Bitcoin Unlimited Remote Exploit Crash

[Hyena]

https://www.reddit.com/r/Bitcoin/comments/5zdkv3/bitcoin_unlimited_remote_exploit_crash/

Where's the official statement from Bitcoin Unlimited devs? I'm running 1.0.0.0 should I upgrade to 1.0.1.0 or do nothing? Why are devs so slow to react? Most of the BU nodes seem to be offline due to this attack. I don't have time to investigate this too much I just need to know whether to update from 1.0.0.0 or not because my service needs to remain working until a proper fix is delivered.

 

[deebee]

I have worked around the problem by setting listen=0 in bitcoin.conf, to prevent the malicious nodes from connecting to my node. I'll update to 1.0.1.1 when the binaries are available.

 

[Hyena]

@deebee thanks for a good idea workaround! I did not make this topic to whine and point fingers, I have actual production services using BU and those need to be patched ASAP, so thanks again for the workaround tip

oh I'm behind dynamic IP anyway, I guess this bug won't affect me

 

[bitPico]

Here's the debug assertion fix: https://github.com/BitcoinUnlimited/BitcoinUnlimited/pull/371/files

Our nodes still running fine after patching them but there should have been binaries available already which is pretty embarrassing.

 

[adamstgbit]

the debug assertion fix will do untill a full patch is ready next week.
[doublepost=1489529923][/doublepost]

I have worked around the problem by setting listen=0 in bitcoin.conf, to prevent the malicious nodes from connecting to my node. I'll update to 1.0.1.1 when the binaries are available.

theres no way to turn off xthinblocks i guess?

 

[freetrader]

@adamstgbit : the 1.0.1.1 release will be out shortly which will fix this. No need to wait until next week.

The build is done, people who can build from source can already build off the 1.0.1.1 tag.

Release notes are being written and the release announcement will follow imminently.

 

[adamstgbit]

i really wish it wasn't ready so bloody fast.

isn't there a bunch of other incoming communication that devs must analysis to make sure a well crafted msg can't crash BU.

asserts need to be opened in release build?

 

[freetrader]

> asserts need to be opened in release build

This general situation (though not this particular assert) seems to be part of the legacy of bitcoind.

There are still modules in Core 0.14 which require NDEBUG to be turned off, i.e. assertions active:

https://github.com/bitcoin/bitcoin/blob/master/src/validation.cpp#L50
https://github.com/bitcoin/bitcoin/blob/master/src/net_processing.cpp#L36

This should receive a general review in BU with a view to identifying and mitigating further risks.

 

[sickpig]

BU ver 1.0.1.1 ready to be downloaded here: https://www.bitcoinunlimited.info/download

You could find a release note file here: https://github.com/sickpig/BitcoinUnlimited/blob/doc/release-notes-1.0.1.1/doc/release-notes/release-notes-1.0.1.1.md

Ubuntu PPA repositories is in the process of being update as we speak

edit: link fixed
update: Ubuntu repo updated to ver 1.0.1.1

 

[adamstgbit]

clicking the links some how leads to unrelated blank page.
[doublepost=1489537414][/doublepost]i'm gonna give it a spin, thanks for the quick fix.
[doublepost=1489537927,1489537222][/doublepost]Windows protected your PC
Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
App: bitcoinUnlimited-1.0.1.1-win64-setup.exe
Publisher: Unknown publisher

this is normal right?

 

[Peter Tschipper]

@adamstgbit yup that's normal, that's what i get on windows 10

 

[adamstgbit]

its UP!

thank you.

 

[deebee]

Updated ... thanks!

 

[Hyena]

Updated. None of my nodes actually never crashed though. I run 3 full BU nodes on different devices/networks.

 

[Francis GASCHET]

Hello,
I've now 4 BU nodes. they where all failing. Updated and it's OK.
Thanks.

 

[bitsein]

All good here too.

 

[adamstgbit]

seems were crashing again.

but anyway, i think we need to

replace this if (line 4817)

                if (mi != mapBlockIndex.end())

with this:

        if (mi == mapBlockIndex.end()) {
                Misbehaving(pfrom->GetId(), 100);
                return false;
            }

wild guess! lol
edit: wait thats probably not it...