Open yixiao5428 opened 2 years ago
bitcoin#15600 has been backported on July 13th, and will be included in 0.18 releases. IMO, this isn't a large enough concern to warrant a v0.17.0.4 release, as it requires local access to a running node.
This was backported in this commit: https://github.com/dashpay/dash/commit/8e8048e1c3a1ca1cf546128a59cab733d33c547a / this pr: https://github.com/dashpay/dash/pull/4251
Any other thoughts / concerns?
Since we sent this via the Bug Bounty Program (https://www.dash.org/bug-bounty/) and infosec@dash.org but got no reply, we are submitting the same issue here.
Potential Wallet Address Book Info Leakage
Currently, `dash-qt` stores `wallet.dat` unencrypted in memory. Upon a crash, it may dump a core file that can be used to reconstruct the user's `wallet.dat`, including the private keys. This issue was originally reported by oxagast in Bitcoin issue #16824, and has been assigned CVE-2019-15947.

Specifically, we can first send a signal to crash `dash-qt`, then `grep` for known parts of a `wallet.dat` in the `.core` dump file, e.g., `xxd dash-qt.core | grep "6231 0500"`. With this information, you can find the offset of the wallet within the core file, and reconstruct it per a known `wallet.dat`'s length. Upon reloading the extracted wallet into `dash-qt`, you'll lose address book information.

We have successfully reproduced this issue on Dash, and the screenshot is attached. The terminal on the right side shows the original `wallet.dat` file and the terminal on the left side shows the reconstructed `test.dat`. We can see that they both contain the same address information.

A possible solution is to use `madvise` here to avoid including sensitive information in core dumps.

For more information, please check the following pages:

Reported by de957ad9679f28a38f02f00cc7928bce8fb424882ff060a3c09c32895b1474cc.
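The `madvise` mitigation suggested in the report, as an added example that is not Dash Core's own code: a small page-granular secure allocator that marks its pages `MADV_DONTDUMP` (plus best-effort `mlock` and an explicit wipe on free), and a check that reads `/proc/self/smaps` to confirm the kernel recorded the `dd` (don't dump) flag on the mapping. It assumes Linux with glibc and a mounted `/proc`; all names are the example's own.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#ifndef MADV_DONTDUMP
#define MADV_DONTDUMP 16 /* Linux value, for older headers that lack it */
#endif

/* Round a request up to whole pages so the advice covers the entire buffer. */
size_t round_to_pages(size_t len) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    return (len + page - 1) / page * page;
}

/* Allocate a buffer that a core dump will omit (and, best effort, that is
 * never swapped out). Returns NULL on failure. */
void *secure_alloc(size_t len) {
    size_t mapped = round_to_pages(len);
    void *p = mmap(NULL, mapped, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return NULL;
    /* The security-relevant call: exclude these pages from core dumps. */
    if (madvise(p, mapped, MADV_DONTDUMP) != 0) { munmap(p, mapped); return NULL; }
    (void)mlock(p, mapped); /* may fail under a small RLIMIT_MEMLOCK; not fatal */
    return p;
}

/* Wipe before release; explicit_bzero is not optimised away like memset can be. */
void secure_free(void *p, size_t len) {
    size_t mapped = round_to_pages(len);
    if (!p) return;
    explicit_bzero(p, mapped);
    munlock(p, mapped);
    munmap(p, mapped);
}

/* Look up the mapping holding p in /proc/self/smaps and test its VmFlags.
 * Returns 1 if the "dd" flag is set, 0 if not, -1 if smaps is unavailable. */
int is_excluded_from_dump(const void *p) {
    FILE *f = fopen("/proc/self/smaps", "r");
    char line[512];
    unsigned long lo = 0, hi = 0, addr = (unsigned long)p;
    int in_range = 0;
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (sscanf(line, "%lx-%lx ", &lo, &hi) == 2) in_range = (addr >= lo && addr < hi);
        else if (in_range && strncmp(line, "VmFlags:", 8) == 0) { fclose(f); return strstr(line, " dd") != NULL; }
    }
    fclose(f); return -1;
}
```

Memory obtained this way still has to be the only place the key material lives: copies made by ordinary allocations or by the database layer are dumped as usual.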