Author: Luke Dashjr 2019-11-08 15:07:36
Published on: 2019-11-08T15:07:36+00:00
A buffer overflow vulnerability, CVE-2017-18350, has been discovered in Bitcoin Core that could allow a malicious SOCKS proxy server to overwrite the program stack on systems with a signed `char` type. The vulnerability was introduced in 2012 and first released in Bitcoin Core v0.7.0rc1 in August of that year. A fix was released in November 2017 in version v0.15.1, hidden within a code improvement.

To be vulnerable, a node must be configured to use a malicious proxy server. The vulnerability arises when the node makes a connection request through the proxy and the malicious proxy responds with an acknowledgment naming a different target domain than the one requested. In the SOCKS5 reply, the domain name is preceded by a one-byte length field. If that length has the high bit set (128 to 255), vulnerable versions read it out of a signed `char` buffer and interpret it as a negative number. When the negative number is passed on to the recv() system call as the read length, it is converted back to an unsigned/positive number of a much wider type (size_t), resulting in an effectively infinite read into and beyond the 256-byte dummy stack buffer.

The fix changed the dummy buffer to an explicitly unsigned data type, so the length byte is never converted to or from a negative number. Practicalswift discovered the vulnerability and provided an initial fix, while Wladimir J. van der Laan created a disguised version of the fix, together with a general cleanup of the surrounding code.

Timeline: The vulnerability was introduced in April 2012 and merged to the master git repository in May of that year. It was published in v0.7.0rc1 in August 2012 and released in v0.7.0 in September of that year. In September 2017, practicalswift disclosed the vulnerability to the security team, and a fix was quietly initiated by Wladimir. The fix was merged to the master git repository in September 2017 and to the 0.15 git repository in October of that year. The fix was published in v0.15.1rc1 in November 2017 and released in v0.15.1. Finally, the existence of the vulnerability was disclosed to the bitcoin-dev mailing list in June 2019, and the vulnerability details were disclosed to the bitcoin-dev mailing list in November 2019.
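The sign-conversion chain described above, as an added example that is not part of the original advisory or of Bitcoin Core. The buffer names `pchRet2`/`pchRet3` and the functions `Socks5()` and `InterruptibleRecv()` refer to Bitcoin Core's netbase.cpp, but the parsing below is a simplified model of that code, not a copy of it; `bounded_recv()`, `build_reply()`, `demo_parse()`, `demo_domain_len()` and the constructed proxy replies are this example's own. The vulnerable length computation uses `signed char` explicitly so that it behaves like `char` on a signed-char ABI (x86) wherever it is compiled, and the stand-in for recv() refuses any request larger than the stack buffer, so the overflow is detected rather than performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pre-fix length computation: the length byte was read into `char pchRet3[256]`,
 * then `int nRecv = pchRet3[0];` was passed to InterruptibleRecv(char*, size_t, ...).
 * `signed char` models `char` on a signed-char ABI; on two's-complement
 * compilers the cast of 0xC8 wraps to -56. */
size_t vulnerable_domain_len(uint8_t len_byte)
{
    signed char pchRet3_0 = (signed char)len_byte; /* 0xC8 -> -56 */
    int nRecv = pchRet3_0;                         /* -56 */
    return (size_t)nRecv;                          /* SIZE_MAX - 55 */
}

/* The same computation after the v0.15.1 fix made the buffer unsigned. */
size_t fixed_domain_len(uint8_t len_byte)
{
    uint8_t pchRet3_0 = len_byte; /* 0xC8 -> 200 */
    int nRecv = pchRet3_0;        /* 200 */
    return (size_t)nRecv;         /* 200 */
}

typedef enum { PARSE_OK, PARSE_SHORT, PARSE_BAD_REPLY, PARSE_OVERSIZED_READ } parse_result;

/* Stand-in for InterruptibleRecv() (this example's own helper): copies `want`
 * bytes of an in-memory reply into `dst`. The real function keeps calling
 * recv() into the fixed stack buffer; this one refuses anything above `cap`. */
static parse_result bounded_recv(uint8_t *dst, size_t cap, size_t want,
                                 const uint8_t *src, size_t src_len, size_t *pos)
{
    if (want > cap) return PARSE_OVERSIZED_READ;
    if (*pos + want > src_len) return PARSE_SHORT;
    memcpy(dst, src + *pos, want);
    *pos += want;
    return PARSE_OK;
}

/* Simplified model of the ATYP=0x03 (domain name) branch of Socks5(): 4-byte
 * header, 1-byte length, then `length` bytes of name. `hardened` selects the
 * post-fix length computation; *domain_len receives the bytes consumed. */
parse_result parse_socks5_reply(const uint8_t *reply, size_t reply_len,
                                bool hardened, size_t *domain_len)
{
    uint8_t pchRet2[4];
    uint8_t pchRet3[256]; /* the 256-byte dummy stack buffer from the advisory */
    size_t pos = 0;
    parse_result r = bounded_recv(pchRet2, sizeof pchRet2, 4, reply, reply_len, &pos);
    if (r != PARSE_OK) return r;
    if (pchRet2[0] != 0x05 || pchRet2[1] != 0x00 || pchRet2[3] != 0x03) return PARSE_BAD_REPLY;
    r = bounded_recv(pchRet3, sizeof pchRet3, 1, reply, reply_len, &pos);
    if (r != PARSE_OK) return r;
    size_t want = hardened ? fixed_domain_len(pchRet3[0]) : vulnerable_domain_len(pchRet3[0]);
    r = bounded_recv(pchRet3, sizeof pchRet3, want, reply, reply_len, &pos);
    if (r != PARSE_OK) return r;
    if (domain_len) *domain_len = want;
    return PARSE_OK;
}

/* Builds a constructed SOCKS5 CONNECT reply (not a captured packet): header,
 * the given length byte, that many filler name bytes, then a 2-byte port.
 * Returns the reply length, or 0 if `out` is too small. */
size_t build_reply(uint8_t *out, size_t cap, uint8_t len_byte)
{
    size_t total = 4 + 1 + (size_t)len_byte + 2;
    if (cap < total) return 0;
    out[0] = 0x05; out[1] = 0x00; out[2] = 0x00; out[3] = 0x03;
    out[4] = len_byte;
    memset(out + 5, 'a', len_byte);
    out[5 + len_byte] = 0x00; out[6 + len_byte] = 0x50; /* BND.PORT 80 */
    return total;
}

/* Builds a reply with the given length byte and parses it. */
parse_result demo_parse(uint8_t len_byte, bool hardened, size_t *domain_len)
{
    uint8_t reply[4 + 1 + 255 + 2];
    size_t n = build_reply(reply, sizeof reply, len_byte);
    return parse_socks5_reply(reply, n, hardened, domain_len);
}

/* Domain-name bytes consumed for the given length byte, or 0 when parsing fails. */
size_t demo_domain_len(uint8_t len_byte, bool hardened)
{
    size_t got = 0;
    return demo_parse(len_byte, hardened, &got) == PARSE_OK ? got : 0;
}

int main(void)
{
    printf("0xC8 as length: vulnerable=%zu fixed=%zu\n",
           vulnerable_domain_len(0xC8), fixed_domain_len(0xC8));
    parse_result pre = demo_parse(0xC8, false, NULL);
    printf("len 0xC8, pre-fix : result=%d (3 = oversized read)\n", pre);
    printf("len 0xC8, post-fix: domain_len=%zu\n", demo_domain_len(0xC8, true));
    printf("len 0x0B, pre-fix : domain_len=%zu\n", demo_domain_len(0x0B, false));
    return 0;
}
```

A length byte below 128 parses identically in both versions, which is why ordinary proxies never triggered the bug; only a proxy that deliberately sets the high bit reaches the negative-to-size_t conversion.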
Updated on: 2023-05-20T21:07:17.073935+00:00