Is an attack on a local bitcoind via an img or embedded flash viable?

In this thread on the Bitcoin forums it was suggested that a local attack on bitcoind might be possible through malformed img tags or (more likely in my opinion) through embedded flash. This also brings up the possibility of exploitation via Java et al.

Unfortunately I don’t know enough about flash to determine whether it’s prevented from connecting to a listening client on localhost. I would assume it’s sandboxed away from anything else on the local network, but I honestly don’t know if they’ve bothered to restrict access to localhost.

Answer

This page says that a Flash applet can only access the port and hostname of the URL from which it was downloaded:

Adobe Flash, a plugin believed to be installed on about 99% of all desktops, incorporates a security model generally inspired by browser same-origin checks. Flash applets have their security context derived from the URL they are loaded from (as opposed to the site that embeds them with <object> or <embed> tags), and within this realm, permission control follows the same basic principle as applied by browsers to DOM access: protocol, host name, and port of the requested resource is compared with that of the requestor, with universal access privileges granted to content stored on local disk. That said, there are important differences – and some interesting extensions – that make Flash capable of initiating cross-domain interactions to a degree greater than typically permitted for native browser content.

But apparently that applies to the result of a request, not the request itself, so it’s possible a Flash applet could send a request to your bitcoind to transfer coins, but not check to see whether it worked or not. Using wallet encryption would help mitigate this.

I’ve been able to find balances using simple HTTP ‘POST’ requests:

$ echo '{"method":"getbalance","params":[""]}' | POST http://$user:$pass@127.0.0.1:8332/
{"result":-6203.99412537,"error":null,"id":null}

I don’t know if it’s possible using just a regular ‘GET’ request.

Edit: I just tried ‘guessing’ the wrong password 100 times in a row, and then getting it right. bitcoind didn’t stop accepting guesses or slow down at all, and accepted the final correct guess:

$ i=100; while ((i>0)); do ((i--)); echo $(echo $i; date;
  echo '{"method":"getbalance","params":[""]}' |
  POST http://$user:WRONG_PASSWORD@127.0.0.1:8332/ 2>&1 | grep -i body);
  done; echo '{"method":"getbalance","params":[""]}' |
  POST http://$user:$pass@127.0.0.1:8332/
99 Tue Apr 24 09:10:10 PDT 2012 <BODY><H1>401 Unauthorized.</H1></BODY>
98 Tue Apr 24 09:10:10 PDT 2012 <BODY><H1>401 Unauthorized.</H1></BODY>
[...]
1 Tue Apr 24 09:10:53 PDT 2012 <BODY><H1>401 Unauthorized.</H1></BODY>
0 Tue Apr 24 09:10:53 PDT 2012 <BODY><H1>401 Unauthorized.</H1></BODY>
{"result":-6203.99412537,"error":null,"id":null}
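As an added example (not code from the question, the answer, or bitcoind itself), here is the kind of per-source lockout the answer found missing: after a handful of wrong passwords, the source is refused for a while even when it then supplies the right one, so a loop of 100 guesses followed by the correct password no longer succeeds. The thresholds, the "127.0.0.1" source label and the FakeClock are assumed values constructed for the demonstration.

```python
import time
from collections import defaultdict


class AuthThrottle:
    """Per-source lockout: after max_failures wrong passwords inside window
    seconds, refuse that source (even with the right password) for lockout
    seconds. clock is injectable so the behaviour can be checked without sleeping."""

    def __init__(self, max_failures=5, window=60.0, lockout=300.0,
                 clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock
        self.failures = defaultdict(list)  # source -> recent failure timestamps
        self.locked_until = {}             # source -> time the lockout expires

    def check(self, source, password_ok):
        """Return True if the request may proceed, False if it is refused."""
        now = self.clock()
        if self.locked_until.get(source, 0.0) > now:
            return False                   # still locked out; password not even considered
        recent = [t for t in self.failures[source] if now - t < self.window]
        if password_ok:
            self.failures[source] = []     # a real login clears the counter
            return True
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[source] = now + self.lockout
            recent = []
        self.failures[source] = recent
        return False


class FakeClock:
    """Constructed stand-in for time.monotonic so the demo needs no waiting."""
    def __init__(self): self.now = 0.0
    def __call__(self): return self.now
    def advance(self, seconds): self.now += seconds


def simulate_guessing(wrong_guesses, clock):
    """Replay the answer's experiment: N wrong passwords, then the right one.
    Returns (accepted right after the guesses, accepted once the lockout expired)."""
    throttle = AuthThrottle(clock=clock)
    for _ in range(wrong_guesses):
        throttle.check("127.0.0.1", password_ok=False)
    immediately = throttle.check("127.0.0.1", password_ok=True)
    clock.advance(throttle.lockout + 1)
    return immediately, throttle.check("127.0.0.1", password_ok=True)
```

With the defaults, `simulate_guessing(100, FakeClock())` returns `(False, True)`: the correct password is refused right after the guessing run and accepted only once the lockout has expired.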
