From: LORD HIS EXCELLENCY JAMES HRMH
To: bitcoin-dev@lists.linuxfoundation.org, Luke Dashjr
Cc: security@bitcoincore.org
Date: Fri, 8 Nov 2019 17:03:02 +0000
Subject: Re: [bitcoin-dev] CVE-2017-18350 disclosure
In-Reply-To: <201911081507.40441.luke@dashjr.org>

It goes without saying that all privately known CVEs should be handled so professionally but, that is, well done team.

Regards,
LORD HIS EXCELLENCY JAMES HRMH



From: bitcoin-dev-bounces@lists.linuxfoundation.org <bitcoin-dev-bounces@lists.linuxfoundation.org> on behalf of Luke Dashjr via bitcoin-dev <bitcoin-dev@lists.linuxfoundation.org>
Sent: Saturday, 9 November 2019 2:07 AM
To: bitcoin-dev@lists.linuxfoundation.org <bitcoin-dev@lists.linuxfoundation.org>
Cc: security@bitcoincore.org <security@bitcoincore.org>
Subject: [bitcoin-dev] CVE-2017-18350 disclosure
 
CVE-2017-18350 is a buffer overflow vulnerability which allows a malicious
SOCKS proxy server to overwrite the program stack on systems with a signed
`char` type (including common 32-bit and 64-bit x86 PCs).

The vulnerability was introduced in 60a87bce873ce1f76a80b7b8546e83a0cd4e07a5
(SOCKS5 support) and first released in Bitcoin Core v0.7.0rc1 in 2012 Aug 27.
A fix was hidden in d90a00eabed0f3f1acea4834ad489484d0012372 ("Improve and
document SOCKS code") released in v0.15.1, 2017 Nov 6.

To be vulnerable, the node must be configured to use such a malicious proxy in
the first place. Note that using *any* proxy over an insecure network (such
as the Internet) is potentially a vulnerability since the connection could be
intercepted for such a purpose.

Upon a connection request from the node, the malicious proxy would respond
with an acknowledgement of a different target domain name than the one
requested. Normally this acknowledgement is entirely ignored, but if the length uses the high bit (i.e., a length 128-255 inclusive), it will be
interpreted by vulnerable versions as a negative number instead. When the negative number is passed to the recv() system call to read the domain name,
it is converted back to an unsigned/positive number, but at a much wider size
(typically 32-bit), resulting in an effectively infinite read into and beyond
the 256-byte dummy stack buffer.

To fix this vulnerability, the dummy buffer was changed to an explicitly unsigned data type, avoiding the conversion to/from a negative number.

Credit goes to practicalswift (https://twitter.com/practicalswift) for
discovering and providing the initial fix for the vulnerability, and Wladimir
J. van der Laan for a disguised version of the fix as well as general cleanup
to the at-risk code.

Timeline:
- 2012-04-01: Vulnerability introduced in PR #1141.
- 2012-05-08: Vulnerability merged to master git repository.
- 2012-08-27: Vulnerability published in v0.7.0rc1.
- 2012-09-17: Vulnerability released in v0.7.0.
...
- 2017-09-21: practicalswift discloses vulnerability to security team.
- 2017-09-23: Wladimir opens PR #11397 to quietly fix vulnerability.
- 2017-09-27: Fix merged to master git repository.
- 2017-10-18: Fix merged to 0.15 git repository.
- 2017-11-04: Fix published in v0.15.1rc1.
- 2017-11-09: Fix released in v0.15.1.
...
- 2019-06-22: Vulnerability existence disclosed to bitcoin-dev ML.
- 2019-11-08: Vulnerability details disclosed to bitcoin-dev ML.
_______________________________________________
bitcoin-dev mailing list
bitcoin-dev@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev
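The signed-char length conversion that the quoted disclosure describes, modelled as an added C example for readers of this thread; it is not Bitcoin Core's code, and the function names, the `ret_buf` buffer, the `DOMAIN_BUF_SIZE` constant and the constructed 144-byte sample reply are this example's own assumptions. It computes the length a signed-char buffer would hand to recv() for a SOCKS5 domain-length byte with the high bit set, the same length with the unsigned buffer type of the fix, and a bounds-checked parse of the domain field, so that the difference between "wraps to near SIZE_MAX" and "stays 144" is visible without any proxy or network.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added educational model of the integer-conversion bug described in the
 * disclosure; it is not Bitcoin Core's code. A SOCKS5 reply with ATYP=0x03
 * carries the bound address as <length byte><domain bytes>. The length byte
 * is 0..255 on the wire, but if it is stored in a plain `char` on a platform
 * where char is signed (x86), 128..255 reads back as -128..-1, and converting
 * that to the size_t parameter of recv() produces a value near SIZE_MAX.
 * Buffer names, function names and the sample reply are this example's own. */

#define DOMAIN_BUF_SIZE 256   /* the 256-byte dummy stack buffer from the disclosure */

/* Length a signed-char buffer hands to recv() for a given wire byte (the bug).
 * `signed char` is spelled out so the result matches x86 even when compiled
 * on a platform whose plain char is unsigned. The unsigned->signed conversion
 * is implementation-defined in C, but wraps on every mainstream compiler. */
size_t recv_len_signed_char(unsigned char wire_byte)
{
    signed char ret_buf[2];                 /* models the char[] reply buffer */
    ret_buf[1] = (signed char)wire_byte;    /* 0x90 becomes -112 */
    return (size_t)ret_buf[1];              /* -112 becomes SIZE_MAX - 111 */
}

/* Same computation after the fix: an unsigned buffer keeps 128..255 positive. */
size_t recv_len_unsigned_char(unsigned char wire_byte)
{
    unsigned char ret_buf[2];
    ret_buf[1] = wire_byte;
    return (size_t)ret_buf[1];              /* 0x90 stays 144 */
}

/* 1 when a recv() of `len` bytes would overrun a buffer of `cap` bytes. */
int read_would_overflow(size_t len, size_t cap)
{
    return len > cap;
}

/* Bounds-checked parse of the domain field. `reply` points at the length byte
 * (the bytes after VER/REP/RSV/ATYP); `reply_len` is how many bytes are
 * available. Copies the domain into `out` and returns its length, or -1 if the
 * input is truncated or the domain would not fit. */
int parse_socks5_domain(const unsigned char *reply, size_t reply_len,
                        unsigned char *out, size_t out_cap)
{
    if (reply_len < 1)
        return -1;
    size_t len = recv_len_unsigned_char(reply[0]);  /* 0..255, never negative */
    if (len > out_cap)            /* cannot happen with a 256-byte buffer; kept as defence in depth */
        return -1;
    if (reply_len - 1 < len)      /* do not read past the bytes we actually have */
        return -1;
    memcpy(out, reply + 1, len);
    return (int)len;
}

/* Constructed sample reply fragment: length byte 0x90 (144, high bit set)
 * followed by 144 'a' bytes. Built in memory; nothing touches the network. */
static unsigned char sample_reply[1 + 144];

const unsigned char *build_sample_reply(size_t *len_out)
{
    sample_reply[0] = 0x90;
    memset(sample_reply + 1, 'a', 144);
    *len_out = sizeof sample_reply;
    return sample_reply;
}

int main(void)
{
    size_t n;
    const unsigned char *reply = build_sample_reply(&n);
    unsigned char domain[DOMAIN_BUF_SIZE];

    printf("length byte 0x%02x via signed char   -> recv len %zu (overflow: %d)\n",
           reply[0], recv_len_signed_char(reply[0]),
           read_would_overflow(recv_len_signed_char(reply[0]), DOMAIN_BUF_SIZE));
    printf("length byte 0x%02x via unsigned char -> recv len %zu (overflow: %d)\n",
           reply[0], recv_len_unsigned_char(reply[0]),
           read_would_overflow(recv_len_unsigned_char(reply[0]), DOMAIN_BUF_SIZE));
    printf("bounds-checked parse returned %d\n",
           parse_socks5_domain(reply, n, domain, sizeof domain));
    return 0;
}
```

The two `recv_len_*` functions differ only in the buffer's element type, which is exactly the one-word change the disclosure credits as the fix; `parse_socks5_domain` adds the explicit length-versus-available-bytes check that makes a reply from an untrusted proxy safe to parse regardless of the platform's char signedness.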