To: bitcoin-dev@lists.linuxfoundation.org
From: Luke Dashjr <luke@dashjr.org>
Date: Fri, 22 Nov 2019 17:13:14 +0000
Message-Id: <201911221713.14678.luke@dashjr.org>
Cc: security@bitcoincore.org
Subject: [bitcoin-dev] CVE-2018-20586 disclosure (log injection vulnerability)

CVE-2018-20586 is a log injection vulnerability which allows any software with 
access to the RPC port to create fake or confusing entries in the debug log. 
Valid authentication (username/password/cookie) for the RPC service is NOT 
required to exploit this vulnerability, only the ability to connect to the 
RPC port (which is by default only exposed to the local machine).

The vulnerability was introduced in 40b556d3742a1f65d67e2d4c760d0b13fe8be5b7 
("libevent-based http server") and first released in Bitcoin Core v0.12.0rc1 
on 2016 Jan 13. A fix was hidden in 79358817e53ac0a7afa64c747115d492a74e3155 
("rpc: Make HTTP RPC debug logging more informative"), released in v0.17.1 
on 2018 Dec 22.

For a node to be exploitable, the malicious software must either be running 
on the same machine as the node, be able to proxy connections to the node via 
the local machine, or the node must be configured to accept RPC connections 
from a network the attacker can reach. Additionally, a human user must read 
the debug log and act on or otherwise believe the injected data in a way that 
is somehow harmful.

Because the node would log the arbitrary POST request from any connection, an 
attacker can add nearly any content to the request to inject it into the log. 
To ensure their entire request is injected, standard spaces would need to be 
replaced with alternative whitespace characters, and newlines would need to 
become other control characters (such as "\r\v"). Because the injected data 
must use such non-standard characters, it is unlikely to fool other software 
parsing the debug log; only a human visually reading it is likely to be misled.

To fix this vulnerability, POST requests are now sanitised before being 
logged, removing all characters that shouldn't be in an ordinary POST 
request.
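The sanitise-before-logging approach described above, as an added example that is not Bitcoin Core's own code nor the code of PR #14618: an allow-list sanitiser that replaces control characters (including the "\r\v" pairs mentioned) with a visible placeholder and caps the logged length. The allow-list contents, the '?' placeholder and the 100-byte cap are assumptions chosen for this example.

```cpp
#include <cstddef>
#include <iostream>
#include <string>

// Added example, not Bitcoin Core's code: an allow-list sanitiser for request
// data that is about to be written to a log. The allow-list below and the
// 100-byte cap are assumptions chosen for this example.
static const std::string kSafeUriChars =
    "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "-._~:/?#[]@!$&'()*+,;=%";

// True if the string carries any byte that could break a log line:
// ASCII control characters (including \r, \v, \t, NUL) or DEL.
bool HasControlChars(const std::string& s)
{
    for (unsigned char c : s) {
        if (c < 0x20 || c == 0x7f) return true;
    }
    return false;
}

// Replace every byte outside the allow-list with '?' so the reader can see
// that something was removed, and cap the length so an oversized request
// cannot flood the log.
std::string SanitizeForLog(const std::string& input, std::size_t max_len = 100)
{
    std::string out;
    out.reserve(input.size());
    for (unsigned char c : input) {
        if (out.size() >= max_len) break;
        const bool safe =
            kSafeUriChars.find(static_cast<char>(c)) != std::string::npos;
        out.push_back(safe ? static_cast<char>(c) : '?');
    }
    return out;
}

int main()
{
    // Constructed request line: a \r\v pair followed by text that would look
    // like a separate, timestamped log entry if it were written verbatim.
    const std::string raw = "/ HTTP/1.1\r\v2019-11-22T17:13:14Z fake entry";
    std::cout << "raw has control chars:       " << HasControlChars(raw) << "\n";
    std::cout << "sanitised:                   " << SanitizeForLog(raw) << "\n";
    std::cout << "sanitised has control chars: "
              << HasControlChars(SanitizeForLog(raw)) << "\n";
    return 0;
}
```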

Credit goes to practicalswift (https://twitter.com/practicalswift) for 
discovering and fixing the vulnerability.

Timeline:
- 2015-01-18: Vulnerability introduced in PR #5677.
- 2015-09-04: Vulnerability merged to master git repository.
- 2016-01-13: Vulnerability published in v0.12.0rc1.
- 2016-02-18: Vulnerability released in v0.12.0.
...
- 2018-10-25: practicalswift discloses vulnerability to security team.
- 2018-10-31: practicalswift opens PR #14618 to quietly fix vulnerability.
- 2018-11-05: Fix merged to master git repository.
- 2018-11-30: Fix merged to 0.17 git repository.
- 2018-12-07: Fix published in v0.17.1rc1.
- 2018-12-22: Fix released in v0.17.1.
...
- 2019-06-22: Vulnerability existence disclosed to bitcoin-dev ML.
- 2019-11-22: Vulnerability details disclosed to bitcoin-dev ML.