summaryrefslogtreecommitdiff
path: root/11/0df123c614db8cf11d8c6db522200e9a51002c
blob: 4ba81bb77a757e9b8169c9575bbd0dee093c0994 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
Return-Path: <luke@dashjr.org>
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 3C0A2B88
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  8 Nov 2019 15:08:58 +0000 (UTC)
X-Greylist: from auto-whitelisted by SQLgrey-1.7.6
Received: from zinan.dashjr.org (zinan.dashjr.org [192.3.11.21])
	by smtp1.linuxfoundation.org (Postfix) with ESMTP id 98501196
	for <bitcoin-dev@lists.linuxfoundation.org>;
	Fri,  8 Nov 2019 15:08:57 +0000 (UTC)
Received: from [2001:470:5:265:a45d:823b:2d27:961c] (unknown
	[IPv6:2001:470:5:265:a45d:823b:2d27:961c])
	(Authenticated sender: luke-jr)
	by zinan.dashjr.org (Postfix) with ESMTPSA id 7F28038A0DEA;
	Fri,  8 Nov 2019 15:08:56 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dashjr.org; s=zinan;
	t=1573225736; bh=sQJC0SBQC8kfMYDwGhsOB+mIylFeToEYWhp24sRMBV4=;
	h=To:Subject:Cc:From:Date;
	b=oc2oc3oCIYcDt04oXqZ9z5YLyszTwbopa5cZlNDxjXVt4xIIn3msWpz7qvRjMSILD
	K+b+d4v9ugCe7+16pmmJ9j7F7RedNdL86Ft7IGt2sWYLza6Vli3gN4G0mZFzeJMJfK
	8O/8EGyBZq2jKh15EUkKxNjsmF84AcGc+zab9g6k=
To: bitcoin-dev@lists.linuxfoundation.org
Content-Disposition: inline
From: Luke Dashjr <luke@dashjr.org>
Date: Fri, 8 Nov 2019 15:07:36 +0000
MIME-Version: 1.0
Content-Type: text/plain;
  charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201911081507.40441.luke@dashjr.org>
X-Spam-Status: No, score=-4.3 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID, DKIM_VALID_AU, RCVD_IN_DNSWL_MED autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Cc: security@bitcoincore.org
Subject: [bitcoin-dev] CVE-2017-18350 disclosure
X-BeenThere: bitcoin-dev@lists.linuxfoundation.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Bitcoin Protocol Discussion <bitcoin-dev.lists.linuxfoundation.org>
List-Unsubscribe: <https://lists.linuxfoundation.org/mailman/options/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=unsubscribe>
List-Archive: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/>
List-Post: <mailto:bitcoin-dev@lists.linuxfoundation.org>
List-Help: <mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=help>
List-Subscribe: <https://lists.linuxfoundation.org/mailman/listinfo/bitcoin-dev>,
	<mailto:bitcoin-dev-request@lists.linuxfoundation.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2019 15:08:58 -0000

CVE-2017-18350 is a buffer overflow vulnerability which allows a malicious 
SOCKS proxy server to overwrite the program stack on systems with a signed 
`char` type (including common 32-bit and 64-bit x86 PCs).

The vulnerability was introduced in 60a87bce873ce1f76a80b7b8546e83a0cd4e07a5 
(SOCKS5 support) and first released in Bitcoin Core v0.7.0rc1 in 2012 Aug 27.
A fix was hidden in d90a00eabed0f3f1acea4834ad489484d0012372 ("Improve and 
document SOCKS code") released in v0.15.1, 2017 Nov 6.

To be vulnerable, the node must be configured to use such a malicious proxy in 
the first place. Note that using *any* proxy over an insecure network (such 
as the Internet) is potentially a vulnerability since the connection could be 
intercepted for such a purpose.

Upon a connection request from the node, the malicious proxy would respond 
with an acknowledgement of a different target domain name than the one
requested. Normally this acknowledgement is entirely ignored, but if the 
length uses the high bit (ie, a length 128-255 inclusive), it will be 
interpreted by vulnerable versions as a negative number instead. When the 
negative number is passed to the recv() system call to read the domain name, 
it is converted back to an unsigned/positive number, but at a much wider size 
(typically 32-bit), resulting in an effectively infinite read into and beyond 
the 256-byte dummy stack buffer.

To fix this vulnerability, the dummy buffer was changed to an explicitly 
unsigned data type, avoiding the conversion to/from a negative number.

Credit goes to practicalswift (https://twitter.com/practicalswift) for 
discovering and providing the initial fix for the vulnerability, and Wladimir 
J. van der Laan for a disguised version of the fix as well as general cleanup 
to the at-risk code.

Timeline:
- 2012-04-01: Vulnerability introduced in PR #1141.
- 2012-05-08: Vulnerability merged to master git repository.
- 2012-08-27: Vulnerability published in v0.7.0rc1.
- 2012-09-17: Vulnerability released in v0.7.0.
...
- 2017-09-21: practicalswift discloses vulnerability to security team.
- 2017-09-23: Wladimir opens PR #11397 to quietly fix vulernability.
- 2017-09-27: Fix merged to master git repository.
- 2017-10-18: Fix merged to 0.15 git repository.
- 2017-11-04: Fix published in v0.15.1rc1.
- 2017-11-09: Fix released in v0.15.1.
...
- 2019-06-22: Vulnerability existence disclosed to bitcoin-dev ML.
- 2019-11-08: Vulnerability details disclosure to bitcoin-dev ML.