CVE-2018-1000093

CryptoNote version version 0.8.9 and possibly later contain a local RPC server which does not require authentication, as a result the walletd and the simplewallet RPC daemons will process any commands sent to them, resulting in remote command execution and a takeover of the cryptocurrency wallet if an attacker can trick an application such as a web browser into connecting and sending a command for example. This attack appears to be exploitable via a victim visiting a webpage hosting malicious content that trigger such behavior.
References
Link Resource
https://github.com/amjuarez/bytecoin/issues/217 Broken Link Third Party Advisory
https://github.com/cryptonotefoundation/cryptonote/issues/172 Exploit Issue Tracking Third Party Advisory
https://www.ayrx.me/cryptonote-unauthenticated-json-rpc Exploit Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:cryptonote:cryptonote:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2018-03-13 15:29

Updated : 2024-02-28 16:25


NVD link : CVE-2018-1000093

Mitre link : CVE-2018-1000093

CVE.ORG link : CVE-2018-1000093


JSON object : View

Products Affected

cryptonote

  • cryptonote
CWE
CWE-352

Cross-Site Request Forgery (CSRF)