admin001 发布于 08月17, 2018

NEO Smart Contract Platform Runtime_Serialize Calls DoS

Zhiniang Peng from Qihoo 360 Core Security

NEO is a non-profit, community-based blockchain project. It is a distributed network that uses blockchain technology and digital identity for asset digitization. It is also an intelligent management of digital assets using intelligent contracts to create “Smart Economy”. At present, NEO’s market capitalization ranks fifteenth in the world in coinmarket, being one of the remarkable blockchain projects. We found a Denial of Service vulnerability in the NEO smart contract platform which attacker could use to instantly crash the entire neo network.

阅读全文 »

admin001 发布于 08月16, 2018

NEO智能合约平台Runtime_Serialize调用拒绝服务漏洞

Zhiniang Peng from Qihoo 360 Core Security

NEO是一个非盈利的社区化的区块链项目。它是利用区块链技术和数字身份进行资产数字化,利用智能合约对数字资产进行自动化管理,实现“智能经济”的一种分布式网络。目前Neo市值在coinmarket上排名全球第十五,是备受关注的区块链项目之一。我们在neo智能合约平台中发现一处拒绝服务漏洞,攻击者可利用该漏洞在瞬间使得整个neo网络崩溃。

阅读全文 »

admin001 发布于 08月15, 2018

数字加密货币交易软件APT攻击简报

APT-C-26(Lazarus 音译”拉撒路”)是从2009年以来至今一直处于活跃的APT组织,据国外安全公司调查显示,该组织最早的攻击可能和2007年针对韩国政府网站大规模DDOS攻击的“Operation Flame”行动相关,同时可能是2014 年索尼影业遭黑客攻击事件,2016 年孟加拉国银行数据泄露事件和2017年席卷全球的“Wannacry”勒索病毒等著名攻击事件的幕后组织。2017年以来,该组织将攻击目标不断扩大,日趋以经济利益为目的,从针对全球的传统金融机构银行系统进行攻击,开始转向于针对全球加密货币组织和相关机构以及个人进行攻击。

阅读全文 »

admin001 发布于 08月15, 2018

Brief Analysis on APT Attack through Cryptocurrency Trading Software

APT-C-26 is an APT group that has been active since 2009. According to the research by an overseas security vendor, the group’s earliest attack may be associated with the “Operation Flame” which was a large-scale DDOS attack on Korean government’s website in 2007. Lazarus may also be the group behind the hacking incident of Sony Pictures in 2014, the data breach of the Bank of Bangladesh in 2016 and other infamous attacks such as the “Wannacry” ransomware that swept across the globe in 2017. Since 2017, the group has been expanding its targets of attack and increasingly aimed at economic interests. In earlier attacks, the group mainly targeted the banking system of traditional financial institutions. Now, it has begun to attack global cryptocurrency organizations and related individuals.

阅读全文 »

admin001 发布于 08月08, 2018

EOS官方API中Asset结构体的乘法运算溢出漏洞描述

古河@360 Vulcan Team

综述

asset是EOS官方头文件中提供的用来代表货币资产(如官方货币EOS或自己发布的其它货币单位)的一个结构体。在使用asset进行乘法运算(operator *=)时,由于官方代码的bug,导致其中的溢出检测无效化。造成的结果是,如果开发者在智能合约中使用了asset乘法运算,则存在发生溢出的风险。

阅读全文 »

admin001 发布于 08月08, 2018

EOS Asset Multiplication Integer Overflow Vulnerability

Yuki Chen of Qihoo 360 Vulcan Team

Description

The asset structure is defined in EOS’s system header file, it can be used to define the amount of some tokens (such as the official EOS token or some custom tokens defined by user). Recently we discovered a bug in asset’s multiplication operator(operator *=) which makes the integer overflow check in the function to have no effect. If a developer uses asset multiplication in his EOS smart contract, he may need to face the risk of integer overflow.

阅读全文 »

admin001 发布于 07月23, 2018

From A Patched ITW 0day to Remote Code Execution (Part I) – From Patch to New 0day

Author:Yuki Chen of Qihoo 360 Vulcan Team

Background

In May 2018, the Advanced Threat Response Team of 360 Core Security Division detected an APT attack exploiting a 0-day vulnerability and captured the world’s first malicious office sample that uses a browser 0-day vulnerability. The sample exploited a use-after-free vulnerability in the VBScript engine which was fixed by Microsoft as CVE-2018-8174 in May 2018 security update, the detailed analysis of the bug could be found at: http://blogs.360.cn/blog/cve-2018-8174-en/ After analyzing the patch for CVE-2018-8174 carefully, we realized that the fix was not so complete and there still exists similar problems which could be leveraged to achieve reliable remote code execution in VBScript engine. We reported the issues we found to Microsoft immediately and Microsoft addressed them with a new fix (CVE-2018-8242) in July 2018 security update. In this blog, we will introduce the details of the new exploitable issues with CVE-2018-8174 patch we found. We will also discuss how we exploit the new bug we found and get reliable remote code execution in an upcoming blog (part II).

阅读全文 »

admin001 发布于 05月29, 2018

EOS节点远程代码执行漏洞 --- EOS智能合约WASM函数表数组越界

漏洞报告者

Yuki Chen of Qihoo 360 Vulcan Team Zhiniang Peng of Qihoo 360 Core Security

漏洞描述

我们发现了EOS区块链系统在解析智能合约WASM文件时的一个越界写缓冲区溢出漏洞,并验证了该漏洞的完整攻击链。 使用该漏洞,攻击者可以上传恶意的智能合约至节点服务器,在节点服务器解析恶意合约后,攻击者就能够在节点服务器上执行任意代码并完全控制服务器。 在控制节点服务器后,攻击者可以将恶意合约打包进新的区块,进而攻击和控制其他新的节点,最终攻击和控制整个EOS网络。

阅读全文 »