| 1 | +--- |
| 2 | +title: CVE-2017-18350 Disclosure |
| 3 | +name: cve-2017-18350-disclosure |
| 4 | +id: en-2017-18350-disclosure |
| 5 | +lang: en |
| 6 | +type: posts |
| 7 | +layout: post |
| 8 | + |
| 9 | +## If this is a new post, reset this counter to 1. |
| 10 | +version: 1 |
| 11 | + |
| 12 | +## Only true if release announcement or security annoucement. English posts only |
| 13 | +announcement: 1 |
| 14 | + |
| 15 | +excerpt: > |
| 16 | + Disclosure of the details of CVE-2017-18350, a fix for which was |
| 17 | + released on November 6th, 2017 in Bitcoin Core version 0.15.1. |
| 18 | +--- |
| 19 | +{{page.excerpt}} |
| 20 | + |
| 21 | +Technical Details |
| 22 | +========== |
| 23 | +CVE-2017-18350 is a buffer overflow vulnerability which allows a malicious SOCKS proxy server to overwrite the program stack on systems with a signed `char` type (including common 32-bit and 64-bit x86 PCs). |
| 24 | + |
| 25 | +The vulnerability was introduced in [60a87bce873 (SOCKS5 support)](https://github.com/bitcoin/bitcoin/commit/60a87bce873ce1f76a80b7b8546e83a0cd4e07a5) and first released in Bitcoin Core v0.7.0rc1 in 2012 Aug 27. A fix was hidden in [d90a00eabed ("Improve and document SOCKS code")](https://github.com/bitcoin/bitcoin/commit/d90a00eabed0f3f1acea4834ad489484d0012372) released in v0.15.1, 2017 Nov 6. |
| 26 | + |
| 27 | +To be vulnerable, the node must be configured to use such a malicious proxy in the first place. Note that using *any* proxy over an insecure network (such as the Internet) is potentially a vulnerability since the connection could be intercepted for such a purpose. |
| 28 | + |
| 29 | +Upon a connection request from the node, the malicious proxy would respond with an acknowledgement of a different target domain name than the one requested. Normally this acknowledgement is entirely ignored, but if the length uses the high bit (ie, a length 128-255 inclusive), it will be interpreted by vulnerable versions as a negative number instead. When the negative number is passed to the recv() system call to read the domain name, it is converted back to an unsigned/positive number, but at a much wider size (typically 32-bit), resulting in an effectively infinite read into and beyond the 256-byte dummy stack buffer. |
| 30 | + |
| 31 | +To fix this vulnerability, the dummy buffer was changed to an explicitly unsigned data type, avoiding the conversion to/from a negative number. |
| 32 | + |
| 33 | +Attribution |
| 34 | +=========== |
| 35 | +Credit goes to [practicalswift](https://twitter.com/practicalswift) for discovering and providing the initial fix for the vulnerability, and Wladimir J. van der Laan for a disguised version of the fix as well as general cleanup to the at-risk code. |
| 36 | + |
| 37 | +Timeline |
| 38 | +======== |
| 39 | + |
| 40 | +- 2012-04-01: Vulnerability introduced in PR #1141. |
| 41 | +- 2012-05-08: Vulnerability merged to master git repository. |
| 42 | +- 2012-08-27: Vulnerability published in v0.7.0rc1. |
| 43 | +- 2012-09-17: Vulnerability released in v0.7.0. |
| 44 | +- ... |
| 45 | +- 2017-09-21: practicalswift discloses vulnerability to security team. |
| 46 | +- 2017-09-23: Wladimir opens PR #11397 to quietly fix vulnerability. |
| 47 | +- 2017-09-27: Fix merged to master git repository. |
| 48 | +- 2017-10-18: Fix merged to 0.15 git repository. |
| 49 | +- 2017-11-04: Fix published in v0.15.1rc1. |
| 50 | +- 2017-11-09: Fix released in v0.15.1. |
| 51 | +- ... |
| 52 | +- 2019-06-22: Vulnerability existence disclosed to bitcoin-dev ML. |
| 53 | +- 2019-11-08: Vulnerability details disclosure to bitcoin-dev ML. |
| 54 | + |
| 55 | +{% include references.md %} |
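Review bot: The release date for the fix is inconsistent within this post: the excerpt and the Technical Details section say v0.15.1 was released on November 6th, 2017, but the Timeline entry reads "2017-11-09: Fix released in v0.15.1." One of the two should be corrected so the announcement gives a single release date. Two smaller points in the same hunk: the front-matter comment "security annoucement" should read "security announcement", and the last timeline entry "Vulnerability details disclosure to bitcoin-dev ML" should be "Vulnerability details disclosed to bitcoin-dev ML" to match the wording of the entry above it.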