CryptoNote version version 0.8.9 and possibly later contain a local RPC server which does not require authentication, as a result the walletd and the simplewallet RPC daemons will process any commands sent to them, resulting in remote command execution and a takeover of the cryptocurrency wallet if an attacker can trick an application such as a web browser into connecting and sending a command for example. This attack appears to be exploitable via a victim visiting a webpage hosting malicious content that trigger such behavior.
References
Link | Resource |
---|---|
https://github.com/amjuarez/bytecoin/issues/217 | Broken Link Third Party Advisory |
https://github.com/cryptonotefoundation/cryptonote/issues/172 | Exploit Issue Tracking Third Party Advisory |
https://www.ayrx.me/cryptonote-unauthenticated-json-rpc | Exploit Third Party Advisory |
Configurations
History
No history.
Information
Published : 2018-03-13 15:29
Updated : 2024-02-28 16:25
NVD link : CVE-2018-1000093
Mitre link : CVE-2018-1000093
CVE.ORG link : CVE-2018-1000093
JSON object : View
Products Affected
cryptonote
- cryptonote
CWE
CWE-352
Cross-Site Request Forgery (CSRF)