- Cosmovisor v0.1.0 uses stdout/stderr output to determine whether an upgrade should occur.
- By finding a print sink that outputs data matching this regex, we can force an upgrade.
- Depending on the Cosmovisor settings, this leads either to remote code execution (RCE) or to a denial of service (DoS).
- Below are three blockchains running Cosmovisor: Desmos, Cronos and Osmosis. All can be compromised with this technique.
Every environment is dockerized. Perform the following actions to run a single blockchain.

- Run `./docker_run.sh`. This builds, runs, and enters the running Docker container. NOTE: This may take a while to build; many components must be built and started to get the blockchain running.
- You should have been automatically logged into the Docker container in the previous step.
- The Cosmos node is running in a `tmux` pane. To see its output, run `tmux a -t Node`. This is not required right now.
- To run the exploit, call `./exploit.sh`. NOTE: You may need to wait a minute for the node to spin up.
- This will call the `gov` module for the print sink.
- By hitting the print sink with the upgrade payload, it will force an upgrade on the running node.
- To keep this self-contained, a different tmux pane is serving our exploit payload with `hacker.sh`. Of course, this could also be done remotely.
- Go into the node pane with `tmux a -t Node`.
- Within the node pane, you'll notice the following:
  - The standard Cosmos node output is gone. This is because the upgrade completed successfully.
  - `hacker.sh` was executed. It prints some text to the screen and then exits.