<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Mppx - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/mppx/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 29 Feb 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/mppx/feed.xml" rel="self" type="application/rss+xml"/><item><title>MPPX Payment Bypass and Griefing Vulnerabilities</title><link>https://feed.craftedsignal.io/briefs/2024-02-mppx-vulns/</link><pubDate>Thu, 29 Feb 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-02-mppx-vulns/</guid><description>Multiple vulnerabilities in the `mppx` npm package (versions prior to 0.4.8) allow for payment bypass, transaction replay attacks, fee manipulation, signature bypass, and channel griefing, potentially leading to financial loss and service disruption.</description><content:encoded><![CDATA[<p>The <code>mppx</code> npm package, a payment processing library, contains several critical vulnerabilities that could be exploited to bypass payment requirements, manipulate transaction fees, and disrupt payment channels. These vulnerabilities affect versions prior to 0.4.8, and arise from insufficient validation of transaction hashes, missing transfer log verification, cross-route scope confusion, and weaknesses in channel ID binding. Successful exploitation could allow attackers to perform free transactions, force others to pay their fees, or render payment channels unusable, leading to significant financial losses and reputational damage for applications relying on the vulnerable library.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Initial Access:</strong> An attacker identifies a vulnerable application using a version of the <code>mppx</code> npm package prior to 0.4.8.</li>
<li><strong>Transaction Replay:</strong> The attacker replays <code>tempo/charge</code> transaction hashes across push/pull modes or charge/session endpoints to duplicate payments or bypass charges.</li>
<li><strong>Free Requests (Pull Mode):</strong> The attacker performs free <code>tempo/charge</code> requests by exploiting missing transfer log verification in pull mode.</li>
<li><strong>Fee Manipulation:</strong> The attacker manipulates the fee payer of a <code>tempo/charge</code> handler into paying for their requests by exploiting the missing sender signature check.</li>
<li><strong>Voucher Bypass:</strong> The attacker bypasses <code>tempo/session</code> voucher signature verification to gain unauthorized access.</li>
<li><strong>Channel Hijacking:</strong> The attacker piggybacks off existing <code>tempo/session</code> channels by reusing settle vouchers and exploiting weak channel ID binding.</li>
<li><strong>Griefing:</strong> The attacker griefs <code>tempo/session</code> channels via force-close detection bypass by exploiting the fact that <code>closeRequestedAt</code> is not persisted.</li>
<li><strong>Impact:</strong> The attacker successfully bypasses payment, manipulates fees, or disrupts payment channels, resulting in financial loss and service disruption for the targeted application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of these vulnerabilities could lead to significant financial losses for applications using the vulnerable versions of the <code>mppx</code> package. Attackers can perform free transactions at the expense of legitimate users or the service provider. Moreover, attackers can grief payment channels, rendering them unusable and disrupting services that rely on them. The number of affected applications is unknown, but any application utilizing <code>mppx</code> prior to version 0.4.8 is potentially vulnerable.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>mppx</code> npm package to version 0.4.8 or later to patch the vulnerabilities (reference: Patches section).</li>
<li>Implement robust input validation and integrity checks for all transaction-related data, especially when using <code>tempo/charge</code> and <code>tempo/session</code> (reference: Overview).</li>
<li>Monitor network traffic for unusual patterns indicative of transaction replay attacks or attempts to bypass payment mechanisms.</li>
<li>Deploy the Sigma rule to detect potential exploitation attempts related to free requests.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>npm</category><category>vulnerability</category><category>payment bypass</category></item></channel></rss>