Egis-Security / CTF_Challenge

Repository containing CTF challenges from nmirchev8, deth and bOgO.

nmirchev8_ctf - Incorrect Handling of returndatacopy ##4 #24

Open Chidubemkingsley opened 2 months ago

Chidubemkingsley commented 2 months ago

Severity: Medium

Vulnerability Details: In the _callWithExactGasSafeReturnData function, the returndatacopy operation is used to copy the return data from the external call. However, the return data size is hardcoded to maxReturnDataBytes (which is set to 64 bytes). This can lead to a problem if the actual return data is larger than maxReturnDataBytes, resulting in the truncation of the return data.

Proof of Code:

mstore(retData, maxReturnDataBytes)
returndatacopy(add(retData, 0x20), 0x0, maxReturnDataBytes)

Impact

Data Loss: The truncation of return data can result in incomplete data being returned, leading to incorrect behavior in the calling function. Potential Security Issue: Depending on how the return data is used, this could also introduce security vulnerabilities if the contract relies on the integrity of the full return data.

Tool Used: Manual

Recommendation: Instead of hardcoding the return data size, dynamically allocate memory for retData based on the actual size of the return data using returndatasize():


mstore(retData, returndatasize())
returndatacopy(add(retData, 0x20), 0x0, returndatasize())

Here’s the corrected part of the code:


success := call(gasLimit, target, 0, add(payload, 0x20), mload(payload), 0x0, 0x0)
gasUsed := sub(gasBeforeCall, gas())

// Store the length of the copied bytes
let returnDataSize := returndatasize()
mstore(retData, returnDataSize)
// copy the bytes from retData[0:returnDataSize]
returndatacopy(add(retData, 0x20), 0x0, returnDataSize)
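As an added example that is not part of the issue or the CTF repository: a Solidity sketch showing how a bounded returndatacopy can keep its cap (so a callee cannot dictate the caller's memory-expansion cost with a huge return buffer) while still exposing the full returndatasize(), so the caller can detect truncation instead of silently decoding partial data. The contract and function names (BoundedCaller, callBounded, callAndDecode) are assumed for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example, not the repository's code. Bounded return-data copy with
/// an explicit truncation signal. Names are illustrative.
contract BoundedCaller {
    // Same cap as maxReturnDataBytes on the page.
    uint256 public constant MAX_RETURN_DATA_BYTES = 64;

    /// Calls `target` with `payload` and copies at most MAX_RETURN_DATA_BYTES
    /// of return data into `retData`. `actualSize` is the full returndatasize(),
    /// so a caller can tell whether `retData` is complete.
    function callBounded(address target, bytes memory payload, uint256 gasLimit)
        internal
        returns (bool success, bytes memory retData, uint256 actualSize)
    {
        // Pre-allocate the capped buffer; its length word is rewritten below.
        retData = new bytes(MAX_RETURN_DATA_BYTES);
        uint256 cap = MAX_RETURN_DATA_BYTES;
        assembly {
            success := call(gasLimit, target, 0, add(payload, 0x20), mload(payload), 0x0, 0x0)
            actualSize := returndatasize()
            // Copy min(actualSize, cap) bytes. The cap bounds memory expansion;
            // the min also avoids RETURNDATACOPY reading past the end of the
            // return data, which is an exceptional halt in the EVM.
            let toCopy := actualSize
            if gt(toCopy, cap) { toCopy := cap }
            mstore(retData, toCopy)
            returndatacopy(add(retData, 0x20), 0x0, toCopy)
        }
    }

    /// Example consumer: refuses to act on a truncated return buffer rather
    /// than decoding whatever fit into the first 64 bytes.
    function callAndDecode(address target, bytes memory payload) external returns (uint256) {
        (bool ok, bytes memory data, uint256 full) = callBounded(target, payload, gasleft());
        require(ok, "call failed");
        require(full <= MAX_RETURN_DATA_BYTES, "return data truncated");
        return abi.decode(data, (uint256));
    }
}
```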

NicolaMirchev commented 2 months ago

The same as #29