Bitcoin Forum
December 14, 2024, 10:36:54 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Vulnerability in UPnP library used by Bitcoin Core !!  (Read 1620 times)
OmegaStarScream (OP)
Staff
Legendary
*
Offline Offline

Activity: 3696
Merit: 6539



View Profile
October 12, 2015, 05:42:42 PM
 #1

I was just on Bitcoin.org to link someone to a wallet and I've seen the warning on the top of the page so I thought I should share it with you guys , I'am not a user of Bitcoin core anymore but here :

https://bitcoin.org/en/alert/2015-10-12-upnp-vulnerability

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
GermanGiant
Hero Member
*****
Offline Offline

Activity: 784
Merit: 501



View Profile
October 12, 2015, 05:47:07 PM
 #2

Does it affect any other wallet or only core ?
unamis76
Legendary
*
Offline Offline

Activity: 1512
Merit: 1012


View Profile
October 12, 2015, 05:57:06 PM
 #3

Thanks for the heads up... Why will there be a new 0.10 release?
krb91
Member
**
Offline Offline

Activity: 254
Merit: 10

Streamies Rocks!!!!


View Profile
October 12, 2015, 06:24:49 PM
 #4

Does it affect any other wallet or only core ?

I'm not sure, there is a reddit thread about it, and someone might use it to eventually explain if any other wallets besides core are vulnerable. At he moment the thread only gives the same advice as bitcoin.org, which I quoted. It's only for core, so the vulnerability probably doesn't affect other wallets. I don't understand UPNP well enough to say for certain.

https://www.reddit.com/r/Bitcoin/comments/3ogg0t/bitcoinorg_vulnerability_in_upnp_library_used_by/

Quote
Either
turn off the checkbox in the GUI under Options → Network → Map port using UPNP
add the line upnp=0 to your bitcoin.conf file
add -upnp=0 to the command line options

S T R E A M I E S -  Streaming in Anonimity  -  No rules
▬▬▬▬▬▬▬▬▬▬ ●●     Whitepaper Released    ●● ▬▬▬▬▬▬▬▬▬▬
DISCORD    -    BITCOINTALK    -    WEBSITE    -    EXCHANGE
Amph
Legendary
*
Offline Offline

Activity: 3248
Merit: 1070



View Profile
October 12, 2015, 06:45:17 PM
 #5

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...
achow101
Staff
Legendary
*
Offline Offline

Activity: 3570
Merit: 6927


Just writing some code


View Profile WWW
October 12, 2015, 06:58:56 PM
 #6

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...
For the daemon if you don't use core.

krb91
Member
**
Offline Offline

Activity: 254
Merit: 10

Streamies Rocks!!!!


View Profile
October 12, 2015, 06:59:56 PM
 #7

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

S T R E A M I E S -  Streaming in Anonimity  -  No rules
▬▬▬▬▬▬▬▬▬▬ ●●     Whitepaper Released    ●● ▬▬▬▬▬▬▬▬▬▬
DISCORD    -    BITCOINTALK    -    WEBSITE    -    EXCHANGE
saturn643
Hero Member
*****
Offline Offline

Activity: 728
Merit: 500


View Profile
October 12, 2015, 07:10:25 PM
 #8

The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?
Amph
Legendary
*
Offline Offline

Activity: 3248
Merit: 1070



View Profile
October 12, 2015, 08:38:39 PM
 #9

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...
achow101
Staff
Legendary
*
Offline Offline

Activity: 3570
Merit: 6927


Just writing some code


View Profile WWW
October 12, 2015, 08:47:15 PM
 #10

what's the point of setting it to zero in the config if you remove the checkbox on the option menu? they should perform the same thing

also i don't use a config at all for core...

I think you only have to select one of the options to protect your wallet from the vulnerability. Each option should protect your wallet on its own. Bitcoin.org recommends updating your wallet to the latest version. It says 0.10.3 and 0.11.1, and the upcoming 0.12.0 are safe to use. You only need to upgrade if you downloaded a compiled wallet, if you built your wallet yourself it should have UPnP disabled by default.

there is no 0.11.1 apparently, i found that they are at rc2 for this version, on a shady website, or at least it seems so...
Neither of them have been released yet. They are still in the release candidate stage.

0.11.1rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.11.1/test/
0.10.3rc2 is officially available at https://bitcoin.org/bin/bitcoin-core-0.10.3/test/

coinpr0n
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1000



View Profile
October 12, 2015, 09:14:16 PM
 #11

The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?

Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.

shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1540


No I dont escrow anymore.


View Profile
October 13, 2015, 05:41:32 AM
Last edit: October 13, 2015, 09:33:19 AM by shorena
 #12

The vulnerability was discovered in miniupnp almost a month ago. Why didn't any of the devs let us know earlier? The article they reference looks like it has been public for a month so that would have been plenty of time for someone to try an attack against Bitcoin Core.

Has anyone tried any attacks against Bitcoin Core to see how badly these vulnerabilities affect Bitcoin Core?

Please remember that these are volunteer developers. They may have only just realized the problem was out there or they were waiting to have a patch ready before bringing it to the attention of the public.

