SWC-127_hijack flow

Arbitrary Jump with Function Type Variable

Description: Solidity supports function types. That is, a variable of function type can be assigned with a reference to a function with a matching signature. The function saved to such variable can be called just like a regular function.

The problem arises when a user has the ability to arbitrarily change the function type variable and thus execute random code instructions. As Solidity doesn’t support pointer arithmetics, it’s impossible to change such variable to an arbitrary value. However, if the developer uses assembly instructions, such as mstore or assign operator, in the worst case scenario an attacker is able to point a function type variable to any code instruction, violating required validations and required state changes.
Remediation: The use of assembly should be minimal. A developer should not allow a user to assign arbitrary values to function type variables.

contract

pragma solidity ^0.4.25;

contract FunctionTypes {
    
    constructor() public payable {
        require(msg.value != 0); 
    }
    
    function withdraw() private {
        require(msg.value == 0, "dont send funds!'");
        address(msg.sender).transfer(address(this).balance);
    }
    
    function frwd() internal{
        withdraw();
    }
        
    struct Func {
        function () internal f;
    }
    
    function breakIt() public payable {
        require(msg.value != 0, "send funds!");
        Func memory func;
        func.f = frwd;
        assembly {
            mstore(func, add(mload(func), callvalue)) 
        }
        func.f();
    }
}

this contract’s idea is the same as this level in chainflag.

decompile the runtimecode

the address of func.f is 0x010c

the goal address is 0x018e

mstore(func, add(mload(func), callvalue)):

goal address = callvalue + func.f‘s content
0x018e = callvalue + 0x010c
callvalue = 0x18e - 0x010c = 398 - 268 = 130

successfully!

2023-07-13 16:12:24 # 09.SWC