
URI Argument Injection in Dogecoin-Qt #2665

Closed
CharesFang opened this issue Nov 3, 2021 · 5 comments · Fixed by #2666
@CharesFang

URI Argument Injection in Dogecoin-Qt

We recently found and confirmed that Dogecoin Core in the latest release (version 1.14.4) and earlier versions is affected by a remote code execution vulnerability in Qt5-based GUI apps. Specifically, the QApplication in the Qt framework used by the Dogecoin GUI program will parse Qt built-in arguments, such as -reverse and -platformpluginpath (see the document here). This allows a remote attacker (i.e., a web page) to invoke the local Dogecoin Core program on a victim user's machine by using this kind of URI: dogecoin:address -parameter.

For a real attack, a malicious web page can first download a malicious Qt plugin (see the earlier link for how to construct the plugin) to the user's browser Download folder. The malicious web page can then ask the user to click the URI dogecoin:any_wallet_address -platformpluginpath file_path_of_downloaded_plugin. Since the dogecoin: URI has been registered by Dogecoin in the registry, the browser will automatically launch the local Dogecoin program and invoke that downloaded plugin, causing remote code execution.

Here, for a simple demonstration, we use another parameter, -reverse, to demonstrate feasibility. By using the attached HTML page and asking the user to click the URI dogecoin:address -reverse, it will automatically launch the local dogecoin-qt.exe program, and you will find that the GUI has been reversed due to the -reverse parameter.

We provide the screenshot and the test HTML page in the attachment.
For more details, you can refer to the following pages.

Reported by de957ad9679f28a38f02f00cc7928bce8fb424882ff060a3c09c32895b1474cc.

Attachment

  1. The vulnerability test case.
    Test Case

  2. The test HTML page code.

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Attack</title>
</head>
<body>

<h1>Attack in Browser</h1>
<p>Need to modify register item.</p>
<p>Here we use the -reverse parameter as a demo. For the real attack, it can use </p>
<p>
    <a href="dogecoin:3E8ociqZa9mZUSwGdSmAEMAoAxBK3FNDcd -reverse"> Click To attack </a>
</p>
</body>
</html>
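As an added illustration (not code from Dogecoin Core, Bitcoin Core or this issue), the C++ below models the launch path the report describes and the two defensive steps that stop it. The first is handing QApplication an argv that contains only the program name, so Qt never sees -reverse or -platformpluginpath; I understand this to be the pattern of the Bitcoin Core fix that #2666 backports, but treat that attribution as an assumption. The second is rejecting any dogecoin: payment URI that contains whitespace or control characters (which RFC 3986 forbids anyway) or whose payload starts with an option-like '-'. The command-line splitter is a deliberately simplified stand-in for the OS's real parsing, and the helper names are hypothetical.

```cpp
#include <cctype>
#include <iostream>
#include <sstream>
#include <string>
#include <vector>

// Simplified model of how the OS turns the registered handler command into
// argv: split on whitespace, no quote handling. Constructed for illustration;
// real Windows command-line parsing is more involved.
std::vector<std::string> splitCommandLine(const std::string& cmdline) {
    std::vector<std::string> argv;
    std::istringstream in(cmdline);
    std::string tok;
    while (in >> tok) argv.push_back(tok);
    return argv;
}

// Argument vector to hand to QApplication. QApplication(argc, argv) scans
// argv for Qt's own options, so the hardened form passes only argv[0]; the
// wallet parses its own options (and the payment URI) separately.
// Assumption: this mirrors the backported Bitcoin Core approach; the helper
// itself is illustrative, not the project's code.
std::vector<std::string> qtArgv(const std::vector<std::string>& argv) {
    if (argv.empty()) return {"dogecoin-qt"};  // placeholder program name
    return {argv[0]};
}

// Conservative payment-URI check applied before the URI is acted on.
// A URI with whitespace is what lets "dogecoin:<addr> -reverse" become two
// argv entries in the first place, so such strings are rejected outright.
bool isAcceptablePaymentUri(const std::string& uri) {
    static const std::string scheme = "dogecoin:";
    if (uri.compare(0, scheme.size(), scheme) != 0) return false;
    const std::string rest = uri.substr(scheme.size());
    if (rest.empty() || rest[0] == '-') return false;
    for (unsigned char c : rest) {
        if (std::isspace(c) || std::iscntrl(c)) return false;
    }
    return true;
}

int main() {
    // Constructed sample: the launch the report's test page would trigger.
    const std::string launch =
        "dogecoin-qt.exe dogecoin:3E8ociqZa9mZUSwGdSmAEMAoAxBK3FNDcd -reverse";
    const std::vector<std::string> argv = splitCommandLine(launch);
    std::cout << "OS argv entries: " << argv.size() << "\n";          // 3
    std::cout << "entries given to Qt: " << qtArgv(argv).size() << "\n"; // 1
    std::cout << "URI accepted: "
              << isAcceptablePaymentUri("dogecoin:3E8ociqZa9mZUSwGdSmAEMAoAxBK3FNDcd -reverse")
              << "\n";                                                   // 0
    return 0;
}
```

The two checks are independent: the argv restriction closes the Qt option-parsing channel regardless of what the URI looks like, and the URI check keeps malformed links from being treated as a payment request at all.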
@patricklodder patricklodder added this to To do in 1.14.5 via automation Nov 3, 2021
@patricklodder patricklodder added this to the 1.14.5 milestone Nov 3, 2021
@patricklodder
Member

patricklodder commented Nov 3, 2021

@CharesFang Thank you! I have manually back ported the fix from Bitcoin Core and have verified locally. Could you please let me know if this fix (#2666) is complete from your perspective?

@patricklodder patricklodder moved this from To do to In progress in 1.14.5 Nov 3, 2021
@patricklodder patricklodder linked a pull request Nov 3, 2021 that will close this issue
@eggcn

eggcn commented Nov 3, 2021

I hope to fix as soon as possible

@patricklodder
Member

I hope to fix as soon as possible

Fix is in #2666, and we're in the last stages of release preparation so this should be out real soon.

@CharesFang
Author

@CharesFang Thank you! I have manually back ported the fix from Bitcoin Core and have verified locally. Could you please let me know if this fix (#2666) is complete from your perspective?

It looks good. You can fix this vulnerability just as Bitcoin did.

@patricklodder
Member

#2666 is merged, will be released with 1.14.5 shortly.

1.14.5 automation moved this from In progress to Done Nov 4, 2021