Ravencoin
URI Argument Injection in Ravencoin-Qt
We recently found and confirmed that Ravencoin Core in the latest release (version 4.3.2.1) and earlier versions are affected by a remote code execution vulnerability in Qt5-based GUI apps. Specifically, the `QApplication` in the Qt framework used by the Ravencoin GUI program will parse Qt built-in arguments, such as `-reverse` and `-platformpluginpath` (see the document here).
For example, when you start the `raven-qt.exe` program in the command line and then append a built-in argument, such as `-reverse`, e.g., `"C:\Program Files\Ravecoin\bin\raven-qt.exe" raven:address -reverse`, you will get a reversed Ravencoin GUI.
For more details, you may also refer to the following pages.
- The vulnerable code in Ravencoin: `src/qt/raven.cpp`, see lines 367 to 373.
- Similar fix from Bitcoin: PR#16578.
- The original CVE-2021-3401 report
- The exploited details.
Reported by de957ad9679f28a38f02f00cc7928bce8fb424882ff060a3c09c32895b1474cc.
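As an added illustration of the fix pattern the report points to (Bitcoin PR#16578), not code from Ravencoin or from the reporter: the weak form hands `QApplication` the real argv, so Qt honours any built-in switch placed after the `raven:` URI; the hardened form hands Qt a fixed argv holding only the program name and lets the wallet's own parser handle the rest. The function names, the sample argv and the partial list of Qt switches are assumptions made for this example; Qt itself is stubbed out so the block compiles stand-alone.

```cpp
#include <iostream>
#include <string>
#include <vector>

using Args = std::vector<std::string>;

// Constructed sample of what raven-qt's main() receives from the raven: URI
// handler, mirroring the report's "raven-qt.exe raven:address -reverse".
Args sampleArgv() { return {"raven-qt.exe", "raven:address", "-reverse"}; }

// Weak form: hand Qt the real argv. QApplication strips and honours any
// built-in switch it finds there (-reverse, -platformpluginpath, ...).
Args qtArgsUnsafe(const Args& real) { return real; }

// Hardened form (the approach of Bitcoin PR#16578): Qt only ever sees
// argv[0], so nothing supplied after the program name reaches its parser.
Args qtArgsSafe(const Args& real) {
    return {real.empty() ? std::string("raven-qt") : real[0]};
}

// The wallet's own URI handling: take the first raven: argument and leave
// everything else to the wallet's argument parser, never to Qt.
std::string paymentUri(const Args& real) {
    for (size_t i = 1; i < real.size(); ++i)
        if (real[i].rfind("raven:", 0) == 0) return real[i];
    return "";
}

// Check that an argv handed to Qt carries no Qt built-in switch. The list is a
// partial, hand-picked sample of switches documented for Q(Gui)Application.
bool containsQtSwitch(const Args& argv) {
    static const char* const qtSwitches[] = {
        "-reverse", "-platformpluginpath", "-platform", "-style",
        "-stylesheet", "-qwindowgeometry"};
    for (size_t i = 1; i < argv.size(); ++i)
        for (const char* s : qtSwitches)
            if (argv[i] == s) return true;
    return false;
}

int main() {
    Args real = sampleArgv();
    std::cout << "Qt switch reaches Qt (unsafe): " << containsQtSwitch(qtArgsUnsafe(real))
              << "\nQt switch reaches Qt (safe):   " << containsQtSwitch(qtArgsSafe(real))
              << "\nURI handled by wallet:         " << paymentUri(real) << '\n';
}
```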
Thanks for reporting. PR #1111 is my suggested solution.
Should be included in the next release. @TronBlack @hans-schmidt @HyperPeek
Thank you CharesFang and fdov for your contributions
For clarification and to prevent unnecessary panic. As I understand this:
- This bug allows someone locally on your computer (Windows, Mac, Linux) to launch raven-qt with some strange display behavior, like a GUI in which left and right alignments work backwards. Theoretically, there might also be a way to use this bug locally to get raven-qt/ravend to do some non-display bad behavior from the command line, but the raven-qt/ravend code is designed to prevent that. So even for someone with local rights on your system, this isn't too awful. Remotely, it's even less of a threat.
- On MacOS and Linux, there is no remote threat at all because of the way they handle command line arguments.
- On Windows, it is possible to use this from a remote location (like loading a web page) to create the strange behavior described above if your browser allows it, but none of the major browsers allow it.
- So the bottom line is that this should be fixed to improve security in case some hacker finds a new way to use it. But it currently is harmless.
Pretty much.
Quote from achow101: "Even though I believe that this vulnerability cannot actually be exploited, it is still prudent to fix the issue."
Ref: https://achow101.com/2021/02/0.18-uri-vuln
Very good. Though the CVE-2021-3041 author claimed that this vulnerability cannot actually be exploited, we also need to fix it.