Description
Vyper's _abi_decode vulnerable to Memory Overflow
Summary
If an excessively large value is specified as the starting index for an array in _abi_decode, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to bugs in contracts that use arrays within _abi_decode. The advisory has been assigned low severity because the issue is only observable if there is a memory write between two invocations of _abi_decode on the same input.
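The wraparound described in the summary, as an added example that is not Vyper's code or the advisory's proof of concept: a simplified Python model of decoding a dynamic `bytes` value from a buffer held in memory, with an unchecked decoder next to a bounds-checked one. The memory layout, function names and sample values are constructed for illustration, and the model assumes the decoder adds the head offset to the buffer base in 256-bit arithmetic.

```python
WORD = 32
MASK = (1 << 256) - 1  # EVM arithmetic wraps modulo 2**256

def word(mem, pos):
    """Read one 32-byte big-endian word from the modelled memory."""
    return int.from_bytes(mem[pos:pos + WORD], "big")

def decode_bytes_unchecked(mem, base, size):
    """Flawed model: the head offset is added to base with no bounds check."""
    ptr = (base + word(mem, base)) & MASK  # wraps for an excessively large offset
    length = word(mem, ptr)
    return bytes(mem[ptr + WORD:ptr + WORD + length])

def decode_bytes_checked(mem, base, size):
    """Hardened model: validate offset and length against the buffer first."""
    offset = word(mem, base)
    if offset + WORD > size:
        raise ValueError("offset points outside the buffer")
    length = word(mem, base + offset)
    if offset + WORD + length > size:
        raise ValueError("payload runs past the end of the buffer")
    start = base + offset + WORD
    return bytes(mem[start:start + length])

def build_memory(offset):
    """Constructed layout: [0:64) unrelated bytes variable, [64:160) input buffer."""
    mem = bytearray(160)
    mem[0:32] = (3).to_bytes(WORD, "big")      # unrelated variable: length 3
    mem[32:35] = b"foo"                        # unrelated variable: data
    mem[64:96] = offset.to_bytes(WORD, "big")  # buffer head: offset word
    mem[96:128] = (2).to_bytes(WORD, "big")    # in-bounds payload length
    mem[128:130] = b"ok"                       # in-bounds payload data
    return mem

def decode_twice(offset):
    """Decode the same buffer twice with an unrelated memory write in between."""
    mem = build_memory(offset)
    first = decode_bytes_unchecked(mem, 64, 96)
    mem[32:35] = b"bar"  # write to the unrelated variable, not to the buffer
    second = decode_bytes_unchecked(mem, 64, 96)
    return first, second

if __name__ == "__main__":
    print(decode_twice(32))               # well-formed: both decodes agree
    print(decode_twice((1 << 256) - 64))  # wrapped: results differ
```

With the wrapped offset, the two decodes of an unchanged buffer disagree only because of the intervening write, which is the condition the advisory gives for the issue being observable.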
Proof of Concept
Sending the following calldata results in Pwn being emitted.
Patches
Patched in https://github.com/vyperlang/vyper/pull/3925, https://github.com/vyperlang/vyper/pull/4091, https://github.com/vyperlang/vyper/pull/4144, https://github.com/vyperlang/vyper/pull/4060.
References
- https://github.com/vyperlang/vyper/security/advisories/GHSA-9p8r-4xp4-gw5w
- https://nvd.nist.gov/vuln/detail/CVE-2024-26149
- https://github.com/vyperlang/vyper/pull/3925
- https://github.com/vyperlang/vyper/pull/4060
- https://github.com/vyperlang/vyper/pull/4091
- https://github.com/vyperlang/vyper/pull/4144
- https://github.com/pypa/advisory-database/tree/main/vulns/vyper/PYSEC-2024-164.yaml
Packages
vyper: affected versions < 0.4.0; fixed in 0.4.0
Related vulnerabilities
Vyper is a pythonic smart contract language for the Ethereum Virtual Machine. If an excessively large value is specified as the starting index for an array in `_abi_decode`, it can cause the read position to overflow. This results in the decoding of values outside the intended array bounds, potentially leading to exploitation of contracts that use arrays within `_abi_decode`. This vulnerability affects 0.3.10 and earlier versions.