
Potential Wallet Address Book Info Leakage #2672

Closed
yixiao5428 opened this issue Nov 5, 2021 · 3 comments · Fixed by #2673

@yixiao5428

Potential Wallet Address Book Info Leakage

Currently, dogecoin-qt stores wallet.dat unencrypted in memory. Upon a crash, it may dump a core file that can be used to reconstruct the user's wallet.dat, including the private keys.

This issue is originally reported by oxagast in Bitcoin issue #16824, and has been assigned CVE-2019-15947.

Specifically, we can first send a signal to crash dogecoin-qt, then grep for known parts of a wallet.dat in the .core dump file, e.g., xxd dogecoin-qt.core | grep "6231 0500". With this information, you can find the offset of the wallet within the core file, and reconstruct it per a known wallet.dat's length. Upon reloading the extracted wallet into dogecoin-qt, you'll lose address book information.

We have successfully reproduced this issue on Dogecoin, and the screenshot is attached. The terminal on the right side shows the original wallet.dat file and the terminal on the left side shows the reconstructed test.dat. We can see that they both contain the same address information.

[screenshot: original wallet.dat (right terminal) and reconstructed test.dat (left terminal) showing the same address information]

A possible solution is to use madvise here to avoid including sensitive information in core dumps.

For more information, please check the following pages:

Reported by de957ad9679f28a38f02f00cc7928bce8fb424882ff060a3c09c32895b1474cc.
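The report above describes two things: the carving step (grep a core file for the bytes `6231 0500`, then recover the wallet image from that offset) and the proposed mitigation (madvise). The following C program is an added example that is not code from the reporter, from the Dogecoin Core repository, or from the fix in #2673. It runs the carving step in-process over a constructed "core image", treating `62 31 05 00` as the little-endian Berkeley DB btree magic `0x00053162` and reading the page size from the DB meta-page header whose layout (lsn, pgno, magic, version, pagesize) is assumed from db.h. It then allocates a page-aligned secret buffer marked `MADV_DONTDUMP`, which tells the Linux kernel to leave the pages out of any core file, and confirms the hint took by looking for the `dd` VmFlag in `/proc/self/smaps`. All function names (`find_bdb_meta`, `secret_alloc`, `mapping_is_dontdump`, `build_fake_core`) are this example's own; it is Linux-only and the VmFlags check needs a kernel that exports that line.

```c
/* Added example (not Dogecoin Core code). Linux only: MADV_DONTDUMP and
 * /proc/self/smaps are Linux interfaces. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Berkeley DB btree magic; its little-endian bytes are 62 31 05 00. */
#define DB_BTREEMAGIC 0x053162u
/* Assumed DBMETA header layout from db.h: lsn[8] pgno[4] magic[4] version[4] pagesize[4] */
#define META_MAGIC_OFF    12
#define META_VERSION_OFF  16
#define META_PAGESIZE_OFF 20

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Part 1: the carving step. Scan `image` for a BDB btree meta page; on success
 * return the offset of the page start (magic offset minus 12) and store the
 * page size the header declares. Returns -1 if no meta page is present. */
long find_bdb_meta(const uint8_t *image, size_t len, uint32_t *pagesize) {
    for (size_t s = 0; s + META_PAGESIZE_OFF + 4 <= len; s++) {
        if (rd32le(image + s + META_MAGIC_OFF) == DB_BTREEMAGIC) {
            *pagesize = rd32le(image + s + META_PAGESIZE_OFF);
            return (long)s;
        }
    }
    return -1;
}

/* Constructed "core image" for the demo: deterministic filler with one fake
 * BDB meta page at offset 100 (format version 9, page size 4096). The filler
 * steps by 131 per byte, so it cannot contain the magic by accident. */
size_t build_fake_core(uint8_t *buf, size_t cap) {
    const size_t meta_at = 100;
    if (cap < meta_at + 64) return 0;
    for (size_t i = 0; i < cap; i++) buf[i] = (uint8_t)(i * 131 + 7);
    memset(buf + meta_at, 0, 64);                    /* lsn and pgno = 0 */
    wr32le(buf + meta_at + META_MAGIC_OFF, DB_BTREEMAGIC);
    wr32le(buf + meta_at + META_VERSION_OFF, 9);
    wr32le(buf + meta_at + META_PAGESIZE_OFF, 4096);
    return cap;
}

/* Part 2: the mitigation. Page-aligned anonymous memory for key material that
 * the kernel will not write into a core file (MADV_DONTDUMP) and, best effort,
 * will not swap out (mlock; RLIMIT_MEMLOCK may refuse, which is not fatal). */
void *secret_alloc(size_t len) {
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    if (madvise(p, len, MADV_DONTDUMP) != 0) { munmap(p, len); return NULL; }
    (void)mlock(p, len);
    return p;
}

/* Wipe through a volatile pointer so the compiler cannot drop the stores. */
void secret_free(void *p, size_t len) {
    volatile uint8_t *v = (volatile uint8_t *)p;
    for (size_t i = 0; i < len; i++) v[i] = 0;
    munmap(p, len);
}

/* Check: 1 if the mapping containing `addr` carries the "dd" VmFlag in
 * /proc/self/smaps, 0 if the mapping was found without it, -1 if smaps
 * could not be opened. */
int mapping_is_dontdump(const void *addr) {
    FILE *f = fopen("/proc/self/smaps", "r");
    if (!f) return -1;
    char line[512];
    int in_range = 0, result = 0;
    uintptr_t a = (uintptr_t)addr;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        if (sscanf(line, "%lx-%lx ", &lo, &hi) == 2) {   /* mapping header line */
            in_range = (a >= lo && a < hi);
            continue;
        }
        if (in_range && strncmp(line, "VmFlags:", 8) == 0) {
            result = strstr(line + 8, " dd") != NULL;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void) {
    uint8_t img[4096];
    uint32_t pagesize = 0;
    size_t n = build_fake_core(img, sizeof img);
    long off = find_bdb_meta(img, n, &pagesize);
    printf("meta page at offset %ld, page size %u\n", off, pagesize);

    void *key = secret_alloc(4096);
    if (!key) { perror("secret_alloc"); return 1; }
    memcpy(key, "hunter2", 8);                        /* stand-in for a private key */
    printf("dontdump flag set: %d\n", mapping_is_dontdump(key));
    secret_free(key, 4096);
    return 0;
}
```

The same `madvise(MADV_DONTDUMP)` call is what a C++ code base would wrap around the pages its secure allocator hands out for key material; the smaps check is the quickest way to confirm from inside the process that the kernel actually honoured the hint before trusting it in production.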

@rnicoll
Contributor

rnicoll commented Nov 5, 2021

As I was briefly confused why this was an issue, for others reading this later, the file on disk is encrypted and this allows extraction of unencrypted keys.

@patricklodder
Member

@yixiao5428 Thank you! Fix proposed with #2673.

@patricklodder patricklodder moved this from To do to In progress in 1.14.5 Nov 5, 2021
@patricklodder
Member

Fix has been merged!

1.14.5 automation moved this from In progress to Done Nov 7, 2021