CVE-2019-15947: Bitcoin Core crash dumps contain wallets
What is stored in crash dumps?
The basic idea behind a crash dump is that on abnormal program termination (a fault or a kill signal) the operating system will, depending on its settings, dump core for that program so that developers can load it into a debugger like gdb and find out what went wrong. This is usually a good thing: the dump is a snapshot of the process's memory map, including the program image, the stack and the heap, plus the register state at the time of the crash, from which a stack trace can be recovered.
If you want to know more about gdb, you can read my article on stack based buffer overflow primitives, which gives a brief introduction to gdb.
So why is this important?
You have probably realized by now that if bitcoin-qt loads the wallet.dat contents into memory for the program to use, nothing stops us from ripping the wallet.dat straight out of a crash dump. The only complication is that a wallet.dat file is sometimes encrypted, which means it is also encrypted while stored in memory. bitcoin-qt may hold the keys in memory as well so it can access the data within the wallet.dat, but I honestly haven't checked. This was designed as a simple demo that rips unencrypted wallets out of the core dump (I imagine the encryption employed would make ripping those much more involved).
So I ended up taking the length of most wallet.dat files and using that as my CLEN variable, then using grep to get the offset of the wallet within the crash dump and xxd to reconstruct that part of the file.
You can test it by running pkill -11 bitcoin-qt and then using coredumpctl to pull the dump.
The major implication is a multiuser system where you can't trust the other users not to take a peek at your crash dumps. Another is crash dumps uploaded to an offsite server (for example by a crash reporting tool) where multiple developers and other users can browse the cores, because then someone could start extracting dumped data and recover your wallet.dat. The Bitcoin Core team defeated this attack by having the program itself tell the operating system not to dump a core unless specifically told to elsewhere.
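As an added illustration of that kind of mitigation (my own example, not Bitcoin Core's fix), here is how a process can refuse to be core-dumped and then verify that the setting took effect; the function names are mine, and the prctl part only applies on Linux:

```c
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Tell the OS never to write a core file for this process.
 * Returns 0 on success, -1 if either call failed. */
int disable_core_dumps(void)
{
    /* Soft AND hard limit to 0: once the hard limit is 0, an unprivileged
     * process (or a later "ulimit -c unlimited" in a child) cannot raise
     * it again. systemd-coredump honours this limit as well. */
    struct rlimit rl = { .rlim_cur = 0, .rlim_max = 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
#ifdef __linux__
    /* Belt and braces on Linux: the kernel skips a non-dumpable process in
     * its coredump path even when core_pattern is a pipe, and another
     * unprivileged process of the same user can no longer read its memory
     * through ptrace or /proc/PID/mem. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}

/* Current soft core-size limit: 0 means no core file will be written,
 * -2 means unlimited, -1 means the query failed. */
long core_limit(void)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    return rl.rlim_cur == RLIM_INFINITY ? -2 : (long)rl.rlim_cur;
}

/* 1 if the process is protected against core dumps, 0 otherwise. */
int core_dumps_disabled(void)
{
    if (core_limit() != 0)
        return 0;
#ifdef __linux__
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0)
        return 0;
#endif
    return 1;
}
```

On a systemd host you can confirm the effect by sending the process a signal as above and checking that coredumpctl lists no new entry for it.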
Please don't steal other people's wallets with this code. You are free, however, to send me some bitcoin if you happen to recover your own wallet using this!
Thanks for reading!