A buffer overflow enabling a significant data leak was discovered in miniupnpc. Combined with the then recently-disclosed CVE-2015-6031 it enabled an RCE in miniupnpc which could have led to an RCE in Bitcoin Core. This was fixed in Bitcoin Core 0.12, released in February 2016.

This issue is considered Medium severity.

Details

CVE-2015-6031, disclosed in September 2015, made it possible for a malicious UPnP server on the local network to remotely crash a Bitcoin Core process at startup, when the process parsed the server's device description. See the CVE-2015-6031 advisory for details. The fix was pulled into Bitcoin Core and shipped in version 0.11.1, released in October 2015. UPnP was then turned off by default.

CVE-2015-6031 disclosed a buffer overflow, which in addition to enabling a remote crash could have made it possible to remotely execute code on a victim’s machine. While investigating this possibility, Wladimir J. Van Der Laan found another buffer overflow in miniupnpc which enabled a significant data leak. This was fixed by Wladimir in miniupnpc in commit 4c90b87ce3d2517097880279e8c3daa7731100e6. The fix was then pulled into Bitcoin Core and released as part of version 0.12.

This data leak did not disclose secret information (such as the wallet's private keys) directly. But combined with another stack buffer overflow (such as the one disclosed in CVE-2015-6031) it made it possible to achieve remote code execution, since the leaked data defeats the randomization an attacker otherwise has to guess past. Wladimir demonstrated this against Ubuntu's miniupnpc version 1.6-precise. The specific approach used in this exploit was however not directly portable to Bitcoin Core.
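The bug class behind CVE-2015-6031 is an XML start-element callback that copies an attacker-supplied element name into a fixed-size buffer using the name's own length as the copy length. The following is an added illustration of that pattern and of the bounded form that fixes it; it is not miniupnpc's code, not Wladimir's, and the buffer size, struct layout and function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: a small fixed-size buffer for the current
 * element name, as a SAX-style UPnP description parser keeps in its state. */
#define ELTNAME_MAXSIZE 32

struct parse_state {
    char cureltname[ELTNAME_MAXSIZE]; /* current element name, NUL-terminated */
    int level;                        /* nesting depth */
    int truncated;                    /* set when a name had to be clamped */
};

/* Vulnerable pattern (hypothetical): the element-name length comes straight
 * from the attacker-controlled device description and is used unchecked as
 * the copy length. A name of ELTNAME_MAXSIZE bytes or more writes past the
 * buffer, and the terminator write can land out of bounds as well. Kept here
 * only to show the bug class; never feed it untrusted input. */
static void vulnerable_start_element(struct parse_state *st, const char *name, size_t len)
{
    memcpy(st->cureltname, name, len);   /* no bound on len */
    st->cureltname[len] = '\0';          /* may also write out of bounds */
    st->level++;
}

/* Hardened form: clamp the copy length to the buffer size, leave room for the
 * terminator, and report the clamp so the caller can reject the description
 * rather than silently work with a mangled name.
 * Returns 0 when the name fitted, 1 when it was clamped. */
static int hardened_start_element(struct parse_state *st, const char *name, size_t len)
{
    int clamped = 0;
    if (len >= ELTNAME_MAXSIZE) {
        len = ELTNAME_MAXSIZE - 1;
        clamped = 1;
        st->truncated = 1;
    }
    memcpy(st->cureltname, name, len);
    st->cureltname[len] = '\0';
    st->level++;
    return clamped;
}

/* Length of the element name the parser actually recorded. */
static size_t current_name_len(const struct parse_state *st)
{
    return strlen(st->cureltname);
}

int main(void)
{
    struct parse_state st;
    /* Constructed sample names: one realistic, one oversized of the kind a
     * malicious UPnP server on the LAN could put in its XML. */
    const char *ok_name = "serviceType";
    char long_name[200];
    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    memset(&st, 0, sizeof st);
    hardened_start_element(&st, ok_name, strlen(ok_name));
    printf("%s -> \"%s\" (len %zu, truncated=%d)\n",
           ok_name, st.cureltname, current_name_len(&st), st.truncated);

    memset(&st, 0, sizeof st);
    int clamped = hardened_start_element(&st, long_name, strlen(long_name));
    printf("199 x 'A' -> len %zu, clamped=%d\n", current_name_len(&st), clamped);
    return 0;
}
```

The check that matters is the comparison against the buffer size before the copy, not after it; the return value exists because a parser that silently truncates a name will still accept a description it should arguably have rejected.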

Attribution

Credits go to Aleksandar Nikolic for identifying CVE-2015-6031 and to Wladimir J. Van Der Laan for investigating its impact and discovering the second buffer overflow.

Timeline

  • 2015-09-15 CVE-2015-6031 is fixed and disclosed.
  • 2015-10-09 PR #6789 is merged in Bitcoin Core.
  • 2015-10-14 Wladimir's remote code execution leveraging the second buffer overflow is disclosed to Ubuntu security and Bitcoin developers.
  • 2015-10-15 Bitcoin Core 0.11.1 is released.
  • 2015-10-26 The fix for the second buffer overflow is merged into miniupnpc.
  • 2015-12-18 The fix is pulled into Bitcoin Core.
  • 2016-02-23 Bitcoin Core version 0.12 is released.
  • 2017-03-08 The last vulnerable Bitcoin Core version (0.11.x) goes EOL.
  • 2024-07-03 Public disclosure.