Feathercoin ships a vulnerable version of the zeromq dependency, which puts users who have this feature enabled at risk of the remote code execution bug tracked as CVE-2019-6250.
This bug can also be triggered by a malicious website talking to localhost through a browser running on the same computer as a full node with zeromq enabled, using a "DNS rebinding attack". Many automated tools for performing these attacks now exist, some written by Google Project Zero researchers.
Many block explorers and mining pools use zeromq and are particularly at risk. Exchanges may also have this feature enabled. This vulnerability can lead to exfiltration of private keys, loss of funds and potentially backdooring of servers.
Example Scenarios
Remote Node attack
Several Unix user accounts exist on the same server as an FTC full node with zeromq enabled
An unprivileged user on that machine is compromised
The attacker uses CVE-2019-6250 against zeromq over localhost to steal wallet.dat, leave a backdoor, etc.
Local Node attack
A developer runs a development/testing build of a zeromq-enabled FTC full node on localhost
The developer browses to a malicious website
The website uses a DNS rebinding attack to communicate directly with zeromq
The website uses CVE-2019-6250 to steal all funds and leave a backdoor, etc.
Any application that uses an FTC node with zeromq enabled is exposed.
All versions of zeromq from 4.2.0 through 4.3.0 are vulnerable and 4.3.1 contains the fix, so this Pull Request upgrades FTC's zeromq dependency to 4.3.1, bringing FTC in sync with BTC upstream.
Block explorers and mining pools should be updated to this new dependency, as should any other application that enables zeromq. Changing configurations to add authentication to zeromq, and specifically to stop trusting every connection from localhost, is also highly encouraged: both scenarios above reach zeromq over localhost, so binding the endpoint to 127.0.0.1 on its own does not close them.
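The following audit script is an added example for the two remediation steps above (check the linked libzmq version, then review which zmq endpoints the node exposes); it is not Feathercoin project code. It assumes the vulnerable range 4.2.0 through 4.3.0 stated above, assumes the node's config uses the Bitcoin Core option names zmqpubhashblock, zmqpubhashtx, zmqpubrawblock and zmqpubrawtx (FTC tracks BTC upstream; confirm against your build), and the sample feathercoin.conf it embeds is constructed for illustration.

```python
"""Audit helpers for the zeromq exposure discussed above.

Added example, not Feathercoin project code. Assumptions:
  * the vulnerable libzmq range is 4.2.0 through 4.3.0 inclusive, fixed in
    4.3.1 (the range stated in the advisory);
  * the node config uses the Bitcoin Core option names zmqpubhashblock,
    zmqpubhashtx, zmqpubrawblock and zmqpubrawtx (verify for your build);
  * SAMPLE_CONF below is constructed for illustration only.
"""
import re

VULN_MIN = (4, 2, 0)
VULN_MAX = (4, 3, 0)  # 4.3.1 carries the fix, so it is excluded

ZMQ_PUB_KEYS = {"zmqpubhashblock", "zmqpubhashtx", "zmqpubrawblock", "zmqpubrawtx"}
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}
WILDCARD_HOSTS = {"*", "0.0.0.0", "::"}

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")
_ENDPOINT_RE = re.compile(r"^(?P<scheme>[a-z]+)://(?P<rest>.+)$")


def parse_version(text):
    """Turn '4.3.1' (or '4.3.1-dev') into the tuple (4, 3, 1)."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised libzmq version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def zmq_version_vulnerable(version):
    """True if this libzmq release lies in the CVE-2019-6250 range."""
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def installed_zmq_version():
    """Version of the libzmq that pyzmq links against, or None if pyzmq is
    not installed. Caveat: a node binary may be linked against a different
    copy (e.g. one built under depends/), so check the library the node
    itself was built with."""
    try:
        import zmq  # optional; the rest of this file works without it
    except ImportError:
        return None
    return zmq.zmq_version()


def _endpoint_host(rest):
    """Extract the host part of 'host:port' or '[v6addr]:port'."""
    if rest.startswith("["):
        return rest[1:rest.index("]")]
    return rest.rsplit(":", 1)[0]


def classify_endpoint(endpoint):
    """Classify a zmq endpoint by who can reach it:
    'ipc'    filesystem socket, reach governed by file permissions
    'all'    bound to every interface, reachable from the network
    'remote' bound to a specific non-loopback address
    'local'  loopback only; still reachable by any local user and by a
             browser on the same host (the DNS rebinding scenario above)
    """
    m = _ENDPOINT_RE.match(endpoint.strip())
    if not m:
        return "unknown"
    scheme, rest = m.group("scheme"), m.group("rest")
    if scheme == "ipc":
        return "ipc"
    if scheme != "tcp":
        return "unknown"
    host = _endpoint_host(rest).lower()
    if host in WILDCARD_HOSTS:
        return "all"
    if host in LOOPBACK_HOSTS:
        return "local"
    return "remote"


def audit_zmq_conf(conf_text):
    """Return one dict per zmqpub* line: key, endpoint and exposure class."""
    findings = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        key, sep, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if sep and key in ZMQ_PUB_KEYS:
            findings.append({"key": key, "endpoint": value,
                             "exposure": classify_endpoint(value)})
    return findings


SAMPLE_CONF = """\
# constructed sample feathercoin.conf, not a real deployment
server=1
zmqpubhashblock=tcp://127.0.0.1:28332
zmqpubrawtx=tcp://0.0.0.0:28333   # reachable from any host
zmqpubhashtx=tcp://*:28334
zmqpubrawblock=ipc:///tmp/ftc-blocks.sock
"""


def report(version, conf_text):
    """Is the library in the vulnerable range, and which endpoints are
    reachable beyond loopback?"""
    exposed = [f for f in audit_zmq_conf(conf_text)
               if f["exposure"] in ("all", "remote")]
    return {"library_vulnerable": zmq_version_vulnerable(version),
            "network_exposed_endpoints": [f["endpoint"] for f in exposed]}


if __name__ == "__main__":
    ver = installed_zmq_version() or "4.2.5"  # constructed fallback value
    print(report(ver, SAMPLE_CONF))
```

Endpoints classified "local" are not safe by themselves: the scenarios above reach zeromq over localhost, so a "local" result only means the network-wide exposure is absent.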
A bounty would be greatly appreciated at this address:
6ftVd853MeJREn5zCxC9adchEiaeFUdhPV
and will help fund my future security research in FTC.
My GPG keys can be obtained from Keybase if desired.
Thanks, Duke Leto