The talk discusses the use of a JSON deserialization 0day to steal money on the blockchain, highlighting the vulnerability of blockchain to security issues and proposing a more covert post-penetration exploit method for public blockchain nodes.
- Fastjson is a widely used open source JSON parser with 23,100 stars on GitHub, serving hundreds of millions of users.
- The talk details the deserialization process and the security checks in the Fastjson parser, and the bypass of these checks that allows arbitrary classes to be deserialized.
- The talk also discusses the use of Apache Commons IO to read the temp directory byte by byte and to hijack pointers.
- The talk proposes a more covert post-penetration exploit method for public blockchain nodes, highlighting the limitations of a 51% attack and the need to target nodes with HTTP services enabled.
- The talk emphasizes the vulnerability of blockchain to security issues and the need for developers and users to be more careful about security.
The talk highlights the vulnerability of blockchain to security issues by demonstrating how a JSON deserialization 0day can be used to steal money on the blockchain. The talk proposes a more covert post-penetration exploit method for public blockchain nodes, emphasizing the need for developers and users to be more careful about security.
Fastjson is a widely used open source JSON parser with 23,100 stars on GitHub. As a basic module of countless Java web services, it serves hundreds of millions of users. We managed to find a way to bypass many security checks and mitigations by using the inheritance process of some basic classes, and achieve remote code execution successfully. We will disclose these high-risk and universal gadgets for the first time in this talk.

Now, we can control many important websites and affect millions of users. Let's make things more interesting. We found that this fastjson vulnerability affects a multi-billion-dollar blockchain. We designed multiple complex gadgets based on the features of the blockchain, and exquisitely achieved information leakage and pointer hijacking. Putting all these gadgets together, we achieved remote code execution on the blockchain nodes.

However, generally after remote code execution, we seem to have no better exploit method other than the 51% attack, which will lead to serious accounting confusion. After a detailed analysis of the architecture design of the public blockchain, we found a way from RCE to steal the public blockchain users' assets almost without any notification.

To the best of our knowledge, this is the first published attack case on the realization of covertly stealing user assets after RCE on the public blockchain nodes. We will propose a more covert post-penetration exploit method for public blockchain nodes in this talk.

Blockchain is not bulletproof to security vulnerabilities, and we hope our work can notify blockchain developers and users to be more careful about security.
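The bypasses described above all go through Fastjson's autoType path, which honours a polymorphic `@type` key in untrusted JSON. The following is an added example (not code from the talk or from the Fastjson project) of the hardening a service owner can apply and verify at startup; it assumes fastjson 1.2.68 or later is on the classpath, since `safeMode` was introduced in that release.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

public class FastjsonAutoTypeHardening {

    // Constructed sample input: a JSON body carrying the polymorphic "@type"
    // key, the feature that autoType bypasses abuse. The class name is a
    // harmless one on purpose; what matters is whether "@type" is honoured.
    static final String TYPED_INPUT =
            "{\"@type\":\"java.util.HashMap\",\"k\":\"v\"}";

    // Hardened configuration: safeMode switches autoType off entirely, so a
    // "@type" key is rejected before any class-name check or deny list runs.
    // Equivalent to starting the JVM with -Dfastjson.parser.safeMode=true.
    static void enableSafeMode() {
        ParserConfig config = ParserConfig.getGlobalInstance();
        config.setSafeMode(true);
        config.setAutoTypeSupport(false);
    }

    // Returns true when the parser refuses the "@type" input, i.e. when the
    // hardened state is actually in effect in this JVM.
    static boolean rejectsTypedInput(String json) {
        try {
            JSON.parseObject(json);
            return false;
        } catch (JSONException e) {
            // Expected message: "safeMode not support autoType : ..."
            return true;
        }
    }

    public static void main(String[] args) {
        enableSafeMode();
        boolean hardened = rejectsTypedInput(TYPED_INPUT);
        System.out.println("safeMode rejects @type input: " + hardened);
        if (!hardened) {
            // A silent parse means the hardening did not take effect, e.g.
            // an older fastjson without safeMode or a shaded second copy
            // of the library that this configuration does not reach.
            System.exit(1);
        }
    }
}
```

Running this check once at service startup turns "we think autoType is off" into a fail-fast condition, which is useful precisely because the global `ParserConfig` can be silently overridden by another library or by a relocated copy of fastjson.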