Skip to content

Latest commit

 

History

History
76 lines (46 loc) · 2.38 KB

009.md

File metadata and controls

76 lines (46 loc) · 2.38 KB

Petite Fleece Cheetah

High

Unauthorized access due to the incorrect usage of the public key callback

Summary

The finding demonstrates how the incorrect usage of the callback can cause an authorization bypass in the golang.org/x/crypto.

Root Cause

The problem is that the protocol uses the vulnerable dependency - go:golang.org/x/crypto:v0.28.0 (https://osv.dev/vulnerability/GHSA-v778-237x-gjrc). The library is used as a config so the impact is high.

Internal Pre-conditions

No response

External Pre-conditions

No response

Attack Path

An attacker can get an unauthorized access.

Impact

Malicious users can get unauthorized access.

PoC

Take a look at the functionality how the library is used in the protocol:

https://github.com/sherlock-audit/2024-12-babylon/blob/main/babylon/go.mod#L128

import (
"fmt"

wasmtypes "github.com/CosmWasm/wasmd/x/wasm/types"

serverconfig "github.com/cosmos/cosmos-sdk/server/config"

appparams "github.com/babylonlabs-io/babylon/app/params"

bbn "github.com/babylonlabs-io/babylon/types"
)

type BtcConfig struct {
Network string `mapstructure:"network"`
}

func defaultBabylonBtcConfig() BtcConfig {
return BtcConfig{
Network: string(bbn.BtcMainnet),
}
}

type BabylonAppConfig struct {
serverconfig.Config `mapstructure:",squash"`

Wasm wasmtypes.WasmConfig `mapstructure:"wasm"`

BtcConfig BtcConfig `mapstructure:"btc-config"`
}

As you can see here, the library is used as a config. According to the bug fix description from https://osv.dev/vulnerability/GHSA-v778-237x-gjrc:

Applications and libraries which misuse the ServerConfig.PublicKeyCallback callback may be susceptible to an authorization bypass. A call to this function does not guarantee that the key offered is in fact used to authenticate." Specifically, the SSH protocol allows clients to inquire about whether a public key is acceptable before proving control of the corresponding private key. PublicKeyCallback may be called with multiple keys, and the order in which the keys were provided cannot be used to infer which key the client successfully authenticated with, if any. Some applications, which store the key(s) passed to PublicKeyCallback (or derived information) and make security relevant determinations based on it once the connection is established, may make incorrect assumptions.

Mitigation

Change the dependency on a different version.