Cosmovisor RCE Exploit

  • Version v0.1.0 uses stdout/stderr to determine if an upgrade should occur.
  • By finding a print sink that outputs data matching the upgrade regex Cosmovisor watches for, we can force an upgrade.
  • This leads either to remote code execution (RCE) or to a denial of service (DoS), depending on the Cosmovisor settings.
  • Below are three blockchains running Cosmovisor: Desmos, Cronos and Osmosis. All can be compromised with this technique.

Running

Every environment is dockerized. Perform the following actions to run a single blockchain.

  1. Run ./docker_run.sh. This builds the image, starts the container and drops you into a shell inside it. NOTE: This may take a while to build. It needs to fetch and build many, many things to get the blockchain running.
  2. You should have been automatically logged into the Docker container by the previous step.
  3. The Cosmos node is running in a tmux pane. To see its output, run tmux a -t Node. You do not need to do this yet.
  4. To run the exploit, call ./exploit.sh. NOTE: You may need to wait a minute for the node to spin up.
    • This uses the gov module as the print sink.
    • By hitting the print sink with the upgrade payload, it forces an upgrade on the running node.
    • To keep this self-contained, a separate tmux pane serves our exploit payload with hacker.sh. This could of course be served remotely instead.
  5. Go into the node pane with tmux a -t Node.
  6. Within the node pane, you'll notice the following:
    • The standard Cosmos node output is gone. This is because the upgrade completed successfully.
    • hacker.sh was executed. It prints some text to the screen and then exits.