spesmilo / electrum

Electrum Bitcoin Wallet
https://electrum.org
MIT License

Disable eval and exec inside the Electrum shell (Qt console) to reduce malware attacks on users #5933

Open CodeForcer opened 4 years ago

CodeForcer commented 4 years ago

Recently a user on Reddit reported that a Bitcoin mixing service asked them to run a suspicious command inside their Electrum shell. I investigated the command and discovered it was a wallet stealing malware: https://github.com/CodeForcer/bitmixer-scam-analysis

I would like to propose that Electrum disable the use of exec() and eval() in the shell. This won't eliminate these kinds of attacks but will make them slightly more difficult.

yakitorifoodie commented 4 years ago

Nice thought. What about os, subprocess, etc.?

SomberNight commented 4 years ago

what about os subprocess etc?

Indeed. Without exec/eval, you can still download code, save it to a file, and run it with os/subprocess.

import os
import subprocess
# Run a script saved on disk with the system interpreter. A list argv must not be
# combined with shell=True, and "~" is only expanded by a shell, so expand it here.
proc = subprocess.Popen(["python3", os.path.expanduser("~/scripts/test.py")], stdout=subprocess.PIPE)
(out, err) = proc.communicate()

Note: same scammers as in https://github.com/spesmilo/electrum/issues/5668

Related: https://github.com/spesmilo/electrum/issues/3678, see in particular https://github.com/spesmilo/electrum/issues/3678#issuecomment-356341594. It was because of that issue that the social engineering warning was added (https://github.com/spesmilo/electrum/pull/3700).

yakitorifoodie commented 4 years ago
proc = subprocess.Popen(["python3", "~/scripts/test.py"], stdout=subprocess.PIPE, shell=True)

In this one, the user needs to have Python installed, right?

SomberNight commented 4 years ago

In this one, the user needs to have Python installed, right?

Yes, although they could just run some commands to figure out the OS / CPU architecture, and download+run precompiled binaries.
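The thread's point is that removing eval/exec from a Python console does not stop code execution, while the social engineering warning from #3700 is the mitigation that actually helps. The following is an added example, not Electrum code, of a heuristic a console could use to decide when to show such a warning for a pasted command: it walks the AST of the input and reports calls to eval/exec/compile/__import__ and anything that resolves to os, subprocess or network modules, including through import aliases. The name lists and the `suspicious_constructs` function are constructed for this example.

```python
import ast

# Constructed heuristic, not Electrum code: flag constructs in pasted console
# input that match the "run this command" pattern from this issue. Blocking
# names cannot make a Python REPL safe, so this drives a warning, not a sandbox.
RISKY_CALLS = {"eval", "exec", "compile", "__import__"}
RISKY_MODULES = {"os", "subprocess", "urllib", "requests", "socket", "ctypes"}


def _root_name(node):
    """For a.b.c(...) return 'a'; for bare f(...) return 'f'; else None."""
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None


def suspicious_constructs(source: str) -> list:
    """Return human-readable findings for one console input ([] if clean)."""
    try:
        tree = ast.parse(source)
    except SyntaxError as e:
        return [f"line {e.lineno}: does not parse as Python"]

    # Pass 1: map local names back to their module, so that
    # "import subprocess as sp; sp.Popen()" and "from os import system" are caught.
    aliases = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]
                aliases[a.asname or top] = top
        elif isinstance(node, ast.ImportFrom) and node.module:
            for a in node.names:
                aliases[a.asname or a.name] = node.module.split(".")[0]

    # Pass 2: report imports of risky modules and calls that resolve to them.
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            findings += [f"line {node.lineno}: import of {a.name}"
                         for a in node.names if a.name.split(".")[0] in RISKY_MODULES]
        elif isinstance(node, ast.ImportFrom) and node.module:
            if node.module.split(".")[0] in RISKY_MODULES:
                findings.append(f"line {node.lineno}: import from {node.module}")
        elif isinstance(node, ast.Call):
            root = _root_name(node.func)
            if root in RISKY_CALLS:
                findings.append(f"line {node.lineno}: call to {root}()")
            elif root and aliases.get(root, root) in RISKY_MODULES:
                findings.append(f"line {node.lineno}: call to {ast.unparse(node.func)}()")
    return findings
```

A static check like this is only a prompt for the user to stop and think; string-built names, getattr tricks or a downloaded binary are not visible to it, which is exactly why the warning, not a blocklist, is the defence.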

ghost commented 4 years ago

This is basically a reiteration of the issue I reported, which got assigned CVE-2018-6353, nice try tho. https://github.com/spesmilo/electrum/issues/3678