Topic: This message was too old and has been purged (Read 1791 times)
Evil-Knievel
(OP)
Legendary
Offline
Activity: 1260
Merit: 1168
⇾
This message was too old and has been purged
December 05, 2014, 11:25:48 AM
Last edit: April 17, 2016, 08:03:20 PM by Evil-Knievel
#1
This message was too old and has been purged
dserrano5
Legendary
Offline
Activity: 1974
Merit: 1029
Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
December 06, 2014, 03:58:54 PM
#2
Quote from: Evil-Knievel on December 05, 2014, 11:25:48 AM
... and gone the coins are.
But only if the wallet is unencrypted. This is the RPC password, not the wallet encryption password.
gmaxwell
Moderator
Legendary
Offline
Activity: 4270
Merit: 8803
Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
December 06, 2014, 04:49:47 PM
#3
Yes, the Debian packaging of Bitcoin was broken. This was known and fixed years ago; you're linking to a two-year-old version of the files. People building for themselves or using the Bitcoin.org binaries were never exposed to it.
The RPC is also not exposed outside of the localhost unless you go and add additional configuration, and the additional configuration results in it still being limited to particular networks normally.
altcoinex
Sr. Member
Offline
Activity: 293
Merit: 251
Director - www.cubeform.io
Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
December 06, 2014, 05:39:13 PM
#4
There have been a number of distro-related issues having to do with configuration settings, but most of them don't last very long...
I think I recall seeing note of this one when it was resolved:
https://bitcointalk.org/index.php?topic=102650.msg3352617#msg3352617
Amph
Legendary
Offline
Activity: 3248
Merit: 1070
Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
December 07, 2014, 06:41:58 PM
#5
Isn't that version working with the Heartbleed bug? Of course it is vulnerable; 0.9 fixed it, if I remember correctly.
azeteki
Member
Offline
Activity: 96
Merit: 10
esotericnonsense
Re: Bitcoin 0.8.1 Clients vulnerable to easy bruteforce attack using RPC
December 07, 2014, 08:56:07 PM
#6
This is rather interesting but the RPC server should not ordinarily be exposed outside of a trusted network. Certainly not with an unencrypted wallet.
This was one of the main reasons behind me creating my terminal based frontend.
The approach should be to connect using a secure tunnel like SSH and interface with the Bitcoin Core daemon from there.
Ignoring that, I would take issue with the claim that it would take around an hour to brute force the password if on the same network.
I can't say I've tried but you are claiming that you can get off over a million authentication attempts per second over a network. (4294967296/3600).
Just sending a ten byte auth request would make that 10MB/s sustained.
The RPC server is not especially fast. I have not tested but it would not surprise me if you struggled to get a few hundred auth attempts per second on a local machine. That would put you at over a month. If anyone has the time it would be interesting to see how quickly you can fail auth and try again.
I don't wish to speak for the core developers here but I would not be surprised if there are numerous vulnerabilities in the RPC server - it is likely not intended to be used with unsanitised input.
bitcoind-ncurses
-
esotericnonsense.com
-
PGP
-
old PGP
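An added example, not part of any post in this thread and not Bitcoin Core code: a small Python audit of a `bitcoin.conf` for the two conditions the replies identify, RPC reachable beyond localhost (`rpcallowip`) and an `rpcpassword` with a small keyspace, together with the time-to-exhaust estimate discussed in the last reply. The sample config, the 80-bit threshold and all function names are assumptions made for illustration.

```python
import ipaddress
import math
import string

# Constructed sample bitcoin.conf; values are illustrative, not from the thread.
SAMPLE_CONF = """\
rpcpassword=a1b2c3d4   # 8 hex characters
rpcallowip=127.0.0.1
rpcallowip=192.168.1.*
"""
MIN_BITS = 80  # assumed policy threshold, not a Bitcoin Core rule

def parse_conf(text):
    """Parse key=value lines; keys such as rpcallowip may repeat."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf.setdefault(key.strip(), []).append(value.strip())
    return conf

def keyspace_bits(password):
    """Rough keyspace estimate from the character classes actually used."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if set(c) & set(password)) or 256
    if password and set(password) <= set(string.hexdigits):
        alphabet = 16
    return len(password) * math.log2(alphabet)

def days_to_exhaust(bits, attempts_per_second):
    return 2 ** bits / attempts_per_second / 86400  # seconds -> days

def is_loopback(entry):
    try:
        return ipaddress.ip_network(entry, strict=False).is_loopback
    except ValueError:  # old-style wildcards such as 192.168.1.* land here
        return False

def audit(text):
    """Return findings for RPC exposure and weak RPC credentials."""
    conf, findings = parse_conf(text), []
    for entry in conf.get("rpcallowip", []):
        if not is_loopback(entry):
            findings.append(f"rpcallowip={entry} admits non-loopback clients")
    bits = keyspace_bits(conf.get("rpcpassword", [""])[-1])
    if bits < MIN_BITS:
        findings.append(f"rpcpassword: about {bits:.0f} bits of keyspace")
    return findings
```

For the 4294967296-candidate keyspace mentioned in the thread, `days_to_exhaust(32, 300)` gives roughly 166 days, while the one-hour figure requires about 1.19 million attempts per second.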