A buffer overflow enabling a significant data leak was discovered in miniupnpc. Combined with the then recently disclosed CVE-2015-6031, it enabled an RCE in miniupnpc which could have led to an RCE in Bitcoin Core. This was fixed in Bitcoin Core 0.12, released in February 2016.
This issue is considered Medium severity.
Details
CVE-2015-6031, disclosed in September 2015, made it possible for a malicious UPnP server on the local network to remotely crash a Bitcoin Core process at startup. See here for details. The fix was pulled into Bitcoin Core and shipped in version 0.11.1, released in October 2015. UPnP was then turned off by default.
CVE-2015-6031 disclosed a buffer overflow which, in addition to enabling a remote crash, could have made it possible to remotely execute code on a victim's machine. While investigating this possibility, Wladimir J. Van Der Laan found another buffer overflow in miniupnpc which enabled a significant data leak. This was fixed by Wladimir in miniupnpc in commit 4c90b87ce3d2517097880279e8c3daa7731100e6. The fix was then pulled into Bitcoin Core and released as part of version 0.12.
This data leak did not disclose secret information (such as the wallet's private keys) directly. But combined with another stack overflow (such as the one disclosed in CVE-2015-6031), it made it possible to trigger remote code execution. Wladimir demonstrated this against Ubuntu's miniupnpc version 1.6-precise. The specific approach used in this exploit was, however, not directly portable to Bitcoin Core.
Attribution
Credits go to Aleksandar Nikolic for identifying CVE-2015-0035 and to Wladimir J. Van Der Laan for investigating its impact and discovering the second buffer overflow.
Timeline
- 2015-09-15 CVE-2015-0035 is fixed and disclosed.
- 2015-10-09 PR #6789 is merged in Bitcoin Core
- 2015-10-14 Wladimir’s remote code execution by leveraging the second buffer overflow is disclosed to Ubuntu security and Bitcoin developers.
- 2015-10-15 Bitcoin Core 0.11.1 is released
- 2015-10-26 The fix for the second buffer overflow is merged into miniupnpc.
- 2015-12-18 The fix is pulled into Bitcoin Core.
- 2016-02-23 Bitcoin Core version 0.12 is released.
- 2017-03-08 The last vulnerable Bitcoin Core Version (0.11.x) goes EOL
- 2024-07-03 Public disclosure