Bitcoin Unlimited Remote Exploit Crash

Hyena

Member
Feb 27, 2017
42
60
https://www.reddit.com/r/Bitcoin/comments/5zdkv3/bitcoin_unlimited_remote_exploit_crash/

Where's the official statement from Bitcoin Unlimited devs? I'm running 1.0.0.0 should I upgrade to 1.0.1.0 or do nothing? Why are devs so slow to react? Most of the BU nodes seem to be offline due to this attack. I don't have time to investigate this too much I just need to know whether to update from 1.0.0.0 or not because my service needs to remain working until a proper fix is delivered.
 

deebee

New Member
Dec 8, 2016
4
2
I have worked around the problem by setting listen=0 in bitcoin.conf, to prevent the malicious nodes from connecting to my node. I'll update to 1.0.1.1 when the binaries are available.
 

Hyena

Member
Feb 27, 2017
42
60
@deebee thanks for a good idea workaround! I did not make this topic to whine and point fingers, I have actual production services using BU and those need to be patched ASAP, so thanks again for the workaround tip

oh I'm behind dynamic IP anyway, I guess this bug won't affect me
 

adamstgbit

Well-Known Member
Mar 13, 2016
1,206
2,650
the debug assertion fix will do until a full patch is ready next week.

> I have worked around the problem by setting listen=0 in bitcoin.conf, to prevent the malicious nodes from connecting to my node. I'll update to 1.0.1.1 when the binaries are available.

there's no way to turn off xthinblocks i guess?
 

freetrader

Moderator
Staff member
Dec 16, 2015
2,806
6,088
@adamstgbit : the 1.0.1.1 release will be out shortly which will fix this. No need to wait until next week.

The build is done, people who can build from source can already build off the 1.0.1.1 tag.

Release notes are being written and the release announcement will follow imminently.
 

adamstgbit

Well-Known Member
Mar 13, 2016
1,206
2,650
i really wish it wasn't ready so bloody fast.

isn't there a bunch of other incoming communication that devs must analyze to make sure a well crafted msg can't crash BU.

asserts need to be opened in release build?
 

freetrader

Moderator
Staff member
Dec 16, 2015
2,806
6,088

sickpig

Active Member
Aug 28, 2015
926
2,541
Last edited:

adamstgbit

Well-Known Member
Mar 13, 2016
1,206
2,650
clicking the links somehow leads to unrelated blank page.

i'm gonna give it a spin, thanks for the quick fix.

Windows protected your PC
Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
App: bitcoinUnlimited-1.0.1.1-win64-setup.exe
Publisher: Unknown publisher

this is normal right?
 

Hyena

Member
Feb 27, 2017
42
60
Updated. None of my nodes actually ever crashed though. I run 3 full BU nodes on different devices/networks.
 

adamstgbit

Well-Known Member
Mar 13, 2016
1,206
2,650
seems we're crashing again.

but anyway, i think we need to

replace this if (line 4817)

Code:
                if (mi != mapBlockIndex.end())
with this:

Code:
        if (mi == mapBlockIndex.end()) {
            Misbehaving(pfrom->GetId(), 100);
            return false;
        }
wild guess! lol
edit: wait that's probably not it...
 
Last edited:
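
The pattern the last post guesses at (penalize the peer and return, rather than assert, when a peer-supplied lookup fails), as an added example that is not part of the thread and is not Bitcoin Unlimited code or the actual 1.0.1.1 fix. `Peer`, `peers`, `ProcessBlockRequest`, `BAN_THRESHOLD` and the sample hash and height are hypothetical; `mapBlockIndex` and `Misbehaving` only borrow the names used in the post.

```cpp
#include <map>
#include <string>

// Toy model only: hypothetical stand-ins, not Bitcoin Unlimited code.
struct Peer {
    int misbehavior = 0;
    bool shouldBan = false;
};

const int BAN_THRESHOLD = 100; // assumed threshold for this example

std::map<int, Peer> peers;                // peer id -> state
std::map<std::string, int> mapBlockIndex; // block hash -> height (constructed)

// Add to a peer's score and flag it once the threshold is reached.
void Misbehaving(int peerId, int howMuch) {
    Peer& p = peers[peerId];
    p.misbehavior += howMuch;
    if (p.misbehavior >= BAN_THRESHOLD) p.shouldBan = true;
}

// Handle a message that names a block by hash. The hash comes from the
// network, so "not found" is an expected input, not a programming error:
// there is no assert() here, because any peer could trigger it at will.
bool ProcessBlockRequest(int peerId, const std::string& hash, int& heightOut) {
    if (peers[peerId].shouldBan) return false; // already flagged: ignore
    auto mi = mapBlockIndex.find(hash);
    if (mi == mapBlockIndex.end()) {
        Misbehaving(peerId, 100);
        return false;
    }
    heightOut = mi->second;
    return true;
}

int main() {
    mapBlockIndex["aa11"] = 457000;    // constructed sample entry
    int h = 0;
    ProcessBlockRequest(1, "ffff", h); // unknown hash: rejected, peer 1 flagged
    ProcessBlockRequest(2, "aa11", h); // other peer is still served
    return (peers[1].shouldBan && h == 457000) ? 0 : 1;
}
```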