Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update zeromq to 4.3.1 #56

Closed
wants to merge 1 commit into from
Closed

Update zeromq to 4.3.1 #56

wants to merge 1 commit into from

Conversation

leto
Copy link
Contributor

@leto leto commented Feb 19, 2019

Bug description

BitcoinZ has a vulnerable version of the dependency zeromq, and puts the users which have this feature enabled at risk for a remote-code-execution bug related to CVE-2019-6250 .

This bug can also be triggered via a malicious website talking to localhost via a browser that is on the same computer as a full node with zeromq enabled, using a "DNS rebinding attack". Many
automated tools to perform these attacks now exist, some written by Google Project Zero researchers.

Many block explorers and mining pools use zeromq and are particularly at risk. Exchanges may also have this feature enabled. This vulnerability can lead to exfiltration of private keys, loss of funds and potentially backdooring of servers.

Example Scenarios

Remote Node attack

  • Various unix user accounts exist on the same server as an instance of an BTCZ full node with zeromq enabled, such as BitcoinZ Explorer
  • Unprivileged user on the same machine as user of Insight explorer is compromised
  • User uses zeromq CVE-2019-6250 via localhost to steal wallet.dat, leave backdoor/etc

Local Node attack

  • Developer runs a development/testing version of a zeromq-enabled BTCZ full node on localhost, such as BitcoinZ Explorer
  • Developer browses to a malicious website
  • Website uses DNS rebinding attack to communicate directly with zeromq
  • Website uses zeromq CVE-2019-6250 to steal all funds and leave a backdoor/etc

Any application which uses a BTCZ node with zeromq enabled is vulnerable, Insight explorers are just a common and well-known example.

All versions of zeromq from 4.2.0 to 4.3.0 are vulnerable, so this Pull Request upgrades BTCZ to 4.3.1, bringing BTCZ in sync with BTC upstream and ZEC upstreams.

Block explorers and mining pools should be updated with this new dependency, as well as any other applications that enable zeromq. Changing configurations to add authentication to zeromq and specifically not trust all connections from localhost is also highly encouraged.

A bounty would be greatly appreciated at this address:

t1L2eqwK9PSbkPMBfoWLovgubgKAX1mojDg

and will help fund my future security research in BTCZ.
My GPG keys can be obtained from Keybase if desired.

Thanks,
Duke Leto

@renuzit renuzit closed this Mar 23, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@leto @renuzit