Unauthenticated JSON-RPC API allows takeover of CryptoNote RPC wallets #172
Comments
|
No official anymore; we make this grow up. But my team already shares
CryptoNote with the original team as copyright, and we next step on Ruby [our
codename] to fix the next security issue. See: https://cnhv.co/1lg50 or go to
our web [https://cnhv.co/dyrf]. Same as original, we keep it free, whether they distribute
or change the code. Hope our [CryptoNote] family grows~
…On Feb 5, 2018 5:10 PM, "Terry Chia" ***@***.***> wrote:
Hi, I found a vulnerability in CryptoNote. Please send me an email at
terrycwk1994 [at] gmail.com, as well as respond to this issue so that I
know the email is from a legitimate developer.
|
|
For those reading the above, the links are malicious and point to a Coinhive miner. Could at least bother with proper English if they wanted to scam people into browser mining for them. |
|
Actually they pay Monero. Hmmm, just go to nur1labs.net then. I'm not scamming
you just for some little cash lol. Or go to GitHub mine, just click my picture.
See DirhamCli; we did all good works for the new CryptoNote evolution tech~
…On Feb 5, 2018 7:22 PM, "nnamon" ***@***.***> wrote:
For those reading the above, the links are malicious and point to a
coinhive miner.
Piece of shit could at least bother with proper English if they wanted to
scam people into browser mining for them.
|
|
cnhv <~ doesn't this equate to the Coinhive miner website? |
|
@Ayrx Make a pull request. |
|
A PR can be done but it cannot be merged. lol, I try some~
…On Feb 6, 2018 4:42 PM, "Doestoievski" ***@***.***> wrote:
@Ayrx <https://github.com/ayrx> Make a pull request.
|
|
As there has been no response from an official developer in 7 days, I am publishing the details of this vulnerability. A CVE ID has been requested from MITRE and will be updated here when one is assigned. The same report is duplicated at: https://www.ayrx.me/cryptonote-unauthenticated-json-rpc |
|
@Ayrx No patch needed, just don't bind the RPC daemon to 0.0.0.0; use 127.0.0.1 from your web wallet so no external exploitation is possible. Desktop wallets should be deprecated, they're obsolete. It's really that simple. |
|
@jared201 Exploitation is still possible via CSRF even if the daemon is bound only to 127.0.0.1. |
|
@Ayrx Not really, via HTTPS; just don't allow unnecessary GET requests coming to your website directly |
|
Used POST instead of GET @_@
…On Feb 12, 2018 10:46 AM, "Jared Odulio" ***@***.***> wrote:
@Ayrx <https://github.com/ayrx> not really, via https, just don't allow
unnecessary GET requests coming to your website directly
|
|
The 7 day disclosure window and flaming cryptonote gif are a bit much xD |
|
I guess that JSON-RPC "security" issue is not really new; everyone from Monero to Bytecoin guys already knew that, except that they are silent about it. |
|
I used JSON from XDN and they fixed it xD
…On Feb 13, 2018 12:23 PM, "Jared Odulio" ***@***.***> wrote:
@keylength <https://github.com/keylength>
i guess that JSON-RPC "security" issue is not really new, everyone from
Monero to Bytecoin guys already knew that, except that they are silent
about it.
|
|
@FndNur1Labs this issue is really serious if you're offering desktop wallets which MUST do RPC calls via public IP or FQDN. However, if you're developing web wallets, all you need is to "harden" your code by not making RPC calls from the client-side JavaScript, which most browsers will warn about or not allow you to do. Instead, you should use your JS framework's server-side RPC calls (e.g. Meteor.call() or something similar), and those RPC calls should only be connecting locally (127.0.0.1). CSRF'ing is nearly impossible, unless you allow a 'router' to do that. |
|
@jared Like back port example private UDP and TCP ones? For JS, not lacking is
script not leaked. Yes, harden code means improving some code for the lack of
private ones. I made some experiment about cross-chain; will be better or
maybe will leak bot chain. That's it. For chain protect, not shared key
private~ used SHA or MD5 [web]
…On Feb 13, 2018 5:14 PM, "Jared Odulio" ***@***.***> wrote:
@FndNur1Labs <https://github.com/fndnur1labs> this issue is really
serious if you're offering desktop wallets which MUST do RPC calls via
public IP or FQDN. However if you're developing web wallets, all you need
is to "harden" your code by not making RPC calls from the client-side
javascript, which most browsers will warn or not allow you to. Instead, you
should use your JS framework's server-side RPC calls (e.g. Meteor.call() or
something similar) , and those RPC calls should only be connecting
locally(127.0.0.1). CSRF'ing is nearly impossible, unless you allow a
'router' to do that.
|
Walletd JSON RPC requests did not require authentication and had the potential for an attacker to gain control of the wallet by sending JSON RPC commands to the wallet via CSRF. Users can now run the Wallet JSON RPC server with the flag --rpc-password to require that all RPC commands include a password. Thank you to the Turtlecoin developers for their work. Much of this code is borrowed from their commit turtlecoin/turtlecoin@4949e91. More information about this vulnerability can be found here - https://www.cvedetails.com/cve/CVE-2018-1000093/ cryptonotefoundation#172 This commit is a copy of 2 commits from the master branch of Cash2: 1b9691a f01b904
The reference implementation of CryptoNote wallets starts a JSON-RPC server
listening on a localhost port that allows an attacker to execute wallet
functions due to a lack of authentication.
An attacker may exploit this vulnerability to steal cryptocurrency from
vulnerable wallets by directing users to visit a webpage hosting the exploit.
Affected Software
All cryptocurrencies that use the reference CryptoNote walletd and simplewallet
implementations are vulnerable. Notable coins include Bytecoin and Aeon.
Description
The reference CryptoNote repository comes with two different wallets,
simplewallet and walletd. Both wallets have JSON-RPC servers that are vulnerable to similar attacks. Even though the JSON-RPC servers are listening
on localhost, they can be exploited via CSRF.
walletd
walletd has the JSON-RPC server enabled by default. The wallet binds to port 8070 by default.
The below proof-of-concept demonstrates the vulnerability by creating a new
address in the walletd container.
simplewallet
simplewallet does not have the JSON-RPC server enabled by default. Enabling the server requires the
--rpc-bind-port flag when invoking simplewallet. The below proof-of-concept demonstrates the vulnerability by making a transfer
from the running wallet to an attacker controlled wallet. Change the
INSERT_AMOUNT and INSERT_WALLET_ADDRESS parameters when testing the POC. We
assume that simplewallet was invoked with --rpc-bind-port 8111.
Notes on exploitation
While the proof-of-concept code assumes that the server is listening on a
specific port, changing the running port does not prevent exploitation. It is
trivial to enumerate open ports with WebSocket.
The proof-of-concept uses an HTML form to demonstrate the attack. However,
exploiting this over JavaScript is not an issue due to a lack of CSRF
protection.
Recommended Fix
The JSON-RPC servers should be patched to require authentication on every
request. It is recommended that all forks of CryptoNote and ByteCoin apply
a patch similar to the Turtlecoin fix.
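The recommended fix above (authentication on every request) and the earlier "just bind to 127.0.0.1" discussion in this thread can be made concrete with an added example. The code below is written for this page and is not part of the original issue, of CryptoNote, or of the Turtlecoin patch; it is a request gate a JSON-RPC wallet server would run before dispatching any method. The thread only names the --rpc-password flag, so carrying the password in a "password" field of the JSON body is an assumption, as are the method names and the sample traffic, all of which are constructed here. The three sample requests all arrive from 127.0.0.1, which is the point: a loopback bind does not distinguish a local CLI client from a browser tab that was lured onto a hostile page, whereas a per-request password, a rejection of browser-originated requests, and a strict content-type check do.

```python
import hmac
import ipaddress
import json
from dataclasses import dataclass

# Constructed stand-in for the value an operator would pass to --rpc-password.
RPC_PASSWORD = "constructed-example-password"


@dataclass
class RpcRequest:
    remote_addr: str
    headers: dict
    body: bytes


@dataclass
class Decision:
    allowed: bool
    reason: str


def _header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def bind_address_is_loopback(addr: str) -> bool:
    """True for 127.0.0.1 / ::1, False for 0.0.0.0 or any routable address.
    Binding to loopback is necessary but, as the gate below shows, not sufficient."""
    return ipaddress.ip_address(addr).is_loopback


def authorize_rpc_request(req: RpcRequest, expected_password: str) -> Decision:
    """Gate a JSON-RPC request before any wallet method is dispatched.

    Every request is checked; there is no session or per-connection exemption,
    which is what "authentication on every request" means in practice.
    """
    # 1. A browser attaches an Origin header to cross-site POSTs. A wallet RPC
    #    server has no legitimate browser callers, so any Origin is refused.
    origin = _header(req.headers, "Origin")
    if origin is not None:
        return Decision(False, f"browser-originated request (Origin: {origin})")

    # 2. Require a real JSON body. An HTML <form> cannot send application/json
    #    (only urlencoded, multipart or text/plain), so form-based CSRF stops here
    #    even from a browser that omits Origin.
    ctype = (_header(req.headers, "Content-Type") or "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return Decision(False, f"unexpected content type {ctype or '(none)'}")

    try:
        payload = json.loads(req.body)
    except ValueError:
        return Decision(False, "malformed JSON")
    if not isinstance(payload, dict) or payload.get("jsonrpc") != "2.0":
        return Decision(False, "not a JSON-RPC 2.0 object")

    # 3. Password on every request, compared in constant time. The "password"
    #    body field is an assumption made for this example.
    supplied = payload.get("password")
    if not isinstance(supplied, str) or not hmac.compare_digest(
        supplied.encode(), expected_password.encode()
    ):
        return Decision(False, "missing or wrong RPC password")

    return Decision(True, f"authorized method {payload.get('method')!r}")


# Constructed sample traffic; every request comes from loopback.
LEGIT = RpcRequest(                       # local CLI client, correct password
    remote_addr="127.0.0.1",
    headers={"Content-Type": "application/json"},
    body=json.dumps({"jsonrpc": "2.0", "id": 1, "method": "getBalance",
                     "params": {}, "password": RPC_PASSWORD}).encode(),
)
FORM_CSRF = RpcRequest(                   # auto-submitted form on a hostile page
    remote_addr="127.0.0.1",
    headers={"Content-Type": "text/plain", "Origin": "http://hostile.example"},
    body=b'{"jsonrpc":"2.0","id":1,"method":"createAddress","params":{}}',
)
FETCH_NO_PASSWORD = RpcRequest(           # well-formed JSON-RPC, no credential
    remote_addr="127.0.0.1",
    headers={"Content-Type": "application/json"},
    body=json.dumps({"jsonrpc": "2.0", "id": 2, "method": "getBalance",
                     "params": {}}).encode(),
)

if __name__ == "__main__":
    for name, req in [("LEGIT", LEGIT), ("FORM_CSRF", FORM_CSRF),
                      ("FETCH_NO_PASSWORD", FETCH_NO_PASSWORD)]:
        d = authorize_rpc_request(req, RPC_PASSWORD)
        print(f"{name:18} loopback={bind_address_is_loopback(req.remote_addr)} "
              f"allowed={d.allowed} ({d.reason})")
```

The ordering is deliberate: the Origin and content-type checks cost nothing and reject the browser-driven requests before any body parsing, while the password check is the control that actually closes the reported issue, since an unauthenticated request from any source is refused regardless of how it reached the listener.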