript would execute automatically.

But now it doesn't so you don't get. It's the same thing. The malicious thing could be there, but doesn't execute so it shouldn't be a problem.
https://metaexchange.info | Bitcoin<->Altcoin exchange | Instant | Safe | Low spreads

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
So, let's assume worst case scenario, someone downloads an infected BTS wallet from somewhere.

Assume someone downloads a virus. They could then use that to download a different virus and run it (this one happened to be stored on a blockchain instead of dropbox)
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
.. this leads to the old issue: can you trust the source that delivers software to not deliver malware instead ..

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
You can write arbitrary text and base64 encoded binary blobs on every account wall ..

If you have a client that executes that code you can do whatever you want .. i acctually sounds like a nice "feature" too

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
He describes how to put executable code into the blockchain but not how to execute it. In other news, you can send viruses over email..

The wallet or downloadable app can be instructed to execute anything.
So, let's assume worst case scenario, someone downloads an infected BTS wallet from somewhere.
It executes the rpc (or whatever) and BAMM! -there goes your BTS.
 
FOUND IT: http://bitcoinist.net/kaspersky-labs-interpol-blockchain-vulnerable/
 
He mentions that as a proof of concept, they injected the code, ran it, and just had it open up Notepad. But, they could have done something much more sinister.
 
Do we have the same 80byte hole?
Can we trap for malicious injections into it?
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline toast

  • Hero Member
  • *****
  • Posts: 4001
    • View Profile
  • BitShares: nikolai
He describes how to put executable code into the blockchain but not how to execute it. In other news, you can send viruses over email..
Do not use this post as information for making any important decisions. The only agreements I ever make are informal and non-binding. Take the same precautions as when dealing with a compromised account, scammer, sockpuppet, etc.

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
Whats the tl;dl; version of the "bug"?

I'm not sure, but fyrstikken is a smart guy and he doesn't put out bs. His quatloo trader is how I first discovered him.
Do you think that bug is legit? Does the BTS blockchain have this same 80bytes hole?
We need to code in a trap, or "sql-injection" style Else condition or something if what he says is legit.
Please advise, thanx-
 ken
« Last Edit: May 10, 2015, 08:04:11 pm by kenCode »
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat

Offline xeroc

  • Board Moderator
  • Hero Member
  • *****
  • Posts: 12922
  • ChainSquad GmbH
    • View Profile
    • ChainSquad GmbH
  • BitShares: xeroc
  • GitHub: xeroc
Whats the tl;dl; version of the "bug"?

Offline kenCode

  • Hero Member
  • *****
  • Posts: 2283
    • View Profile
    • Agorise
fyrstikken has an interesting 6min post up- any validity to this?
 
URGENT! Bitcoin Flaws Malware & Viruses #Bitcoinbleed
https://www.youtube.com/watch?v=1XfXYiQQSlE
kenCode - Decentraliser @ Agorise
Matrix/Keybase/Hive/Commun/Github: @Agorise
www.PalmPay.chat