Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: Evil-Knievel on December 05, 2014, 11:25:48 AM



Title: This message was too old and has been purged
Post by: Evil-Knievel on December 05, 2014, 11:25:48 AM
This message was too old and has been purged


Title: Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
Post by: dserrano5 on December 06, 2014, 03:58:54 PM
... and gone the coins are.

But only if the wallet is unencrypted. This is the RPC password, not the wallet encryption password.


Title: Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
Post by: gmaxwell on December 06, 2014, 04:49:47 PM
Yes, the Debian packaging of Bitcoin was broken. This was known and fixed years ago, you're linking to a two year old version of the files. People building for themselves or using the Bitcoin.org binaries were never exposed to it.

The RPC is also not exposed outside of the localhost unless you go and add additional configuration, and the additional configuration results in it still being limited to particular networks normally.


Title: Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
Post by: altcoinex on December 06, 2014, 05:39:13 PM
There have been a number of distro-related issues having to do with configuration settings, but most of them don't last very long...
I think I recall seeing a note of this one when it was resolved: https://bitcointalk.org/index.php?topic=102650.msg3352617#msg3352617


Title: Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
Post by: Amph on December 07, 2014, 06:41:58 PM
Isn't that version working with the Heartbleed bug? Of course it is vulnerable; 0.9 fixed it, if I remember correctly.


Title: Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
Post by: azeteki on December 07, 2014, 08:56:07 PM
This is rather interesting but the RPC server should not ordinarily be exposed outside of a trusted network. Certainly not with an unencrypted wallet.
This was one of the main reasons behind my creating my terminal-based frontend.
The approach should be to connect using a secure tunnel like SSH and interface with the Bitcoin Core daemon from there.

Ignoring that, I would take issue with the claim that it would take around an hour to brute force the password if on the same network.
I can't say I've tried, but you are claiming that you can get off over a million authentication attempts per second over a network (4294967296 / 3600).
Just sending a ten-byte auth request would make that 10 MB/s sustained.

The RPC server is not especially fast. I have not tested but it would not surprise me if you struggled to get a few hundred auth attempts per second on a local machine. That would put you at over a month. If anyone has the time it would be interesting to see how quickly you can fail auth and try again.

I don't wish to speak for the core developers here but I would not be surprised if there are numerous vulnerabilities in the RPC server - it is likely not intended to be used with unsanitised input.
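The thread's two practical points, that the RPC port should only ever be reachable from localhost or a trusted network, and that the interesting measurable quantity is how fast authentication can fail and be retried, both suggest the same defensive check: watch the node's debug.log for bursts of failed RPC logins and note where they come from and at what rate. The script below is an added example written for this thread, not code from any poster or from Bitcoin Core. It assumes the log line Bitcoin Core writes on a failed RPC login, `ThreadRPCServer incorrect password attempt from <addr>`, prefixed by the timestamp that `-logtimestamps` adds; the sample log, the 60-second window and the threshold of 20 failures are all constructed assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a timestamped failed-RPC-auth line as written by bitcoind when
# -logtimestamps is on (assumption: "YYYY-MM-DD HH:MM:SS <message>").
LINE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"ThreadRPCServer incorrect password attempt from (\S+)$"
)

def parse_failed_auth(line):
    """Return (timestamp, source_ip) for a failed-auth line, else None.

    The logged address is "ip:port" (or "[ipv6]:port"); the ephemeral source
    port is stripped so that attempts are grouped per host, not per socket.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    host, _, _port = m.group(2).rpartition(":")
    return ts, host.strip("[]")

def detect_bursts(lines, window=timedelta(seconds=60), threshold=20):
    """Flag every source IP that produced `threshold` or more failed RPC
    logins inside any interval of length `window` (sliding window over the
    sorted timestamps of that IP).

    Returns {ip: (max_failures_in_window, approx_attempts_per_second)}.
    The rate divides by (span + 1 s) because timestamps have whole-second
    granularity: ten failures all logged at 11:25:48 are ten per second,
    not infinitely many.
    """
    by_ip = defaultdict(list)
    for line in lines:
        parsed = parse_failed_auth(line)
        if parsed:
            ts, ip = parsed
            by_ip[ip].append(ts)

    alerts = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best, best_span = 0, 0, 0.0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide the left edge forward
                start += 1
            count = end - start + 1
            if count > best:
                best = count
                best_span = (t - stamps[start]).total_seconds()
        if best >= threshold:
            alerts[ip] = (best, round(best / (best_span + 1.0), 1))
    return alerts

def constructed_sample_log():
    """Constructed debug.log excerpt (not captured from a real node): two
    typos from localhost, one unrelated line, and a LAN host failing ten
    logins per second for three seconds (30 failures)."""
    base = datetime(2014, 12, 5, 11, 25, 48)
    fmt = "%Y-%m-%d %H:%M:%S"
    fail = "ThreadRPCServer incorrect password attempt from"
    lines = [
        f"{base:{fmt}} {fail} 127.0.0.1:40001",
        f"{base:{fmt}} Loaded 1234 addresses from peers.dat  12ms",
        f"{base:{fmt}} {fail} 127.0.0.1:40002",
    ]
    for i in range(30):
        t = base + timedelta(seconds=i // 10)   # ten attempts per logged second
        lines.append(f"{t:{fmt}} {fail} 192.0.2.10:{50000 + i}")
    return lines

if __name__ == "__main__":
    for ip, (count, rate) in detect_bursts(constructed_sample_log()).items():
        print(f"{ip}: {count} failed RPC logins in window, ~{rate} attempts/s")
```

In practice you would feed the real debug.log through `detect_bursts` and treat any non-loopback source in the result as a sign that the port is reachable from somewhere it should not be, which is the configuration mistake the thread is about; the reported rate is also the empirical number azeteki asks for, since it measures how quickly the server actually rejects and accepts a new attempt rather than the theoretical 2^32 / 3600 figure.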