dashpay / dash

Dash - Reinventing Cryptocurrency
https://www.dash.org
MIT License

Potential Wallet Address Book Info Leakage #4579

Open yixiao5428 opened 2 years ago

yixiao5428 commented 2 years ago

Since we've sent this by the Bug Bounty Program https://www.dash.org/bug-bounty/ and infosec@dash.org but got no reply, we submit the same issue here.

Potential Wallet Address Book Info Leakage

Currently, dash-qt stores wallet.dat unencrypted in memory. Upon a crash, it may dump a core file that can be used to reconstruct the user's wallet.dat, including the private keys.

This issue was originally reported by oxagast in Bitcoin issue #16824, and has been assigned CVE-2019-15947.

Specifically, we can first send a signal to crash dash-qt, then grep for known parts of a wallet.dat in the .core dump file, e.g., xxd dash-qt.core | grep "6231 0500". With this information, you can find the offset of the wallet within the core file, and reconstruct it per a known wallet.dat's length. Upon reloading the extracted wallet into dash-qt, you'll lose address book information.

We have successfully reproduced this issue on Dash, and the screenshot is attached. The terminal on the right side shows the original wallet.dat file and the terminal on the left side shows the reconstructed test.dat. We can see that they both contain the same address information.


A possible solution is to use madvise here to avoid including sensitive information in core dumps.

For more information, please check the following pages:

Reported by de957ad9679f28a38f02f00cc7928bce8fb424882ff060a3c09c32895b1474cc.
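The mitigation the report points at, excluding a secret-holding memory region from core dumps with madvise, as an added example that is not part of this issue and not Dash or Bitcoin Core code. The region type `secure_region` and the functions `secure_alloc`, `secure_wipe`, `secure_free` and `all_zero` are hypothetical names chosen here; `MADV_DONTDUMP` is the Linux flag (kernel 3.4 and later), so the code reports whether it could be applied instead of assuming it. The 32-byte `fake_key` is a constructed sample value, not real key material.

```c
/* Added example: page-aligned secret storage that is kept out of swap and
   excluded from core dumps. Hypothetical helper names; not Dash code. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

typedef struct {
    unsigned char *ptr;      /* start of the anonymous mapping */
    size_t len;              /* mapping length, rounded up to whole pages */
    int locked;              /* 1 if mlock() succeeded (pages stay out of swap) */
    int excluded_from_dump;  /* 1 if madvise(MADV_DONTDUMP) was applied */
} secure_region;

/* Map a fresh region for secrets, lock it, and mark it DONTDUMP.
   Returns 0 on success, -1 if the mapping itself could not be created. */
int secure_alloc(secure_region *r, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0 || want == 0) return -1;
    size_t len = ((want + (size_t)page - 1) / (size_t)page) * (size_t)page;
    void *p = mmap(NULL, len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    r->ptr = p;
    r->len = len;
    /* Best effort: mlock can fail under RLIMIT_MEMLOCK; the region is still usable. */
    r->locked = (mlock(p, len) == 0);
#ifdef MADV_DONTDUMP
    /* The actual mitigation: the kernel skips these pages when writing a core file. */
    r->excluded_from_dump = (madvise(p, len, MADV_DONTDUMP) == 0);
#else
    r->excluded_from_dump = 0;  /* platform lacks the flag; region would still be dumped */
#endif
    return 0;
}

/* Zero the region through a volatile pointer so the compiler cannot drop the wipe
   as a dead store before the unmap. */
void secure_wipe(secure_region *r) {
    volatile unsigned char *v = r->ptr;
    for (size_t i = 0; i < r->len; i++) v[i] = 0;
}

/* Returns 1 if every byte of the region is zero, else 0. */
int all_zero(const secure_region *r) {
    for (size_t i = 0; i < r->len; i++)
        if (r->ptr[i] != 0) return 0;
    return 1;
}

/* Wipe, unlock and unmap. Returns munmap's result (0 on success). */
int secure_free(secure_region *r) {
    if (!r->ptr) return -1;
    secure_wipe(r);
    if (r->locked) munlock(r->ptr, r->len);
    int rc = munmap(r->ptr, r->len);
    r->ptr = NULL;
    r->len = 0;
    return rc;
}

int main(void) {
    /* Constructed sample bytes standing in for a private key; not a real key. */
    static const unsigned char fake_key[32] = {
        0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88,
        0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff, 0x00,
        0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
        0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10 };
    secure_region r;
    if (secure_alloc(&r, sizeof fake_key) != 0) {
        perror("secure_alloc");
        return 1;
    }
    memcpy(r.ptr, fake_key, sizeof fake_key);
    printf("region: %zu bytes, locked=%d, excluded_from_dump=%d\n",
           r.len, r.locked, r.excluded_from_dump);
    return secure_free(&r) == 0 ? 0 : 1;
}
```

The flag only covers memory the program explicitly routes through such a region, so it has to be applied wherever key material is held (the backported Bitcoin change does this inside the locked-page allocator); plain heap copies of the secret made elsewhere are still dumped. A process-wide alternative for a wallet host is to disable core dumps entirely (RLIMIT_CORE of 0 or `fs.suid_dumpable`), which trades debuggability for coverage of every allocation.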

PastaPastaPasta commented 2 years ago

bitcoin#15600 was backported on July 13th, and will be included in 0.18 releases. IMO, this isn't a large enough concern to warrant a v0.17.0.4 release, as it requires local access to a running node.

This was backported in this commit: https://github.com/dashpay/dash/commit/8e8048e1c3a1ca1cf546128a59cab733d33c547a / this pr: https://github.com/dashpay/dash/pull/4251

Any other thoughts / concerns?