I have no source, but I read about the issue on twitter way before this was on bitcoin.org or posted here (twice now?).

Found the source, 3 days old: https://twitter.com/gavinandresen/status/652462681442648065

Im not really here, its just your imagination.
Melds
Full Member
***
Offline Offline

Activity: 205
Merit: 100


Investor / Trader / Analyst


View Profile
October 13, 2015, 07:06:36 AM
 #13

What are the potential repercussions of this flaw? I'm slightly worried..

OmegaStarScream (OP)
Staff
Legendary
*
Offline Offline

Activity: 3696
Merit: 6539



View Profile
October 13, 2015, 07:43:41 AM
 #14

Does it affect any other wallet or only core ?

I suppose it affects the others because the other SPV wallets use same versions of Bitcoin Core as we do , yes ? correct me if I'am wrong !

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
shorena
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1540


No I dont escrow anymore.


View Profile
October 13, 2015, 09:33:59 AM
 #15

Does it affect any other wallet or only core ?

I suppose it affects the others because the other SPV wallets use same versions of Bitcoin Core as we do , yes ? correct me if I'am wrong !

SPV wallets are not affected, they just request data from full nodes.

Im not really here, its just your imagination.
christycalhoun
Sr. Member
****
Offline Offline

Activity: 378
Merit: 250


View Profile
October 13, 2015, 10:25:18 AM
 #16

Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?

OmegaStarScream (OP)
Staff
Legendary
*
Offline Offline

Activity: 3696
Merit: 6539



View Profile
October 13, 2015, 10:34:57 AM
 #17

Will this affect 3rd party clients as well or is this just a problem with the official bitcoin-qt client?

You must be kidding xD look the above reply (shorena replied to me)

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
NeuroticFish
Legendary
*
Offline Offline

Activity: 3892
Merit: 6623


Looking for campaign manager? Contact icopress!


View Profile
October 13, 2015, 10:58:31 AM
 #18

Quote from: TALOS VULNERABILITY REPORT
A specially crafted XML response can lead to a buffer overflow on the stack resulting in remote code execution. An attacker can set up a server on the local network to trigger this vulnerability.

So the local network has to be compromised first.
And if the local network is compromised, you can be in big trouble even without this vulnerability.

I hope that I understood it right.

███████████████████████
████▐██▄█████████████████
████▐██████▄▄▄███████████
████▐████▄█████▄▄████████
████▐█████▀▀▀▀▀███▄██████
████▐███▀████████████████
████▐█████████▄█████▌████
████▐██▌█████▀██████▌████
████▐██████████▀████▌████
█████▀███▄█████▄███▀█████
███████▀█████████▀███████
██████████▀███▀██████████

███████████████████████
.
BC.GAME
▄▄▀▀▀▀▀▀▀▄▄
▄▀▀░▄██▀░▀██▄░▀▀▄
▄▀░▐▀▄░▀░░▀░░▀░▄▀▌░▀▄
▄▀▄█▐░▀▄▀▀▀▀▀▄▀░▌█▄▀▄
▄▀░▀░░█░▄███████▄░█░░▀░▀▄
█░█░▀░█████████████░▀░█░█
█░██░▀█▀▀█▄▄█▀▀█▀░██░█
█░█▀██░█▀▀██▀▀█░██▀█░█
▀▄▀██░░░▀▀▄▌▐▄▀▀░░░██▀▄▀
▀▄▀██░░▄░▀▄█▄▀░▄░░██▀▄▀
▀▄░▀█░▄▄▄░▀░▄▄▄░█▀░▄▀
▀▄▄▀▀███▄███▀▀▄▄▀
██████▄▄▄▄▄▄▄██████
.
..CASINO....SPORTS....RACING..


▄▄████▄▄
▄███▀▀███▄
██████████
▀███▄░▄██▀
▄▄████▄▄░▀█▀▄██▀▄▄████▄▄
▄███▀▀▀████▄▄██▀▄███▀▀███▄
███████▄▄▀▀████▄▄▀▀███████
▀███▄▄███▀░░░▀▀████▄▄▄███▀
▀▀████▀▀████████▀▀████▀▀
okae
Legendary
*
Offline Offline

Activity: 1401
Merit: 1008


northern exposure


View Profile WWW
October 13, 2015, 11:11:28 AM
 #19

so if im not wrong, for users who are using the core, we just need to do it:

  • turn off the checkbox in the GUI under Options → Network → Map port using UPNP (see above)

and dont forget to update our core client when they release a new version with the fix included Smiley

IMHO #1.b of suspects, Hal Finney is/was S.N.
Lauda
Legendary
*
Offline Offline

Activity: 2674
Merit: 3000


Terminated.


View Profile WWW
October 13, 2015, 11:21:11 AM
 #20

This is not a huge deal at the moment since the issue was quickly identified which is good (and because the workaround is easy). I also think that we should change the:
Quote
News: Latest stable version of Bitcoin Core: 0.11.0 [Torrent]
to include some sort of heads up related to this issue. Let's hope that the next version gets released very quickly.

"The Times 03/Jan/2009 Chancellor on brink of second bailout for banks"
😼 Bitcoin Core (onion)
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!