Author: <github.com/tintinweb>
Ref: https://github.com/tintinweb/pub/tree/master/pocs/nocve-2016-ethereum_mist_browser
Version: 0.4
Date: Oct 26th, 2016
Tag: ethereum mist browser arbitrary command execution file read write delete
and information disclosure
Name: mist
Vendor: ethereum/mist
References: * https://github.com/ethereum/mist [1]
Version: 0.8.6 Beta [2]
Latest Version: 0.8.7 Beta [2]
Other Versions: <= 0.8.6 Beta
Platform(s): cross
Technology: electron js
Vuln Classes: CWE-932, CWE-200
Origin: remote
Min. Privs.: ---
CVE: CVE-xxxx-xxx
Quote from the website [1]:
The Mist browser is the tool of choice to browse and use Ðapps.
// PoC: https://tintinweb.github.io/pub/pocs/nocve-2016-ethereum_mist_browser/
The Ethereum Mist application ships with an integrated web browser that allows easy interaction with third-party Ðapps. This browser fails to properly protect the mist API it exposes to pages (backed by electron.shell), allowing a remote website to perform the following actions in the context of the Mist process without the user's consent:
- execute arbitrary commands (Windows and macOS only)
- delete arbitrary files
- create/overwrite and read arbitrary shortcuts/links (Windows only)
- de-anonymize the user in anonymous (unconnected) mode by leaking the main Ethereum address (coinbase), including its balance, and the Mist application directory (which leaks the username on Windows) to the Ðapp/website
This leads to at least the following attack scenarios:
(the client gets tricked or redirected (DNS, MitM, ...) or simply browses a malicious website with Mist ...)
- [high risk, high impact] a malicious website executes a series of commands to download and execute a reverse shell. This is the worst case: the website completely takes over the client application, steals keys, installs a keylogger, ...
- [high risk, high impact] (Windows) a malicious website overwrites shortcut links to point to a different target, executing arbitrary commands the next time the link is opened (e.g. planting a reverse shell, see the previous scenario)
- [high risk, high impact] a malicious website deletes arbitrary files (the platform and local path are leaked; the operation runs with the permissions of the Mist process)
- [med risk, med impact] a malicious website de-anonymizes the user via information leaked through the mist/web3 API, even though Mist suggests that the Ðapp is being browsed anonymously. The leaked coinbase and the Mist application path may allow the Windows username to be inferred.
Again, all of this is possible without user consent.
Besides that, Mist ...
- does not warn when connecting to Ðapps/websites over insecure transports, leaving Mist vulnerable to MitM/injection/passive sniffing attacks
- does not protect known critical sites like wallet.ethereum.org by enforcing a secure transport (HSTS)
- relies on a web-hosted default wallet (wallet.ethereum.com) that is effectively a single point of compromise for the majority of all ether holders: hack that site, own many peers.
and the wallet.ethereum.com Ðapp ...
- does not protect against framing attacks, allowing scenarios like clickjacking
- has no way of proving that it has not been tampered with (do we really trust that code?)
see attached PoC - MistPwn / index.html / PoC [7]
Create Link:      [Win]             mist.shell.writeShortcutLink(path, "create", {target: target})
Read Link:        [Win]             mist.shell.readShortcutLink(path)
Delete File:      [Win][Mac][Linux] mist.shell.moveItemToTrash(path)
Execute Command:  [Win][Mac]        mist.shell.openItem
                  [Win]             mist.shell.openExternal
Information Leak: [Win][Mac][Linux] mist.dirname, web3.eth.coinbase, and others leaking sync status and platform details
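The following is an added example, not code from the original advisory or from the Mist project: a read-only audit of the globals a Mist 0.8.x Ðapp page sees, in the spirit of the MistPwn PoC. It only inspects the injected objects and never calls the dangerous methods, so it can be run in a real Mist window as auditMistGlobals(window.mist, window.web3). The fakeMist/fakeWeb3 objects, the path and the address are constructed stand-ins so the file also runs under plain Node.

```javascript
// Added example (not part of the original advisory or the Mist code base):
// read-only audit of the mist/web3 globals, modelled on the MistPwn checks.
// Nothing below invokes a mist.shell method; it only tests for presence.

// mist.shell methods the advisory lists as reachable without consent,
// mapped to the impact class they carry.
const DANGEROUS_SHELL_METHODS = {
  openItem: 'code exec',           // [Win][Mac]
  openExternal: 'code exec',       // [Win]
  moveItemToTrash: 'delete',       // [Win][Mac][Linux]
  writeShortcutLink: 'write link', // [Win]
  readShortcutLink: 'read link',   // [Win]
};

// Recover the Windows account name from a leaked app path such as
// C:\Users\<user>\AppData\Local\Mist\app-0.8.6\resources\app.asar
function inferWindowsUsername(dirname) {
  if (typeof dirname !== 'string') return null;
  const m = /^[A-Za-z]:\\Users\\([^\\]+)\\/.exec(dirname);
  return m ? m[1] : null;
}

// Returns a list of {kind, api, value?} findings; never invokes anything.
function auditMistGlobals(mist, web3) {
  const findings = [];
  const shell = mist && mist.shell;
  if (shell) {
    for (const [name, kind] of Object.entries(DANGEROUS_SHELL_METHODS)) {
      if (typeof shell[name] === 'function') {
        findings.push({ kind, api: `mist.shell.${name}` });
      }
    }
  }
  if (mist && typeof mist.dirname === 'string') {
    findings.push({ kind: 'info-leak', api: 'mist.dirname', value: mist.dirname });
    const user = inferWindowsUsername(mist.dirname);
    if (user) {
      findings.push({ kind: 'info-leak', api: 'mist.dirname (username)', value: user });
    }
  }
  const coinbase = web3 && web3.eth && web3.eth.coinbase;
  if (typeof coinbase === 'string' && coinbase.length > 0) {
    findings.push({ kind: 'info-leak', api: 'web3.eth.coinbase', value: coinbase });
  }
  return findings;
}

// Roll the findings up into the three headline questions MistPwn answers.
function summarize(findings) {
  const kinds = new Set(findings.map((f) => f.kind));
  return {
    codeExec: kinds.has('code exec'),
    fileOps: kinds.has('delete') || kinds.has('write link') || kinds.has('read link'),
    infoLeak: kinds.has('info-leak'),
  };
}

// Constructed stand-ins for what a vulnerable Mist injects. Values are made up;
// in a real page use window.mist and window.web3 instead.
const fakeMist = {
  dirname: 'C:\\Users\\alice\\AppData\\Local\\Mist\\app-0.8.6\\resources\\app.asar',
  shell: {
    openItem() { throw new Error('the audit must never call this'); },
    openExternal() { throw new Error('the audit must never call this'); },
    moveItemToTrash() { throw new Error('the audit must never call this'); },
    writeShortcutLink() { throw new Error('the audit must never call this'); },
    readShortcutLink() { throw new Error('the audit must never call this'); },
  },
};
const fakeWeb3 = { eth: { coinbase: '0x0000000000000000000000000000000000000001' } };

function runDemoAudit() {
  return auditMistGlobals(fakeMist, fakeWeb3);
}
```

A Mist build that no longer injects mist.shell yields no 'code exec' or file-operation findings from this audit, while the dirname and coinbase leaks are reported independently of the shell surface.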
Prerequisites:
- Mist / Browser -> navigate to https://tintinweb.github.io/pub/pocs/nocve-2016-ethereum_mist_browser/
The MistPwn website should load and will provide some background information as well as a button to run some tests on whether your Mist browser is vulnerable or not. Upon clicking "I agree!", MistPwn will check whether you are vulnerable to any of the issues raised above. It shows alerts right below the button to inform you of critical events and provides details for all the tests run in the Results section. MistPwn won't execute any commands or remove/delete files unless it is explicitly instructed to do so. Whenever a potentially harmful operation would be executed, it places a yellow button in the details section for you to check and perform that task manually. The PoC can be run in anonymous and connected mode. Make sure to have at least one address set up.
This has been tested on Windows 10 with the latest Mist (see version at the top). A typical result looks like:
Alerts:
info-leak Mist leaks your local application directory: C:\Users\<MYUSER>\AppData\Local\Mist\app-0.8.6\resources\app.asar
info-leak You are leaking your local username to this website: <MYUSER>
code exec Mist exposes electron.shell - This website might execute arbitrary local commands without your consent (see details/testcase below).
read write delete This website might be able to read/write shortcut links or move files to trash
info-leak This website might be able to get your etherbase even though you are in anonymous mode: 0xxxxxxxxxxxxxxxxxxxxxxxx (balance: 999999990000000000)
Results:
danger mist.shell.exec Mist allows remote websites to execute arbitrary commands on your client <launch 'calc.exe'> ...
danger mist.shell.open Mist allows remote websites to open arbitrary items on your client <open 'calc.exe'> ...
danger mist.shell.showItem Mist allows remote websites to open arbitrary items on your client <showItem '.'> ...
danger mist.shell.writelink Mist allows the remote website to create arbitrary links on your machine <1. create linkfile> <file>
danger mist.shell.readlink Mist allows the remote website to read arbitrary links on your machine <2. read linkfile> <file>
danger mist.shell.trash Mist allows the remote website to delete arbitrary files on your machine <3. delete file> <file>
danger web3.coinbase mist reveals coinbase even though you are in anonymous mode 0xxxxxxxxxxxxxxxx
....
Recommendations:
- There's a need for trust/permission policies for an attack surface comparable to mobile apps/browser extensions.
- There's a need for transparency and user consent when an app performs critical actions (asks for information, wants to execute something, ...), in the same way as for transferring funds.
- Reconsider exposing any backend API directly (electron.shell). Mist should control all critical APIs in the backend.
- Ethereum is based on pseudonymity. Mist builds the link between real-world users and Ethereum addresses, which must be protected (e.g. Mist suggests that you're anonymous until you connect, which is actually not true).
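As an added illustration of the recommendations above (this is example code written for this page, not Mist's actual fix), the following broker is what a Ðapp host could hand to pages instead of electron.shell: an explicit capability policy (only openExternal survives on the surface), per-action user consent asked in the trusted process, and backend-side validation of every argument, including an HSTS-style refusal of plain http to the critical sites named in this advisory. The shell (electron.shell in Mist) and askUser (a consent dialog) are injected, so the file runs under plain Node with mocks; the allowlisted host names and messages are assumptions.

```javascript
// Added example, not Mist's fix: a restricted broker exposed to pages instead
// of electron.shell. Policy, consent and validation all live on this side.

// Sites the advisory singles out as critical; plain http to these is refused.
const CRITICAL_HOSTS = new Set(['wallet.ethereum.org', 'wallet.ethereum.com']);

// Validate an outbound URL before it may reach the OS: https only, hostname on
// the allowlist. Returns {ok:true, url} or {ok:false, reason}.
function checkExternalUrl(rawUrl, allowedHosts) {
  let url;
  try {
    url = new URL(String(rawUrl));
  } catch (e) {
    return { ok: false, reason: 'unparseable url' };
  }
  if (url.protocol !== 'https:') {
    const reason = CRITICAL_HOSTS.has(url.hostname)
      ? `insecure transport to critical site ${url.hostname}`
      : `refused scheme ${url.protocol}`;
    return { ok: false, reason };
  }
  if (!allowedHosts.has(url.hostname)) {
    return { ok: false, reason: `host ${url.hostname} not allowlisted` };
  }
  return { ok: true, url: url.href };
}

// Build the object handed to the renderer. openItem, moveItemToTrash,
// readShortcutLink and writeShortcutLink are deliberately absent: a page
// cannot call what is not on the surface.
function createRestrictedShell(shell, { allowedHosts, askUser, log = () => {} }) {
  return Object.freeze({
    openExternal(rawUrl) {
      const check = checkExternalUrl(rawUrl, allowedHosts);
      if (!check.ok) {
        log('deny', rawUrl, check.reason);
        return { opened: false, reason: check.reason };
      }
      // Consent is requested in the trusted process with the *validated* URL,
      // so the page cannot display one target and open another.
      if (!askUser(`Open ${check.url} in your system browser?`)) {
        log('deny', rawUrl, 'user declined');
        return { opened: false, reason: 'user declined' };
      }
      shell.openExternal(check.url);
      log('allow', check.url);
      return { opened: true, url: check.url };
    },
  });
}

// Constructed harness: a mock shell that records what it was asked to open,
// and a user who always consents.
function demo() {
  const opened = [];
  const mockShell = { openExternal: (u) => opened.push(u) };
  const api = createRestrictedShell(mockShell, {
    allowedHosts: new Set(['wallet.ethereum.org', 'ethereum.org']),
    askUser: () => true,
  });
  const results = [
    api.openExternal('https://wallet.ethereum.org/'),          // allowed
    api.openExternal('http://wallet.ethereum.org/'),           // critical site over http
    api.openExternal('https://evil.example/'),                 // not allowlisted
    api.openExternal('file:///C:/Windows/System32/calc.exe'), // the advisory's calc.exe case
    api.openExternal('not a url'),
  ];
  return { results, opened, surface: Object.keys(api) };
}
```

Only the first call in demo() reaches the underlying shell; the http, file:// and unknown-host requests are refused before any consent prompt, and a declining user blocks even a fully valid https request.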
Vendor response:
- The vendor fixed the high-risk issues within one day of private disclosure.
- The vendor released a fixed version [3] and an advisory [3][4][6].
[1] https://github.com/ethereum/mist/
[2] https://github.com/ethereum/mist/releases
[3] https://github.com/ethereum/mist/releases/tag/v0.8.7
[4] https://www.reddit.com/r/ethereum/comments/59lazn/highly_recommended_security_release_for_mist/
[5] https://github.com/tintinweb/pub/tree/master/pocs/nocve-2016-ethereum_mist_browser
[6] https://blog.ethereum.org/2016/10/27/security-alert-mist-can-vulnerable-navigating-malicious-dapps/
[7] https://tintinweb.github.io/pub/pocs/nocve-2016-ethereum_mist_browser/
https://github.com/tintinweb